There are two main ways to recover encrypted data after a ransomware attack: restoring from backups and paying the ransom. The attackers also know this and try to deprive companies of a solution by attacking backups.
Two problems, same cause: Complete recovery of data after a ransom payment is highly uncertain, because in case of doubt you cannot rely on a promise from cybercriminals. And restoring the data from the backups doesn't work in many cases because the cybercriminals have often encrypted them in order to dramatically increase the pressure on the victims to pay the ransom. Companies that don't have a protected backup in place are in a bind. It is therefore advisable to combine security and data backup to maximize the protection of backups and also rely on immutable backups.
Hard facts prove the risk
In a survey of nearly 3.000 IT and cybersecurity professionals worldwide conducted by market research firm Vanson Bourne on behalf of Sophos in early 2024, it became clear that the financial and operational impact of a backup compromise due to a ransomware attack is immense. Overall, four main findings from the survey stand out:
Insight 1
Ransomware attackers almost always try to compromise your backups. At 94 percent of companies affected by ransomware last year, cybercriminals attempted to compromise backups during the attack.
Insight 2
The success rate for compromises varies greatly depending on the industry. Across all industries, an average of 57 percent of backup compromise attempts were successful. Interestingly, there are big differences across different industries, from 79 percent in the energy, oil/gas and utilities sectors to 30 percent for the IT, technology and telecommunications sectors.
Insight 3
Ransom demands double when backups are compromised. On average, victims whose backups were compromised received ransom demands that were more than twice as high as those whose backups were not affected. The average ransom demands were $2,3 million (backups compromised) and $1 million (backups not compromised).
Insight 4
The cost of recovering from a ransomware attack is eight times higher when backups are compromised. Outages caused by ransomware, in addition to potential ransom payments, often have a significant impact on daily business operations. In addition, restoring IT systems is complex and expensive. The average total cost to recover from a ransomware attack for organizations whose backups were compromised averaged $3 million. That's eight times the amount of organizations whose backups were not affected, which spent an average of $375.000.
Important tips for protecting backups from ransomware
🔎 The success rate of attackers when attempting to compromise the backups is usually 50 percent or more (Image: Sophos).
With the help of security services such as Managed Detection and Response, companies can detect and stop malicious actors in the entire IT infrastructure around the clock - even before systems and thus backups are compromised. This is particularly helpful for companies that cannot operate their own security operations center (SOC) or do not have their own security specialists with forensics experience and 24×7 availability on their team.
It also makes sense to integrate the backup with the security ecosystem. Like all endpoints, backup systems should be continuously and actively protected against ransomware and other malicious damage. Protection is particularly effective when security or security services are an integral part of the backup solutions, as implemented by Sophos in cooperation with Arcserve and Veeam.
Additionally, the following three tips can significantly reduce the dangers of a ransomware attack:
- Regularly create backups and store them in multiple locations, for example according to the 3-2-1 rule.
- Enabling MFA (multi-factor authentication), especially on cloud backup accounts, to prevent attackers from gaining access.
- Regular testing and practicing data recovery from backups. The more fluid the recovery process is, the faster and easier companies can recover from an attack.
- Security monitoring and monitoring of backups in order to detect and respond to suspicious activities from potential attackers in a timely manner.
About Sophos More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.
1 thoughts on "Why cybercriminals specifically target backups"
Comments closed