The component Transport will be installed. Select Single-use credentials for hardened repository.Ĭredential has been added. Select the credential in the drop-down list or click on Add to add a new credential. You can enter description if you want.Ĭlick on Add New for add new Repository server.Įnter DNS name or IP address of the Linux Server. Select Direct attached storage in the wizard.Įnter the name of the repository and click on Next. sudo chmod 700 /Backup Create Backup Repositoryįrom the Veeam server, open the Backup Infrastructure view and select Backup Repositories. You can grant access to the file only to the owner with the following command. The Backup folder is created in the root. Create folder for the hardened repositoryįrom the Linux server, create the folder with the following command. The Veeam Data Mover Service used by Hardened repository requires the Linux host 64 bits.
The immutability feature, require to select forward incremental with active full or synthetic full backup when the job is created. Without this retention policy, you can’t use the immutability. Note that immutable backup files can’t be deleted manually.īackup copy jobs it is necessary to set up GFS retention policy. So the file is not deleted even if the retention is over, the file is deleted when the immutability period is over. The job retention is overrides by the Immutability retention.
Special security protocol, password update, and account security measures for Veeam should be implemented to prevent Veeam account takeover.
Rclone and other data exfiltration command-line interface activities can be captured through proper logging of process execution with command-line arguments.
To prevent lateral movement, network hierarchy protocols and should be implemented with network segregation and decentralization.Īudit and/or block command-line interpreters by using whitelisting tools, like AppLocker or Software Restriction Policies with the focus on any suspicious “curl” command and unauthorized “.msi” installer scripts particularly those from C:\ProgramData and C:\Temp directory Tracking externally exposed endpoints is therefore critical. Sometimes Conti uses corporate VPN compromise and TrickBot delivery as an alternative means for attack initiation. Conti uses very developed social engineering techniques in order to convince the victim employees that the targeted emails are legitimated. To prevent the attack initiations, employee training, and email security protocols should be implemented.
Secure backup solutions and mitigations listed will enable any possible victims to leave Conti without their demanded ransom money. Maintaining developed protocols of access rights hierarchy, network security, and password hygiene, as well as systemic network monitoring aimed at spotting abnormal network behavior may significantly reduce the chances of Conti successfully removing backups. This way, Conti simultaneously exfiltrated the data for further victim blackmailing, while leaving the victim with no chances to quickly recover their files as the backups are removed. Conti hunts for Veeam privileged users and services and leverages to access, exfiltrate, remove and encrypt backups to ensure ransomware breaches are un-”backupable”. Conti group is particularly methodical in developing and implementing backup removal techniques.Ĭonti’s tactics are based on utilizing the skills of their network intruders or “pentesters” in order to ensure to target on-premise and cloud backup solutions. Backups are a major obstacle for any ransomware operation as they allow the victim to resume business by performing data recovery instead of paying ransom to the criminals.Ĭyber groups specifically target backup solutions in order to ensure that the victim has no other option except for paying the ransom.