Protecting Against Ransomware with Veeam

Captions
Hello, my name is George Kelly and I'm a systems engineer for Veeam Software. I'd like to talk to you today on the subject of protecting against modern ransomware with Veeam. Now, the purpose of this particular session, very short and sweet, is to run a live ransomware attack on an isolated and controlled virtual machine in my own lab, OK, and the purpose of that is I want to show you how, after that particular incident, we can recover instantly with Veeam software. Now, I'm not going to cover off any of the background of ransomware or the purpose of it and so on and so forth; we've all seen and heard on the news about what ransomware is, we're all very well educated on that piece, OK. But I'm going to show you some of the mechanics of it, what it does in the background, and it's very important to understand that, because this allows us to understand some of the things we should be doing in our environment and some of the things we should be trying to avoid, to try to make sure we're protected. And equally so, with the demonstration, some of our software allows us to spin up virtual machines from backups very, very quickly, almost within two minutes, so the purpose of this is to show how that actually works so quickly after suffering a ransomware attack. And it really is applicable to something that isn't just in a lab environment; it could be a production workload with several terabytes or petabytes' worth of data that have been corrupted, and you can spin it up in that same very small fraction of time.

So let's dive straight in and have a look at what's going on. Here's my virtual machine. You can see here I have a number of files on the desktop; these may represent files that you have on your desktop, maybe on your workstation at home or at work: standard Word documents. Let's just open them up and have a look; you can see you've got some data in them, with an image. Let's go and have a look at the Excel spreadsheet, just some standard spreadsheet data we've got in there; let's close it off. And I've included an image I've just downloaded from Google. It's a JPEG, but again that might be indicative of honeymoon photos, holiday photos, photos that live on a corporate network, designs or some sort of surveying and so on and so forth, all the typical stuff you'd see on a typical computer or server in the modern-day era, OK.

Now, not only that, let's go and have a look a little bit further. On this machine we have a drive mapping, OK, so we have a share to another system, a direct and isolated connection to another system in my lab, mapped to the drive letter S. If we go into that we can see there's more data, more Microsoft Office data, Word documents, Excel and so on and so forth; I just copied and pasted the same content over. And we've also got a Veeam backup file. I've put that in there for a good reason: it's a .vbk and, fair enough, it's a backup of a particular subset of data that we have, that we allocate, but the important thing here is that we are somewhat a victim of our own success, OK. It's no good storing backup data on your live environment. You will find that ransomware these days specifically looks for file extensions of common backup vendors. So .vbk is our full backup file; if ransomware comes across that it will normally encrypt it to make sure that the users can't restore from their backup, because if they can, then what's the point in doing a ransom attack in the first place?

Final thing I want to show you just before we run it: if I right-click on the share mapping we can see 'Restore from previous versions' is available to us, so I've enabled Shadow Copy Services on this particular box, and we can see that I've got a timestamp that we can roll back to. Those timestamps that are built into Windows using Shadow Copy Services are local to that particular system, so they're very good, they're very quick to restore data from, but because they're local, not just from ransomware, if that system was to become unavailable you'd not only lose all the data but you'd lose the backup data as well. So Shadow Copy Services are great, but they do have their pitfalls, so just be aware of that. So when we run the ransomware attack, let's see if that's still available to us.

Here are my ransomware deployments; we're going to be running this one here today. Let's dive into that and just have a look at what's in there. So we've got a zip file; let's just open him up and extract it. Extract it here, yep, here we go: here's our file, a long string name there, and there's just a .exe on the end of that. First thing to notice is he's actually been programmed to pick up the same icon, or a very similar icon, to what an Adobe file would look like, maybe an update file. We can even rename this, it wouldn't make any difference to the exploitation: Adobe install, or maybe Adobe_updater, OK, so it looks relatively genuine. Now, you know, you could see that maybe on a USB stick or maybe in a directory, maybe it would be emailed through to you. So we've heard in the news about ransomware being low-tech, OK, it's not anything sophisticated when you talk about the mechanics of it; the actual broadcasting is maybe the most taxing thing for them, but the actual software design and how it ticks is very low-tech. Joe Public could run this.

So let's not wait about any more, let's dive in and actually see what happens if we run this particular exploitation. You can see my system's egg-timing now, so it's actually run; it's far too late to do anything now. The files are still there, they still look healthy. Let's flick up Task Manager and actually have a look at what's going on under the hood. So if we go to Performance we can see we've had a recent spike there, a performance hit; that's probably where I ran the ransomware attack, because ransomware is going to go and encrypt all of the files within that particular system. It's not just the things that are on the desktop; bear in mind anything that has an extension that the ransomware attack has been designed to corrupt or to encrypt, it will go and do it, so they could be on all those drives that I showed you before. So that's why the CPU is going through a certain load right now, just going through all of those directories and finding those particular areas. We can see the CPU's chugging along nicely; it's probably going higher than what it normally would: thirty-four percent, fifty percent, fifty-six. So it's cranking up quite heavily, using quite a lot of CPU to run the ransomware attack in the background. You can see that the CPU and the memory have been utilised quite heavily.

If this moves out of the way we can actually see now that the ransomware has already started to take place; these files have become encrypted. If you've been a victim of ransomware in the past you'll know that you've been at these particular points; you may not have seen the particular steps that happen when you run the ransomware attack, which is half the reason why I'm running this demonstration, but you would have woken up in the morning, logged into your systems and maybe seen a load of files like this where your previous good files used to be, and you're like, well, what's going on? So what's happened here, OK? It hasn't actually finished yet; let's just give it a bit more time to actually figure out what's going on. You can see the CPU's still going under a significant amount of load there, you can see it's really, really churning as it's going through my file system and just encrypting all of that data that it can find, OK. So let's just give it a few more seconds to finish off doing what he needs to do. He's got the stage at the moment, and you can see it's coming to the crescendo now; he's done a couple of things there, OK. So he's opening up this web page; I'm just going to move the web page out of the way.

The one thing I do want to show you first and foremost is the directory where the exploitation was published to, OK, where I unpacked it from that zip file: it's actually gone, OK, so it's actually deleted itself. They've taken effort to write the code so they changed the icon to an Adobe icon and they also delete the file once it's been written. Why is that? Well, it stops you from then uploading that back to your AV vendor; maybe you want to be a charitable person and upload that to the community and say, look, this is the exploitation, it's fresh, here's the problem; or, listen, you can't, you know, it's too late now, it's removed any evidence of it ever existing on that system. It's probably fair to say this system is actually cleaner now than what it was before, because it's removed that particular threat, OK, but it has done the damage: it's encrypted our files, it's given us this web page and it's telling us some very clear instructions.

It wants us to go and download the Tor Project browser, so let's just click on that. I've still got an internet connection that I've secured down just to this machine. Nothing wrong with the Tor browser; it's designed to understand and interpret onion links, so they want to use that browser to transmit and communicate with you, because fundamentally they need to publish some sort of address to you, some sort of mechanism to share their mechanism of payment with you. Normally that's done via some sort of virtual currency; we won't know until we get there. So let's let the Tor browser run, and also if I could just click on this link in the background, yep, so once we've downloaded the Tor Project it wants us to, blah blah blah, after installation, type this address into the address bar. So let's just copy that, because I'm not going to type it, I'm far too lazy; let's copy that, and when Tor is loaded up we want to put that address into the Tor URL bar. Tor's finished installing, but they've been nice enough to give us a link and all; I like that, you know, they've gone the extra mile to say, look, we really want to get your money, click on this link, download this nice browser, here's a nice desktop background that we've put on your machine so you certainly know you've been infected. And here is the Tor browser; it only took a few moments to get hold of that, so nothing's arduous here, they're making it very easy for us. They want their money, so they're making the steps for us very, very convenient. Egg-timer going again, we're just churning that CPU over, and here we have our browser, so let's throw that address in, the onion link.

We're waiting away while it finds a location; sometimes you find that ISPs have locked down the actual page if it's stored on some sort of reputable board. We're lucky in this case, for the demonstration, that that's not the case. So you can see they've got a drop-down list here on their web page, they've got different languages, they've gone to the effort of that, they've got some nice cascading stylesheets going on, so they've made the page look, you know, relatively aesthetic; it doesn't look very nasty. All these different nice methods to pay: if you don't know how to go about getting a Bitcoin wallet you can click on one of these links. So, you know, they've been really good to us, they've let us know exactly where we need to go. Here's your unique ID, and you just send... here we go, there's the money, there's the money shot: section four, send one Bitcoin to this particular address. So they've got you now; they've done what they needed to do, they've infected your file system and they've given you the URL, you've hit the home page, and really now it's just an enormous anonymous transaction of some virtual currency into their Bitcoin wallet and they will release, or so you would like to think, release the decryption codes over to you to get your files back, OK.

But we don't want to do that; we want to go and recover from a backup, and I work for Veeam Software, so I should have the tools in my kit bag to do that. Let's close that off. This is our box; let's load up VMware. No, actually, let's go and load up our Veeam server. And here's my Veeam server. If you haven't seen our interface before, it's very easy to use; you can see you've got these panels here on the left, and I'm going to go and run a restore, Instant VM Recovery, check on that button at the top. It's going to ask me for my restore points from all the different points I've got within that particular system, OK. I need to select the correct virtual machine, which I didn't do straight away there, so if I do this, I go Instant VM Recovery; this is the process I spoke about at the beginning, where I want to get a workload on as soon as possible. Here are my restore points, all the different points in time that I have a valid backup from; I'm going to select the most recent one. What do you want to do? Do you want to restore to the original location, so we're going to basically overwrite that previous VM, or do you want to restore to a new location with different settings? Let's do that, because it's a demonstration, so it'll be nice to show you how that works. The main thing I'd probably want to change here is I probably want to give it a new name so I can distinguish it from the compromised system, and let's just put it into the root of the resource pool and go next. I don't want to redirect my virtual disks; just put a few letters in there to suggest it's a restore. Do I want to connect the VM network automatically? Do I want to power on the VM automatically? I'll tell you, yes I will; I tick both of those because I want to get it on, and it's going to come with a nice little warning here: make sure the original server is powered off, so we can do that in just a moment. So the VM recovery is still in process, we've just kicked that off. Let's go and launch up VMware and we'll kill the original VM, which is this guy here; I'm just going to put him into a suspended state. So that's the compromised VM, and in the background now what's happening is Veeam is taking care of restoring that virtual machine to us in an Instant VM Recovery scenario, OK.

So what it's doing: we're not rehydrating data, we're not moving vast amounts of data around; all we're doing is connecting VMware to the backup infrastructure. We're literally booting that virtual machine (it doesn't have to be one, it could be a number of virtual machines) from the backup, I should say from the backup disks, and we're presenting that back to the network. It should happen within just a couple of minutes, so we can see the machine has already gone online; we can see that the status is probably saying that he is powered on. Let's go and actually look at the console of him and see what's actually happening. Here, if I click on him, you can see, well, actually, you can see already within Windows he's actually come up with this splash screen. So let's go and check him out and actually see if we can log in and see what's actually happened. Here he is going, connect to him, you can see Windows is booting; this is not Veeam now, we're just waiting for Windows to chug along. You know, we've presented that VM within probably less than two minutes, maybe just one minute, to get that back online; it took longer to go through the wizard, and it took longer for Windows to boot than it took Veeam to present that data back to the environment. And it's worked, you know, we have our data. So here are our Excel spreadsheets, they're all here, here's our picture, so we can click on that again and actually have a look at what's going on there and see that that's all good and healthy. So, you know, the machine has been recovered. We know what the repercussions of the ransomware were; we could see these were all encrypted files, we couldn't open them or access them, they'd been totally corrupted.

But I tell you what's interesting: I actually have a Veeam agent running on this particular machine, and let's just take a look at that. We haven't used the agent to recover from, but it's worthwhile talking about, because with the agent we can use this for virtual machines or physical workloads or any particular workload, as long as it's Windows or Linux, and we can actually do quite a few unique things here, one of which I just want to share with you is the ability to repoint where our backups land. Now we can see in that scenario we compromised a lot of data; we compromised the data living on those file shares, we compromised the data living on the desktop. But within our agents we have the same functionality: we can store data locally into local storage directories or maybe a shared folder. These are great, very quick, very efficient, but they do have the downside that they're going to be susceptible to being affected by ransomware as well, because they're on that same fabric as your production environment. So if you have a ransomware attack in your business, it's going to proliferate through the network, traverse over to your backup directory and affect those files as well. Equally so, we have a Veeam backup repository, so this is where we have our containers, essentially all our disks where we like to store data down onto; we can do a few unique things in there to make sure that's isolated from the environment, create a backup copy job, and that protects from, essentially, ransomware attacks. But the interesting one I want to draw your attention to here is the Veeam Cloud Connect repository. So this is actually where ultimately we can take our data, whether that be a virtual machine or a physical workload, and push that directly into what we call a Veeam Cloud Connect platform, and that's going to live in a service provider environment, either as a backup-as-a-service or DR-as-a-service entity. So we could have used that; that would give us a very unique disconnect from our production environment to our backup environment. It's going to live in the cloud on a service provider's platform, in an environment where you know and trust that organisation and all the good things they're doing for you as a business, OK. Not really ideal for this scenario, because obviously restoring data from that cloud platform we'd have to traverse the data over the internet, so it would be a little bit longer, but again, ultimately your data is in a cloud platform that's isolated from your environment, so it gives you a very unique and safe way of recovering data.

If we go back to Veeam very quickly, let's actually decide that we're going to stop publishing that machine, because we've decided we're happy with it, we've recovered our data, we no longer need that virtual machine. So we can either migrate that virtual machine back into our environment (if I just click up here we can migrate to production, so that will basically make it a live VM, and therefore all the users will be completely ignorant of what's going on in the background; they will just continue to work on that live data) or, actually, if we've taken the data out manually, we could just stop publishing it, and what that's going to do is just reverse-process all of that good stuff that we did publishing that to VMware. So there's no need for us to do that at the VMware level; Veeam takes care of that for you. It disconnects the backup architecture from your hypervisor, and you can see it was very quick to clean that operation up as well.

One thing we didn't do: we didn't check out properly the actual status of the files. So let's go and just reconnect to the infected machine, the one that actually had the problem; I'll just probably need to go and resume it because I paused it. This is the one that actually has a problem with it; let's just go and see what he looks like, because I showed you at the beginning the Volume Shadow Copy directory and also the Veeam backup file. Let's go and actually have a good look at what actually happened to that encrypted data once the exploitation had run on that particular machine. So again it's just having to boot up off VMware now, standard technology, waiting for it. But this machine's been compromised; you know, there's no way that this is in a good state, the data in there is not in a healthy situation, so we're just waiting for Windows to do its thing. Yep, we're back to here, so this is the corrupted machine. We're doing a bit of a yo-yo here, going back and forward, but no problems, you get the point of this. If we launch up the Windows Explorer directory, let's just have a quick look at this. You saw before that I had Volume Shadow Copy, or Shadow Copy Services, enabled; if I go to 'Restore from previous versions' we had one restore point. Never fear, so let's just give that a whirl right now. We can see, so in Windows there's a shadow copy cache where Windows will organically, if it's enabled, just check all the changes throughout your system, so it really is a unique feature to use. But you can see the ransomware has run on that system; it's affected all the files that are on the desktop, so we can't open these because Windows doesn't know how to interpret them. We either need to restore from backup or get the decryption keys, OK, and we're never going to get those. But it's also gone and affected our actual VSS, so again, no good to us. If that system was to fail as well we'd need an off-site backup or a backup moved to another location, so we need to mature our understanding of backup in order to protect against these circumstances that prevail in the modern data centre these days.

So that's it really; I wanted to cover off some of the high-level points around how a ransomware attack actually runs, some of the mechanics behind the scenes, and, more importantly, how you can recover from that using Instant VM Recovery with Veeam. I hope that's been helpful; any more questions, please don't hesitate to contact one of our systems engineers, they'll be more than happy to give you some guidance.
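The mechanics the speaker walks through (files encrypted by extension, the .vbk backup hunted down on a reachable share, documents Windows can no longer interpret, the dropper deleting itself) suggest a simple triage check that a practitioner can run against a share before or after an incident. The Python script below is an added example for this page; it is not code from the video, from Veeam, or from any real ransomware. It walks a directory tree and reports three things: backup files stored on the live share (.vbk is the Veeam full backup file named in the video; .vib, .vrb and .vbm are Veeam's incremental, reverse-incremental and metadata files), Office or image files whose content no longer starts with the format's magic bytes (encrypted in place with the name kept), and files with an unrecognised extension whose byte entropy is close to 8 bits per byte (encrypted and renamed). The 7.5 bits/byte threshold, the magic-byte table and the sample share it builds in a temporary directory are constructed for the demonstration, not vendor figures.

```python
"""Audit a file share for ransomware indicators.

Added example for this page; not code from the video, Veeam, or any real
ransomware sample. The sample tree it builds is constructed for the demo.
"""
import functools
import json
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# .vbk is the Veeam full backup file named in the video; .vib, .vrb and .vbm
# are Veeam's incremental, reverse-incremental and metadata files.
BACKUP_EXTENSIONS = {".vbk", ".vib", ".vrb", ".vbm"}

# Leading bytes a healthy file of each type must start with. Office Open XML
# documents are zip containers, so they share the zip local-file header.
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG", ".pdf": b"%PDF",
}

# Ciphertext is near 8 bits/byte; documents and images sit well below this.
# The threshold is an assumption tuned for the demo, not a vendor figure.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def audit_share(root) -> dict:
    """Walk `root` and return lists of share-relative paths per indicator."""
    root = Path(root)
    report = {"backup_files": [], "magic_mismatch": [], "high_entropy_unknown": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in BACKUP_EXTENSIONS:
            # Backup data sitting on the live share is exactly what the
            # ransomware goes looking for; it belongs on isolated storage.
            report["backup_files"].append(rel)
            continue
        with path.open("rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        if ext in MAGIC:
            # Known type but wrong leading bytes: encrypted in place.
            if not head.startswith(MAGIC[ext]):
                report["magic_mismatch"].append(rel)
        elif shannon_entropy(head) >= ENTROPY_THRESHOLD:
            # Unknown extension and ciphertext-like content: encrypted and renamed.
            report["high_entropy_unknown"].append(rel)
    return report


def build_sample_tree(root) -> None:
    """Write a constructed share: two healthy files, two encrypted ones, one backup."""
    root = Path(root)
    (root / "Backups").mkdir(parents=True, exist_ok=True)
    rng = random.Random(2017)  # seeded so the demo is reproducible

    def junk(n: int) -> bytes:
        # Pseudo-random bytes standing in for ciphertext (constructed, not real output).
        return bytes(rng.getrandbits(8) for _ in range(n))

    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"word/document.xml " * 200)
    (root / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00\x10\x20\x30" * 1000)
    (root / "budget.xlsx").write_bytes(junk(4096))        # encrypted, name kept
    (root / "notes.txt.locked").write_bytes(junk(4096))   # encrypted, renamed (constructed suffix)
    (root / "Backups" / "Daily.vbk").write_bytes(b"placeholder, not a real Veeam backup")


@functools.lru_cache(maxsize=None)
def run_demo() -> dict:
    """Build the sample share in a temp directory and audit it."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    build_sample_tree(root)
    return audit_share(root)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On the constructed share the report lists Backups/Daily.vbk as backup data on the live share, budget.xlsx as a magic-byte mismatch and notes.txt.locked as a high-entropy file of unknown type, while report.docx and photo.jpg pass. Treat it as a triage aid rather than a detector: compressed archives and legitimately encrypted containers are also high-entropy, so hits on unknown extensions need a human look, and a backup file found on a production share is the thing to fix before the incident, not after.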
Info
Channel: GEE VEEAM
Views: 5,145
Rating: 5 out of 5
Keywords: Ransomware, Veeam, IVMR, INSTANT VM RECOVERY, RAAS, BACKUP AND REPLICATION
Id: Litmmza6OYU
Length: 21min 22sec (1282 seconds)
Published: Mon Jul 24 2017