Demo: Simulation of Ransomware remediation with Veeam ONE

Veeam ONE is a monitoring and reporting tool that is available to customers starting from the most basic Veeam Data Platform licensing bundle (VDP Essentials).

Besides automating virtual and backup infrastructure troubleshooting, Veeam ONE can be configured to detect a possible ransomware incident in the production environment and to remediate it. The remediation actions can run automatically or only after an administrator approves them.

These actions can be simulated in a simple test environment.

This demonstration simulates a response to a ransomware attack and shows how to:

  • Use the Veeam ONE alarm remediation actions (automatic or by approval);
  • Use Iometer to generate intensive write operations and emulate the disk writes of a ransomware encryption run;
  • Deploy PowerShell scripts that act on Hyper-V VMs;
  • Use Veeam Backup & Replication Secure Restore together with a Windows Defender antivirus scan;
  • Protect backup files with the immutability of a Linux Hardened Repository.

There is a bit of clickbait in the form of a Teddy Bear icon and wallpaper 😊

Here is the PowerShell script for the compromised VM. It only changes the wallpaper and blocks keyboard and mouse input for a while; Iometer must already be running in the background to produce the write load that the alarm reacts to. Change the wallpaper path to suit your simulation. Note that BlockInput only succeeds from an elevated (administrator) session.

# Simulated "infection": give Iometer a few seconds to ramp up the write load first
Start-Sleep -Seconds 5

# Change the desktop wallpaper through the Win32 SystemParametersInfo API
# (uAction 20 = SPI_SETDESKWALLPAPER, fuWinIni 3 = update the user profile and broadcast the change)
$MyWallpaper = "C:\skull-virus-malware.png"
$code = @'
using System.Runtime.InteropServices;
namespace Win32 {
    public class Wallpaper {
        [DllImport("user32.dll", CharSet=CharSet.Auto)]
        static extern int SystemParametersInfo(int uAction, int uParam, string lpvParam, int fuWinIni);
        public static void SetWallpaper(string thePath) {
            SystemParametersInfo(20, 0, thePath, 3);
        }
    }
}
'@
Add-Type -TypeDefinition $code
[Win32.Wallpaper]::SetWallpaper($MyWallpaper)

# Block keyboard and mouse input via user32!BlockInput (requires an elevated session)
$code = @"
[DllImport("user32.dll")]
public static extern bool BlockInput(bool fBlockIt);
"@
$userInput = Add-Type -MemberDefinition $code -Name UserInput -Namespace UserInput -PassThru

function Disable-UserInput($seconds) {
    $userInput::BlockInput($true)
    Start-Sleep $seconds
    $userInput::BlockInput($false)
}

# Lock the console for 5 minutes so the "victim" cannot interfere with the simulation
Disable-UserInput -seconds 300 | Out-Null

And here is the PowerShell script for the Veeam ONE remediation action. It detaches the hard disk and removes the network adapter from the affected virtual machine, which stops the encryption run and blocks lateral movement.

# Positional arguments passed by the Veeam ONE alarm action: alarm name, alarm state, affected object
$AlarmName  = $args[0]
$AlarmState = $args[1]
$ObjectName = $args[2]

# Append an entry to the local action log
$Text = "$(Get-Date)" + "`r`n" + "$AlarmName" + " Removed the Hard Disk drive and the Network Adapter on " + "$ObjectName" + "`r`n"

$Text | Out-File C:\Users\Administrator\Desktop\Ransomware_Sim\anti-ransomware_actions.txt -Append

# Actions: detach the hard disk and remove the network adapter from the affected VM
# (stops the encryption job and any lateral movement).
# Both cmdlets target the Hyper-V host directly through -ComputerName, so no remote
# session is needed (Enter-PSSession does not redirect commands inside a script anyway).
# The Hyper-V PowerShell module must be installed where Veeam ONE runs the action, and the
# account running it must be allowed to manage VMs on LAB-DATACENTER.
# Remove-VMHardDiskDrive only detaches the disk; the VHDX file stays on the host.

Remove-VMHardDiskDrive -ComputerName LAB-DATACENTER -VMName "$ObjectName" -ControllerType SCSI -ControllerNumber 0 -ControllerLocation 0

Remove-VMNetworkAdapter -ComputerName LAB-DATACENTER -VMName "$ObjectName"
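As an added example, not the post's own script, the same remediation written more defensively: it verifies that the alarm object really is a VM on the expected Hyper-V host, records the disk and adapter layout to a JSON file before changing anything, disconnects the network adapters (reversible) instead of deleting them, detaches every SCSI disk rather than only 0:0, supports -WhatIf for a dry run, and logs failures with a non-zero exit code. The host name LAB-DATACENTER, the log directory and the positional argument order are assumptions copied from the script above; the cmdlets are from the standard Hyper-V PowerShell module.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # Positional arguments as passed by the Veeam ONE alarm action (same order as the script above)
    [Parameter(Mandatory, Position = 0)] [string] $AlarmName,
    [Parameter(Mandatory, Position = 1)] [string] $AlarmState,
    [Parameter(Mandatory, Position = 2)] [string] $ObjectName,
    # Assumed lab values taken from the post; adjust for your environment
    [string] $HyperVHost = 'LAB-DATACENTER',
    [string] $LogDir     = 'C:\Users\Administrator\Desktop\Ransomware_Sim'
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

function Write-ActionLog {
    param([string] $Message)
    $line = '{0:u} [{1} / {2}] {3}' -f (Get-Date), $AlarmName, $AlarmState, $Message
    Add-Content -Path (Join-Path $LogDir 'anti-ransomware_actions.txt') -Value $line
}

try {
    # 1. Make sure the alarm object is a VM on the expected host before touching anything
    $vm = Get-VM -ComputerName $HyperVHost -Name $ObjectName
    Write-ActionLog "VM '$ObjectName' found on $HyperVHost, state $($vm.State)"

    # 2. Record the disk and adapter layout so the VM can be reassembled after forensics
    $inventory = [ordered]@{
        CapturedAt = (Get-Date).ToString('u')
        Disks      = @(Get-VMHardDiskDrive -VM $vm |
                       Select-Object Path, ControllerType, ControllerNumber, ControllerLocation)
        Adapters   = @(Get-VMNetworkAdapter -VM $vm |
                       Select-Object Name, MacAddress, SwitchName)
    }
    $inventoryFile = Join-Path $LogDir ('{0}_{1:yyyyMMdd-HHmmss}.json' -f $ObjectName, (Get-Date))
    $inventory | ConvertTo-Json -Depth 4 | Set-Content -Path $inventoryFile
    Write-ActionLog "Inventory written to $inventoryFile"

    # 3. Cut the network first: disconnecting is instant and reversible, and stops lateral movement
    if ($PSCmdlet.ShouldProcess($ObjectName, 'Disconnect all network adapters')) {
        Get-VMNetworkAdapter -VM $vm | Disconnect-VMNetworkAdapter
        Write-ActionLog 'Network adapters disconnected'
    }

    # 4. Detach every SCSI disk (not only 0:0) so the encryption process loses its targets.
    #    The VHDX files stay on the host for Secure Restore and forensic comparison.
    if ($PSCmdlet.ShouldProcess($ObjectName, 'Detach all SCSI hard disk drives')) {
        Get-VMHardDiskDrive -VM $vm | Where-Object ControllerType -eq 'SCSI' | Remove-VMHardDiskDrive
        Write-ActionLog 'SCSI hard disk drives detached'
    }
}
catch {
    # A failed containment must be visible: log it and return a non-zero exit code to Veeam ONE
    Write-ActionLog "FAILED: $($_.Exception.Message)"
    exit 1
}
```

On a Generation 2 VM, SCSI 0:0 is usually the boot disk, so detaching it crashes the guest; that is the intended containment effect, and it is the reason the inventory is written before any change. Run the script once with -WhatIf from the Veeam ONE server to confirm that the account it runs under can reach the host and enumerate the VM before enabling the action for real.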

I hope this video was helpful!
