Veeam backups targeted by the Conti ransomware group

Conti ransomware first appeared in late 2019 and has steadily grown into one of the foremost ransomware-as-a-service (RaaS) operations. A recent report from the ransomware incident response firm Coveware [1], based on thousands of cases investigated during Q2 2021, showed Conti V2 to be the second-most-prevalent ransomware encountered, trailing Sodinokibi (also known as REvil) by just 2.1% for the top position.

Likewise, Veeam had the fastest revenue growth in the worldwide Data Replication & Protection market in 2H'20, both sequentially (+21.5%) and year over year (+17.9%), outpacing each of the other top 5 vendors, all other vendors combined, and the overall market average, according to the IDC Semi-annual Software Tracker, 2H20. In 2020 Veeam became the #2 provider worldwide in terms of overall revenue, with YoY growth more than 17.5 percentage points above the market average [2].

Ransomware gangs know that secure backups of critical files massively reduce the likelihood of a ransom being paid, so it comes as no surprise that the rising star of the cybercrime world is targeting Veeam, the fastest-growing and most widely deployed backup platform for virtualized infrastructures.

The anatomy of a Conti attack

The Conti ransomware group has made headlines around the world, causing a great deal of damage during its relatively short tenure. Of course, the group did not appear from nowhere: it is believed to be the same group that was behind Ryuk ransomware, which first appeared in 2018 and is known for targeting the Microsoft Windows networks of large public entities.

A Conti attack will typically start with very carefully crafted spam email messages based on specific research into prospective targets. Messages may be built around topics covered in the media regarding company executives and employees, a technique used to ensure that the attack emails are opened and the attached payload, the Cobalt Strike Beacon backdoor, is executed.

This emphasises the importance of training in spam and phishing email identification, a subject often overlooked in staff training programs. Useful resources on Security Awareness Training and Anti-Phishing Simulators can be found in our earlier article, The Blocky for Veeam ® – 5 Step Guide to a Safer Network.

A high-profile attack is not something rushed into; it is a complex operation. Before deploying the Cobalt Strike Beacon backdoor, the Conti attackers attempt to infiltrate the network and move laterally throughout the organization. The group will try to extend its reach beyond the initially infected machines, using communications protocols such as Server Message Block (SMB) to reach and encrypt as many remote machines as possible.

Once the Cobalt Strike Beacon has been deployed, it signals Conti's team of experienced network intruders, known as "pentesters", to get to work, seeking both local and cloud-based backups within the target network.

The pentesters search specifically for Veeam privileged users and services, which they can then leverage to access, exfiltrate, remove and encrypt backups, ensuring their ransom demands are not hindered by this last line of defense.

Of course, backup files are not just an insurance policy against ransomware attacks; they are also a potential mine of customer data and other Personally Identifiable Information (PII). Exfiltrated backup files will therefore most likely contain PII that can be used for data-breach double extortion.

The entire process is very much a manual operation, culminating in the deletion of Veeam backup files (.vbk) simply using the Windows 'rm' command, followed by encryption of the Veeam-designated local domains using the Conti locker.

Steps to mitigate Conti Veeam backup removal attacks

An effective cybersecurity policy will always need a holistic approach, presenting as many hurdles to prospective attackers as possible. Here we outline 5 key areas that should be addressed to reduce your attack surface and ensure your Veeam backups are as safe as possible.

Security education

The importance of regular and evaluated staff training around IT security cannot be stressed enough. Improving your internal security education will greatly reduce the success rate of social engineering campaigns against your organization.

Endpoint protection

With the recent increase in remote working, endpoint devices have grown in number, and organizations have set up additional remote network access facilities to accommodate them. Second only to social engineering, remote access protocols such as VPN and RDP have known vulnerabilities that are regularly exploited by the attackers' pentesters, so expert advice on endpoint and access-protocol vulnerabilities is vital.

Implement Application Fingerprint (Whitelisting) technology

Whitelisting technology can be used at many points within your Veeam backup infrastructure. The most direct and effective place is at the backup volume level. Blocky for Veeam® uses application fingerprinting techniques that make it practically impossible for malware code to masquerade as an approved application and gain control of backup volumes. It will also block any manual attempts to alter the contents of backup volumes using commands such as 'rm' from the Windows command line. At a more general level, tools provided with the Microsoft operating system, such as AppLocker, can help you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers.

Early detection is paramount

Stopping an attack in its early stages will of course limit the damage caused and improve your chances of a rapid recovery. The Conti gang has released multiple new revisions of the ransomware, improving and expanding its capabilities in each version. For this reason, detection tools such as anti-virus, which rely on blacklists of 'known' threats, are always on the back foot. New ransomware variants are called 'zero day' attacks when they first appear on the scene; however, whitelisting technologies still have the potential to stop them in their tracks, because they block anything that is not explicitly approved rather than looking for a known signature. Blocky for Veeam® not only works in this way, but can also be configured to alert administrators to any access attempts on backup volumes by unauthorized executables. Alerts can be delivered by email, SMTP and through log files. Identification of unauthorized attempts to modify backup volume contents can provide early warning of a zero-day attack unfolding.
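To make the whitelisting and early-detection points above concrete, here is an added example (not Blocky's or Veeam's code) that applies an allowlist of approved backup processes to file-audit events and raises an alert whenever anything else deletes or writes a Veeam backup file. The event format is a constructed flattening of Windows Security 4663 object-access records, the approved process paths are placeholders, and the sample log lines are constructed for the demonstration.

```python
import re
from collections import namedtuple

# Processes allowed to modify backup volumes. Placeholder paths (assumption):
# replace them with the real Veeam service binaries on the backup server.
APPROVED_PROCESSES = {r"c:\placeholder\veeam\backupservice.exe"}
# Veeam backup file types: full, incremental, reverse-incremental, metadata.
BACKUP_EXTENSIONS = (".vbk", ".vib", ".vrb", ".vbm")
# Access rights in a file-audit event that can destroy or corrupt a backup.
DESTRUCTIVE_ACCESSES = ("DELETE", "WriteData", "AppendData")
# Events are assumed to be Windows Security 4663 (object access) records
# flattened to key="value" pairs; this regex pulls the pairs out.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
Alert = namedtuple("Alert", "user process path accesses")

def parse_event(line):
    """Turn one flattened audit line into a dict of its fields."""
    return dict(FIELD_RE.findall(line))

def detect(lines):
    """Alert on destructive access to a backup file by any process not on the
    allowlist: a brand-new locker and a manual 'rm' from a shell both trip it."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        path = ev.get("ObjectName", "")
        if ev.get("EventID") != "4663" or not path.lower().endswith(BACKUP_EXTENSIONS):
            continue
        accesses = ev.get("Accesses", "")
        if not any(a in accesses for a in DESTRUCTIVE_ACCESSES):
            continue
        proc = ev.get("ProcessName", "?")
        if proc.lower() in APPROVED_PROCESSES:
            continue  # an approved backup process doing its job
        alerts.append(Alert(ev.get("SubjectUserName", "?"), proc, path, accesses))
    return alerts

# Constructed sample log: a legitimate write, a .vbk deleted from cmd.exe,
# a non-backup file deleted, a harmless read, and an unrelated logon event.
SAMPLE_LOG = [
    'EventID="4663" SubjectUserName="svc_veeam" ObjectName="E:\\Bk\\fs01.vbk" '
    'ProcessName="C:\\Placeholder\\Veeam\\BackupService.exe" Accesses="WriteData"',
    'EventID="4663" SubjectUserName="jdoe" ObjectName="E:\\Bk\\fs01.vbk" '
    'ProcessName="C:\\Windows\\System32\\cmd.exe" Accesses="DELETE"',
    'EventID="4663" SubjectUserName="jdoe" ObjectName="E:\\Bk\\notes.txt" '
    'ProcessName="C:\\Windows\\System32\\cmd.exe" Accesses="DELETE"',
    'EventID="4663" SubjectUserName="jdoe" ObjectName="E:\\Bk\\fs01.vbk" '
    'ProcessName="C:\\Windows\\System32\\notepad.exe" Accesses="ReadData"',
    'EventID="4624" SubjectUserName="jdoe" LogonType="10"',
]
```

Running detect(SAMPLE_LOG) yields a single alert, for the .vbk deleted via cmd.exe; the approved service's write, the read, the non-backup deletion and the logon event are all ignored, which is the behaviour an email or log-file alert would be wired to.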

Veeam account security

There are a multitude of account security measures for Veeam that should be implemented to prevent Veeam account takeover. These can be found in the excellent online best-practice resources provided by Veeam, many of which are referenced in our previous article, Quick tips for Veeam® Backup Security.

For any questions, please get in touch through our contact form; the Blocky team is always ready to help.