sglee

asked on

Backup System and Ransomware

Hi,

I would like to understand how safe external USB backup drives are against a ransomware attack.

First, I perform two types of backups on Hyper-V servers:
1. Windows Server Backup to an external USB HD, which is only visible in Disk Management.
2. NAKIVO Backup to an external USB HD, which is visible when you open "This PC".

Second, on standalone Windows 2016 or 2019 servers, I only do Windows Server Backup.
Third, I do cloud backup on each site.

I know that:
1. These external USB HDs are not shared. Therefore they are not visible from other computers on the same network.
2. Only the domain administrator logs into these Hyper-V & Windows servers. So there is no chance of clicking on any link in the body of a spam email or visiting infected websites.
3. As I understand it, ransomware will encrypt the files on the infected computer and any shared drives on the same network.

I am curious how other network administrators protect their backup data from ransomware attacks.

Thanks.


 

Seth Simmons

Third, I do cloud backup on each site.

offsite is a good idea

As I understand it, ransomware will encrypt the files on the infected computer and any shared drives on the same network.

correct
if a user has write access to certain shares on a NAS, then that data is vulnerable
in our case, the NAS (NetApp) has snapshots so we can restore to within the hour if something happens; that's in addition to Veeam backups
Unplugged, they are safe; attached to the system, they are a target.
Ransomware attacks come in different flavors.
One deals with the user running malware that encrypts everything the user has write access to.
Another is a user inadvertently granting access to a third party, who can then take over access on the system, which might be to elevate and effectively run as an admin user, in which case the attacker can do whatever the elevated account has access to.

You could use GPO to mitigate whether regular users can run executable files, by pushing a software restriction policy that no user can run anything executable from %userprofile%, %localappdata%, %userprofile%\local\temp\ and %userprofile%\appdata\roaming\*\*.exe.

This should limit the user-based attack vector.

Consider it this way: you want to prevent items in your car from being stolen, so you take the important things from the car and place them in a secured storage hitch that is attached to the car.

Cloud backup runs under a service account; depending on the type of attack, cloud-based backups have been known to be compromised.
Some cloud backup vendors include a versioning mechanism as well as anti-ransomware ...
which might mitigate the issue.

Try the following. Let's say everything on your network is ransomwared, inaccessible.

Can you, using a computer you've not used before, access the data in the cloud and restore a file? (This deals with whether you have a safeguarded set of credentials and a means to access the cloud backup if the worst just happened.)

Some ransomware attacks (intrusions) go after backups that are not offline/offsite.
Hi,

Agree with David, as soon as it is accessible your backup storage is a target.
Some vendors now offer an immutable file system for backup, such as Rubrik (by design) and Veeam (Linux backup repository).

I have worked several recoveries for companies and I can tell you they are a target. Generally, the threat actor will ensure they can get rid of your recovery capabilities well before they attack or encrypt your files. They usually delete the backups first, as no one is really paying attention to the existence of these files. Then they only encrypt the active data. Since the backups are deleted, there is no reason to encrypt them.

There are several items that should be standard practice for any company, and immutable backups are one of them (immutable means the data cannot be deleted once written). Your cloud backup storage provider may offer this. It may require more money. Pay it. Also, backup targets like Rubrik, StoreOnce, Cohesity, Data Domain, etc. offer immutability if you check the box when creating the target. The Veeam database will get deleted as well, so rely on the storage immutability.

I wrote a blog article concerning security. Things like don't join your Veeam backup servers to the domain. You can find it here: https://richfaulkner.com/cybersecurity/security-lessons-learned/
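The comment above makes the point that the threat actor removes your recovery capability before encrypting anything. On Windows that cleanup is usually a short, recognisable burst of commands (vssadmin or wmic deleting shadow copies, wbadmin deleting the Windows Server Backup catalog, bcdedit disabling recovery), and on servers where only the domain administrator logs in it will run under that very account. The following is an added example, not code from the thread or from any product: a small Python detector run over constructed process-creation records. The pipe-delimited layout, host name, account names and parent process path are all invented for the example; the command lines are the ones the rules are meant to catch.

```python
"""Flag backup-destruction commands in Windows process-creation events.

Added example. Each record is time|host|user|parent|command line, as a
constructed export of Security 4688 / Sysmon Event ID 1 might look.
"""
import re
from typing import Iterator, List, NamedTuple


class Hit(NamedTuple):
    rule: str
    host: str
    user: str
    command: str


# Rule name and a case-insensitive pattern applied to the full command line.
RULES = [
    ("shadow_copy_delete",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_storage_resize",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wsb_catalog_delete",   # removes the Windows Server Backup catalog
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("powershell_shadowcopy_delete",
     re.compile(r"win32_shadowcopy.*\.delete\(", re.I)),
]


def parse_events(text: str) -> Iterator[dict]:
    """Yield one dict per record. Split on at most four pipes so a command
    line that itself contains '|' (a PowerShell pipeline) stays intact."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("ts|"):
            continue  # blank line or header
        ts, host, user, parent, command = line.split("|", 4)
        yield {"ts": ts, "host": host, "user": user,
               "parent": parent, "command": command}


def scan_events(text: str) -> List[Hit]:
    """Return one Hit per record whose command line matches a rule."""
    hits: List[Hit] = []
    for ev in parse_events(text):
        for name, pattern in RULES:
            if pattern.search(ev["command"]):
                hits.append(Hit(name, ev["host"], ev["user"], ev["command"]))
                break  # one alert per event is enough
    return hits


# Constructed sample export (not real logs): two benign backup-admin commands,
# then the cleanup burst typically seen minutes before encryption starts.
SAMPLE_EVENTS = r"""ts|host|user|parent|command
2024-03-02T01:12:03Z|HV01|CORP\backupadmin|C:\Windows\System32\cmd.exe|wbadmin start backup -backupTarget:E: -include:C: -quiet
2024-03-02T01:13:10Z|HV01|CORP\backupadmin|C:\Windows\System32\cmd.exe|vssadmin list shadows
2024-03-02T02:41:55Z|HV01|CORP\administrator|C:\Users\administrator\AppData\Local\Temp\upd.exe|vssadmin.exe Delete Shadows /All /Quiet
2024-03-02T02:41:56Z|HV01|CORP\administrator|C:\Users\administrator\AppData\Local\Temp\upd.exe|WMIC.exe shadowcopy delete
2024-03-02T02:41:57Z|HV01|CORP\administrator|C:\Users\administrator\AppData\Local\Temp\upd.exe|wbadmin delete catalog -quiet
2024-03-02T02:41:58Z|HV01|CORP\administrator|C:\Users\administrator\AppData\Local\Temp\upd.exe|bcdedit /set {default} recoveryenabled No
2024-03-02T02:42:01Z|HV01|CORP\administrator|C:\Users\administrator\AppData\Local\Temp\upd.exe|powershell -nop -w hidden -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"
"""

if __name__ == "__main__":
    for h in scan_events(SAMPLE_EVENTS):
        print(f"{h.rule:30} {h.host} {h.user}: {h.command}")
```

The benign lines (a scheduled `wbadmin start backup`, `vssadmin list shadows`) are not flagged; the five cleanup commands are, and the hit carries the account and parent process so the alert shows the administrator account running a binary out of a Temp folder. Because the cleanup happens before encryption, this is one of the few signals that fires while there is still something to save, so it belongs on a page rather than in a daily report.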
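Both of the last two comments recommend immutable backup storage, and the second notes that a cloud provider may offer it at extra cost. On S3-compatible object storage the feature is Object Lock, and the detail that decides whether it actually protects you is the retention mode: in COMPLIANCE mode no principal, the bucket owner included, can delete a locked object version before its retention period ends, whereas GOVERNANCE mode can be bypassed by anyone holding s3:BypassGovernanceRetention, which is exactly the sort of permission a compromised backup administrator may hold. The following is an added example, not from the thread or from any vendor: a Python check over a configuration dict in the shape returned by boto3's get_object_lock_configuration(). The three sample configurations are constructed, and the 30-day minimum is an assumption you would set to your own retention requirement.

```python
"""Check an S3 Object Lock configuration for backup immutability.

Added example. The dicts mimic the shape of boto3's
get_object_lock_configuration() response; no bucket is contacted.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class LockVerdict:
    immutable: bool
    reasons: List[str] = field(default_factory=list)


def retention_days(default_retention: dict) -> int:
    """Object Lock expresses default retention as Days or Years, never both."""
    if "Days" in default_retention:
        return int(default_retention["Days"])
    if "Years" in default_retention:
        return int(default_retention["Years"]) * 365
    return 0


def check_object_lock(config: dict, min_days: int = 30) -> LockVerdict:
    """Decide whether objects written to this bucket will be undeletable for
    at least min_days, and collect the reasons when they will not."""
    verdict = LockVerdict(immutable=True)
    lock = config.get("ObjectLockConfiguration", {})

    if lock.get("ObjectLockEnabled") != "Enabled":
        verdict.immutable = False
        verdict.reasons.append("Object Lock is not enabled on the bucket")
        return verdict

    rule = lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        verdict.immutable = False
        verdict.reasons.append(
            "no default retention: objects are only locked if the backup "
            "writer sets a retention period on every upload")
        return verdict

    mode = rule.get("Mode")
    if mode != "COMPLIANCE":
        verdict.immutable = False
        verdict.reasons.append(
            f"retention mode is {mode}: GOVERNANCE can be bypassed by any "
            "principal holding s3:BypassGovernanceRetention")

    days = retention_days(rule)
    if days < min_days:
        verdict.immutable = False
        verdict.reasons.append(
            f"default retention of {days} days is shorter than the required {min_days}")
    return verdict


# Constructed sample configurations (not taken from any real account).
COMPLIANT_BUCKET = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
    }
}
GOVERNANCE_BUCKET = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}},
    }
}
NO_DEFAULT_RULE = {
    "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}
}

if __name__ == "__main__":
    for name, cfg in [("compliant", COMPLIANT_BUCKET),
                      ("governance", GOVERNANCE_BUCKET),
                      ("no-rule", NO_DEFAULT_RULE)]:
        v = check_object_lock(cfg)
        print(name, "immutable" if v.immutable else "NOT immutable", v.reasons)
```

Against a live bucket, pass the function the result of `boto3.client("s3").get_object_lock_configuration(Bucket=name)`. Object Lock also requires bucket versioning to be on, and a passing check only proves that what has already been written cannot be deleted; an attacker who has the backup credentials can still stop new backups from being made, so alert separately when a scheduled backup fails to appear.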
This is a research question, not a troubleshooting break/fix question.
All contributing comments should be selected.