REDLab Newsletters

Article: 100073872
Last Published: 2025-03-12
Product(s): Appliances, NetBackup & Alta Data Protection

March 2025

Newsletter Link: REDLab-Newsletter-March-2025

We conducted LuckBit and Cactus ransomware attacks on the NetBackup Client, and the data on the client was encrypted. LuckBit ransomware appends ".znhpj" to filenames: a file initially named "example.pdf" appears as "example.pdf.znhpj". Similarly, Cactus ransomware appends a ".cts1" extension, where the number at the end of the extension can vary: "example.pdf" appears as "example.pdf.cts1". The LuckBit attack resulted in the generation of both a "Job anomaly" and an "Image entropy anomaly"; the Cactus attack resulted in the generation of a "Client health anomaly".

In this edition, we would like to introduce a feature known as 'Image entropy anomaly'. This feature incorporates an in-line ransomware detection process (nbinlinerwdetect) that analyzes the entropy of backed-up files together with file attributes (file size, file extension, file permissions, access time, modification time and change time) to detect anomalies. To enable the computation of entropy and file attributes, use the COMPUTE_IMAGE_ENTROPY option on the NetBackup primary server.

February 2025

Newsletter Link: REDLab-Newsletter-February-2025

We conducted INC and Abyss ransomware attacks on the NetBackup Client, and the data on the client was encrypted. INC ransomware appends ".INC" to filenames: a file initially named "example.pdf" appears as "example.pdf.INC". Similarly, Abyss ransomware appends the ".Abyss" extension: "example.pdf" appears as "example.pdf.Abyss". Both attacks resulted in the generation of a "Job anomaly" and a "Data anomaly".

In this edition, we would like to introduce a feature known as 'Security Configuration Risk Meter'. This feature provides a risk score based on the current security configuration of NetBackup; a higher risk score indicates weaker security settings. The score is determined by the configuration of various security features, including multifactor authentication (MFA), multi-person authorization (MPA), secure control communication, secure data-in-transit, secure certificate deployment, service user configuration, malware detection configuration and anomaly detection configuration.

January 2025

Newsletter Link: REDLab-Newsletter-January-2025

We conducted CryptMIC and MountLocker ransomware attacks on the NetBackup Client, and the data on the client was encrypted. CryptMIC ransomware does not append a specific ransomware extension to the names of encrypted files, whereas MountLocker ransomware appends the extension "ReadManual.C77BFF8C" to the file name, for example "Filename.ReadManual.C77BFF8C". The CryptMIC attack resulted in the generation of both a "Job anomaly" and a "Data anomaly"; the MountLocker attack resulted in the generation of a "Client health anomaly".

In this edition, we would like to introduce a feature known as 'Data Protection Add-On for Splunk Enterprise server'. The Data Protection Add-On integrates with Splunk so that users can forward product usage and behavior details from products such as NetBackup to the Splunk SIEM. Using this add-on, you can retrieve audit logs specific to NetBackup and Alta View on request from Splunk.

December 2024
Newsletter Link: REDLab-Newsletter-December-2024

We conducted Cuba and DataBlack ransomware attacks on the NetBackup Client, and the data on the client was encrypted. Cuba ransomware appends the extension ".cuba" to filenames, and DataBlack ransomware renames files in the form "random_filename.Datablack". Both attacks resulted in the generation of a "Client Health system anomaly", which also started an automatic malware scan of the backup image.

In this edition, we would like to introduce a feature known as 'Viewing hash values of malware-infected files and virus information'. For malware-scanned images in NetBackup, you can view the hash values (SHA-256) of the malware-infected files, their names, backup times and virus information in a .csv file.

October 2024
Newsletter Link: REDLab-Newsletter-October-2024

We conducted Royal and Xorist ransomware attacks on the NetBackup Client, and the data on the client was encrypted. Royal ransomware appends the extension ".royal" to filenames, resulting in the generation of a "Client Health system anomaly". Xorist ransomware appends ".xorist"; in this case the change in the data deduplication rate was detected by the ML algorithm, which generated an alert and also started an automatic malware scan of the backup image.

In this edition, we would like to introduce a feature known as 'Suspicious file extension detection'. It allows you to configure NetBackup to detect an anomaly if any file found in a backup carries a known ransomware extension. You can set a threshold for the percentage of files with suspicious extensions that must not be exceeded, and you can add custom file extensions to search for such files in your domain.
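As an added example (not NetBackup code and not taken from the newsletters), the following Python script reproduces the two detection ideas described here and in the March 2025 entry: a suspicious-extension check with a percentage threshold and custom extensions, and per-file Shannon entropy as a stand-in for the image entropy anomaly. The extension list and pattern, the sample files and the entropy rule are constructed for illustration and are assumptions, not NetBackup's own list or logic.

```python
import math
import random
import re
from collections import Counter

# Constructed extension list, built from the extensions reported in the newsletters on this page;
# NetBackup ships its own list, which this example does not reproduce.
RANSOMWARE_EXTENSIONS = {".znhpj", ".inc", ".abyss", ".cuba", ".royal", ".xorist",
                         ".play", ".basta", ".8base", ".medusa", ".wncry", "._locked"}
# Cactus appends ".cts<N>" with a varying number, so it needs a pattern rather than a literal.
RANSOMWARE_PATTERNS = [re.compile(r"\.cts\d+$", re.IGNORECASE)]

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, 8.0 for uniformly random (or well-encrypted) data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def has_suspicious_extension(name: str, custom_extensions=()) -> bool:
    """Case-insensitive match of the filename's tail against the list, the patterns and custom additions."""
    lower = name.lower()
    if any(lower.endswith(ext.lower()) for ext in RANSOMWARE_EXTENSIONS.union(custom_extensions)):
        return True
    return any(p.search(name) for p in RANSOMWARE_PATTERNS)

def analyze_backup(files, threshold_pct=10.0, entropy_limit=7.5, custom_extensions=()):
    """files: {name: content}. Raise an anomaly when the share of files with a suspicious extension,
    or the share of near-random files (hypothetical entropy rule), exceeds threshold_pct."""
    total = len(files)
    suspicious = sorted(n for n in files if has_suspicious_extension(n, custom_extensions))
    high_entropy = sorted(n for n, data in files.items() if shannon_entropy(data) >= entropy_limit)
    ext_pct = 100.0 * len(suspicious) / total if total else 0.0
    ent_pct = 100.0 * len(high_entropy) / total if total else 0.0
    return {
        "suspicious_files": suspicious, "suspicious_pct": ext_pct,
        "extension_anomaly": ext_pct > threshold_pct,
        "high_entropy_files": high_entropy, "high_entropy_pct": ent_pct,
        "entropy_anomaly": ent_pct > threshold_pct,
    }

# Constructed sample backup: three ordinary files plus two rewritten with random bytes and renamed.
_rng = random.Random(7)
SAMPLE_FILES = {
    "report.docx": b"Quarterly report: revenue up, costs flat. " * 100,
    "notes.txt": b"meeting notes, action items, owners, due dates\n" * 80,
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 2000,
    "example.pdf.znhpj": _rng.randbytes(4096),  # LuckBit-style rename from the March 2025 entry
    "budget.xlsx.cts3": _rng.randbytes(4096),   # Cactus-style rename, varying trailing number
}
```

Calling `analyze_backup(SAMPLE_FILES, threshold_pct=10.0)` flags both anomalies because 2 of 5 files (40%) carry a suspicious extension and the same two are near-random; raising the threshold above 40 suppresses both.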

September 2024
Newsletter Link: REDLab-Newsletter-September-2024

We conducted Play and Agenda ransomware attacks on the NetBackup Client, and the data on the client was encrypted. Play ransomware appends the extension ".PLAY" to filenames, resulting in the generation of a "Client Health anomaly". Agenda ransomware appends ".OnHnnBvUej"; in this case the change in the data deduplication rate was detected by the ML algorithm, which generated an alert and also started an automatic malware scan of the backup image.

In this edition, we would like to introduce a feature known as 'Anomaly detection for image expiration'. It allows you to configure NetBackup to detect anomalies in image expiration, helping to identify unusual or suspicious activity related to the expiration of backup images.

August 2024
Newsletter Link: REDLab-Newsletter-August-2024

We conducted Babuk and RansomEXX ransomware attacks on the NetBackup Client, and the data on the client was encrypted. Babuk ransomware appends the extension ".__NIST_K571__" to filenames, resulting in the generation of a "ransomware extension anomaly". RansomEXX ransomware appends ".txd0t"; in this case the change in the data deduplication rate was detected by the ML algorithm, which generated an alert and also started an automatic malware scan of the backup image.

In this edition, we would like to introduce a feature known as 'Anomaly configuration to enable automatic scanning'. It allows NetBackup to trigger an automatic malware scan for anomalies of high severity, according to the settings in the configuration file. Use the configuration file on the primary server to make the required settings.

July 2024
Newsletter Link: REDLab-Newsletter-July-2024

We conducted BlackSuit and CryptBB ransomware attacks on the NetBackup Client, and the data on the client was encrypted. BlackSuit ransomware appends the extension ".BlackSuit" to filenames, resulting in the generation of a "Client Health anomaly". CryptBB ransomware appends ".OKHkzrxNC"; in this case the change in the data deduplication rate was detected by the ML algorithm, which generated an alert.

In this edition, we would like to introduce a feature known as 'Malware scan before recovery'. This feature allows you to scan supported backup images for malware before initiating data recovery. If you start a recovery from a malware-affected backup image, a warning message appears and you are prompted for confirmation. This helps ensure that the recovered data is free from malware, enhancing security and reliability during the restoration process.

June 2024
Newsletter Link: REDLab-Newsletter-June-2024

We conducted BlackBasta and BlackCat ransomware attacks on the NetBackup Client, and the data on the client was encrypted. BlackBasta ransomware appends the extension ".basta" to filenames and BlackCat ransomware appends ".uhwuvz", in both cases resulting in the generation of a "Client Health anomaly". In this edition, we would like to introduce a feature known as NetBackup risk engine anomaly detection, which detects certain system anomalies proactively and sends appropriate alerts, enabling corrective action to be taken before any security threat can impact your environment.

May 2024
Newsletter Link: REDLab-Newsletter-May-2024

We conducted 8Base and Medusa ransomware attacks on the NetBackup Client, and the data on the client was encrypted. 8Base ransomware appends the extension ".8base" to filenames and Medusa ransomware appends ".medusa", in both cases resulting in the generation of a "Client Health anomaly". We have published script options for automating malware scan host configuration; refer to the May 2024 newsletter for in-depth details.

April 2024
Newsletter Link: REDLab-Newsletter-April-2024

We conducted Trigona and WannaCry ransomware attacks on the NetBackup Client, and the data on the client was encrypted. WannaCry ransomware appends the extension ".WNCRY" to filenames and Trigona ransomware appends "._locked", in both cases resulting in the generation of a ransomware file extension-based anomaly.

March 2024
Newsletter Link: REDLab-Newsletter-March-2024

We conducted LostTrust and LeakDB ransomware attacks on the NetBackup Client, resulting in the generation of a Client Health anomaly. This anomaly triggers a critical audit event indicating failed communication with the NetBackup Client. Consequently, this audit event generates an alert and reports the affected client's name to NetBackup IT Analytics or the SIEM/XDR platform.

February 2024
Newsletter Link: REDLab-Newsletter-February-2024

In this edition, we would like to introduce a feature known as data-in-transit encryption (DTE). Security policies require the backup administrator to ensure that the channel over which NetBackup clients send metadata and data to NetBackup servers is secure. In NetBackup 10.0 and later, the data and metadata are encrypted over the wire. We conducted Lucky and MuskOff ransomware attacks on the NetBackup Client; a Client Health anomaly was generated, which creates a critical audit event indicating failed communication with the NetBackup Client. This audit event generates an alert and reports the affected client's name to NetBackup IT Analytics or the SIEM/XDR platform.

January 2024
Newsletter Link: REDLab-Newsletter-January-2024

In this edition, we would like to introduce a feature known as multi-factor authentication (MFA), a multiple-step account login process that requires you to enter a 6-digit one-time password along with your password. It is strongly recommended that you configure multi-factor authentication to protect the security of your account. We carried out Faust and Mallox ransomware attacks on the NetBackup Client; a Client Health anomaly was generated, which creates a critical audit event indicating failed communication with the NetBackup Client. This audit event generates an alert and reports the affected client's name to NetBackup IT Analytics or the SIEM/XDR platform.

December 2023
Newsletter Link: REDLab-Newsletter-December-2023

In this edition, we would like to introduce a feature known as multi-person authorization (MPA). A NetBackup Security Administrator can configure multi-person authorization, which proactively protects NetBackup primary servers from an undesirable or malicious act by ensuring that a second authorized user approves the action before it is allowed to take place. We carried out BianLian and NoEscape ransomware attacks on the NetBackup Client. Data on the client was encrypted along with the NetBackup configuration files, and a Client Health anomaly was detected. Once the anomaly is detected, the Client Health system anomaly creates a critical audit event indicating failed communication with the NetBackup Client. This audit event generates an alert and reports the affected client's name to NetBackup IT Analytics or the SIEM/XDR platform.

November 2023
Newsletter Link: REDLab-Newsletter-November-2023

In this edition, we would like to introduce a feature known as anomaly detection of ransomware file extensions. During a backup operation, NetBackup 10.3 checks all file extensions, compares them with the ransomware extension list and generates an anomaly if there is a match. We carried out Rhysida and Akira ransomware attacks on VMware infrastructure protected by NetBackup; after the attack, a system anomaly of type ransomware file extension was generated. The NetBackup rules engine is a new feature added in NetBackup 10.3: a rules-based engine that can trigger certain threshold-based detection use cases and detects abnormal activity through NetBackup audit data.

October 2023
Newsletter Link: REDLab-Newsletter-October-2023

We carried out Maze and LockBit ransomware attacks on a NetBackup client. Data on the client was encrypted along with the NetBackup configuration files, and a Client Health anomaly was detected. Once the anomaly is detected, the Client Health anomaly creates a critical audit event indicating failed communication with the NetBackup Client. This audit event generates an alert and reports the affected client's name to NetBackup IT Analytics or the SIEM/XDR platform. In this edition, we would like to introduce a feature known as RBAC. Role-based access control in NetBackup enhances security by ensuring that users have the appropriate level of access to, and control over, backup and recovery operations. It helps prevent unauthorized access and minimizes the potential for errors or data breaches caused by users with overly broad permissions.

August 2023
Newsletter Link: REDLab-Newsletter-August-2023

In this edition, we would like to introduce you to the Isolated Recovery Environment (IRE), which enables air-gapped backup copies by disabling network connectivity to a secure copy of your critical data, providing administrators with a clean set of files on demand to neutralize the impact of a ransomware attack. We conducted Royal and Ryuk ransomware attacks on the NetBackup Client, resulting in the generation of a Client Health anomaly. This anomaly triggers a critical audit event indicating failed communication with the NetBackup Client. Consequently, this audit event generates an alert and reports the affected client's name to NetBackup IT Analytics or the SIEM/XDR platform.

June 2023
Newsletter Link: REDLab-Newsletter-June-2023

NetBackup 10.2 introduced a new anomaly detection framework through which we delivered two new extensions, Image Expiry and Client Health Anomaly. Both utilize our machine learning engine to provide just-in-time detection capabilities, keeping our customers one step ahead of new cyber attacks. These extensions, and any new ones, will be available in a single package to simplify deployment and will receive regular updates.
