Stop Ransomware Attacking your Backup Data

Following the news, and learning about other organisations falling victim to ransomware attacks, you might realise that your organisation is not immune from such an attack; in fact, your organisation could be next, The question is, when?

It has become a norm that every week that we hear on the news about another organisation falling victim to a ransomware attack. This news is making big headlines, and the organisations involved always pay the ransom to the attackers just to try and minimise the damage to the organisation caused by the headlines and the attack.

Many organisations are shopping for new technologies to protect their most important asset, data. However, acquiring and implementing these technologies can cost organisations a lot of money.

When it comes to data management and data backup, Veeam Software offers one of the best and cheapest ways to implement a secure backup solution that can minimise or almost eliminate the damage caused by a ransomware attack.

In this article, I will take you through the technologies on offer, and the ways you can adapt them to suit your organisation. So let’s get started.

Data Immutability

Let’s first define the term immutability: The idea behind immutable data is that the data cannot be altered or modified after creation. In the data management world, this means the backed up data should not be modified, deleted or altered in any way shape or form, for a predefined period, after it was written to the backup target.

Veeam and Data Immutability

Veeam implemented data immutability several years ago; but with the latest version, Veeam extended the support for immutability to the Linux world. With this support, they helped many customers to adopt and implement this feature in-house on a Linux server, and then enable the Linux immutability feature introduced with the xfs FileSystem.

How It Works

Protecting your backed up data has never been simpler when you implement the Veeam “Hardened Repository”. The implementation is very simple; it involves setting the immutability period you wish to implement when you create your immutable “Hardened” Linux repository. During the Repository configuration, you need only to set the period as shown on the following screenshot:

As shown on the screenshot, Make recent backup immutable for <7> days is the minimum, and the default, period allowed.

After the backup files are written to the repository, the Veeam backup repository flags these data as immutable for the pre-defined period; in this example, it is 7 days, in two different ways:

Standard backup

Let’s assume we are taking an incremental backup, starting on June 12. The first backup is a full backup; it then carries out incremental backups until June 18.

All the backup files are flagged as immutable, and the immutable flag is cleared on the 28 of June, as Veeam always adds ten days to the last restore point of an active backup chain.

GFS Backup

The same workflow is implemented with GFS backup; but this time, if your GFS full backup set to 7 years, then these full backup files are immutable for the 7 year period.

Deployment of Hardened Veeam Repository

*Note: on this article, I am taking you through the steps to implement Veeam Immutable Repository on a Ubuntu server deployed on-premises, or on the cloud (Azure). The following steps assume you have deployed the Linux server, and you wish to create a RAID-5 where you are hosting your immutable backup. So let’s get started from this point:

Add new disks to your Linux Server. An example setup is in the following figure:

From the command line, run the lsblk command to list, and get the names of the new disks. See the return of the lsblk command in the following screenshot:

From the list returned, you can see the new disks presented to the OS as, sdb, sdc and sdd.

Create the Array

We decided to use these three disks on a RAID-5 array. To set up the array, we must prepare the array first, then add the disk to the RAID-5 using the command: mdadm –create –verbose /dev/md0 –level=5 –raid-devices=3 /dev/sdb /dev/sdc /dev/sdd

To check the array creation progress, run the following command: cat /proc/mdstat

If you wish to watch the progress of the array creation process from 0% to 100%, use the following command: watch cat /proc/mdstat

Upon completion of the array creation, you are ready for the next step:

Next, lets prepare the file system to host the immutable backups.

Create Linux xfs File System

From the command line, run the following command to create an xfs file system on the newly created RAID-5 volume.

Use the command: sudo mkfs.xfs -b size=4096 -m reflink=1,crc=1 /dev/md0

Note: -b size=4096: logical block size set to 4096 bytes, -m: global metadata option, reflink: Enables sharing data blocks between files, and crc: maintains and checks CRC information in all metadata objects on disk.

After the xfs file system is created, we are ready to mount the new volume, or array, to a mount point.

Mount the newly created Array to a mount point

Let’s create a folder to be used as the mount point by running the following command: sudo mkdir /mnt/Volume5

Next, mount the array to the new mount point: sudo mount /dev/md0 /mnt/Volume5

To ensure the mount point is automatically mounted to the new array, we must save the array layout, and then add the mount to the /etc/fstab” file:

sudo mdadm –detail –scan | sudo tee -a /etc/mdadm/mdadm.conf

sudo update-initramfs -u

echo ‘/dev/md0 /mnt/Volume5 xfs defaults,nofail,discard 0 0’ | sudo tee -a /etc/fstab

Veeam Repository Configuration

As our focus in this process is securing the backup repository, we must minimise the attack surface on our repository. To achieve this, we will run through the following steps:

  • Create a temp user to be used during the repository add a process on the Veeam – Single-use credentials for hardened repository
  • Create a folder on the newly created Array (mount point)
  • Assign permissions to the backup folder

Let’s start with task one; creating the temporary user:

sudo useradd veeamuser –create-home -s /bin/bash

sudo passwd veeamuser

sudo usermod -a -G sudo veeamuser

sudo chown -R veeamuser:veeamuser /mnt/Volume5

sudo chmod 700 /mnt/Volume5/

After we complete the pre-requisites tasks to add the repository to the Veeam backup infrastructure, we are ready to start the creation of the new repository as described in the following instructions:

From the Veeam console, add a new repository, and provide the new repository server IP or Hostname:

On the Credential page, at the SSH Connection – Credentials text box, click the Add button. Select the Single-use credentials for hardened repository option from the dropdown list:

Let’s use the temp user we created earlier; in this example, veeamuser:

Complete the deployment of the Veeam Data Mover Service:

After the Data Mover Service deployment is complete, we must choose the mount point we created earlier. This folder is used to save our immutable backup:

Using the figure below as a guide, provide the backup location; in this example, it is /mnt/Volume5

Ensure the fast cloning on XFS volumes checkbox is enabled.

Apply the immutable period in days on the backup file. Note: 7 days is the minimum and the default value:

Assign a mount server from the list, and an instant recovery write cache folder. Use the figure following as a guide:

To complete the repository creation process, click on Apply. See the figure following:


Following the steps outlined above, you can create a backup and use the new Linux Server as a repository server. After the backup job run is complete, you can logon to the server using the temp user (before removing).

Check your backup files, if they are tagged as immutable, using the either of the following commands: lsattr or lsattr -l

After confirming that your backup is set up properly and works, you can remove the temporary user using the command: sudo deluser veeamuser

Leave a Reply