Veeam ONE – Ransomware Monitoring

Between the WannaCry outbreak and the Petya strain currently doing the rounds, ransomware detection/monitoring is a necessary tool for system administrators.

At the recent VeeamON Tour in Edinburgh, one of the SEs presented a session on ‘Ransomware Resiliency for the IT Decision Maker’. As part of the presentation, a couple of the slides discussed the importance of monitoring your environment for possible ransomware attacks/events. I was pleasantly surprised to learn that Veeam ONE has a built-in alarm for this already, which is also available in the free edition!

The alarm is called ‘Possible ransomware activity‘ and is enabled by default for both VMware and Hyper-V.

The parameters of the alarm are based on CPU Total Run Time and Disk Writes, but these can be amended to your own preference.

Pretty cool to see the alarm in the free edition. Just another reason to run Veeam ONE free edition against your virtual environment.

There’s a quote from Rick Vanover: “I guarantee Veeam ONE will show you something about your environment that you didn’t know AND need to address.” It sounds quite apt for ransomware events.

Now I appreciate this is not going to be the definitive solution to ransomware detection, as there may be false positives from heavily loaded VMs, hence the word ‘Possible‘ in the title. The alarm is there to raise awareness of a possible attack, and for system administrators to investigate, analyse and make a judgement call. I think you’ll agree being informed is infinitely better than being oblivious to an ongoing attack within your organisation.
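To make the two-metric rule and its false positives concrete, here is an added sketch (not Veeam ONE's code, and not from the original post) of an alarm that fires only when CPU usage and disk write rate both stay above a threshold for several consecutive samples. The threshold values, metric names, VM names and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed thresholds for illustration only; not Veeam ONE's shipped defaults.
CPU_PCT_THRESHOLD = 70.0      # percent CPU usage
WRITE_MBPS_THRESHOLD = 40.0   # disk write rate in MB/s
SUSTAIN_SAMPLES = 3           # consecutive samples both metrics must stay high

# Constructed samples: (minute, vm, cpu_pct, write_mbps)
SAMPLES = [
    # file-01: a single one-minute spike, then back to idle
    (0, "file-01", 12, 3), (1, "file-01", 85, 55), (2, "file-01", 15, 4),
    (3, "file-01", 14, 3), (4, "file-01", 13, 2),
    # hr-desktop: sustained high CPU and writes (encryption-like pattern)
    (0, "hr-desktop", 20, 5), (1, "hr-desktop", 88, 61),
    (2, "hr-desktop", 91, 70), (3, "hr-desktop", 93, 74),
    (4, "hr-desktop", 90, 68),
    # sql-batch: a legitimate heavy job that looks the same to this rule
    (0, "sql-batch", 75, 45), (1, "sql-batch", 80, 52),
    (2, "sql-batch", 78, 49), (3, "sql-batch", 30, 10),
    (4, "sql-batch", 25, 8),
]

def possible_ransomware(samples, cpu=CPU_PCT_THRESHOLD,
                        writes=WRITE_MBPS_THRESHOLD, sustain=SUSTAIN_SAMPLES):
    """Return {vm: minute at which the alarm first fires}."""
    by_vm = defaultdict(list)
    for minute, vm, cpu_pct, write_mbps in samples:
        by_vm[vm].append((minute, cpu_pct, write_mbps))
    fired = {}
    for vm, series in by_vm.items():
        streak = 0
        for minute, cpu_pct, write_mbps in sorted(series):
            # Both conditions must hold; either one alone is ordinary load.
            if cpu_pct > cpu and write_mbps > writes:
                streak += 1
            else:
                streak = 0  # any quiet sample resets the window
            if streak >= sustain:
                fired[vm] = minute
                break
    return fired

if __name__ == "__main__":
    for vm, minute in possible_ransomware(SAMPLES).items():
        print(f"minute {minute}: possible ransomware activity on {vm}")
```

The constructed `sql-batch` VM trips the alarm just like `hr-desktop` does, which is the heavily loaded VM false positive described above; raising the sustain window or thresholds trades that noise against slower detection.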

For more information about how Veeam can help, I’d suggest reading Michael Cade’s excellent blog post ‘RansomWARe – What is it Good for? Absolutely Nothing!’