New ransomware variant also finds & deletes backups?!

Back to Blog
11Apr2017

New ransomware variant also finds & deletes backups?!

I recently came across this forum thread on Veeam’s website, which scared the crap out of me. Coincidentally, Veeam published this article the same day. If these reports are accurate, then it means most organizations have some work to do to better secure themselves against the latest emerging rasomware / crypto-variants.

It makes sense. Probably the number one reason people don’t pay the ransom is that they can restore from backup instead. So if you are designing a ransomware with that in mind, you would be wise to write in some logic to seek out and  then destroy any backup repositories, rather than just encrypting file shares.

How to better protect your backups

Ideally, of course, you would design layers of security to protect you from getting ransomware in the first place. Good perimeter security is part of that picture, and protecting & managing your endpoints well is another. But the thing about security is, you always need to have a contingency plan in place, just in case those other layers fail (and probably someday, they will).

Backup & recovery is absolutely your last line defense, and one of the most important. However, little good that does you if your backup gets deleted, or is itself encrypted. So here are two tips that I suggest for achieving better backup protection, at a minimum:

  1. Isolate your backups from the rest of the network. This means in a different subnet behind your firewall, with limited or no communication to the production/data network. Since most of us are doing virtualization these days, I would further recommend keeping the physical host/hypervisor away from your virtual machines, as well; place the host server & backup repositories (whether that is another physical server or NAS) into a DMZ. Use different credentials on both the hypervisor & the backup repositories than anywhere else on the internal domain.*
  2. You absolutely need an offsite copy of your backup data. This can be accomplished in many ways, with many different products. It could be at another datacenter or location (if you have that luxury) with its own backup repository and a synchronization script setup on a schedule from the main location (e.g.: backup replication is easily achieved using Veeam’s Backup & Replication product), or it could be a cloud backup service (see Azure Backup), or even a full DRaaS solution (e.g. Azure Site Recovery) with offsite replicas of your full production systems. Better still if you can afford a combination of on-prem backup, a cloud-based backup and another offsite recovery option.

If you do both of these things well (isolation + offsite/offline backup), you will be several steps ahead of the game, compared to most small businesses today. I recommend engaging your technology partner/provider as soon as possible to make these changes.

And if you yourself are a provider, then start talking to your clients about a security update project based on this information. One of the big security predictions for 2017 (based on some other recent reading around the interwebs), is that ransomware in general will continue to evolve, and include worm variants (in other words, this malware crawls around your network looking for other things to infect/damage).

To take the above design a step further, you might even setup ACL’s or another DMZ for your virtual servers/domain infrastructure, and only open the ports that are required for its hosted services (LDAP, SMB, DNS, HTTPS, etc.)–see below.  Before you try to bite off more than you can chew, however, I’d just start with the above, and keep improving from there.

*A note about failover clusters

Since clustered Hyper-V hosts have a strong dependency on Active Directory, you can’t just leave them in a workgroup (which is what I’d recommend for standalone hosts). Therefore, you would need to make sure that the cluster is able to communicate with your AD/DNS servers, on the necessary ports. However, another option would be a separate management domain. To achieve this, I would place one virtual DC on each host’s local storage (so they could be started outside of the cluster entirely), and create a new separate forest/domain root. If your internal domain were “Company.local” I might make it “CompanyHost.local” or “CompanyMgmt.local,” or whatever you like.

In the future, I may even take the time to write up a more detailed design describing an ideal setup, including isolated VM’s, and the ports that would be required for most major domain-based services. Again, for now, I’d just say isolate your host(s) & guests, with the hypervisor and backup repositories not even accessible from the rest of the LAN–that communication should not be necessary, anyway.

Technical , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

08Apr

Updated! Checklist co-developed with Microsoft: Set up your SMB customers for secure remote working

I had the great pleasure to participate in a webinar today with David Bjurman-Birr (Partner Architect) and Jon Orton (Director of Product Marketing for Microsoft 365 SMB). David and I recently developed a checklist together for Microsoft 365 Business Premium, aimed at helping partners who... read more
08Apr

Managing Hybrid Exchange environments: a Cheat Sheet

Office 365 Exchange Online is pretty simple to manage if you are a "cloud-only" organization. Especially now that many edits can be made easily via the Microsoft 365 admin center, without even going into the Exchange Online admin area, separately. But, for those of us who... read more
05Sep

Replacing your traditional file server with Microsoft Teams and OneDrive, part 2: How to make it happen fast

As promised, today I am going to show you how easy it is to replace your legacy file server and network drive experience with Microsoft Teams and OneDrive. Seriously, anyone can set this up, and it takes just a few minutes. Pre-requisites are: Windows 10... read more
GDAP in M365 Lighthouse
01Apr

Reviewing the GDAP Wizard in Lighthouse

Hey folks! In today’s article, we will be taking a closer look at Granular Delegated Admin Permissions or GDAP.  You can think of this feature as providing similar functionality to Privileged Identity Management (PIM), including “Just-in-Time” (JIT) access, but specifically with regard to your partner... read more
19Oct

Azure Virtual Network: What is the difference between Policy-based and Route-based VPN?

You want to configure a Site-to-Site (S2S) VPN tunnel from an on-premises hardware VPN device, such as your firewall, and an Azure Virtual Network. For this, you require several objects in Azure. One of those is a "virtual network gateway"--which is basically just a software... read more
04Feb

How-to set up Multi-factor Authentication for Office 365

Note that there are multiple layers to Microsoft's Multi-factor Authentication (MFA) service. In this post, we are only covering the MFA included with Office 365.  Additional Azure MFA features are available, for example, through a subscription to the Enterprise Mobility Suite. In order to begin setup for multi-factor... read more
14Jul

Remove SBS 2008 or SBS 2011 Source Server from the domain

Sorry Old Yeller--I know you were a faithful companion for many years--but it's time to put you down, buddy. I usually wait until the end of the migration project for this. There is no harm leaving the old server as-is for the duration of the project while you finish migrating... read more
28Jun

Does Microsoft backup my data in Office 365? Do I need more or additional backup?

A new reader question came in, and frankly it's one that I hear a lot. I'm sure I have smatterings referring to this issue in other articles, but this one should stand to clear up the questions once and for all--this will be something I... read more
Unboxing Defender for Business, Part 2: Threat & Vulnerability Management
01Feb

Unboxing Defender for Business, Part 2: Threat & Vulnerability Management

Last time we looked at how to get started with Microsoft Defender for Business and the so-called "Simplified configuration process," which helped us onboard our first Windows devices and apply basic policies to manage antivirus and firewall settings across the organization. In this blog post,... read more
28May

How-to setup Intune quickly (and strategically) in your environment

Update March 2023: Much of what is written here eventually became the basis for my SMB Guide to Threat Defense and Microsoft Defender. Which in turn is part of the Consultant's Bundle. I encourage you to check it out! UPDATE: I have updated the setup script... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me