
Ransomware Recovery with Veeam and Pure Storage in Latin America

The layered ransomware recovery architecture that combines Pure Storage SafeMode immutable snapshots with Veeam immutable backup — designed for Latin American organizations that cannot afford to pay the ransom

Ransomware operators in Latin America follow a consistent playbook before deploying their encryption payload: they spend days or weeks quietly locating and disabling backup software, deleting backup repositories and exfiltrating data for double-extortion leverage. By the time the encryption activates, the attackers have often neutralized the organization’s primary recovery option. The result: organizations face the impossible choice between paying the ransom or rebuilding from scratch over weeks or months.

The solution to this problem is a layered recovery architecture that creates multiple immutable copies of data that attackers cannot reach even with full administrative access to the environment. The combination of Pure Storage SafeMode at the storage layer and Veeam immutable backup at the backup layer provides defense in depth that has withstood real ransomware attacks against Latin American organizations.

Layer 1: Pure Storage SafeMode — Immutable Storage Snapshots

SafeMode is Pure Storage’s mechanism for creating array-level snapshots that cannot be deleted or modified by any user, including storage administrators, even if an attacker has obtained full administrative credentials to the storage array.

How SafeMode prevents ransomware from deleting snapshots:

  • SafeMode snapshots are protected by an additional authentication layer separate from the normal array admin credentials
  • Deleting or modifying SafeMode snapshots requires a multi-step verification process with Pure Storage Support that includes identity verification steps an attacker cannot complete
  • Even if an attacker compromises the storage admin account, they cannot delete SafeMode snapshots through normal array management commands
  • By default, SafeMode snapshots are retained for a minimum of 24 hours and can be configured for up to 30 days

In a ransomware attack, the encryption payload encrypts all production data on the FlashArray. However, SafeMode snapshots of the pre-encryption data remain intact on the array. Recovery from a SafeMode snapshot restores the encrypted volumes to their pre-encryption state. RTO for storage recovery from SafeMode is typically 15-60 minutes, depending on volume size.


Layer 2: Veeam Immutable Backup — Off-Array Backup Copies

SafeMode protects against encryption of production storage, but production storage snapshots have limited retention (typically 24 hours to 30 days). Veeam immutable backup provides the long-term recovery layer: backup copies that are stored separately from the production environment and protected by immutability mechanisms that ransomware cannot defeat even with privileged access.

The three Veeam immutable backup targets GLADiiUM deploys for Latin American organizations:

1. Hardened Linux Repository

A dedicated Linux server (physical or VM) configured in single-use mode, accepting Veeam backup data via Veeam’s proprietary protocol and storing it with XFS immutability flags. Even if an attacker obtains the root password to the Linux server, they cannot delete backup files protected by the Veeam immutability flag — the immutability is enforced at the filesystem level independent of user credentials.

2. S3 Object Lock

Veeam Scale-Out Backup Repository offloads backup data to S3-compatible object storage (AWS S3, Lenovo DG Series on-premises, Wasabi) with Object Lock compliance mode. Once written with Object Lock, backup data cannot be deleted or overwritten during the retention period by any API call, including calls from a compromised Veeam backup server. Ransomware has no deletion override to abuse, because Object Lock compliance mode does not provide one.
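A way to verify that claim on stored backup objects, as an added example (not GLADiiUM's or Veeam's code): it audits per-object lock metadata in the shape S3 HeadObject returns and flags anything not held in compliance mode for long enough. The function name, sample keys and the 7-day threshold are assumptions; the governance-mode bypass it checks for is standard S3 behaviour, not something the page discusses.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: per-object metadata using the HeadObject field names
# ObjectLockMode and ObjectLockRetainUntilDate. Keys and dates are made up.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_OBJECTS = [
    {"Key": "backups/job-a/0001.blk", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=30)},
    {"Key": "backups/job-a/0002.blk", "ObjectLockMode": "GOVERNANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=30)},
    {"Key": "backups/job-b/0001.blk", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=2)},
    {"Key": "backups/job-b/0002.blk"},  # no lock metadata at all
]


def audit_object_lock(objects, now, min_days_remaining):
    """Return {key: reason} for every object that could be deleted through
    the API sooner than the policy allows (hypothetical helper)."""
    findings = {}
    threshold = now + timedelta(days=min_days_remaining)
    for obj in objects:
        mode = obj.get("ObjectLockMode")
        until = obj.get("ObjectLockRetainUntilDate")
        if mode is None or until is None:
            findings[obj["Key"]] = "no retention set"
        elif mode != "COMPLIANCE":
            # Governance mode can be bypassed by a principal holding
            # s3:BypassGovernanceRetention; compliance mode has no bypass.
            findings[obj["Key"]] = f"mode {mode} can be bypassed"
        elif until < threshold:
            findings[obj["Key"]] = "retention ends inside the policy window"
    return findings


if __name__ == "__main__":
    for key, reason in audit_object_lock(SAMPLE_OBJECTS, NOW, 7).items():
        print(f"{key}: {reason}")
```
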

3. Pure Storage SafeMode + Veeam Integration

Pure Storage’s Plug-in for Veeam enables array-level SafeMode snapshots triggered by Veeam backup jobs, providing the fastest-restoring immutable backup copy: a SafeMode snapshot of the Veeam backup repository, protected from deletion, that can be recovered to a clean storage volume in minutes.

The Recovery Sequence

When ransomware strikes, work through the recovery decision tree:

  1. Can you recover from SafeMode snapshots? If the ransomware activated within the SafeMode retention window (24 hours to 30 days), recover production storage from SafeMode snapshots. Fastest recovery option — typically 15-60 minutes. Restores to the state at the last SafeMode snapshot, potentially losing minutes to hours of data depending on snapshot frequency.
  2. Do you need an earlier recovery point? If SafeMode snapshots don’t have the clean state you need, recover VMs from Veeam immutable backup. Recovery point depends on backup frequency — typically the backup from the night before ransomware activated. RTO is longer but RPO can reach further back.
  3. For tier-1 systems with Zerto: Recover from the Zerto journal to the specific timestamp seconds before the ransomware began encrypting. RPO in seconds, RTO in minutes. This is the gold standard recovery for mission-critical systems.
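The decision tree above as an added example (not GLADiiUM's tooling): given the last moment known to be clean, it picks the newest usable restore point per layer and reports the data-loss gap. The function name, snapshot schedule and timestamps are constructed assumptions, and the Zerto journal is simplified to a continuous window.

```python
from datetime import datetime, timedelta

# Constructed timeline (all values are sample data, not from a real incident).
ENCRYPTION_START = datetime(2024, 6, 10, 2, 15)
# SafeMode: a snapshot every 4 hours, 24 hours retained.
SAFEMODE_SNAPS = [datetime(2024, 6, 9, 4) + timedelta(hours=4 * i) for i in range(6)]
# Veeam: nightly immutable backup at 22:00, 14 days retained.
VEEAM_POINTS = [datetime(2024, 5, 27, 22) + timedelta(days=i) for i in range(14)]
# Zerto: journal window (earliest, latest) for a tier-1 system.
ZERTO_JOURNAL = (datetime(2024, 6, 9, 2, 15), datetime(2024, 6, 10, 2, 30))


def pick_restore_point(last_clean, safemode_snaps, veeam_points, zerto_journal=None):
    """Return (source, restore_time, gap) for the newest restore point that is
    not later than last_clean, or None if no layer reaches back that far.
    gap is how much data written before last_clean is lost."""
    # Tier-1 with Zerto: modelled as a journal that can be rewound to any
    # timestamp in its window (a simplification; the page gives RPO in seconds).
    if zerto_journal is not None:
        earliest, latest = zerto_journal
        if earliest <= last_clean <= latest:
            return ("zerto", last_clean, timedelta(0))
    # Otherwise prefer SafeMode (fastest restore), then fall back to Veeam.
    for source, points in (("safemode", safemode_snaps), ("veeam", veeam_points)):
        clean = [p for p in points if p <= last_clean]
        if clean:
            best = max(clean)
            return (source, best, last_clean - best)
    return None


if __name__ == "__main__":
    just_before = ENCRYPTION_START - timedelta(seconds=30)
    intrusion_began = datetime(2024, 6, 5, 12)  # long dwell: clean state is days old
    for label, t, journal in [("tier-2, caught at encryption", just_before, None),
                              ("tier-2, long dwell time", intrusion_began, None),
                              ("tier-1 with Zerto", just_before, ZERTO_JOURNAL)]:
        print(label, "->", pick_restore_point(t, SAFEMODE_SNAPS, VEEAM_POINTS, journal))
```

The second case shows why the Veeam layer matters: when the intrusion predates every retained SafeMode snapshot, the only clean copy is an older backup.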

Build Ransomware Recovery That Works Without Paying the Ransom

GLADiiUM will assess your current backup and storage environment, identify ransomware exposure gaps, and design the layered Veeam + Pure Storage + Zerto architecture appropriate for your organization.