Executive Summary

A recent report has found that almost all (93%) of ransomware attacks explicitly target backups and most succeed, with 60% of those attacked paying the ransom. 1 in 4 organisations paid the ransom and did not get their data back, and 75% of backup repositories were affected in successful attacks. This all highlights the importance of backup immutability and protecting access to backups as they are now the primary focus of the attacker.

What is the risk to my business?

With the rise of ransomware attacks, as identified by the report, attackers are deliberately seeking to compromise backups of an organisation. This means that even if the organisation has backups of their data, they are not necessarily protected since the backups are seen as a critical target to aim for which could then lead to further compromises, with the report detailing that 56% of organisations risked reinfection during restoration of their data after an attack. Attackers are also more commonly using double and triple extortion techniques instead of just encrypting the organisations data, which include exfiltrating the data, threating to release the data unless a ransom is paid or directly targeting individuals of whom the data may concern for a payment instead.

By targeting the backup, the time it takes for to recover to a business-as-usual state could be substantially increased. In a worst-case scenario complete data loss could occur, leading to potentially unrecoverable financial and reputational impacts to the organisation.

What can I do?

The best defence from a ransomware attack is implementing strong information and cyber security policies which dictate controls across people, processes and technology, including detection capabilities to identify and prevent an attack. These controls should be further enhanced with user education and awareness training to reduce the likeness of a ransomware attack from occurring at the ingress point which is often the end user.

Other actions to help protect backups from attacker includes ensuring that the backup solution being used provides immutability, meaning that the backed-up data cannot be altered once it has been saved. Backup Assurance testing should be regularly undertaken to ensure the data, and the environment stored can be recovered successfully. Consideration should be made for the use of air gapped environments between production and backup to lower the risk of lateral intrusion.

Further information on the report is available here:

https://www.veeam.com/blog/2023-ransomware-trends-report-insights-html.html

Need help understanding your gaps, or just want some advice? Get in touch with us.

#threatadvisory #threatintelligence #cybersecurity