Ransomware attacks are on the rise – in 2021, the number of ransomware attacks rose by 92.7% compared to 2020 levels, with 2,690 attacks reported. In this short article, we’ll show you how Kasten K10 by Veeam can be leveraged to detect a common ransomware pattern in order to prevent data loss or corruption.
Follow along and get a visual by watching this demo video.
In the upper right of the screenshot is the Kasten K10 UI. Underneath is the terminal and on the left is the Falco dashboard. Falco is a helpful sidekick utility that’s used to display a real-time livestream of events that we want to detect:
Say a bad actor phished an admin and now has unrestricted access to Kasten K10. The attacker will first look to see what applications they have access to. You can see that they now have access to application namespaces:
In this scenario, the nginx server provides a frontend GUI, and the attacker wants to disrupt it because it serves revenue-generating activity. With unrestricted access, the attacker may look to see what restore points are available:
Once the attacker starts to discover data, the events pop up in near real time:
This detection policy has been written to be aggressive in detecting when an attacker could be performing discovery to determine the level of protection for the application:
The next step an attacker would want to take is to destroy the backups in preparation for a ransomware attack. They could attempt this action either via the Kasten K10 web interface or, as shown below, using the Kubernetes API:
In the Falco UI, we can see that these events have been detected:
In order to prevent this deletion, backup exports should be stored on immutable storage. Immutability is supported by Kasten K10 in both S3 and Veeam Hardened Repository locations. If immutability were enabled in this scenario, the failed attempts to delete K10 RestorePoints would be a strong early indicator of compromise.
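The Python below applies the three signals described above (restore point discovery, deletion, and failed deletion) to Kubernetes audit events. It is an added example, not the Falco policy from the demo and not Kasten code. The `apps.kio.kasten.io` group and resource names, the rule names, and the constructed sample events (user, `nginx` namespace, restore point names) are assumptions.

```python
import json
# Assumption: K10 serves restore points from this aggregated API group.
K10_GROUP = "apps.kio.kasten.io"
K10_RESOURCES = {"restorepoints", "restorepointcontents"}
DISCOVERY_VERBS = {"get", "list", "watch"}
DELETE_VERBS = {"delete", "deletecollection"}

def classify(event):
    """Return (priority, rule) for one audit.k8s.io/v1 event, or None."""
    ref = event.get("objectRef") or {}
    if (event.get("stage") != "ResponseComplete"  # one alert per finished request
            or ref.get("apiGroup") != K10_GROUP or ref.get("resource") not in K10_RESOURCES):
        return None
    verb = event.get("verb")
    code = (event.get("responseStatus") or {}).get("code", 0)
    if verb in DISCOVERY_VERBS:
        return ("NOTICE", "k10_restorepoint_discovery")
    if verb in DELETE_VERBS:
        # A rejected delete (e.g. blocked by immutability) is still an indicator.
        rule = "k10_restorepoint_delete_failed" if code >= 400 else "k10_restorepoint_deleted"
        return ("CRITICAL", rule)
    return None

def scan(lines):
    alerts = []
    for line in lines:
        event = json.loads(line)
        hit = classify(event)
        if hit:
            ref = event["objectRef"]
            alerts.append({"priority": hit[0], "rule": hit[1],
                           "user": (event.get("user") or {}).get("username"),
                           "namespace": ref.get("namespace"), "name": ref.get("name")})
    return alerts

def _sample(verb, code, name=None, resource="restorepoints", group=K10_GROUP):
    # Constructed audit event, not captured from a real cluster.
    return json.dumps({"stage": "ResponseComplete", "verb": verb,
                       "user": {"username": "admin@example.com"},
                       "objectRef": {"apiGroup": group, "resource": resource,
                                     "namespace": "nginx", "name": name},
                       "responseStatus": {"code": code}})

SAMPLE_LOG = [_sample("list", 200), _sample("list", 200, resource="pods", group=""),
              _sample("delete", 200, "rp-constructed-1"),
              _sample("delete", 403, "rp-constructed-2")]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```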
Matt is a 15+ year IT veteran with a passion for educating others about emerging technologies. From roles in development, to sales, to enablement, Matt’s career has continually focused on creating connections between customer value and technical problem solving. His work at Kasten includes designing and delivering training on Kasten’s product and Kubernetes ecosystem for employees, partners, and the community. Matt holds a bachelor’s degree in Computer Engineering from Northeastern University.