
Ransomware attacks are on the rise – in 2021, the number of ransomware attacks rose by 92.7% compared to 2020 levels, with 2,690 attacks reported. In this short article, we’ll show you how Kasten K10 by Veeam can be leveraged to detect a common ransomware pattern in order to prevent data loss or corruption.


Follow along and get a visual by watching this demo video.



In the upper right of the screenshot is the Kasten K10 UI. Underneath is the terminal and on the left is the Falco dashboard. Falco is a helpful sidekick utility that’s used to display a real-time livestream of events that we want to detect:


image3


Say a bad actor phished an admin and now has unrestricted access to Kasten K10. The attacker will first look to see what applications they have access to. You can see that they now have access to application namespaces:


image1


In this scenario, the nginx server provides a frontend GUI, and the attacker wants to disrupt it because it serves revenue-generating activity. With unrestricted access, the attacker may look to see what restore points are available:


image8 


Once the attacker starts to discover data, the events pop up in near real time: 


image2


image6



This detection policy has been written to be aggressive in detecting when an attacker could be performing discovery to determine the level of protection for the application: 


image4


The next step an attacker would want to take is to destroy the backups in preparation for a ransomware attack. They could attempt this action either via the Kasten K10 web interface or, as shown below, using the Kubernetes API:


image7


In the Falco UI, we can see that these events have been detected:


image5


In order to prevent this deletion, backup exports should be stored on immutable storage. Immutability is supported by Kasten K10 in both S3 and Veeam Hardened Repository locations. If immutability were enabled in this scenario, the failed attempts to delete K10 RestorePoints would be a strong early indicator of compromise.


We hope you've enjoyed this quick look at how Kasten K10 helps to detect and analyze ransomware attacks in real time. Learn more about using Kasten K10 for ransomware protection, or start your free trial today.
