Why Backups Are Key Ransomware Targets

Tony MasonCyber Security, Data Backup, Data Protection

And 10 Best Practices for being Ransomware Resilient

We keep hearing “Ransomware is the new normal.”  Cyberthreats such as ransomware are a constant concern, now more than ever. The frequency of ransomware attacks continues to increase and new regulatory standards for cybersecurity are constantly being introduced. This means safeguarding your data (and business) against ransomware attacks is a necessity.

The frequency of attempted ransomware attacks respondents experienced over the past 12 months​:

IT managers, CISOs, and CIOs recognise the crucial importance of data protection within their organisations. They are seeking a ransomware solution, understanding that the risk extends beyond data to the entire business. Plus, ransomware is increasingly targeting backup data.

So, what’s the level of concern across those tasked with cyber resilience?

According to the Enterprise Strategy Group (ESG) report, “2023 Ransomware Preparedness: Lighting the Way to Readiness and Mitigation,” of the 600 IT and cybersecurity professionals surveyed, only 4% were not concerned at all about ransomware attacks affecting their data protection copies. That means 96% have at least some level of concern for their backup data! That’s nearly one in three voicing serious concerns.

Access the full report

Let’s examine the current ransomware landscape. This will help us understand why backups are becoming prime targets.  Then let’s identify the proactive and reactive measures companies should implement to avoid falling victim to ransomware. This analysis will guide us into discussing data protection best practices that ensure cyber readiness.

6 Reasons why backup is targeted by ransomware
  • Data recovery Ransomware attackers know that organisations depend on backups to recover from data loss incidents. By encrypting or deleting backup data, cybercriminals greatly diminish the victim’s ability to restore their systems and data without paying the ransom.
  • Business continuity: When backup data is compromised, an organisation’s ability to continue its operations is severely hindered. Ransomware attacks are designed to disrupt business continuity and inflict financial damage.  So targeting backups is a particularly effective way to achieve this goal.
  • Data value: Backups often hold a comprehensive record of an organisation’s data, including sensitive customer information, intellectual property, and financial records. Ransomware attackers may threaten to expose or sell this data to pressure victims into paying the ransom. They can also exploit compliance-critical data, putting organisations at risk of serious liabilities, substantial fines, and reputational damage.
  • Access and control: Once ransomware infects a system, it often spreads to other network devices. By compromising backups, attackers gain a strategic foothold in the organisation’s infrastructure, facilitating further attacks, ransom demands, and additional damage. This is a significant concern for businesses utilising Entra ID.
  • Lack of separation:  Cloud backups are often stored on the same network or in the same cloud environment as the primary data. This is true for Microsoft backups and others using public cloud services. If ransomware infiltrates one part of the network, it can easily spread to inadequately separated backups.  This will make them vulnerable. Put simply, one attack could reach all your production data and backup data. This brings to mind the saying ‘Don’t put all your eggs in one basket’.  It is also why true backup requires having backup data stored on a logically separate infrastructure. 
  • Minimal security measures: Historically, cloud backups have not received the same level of security scrutiny as production data. Many companies focus their security efforts on their active systems.  They also underestimate the need to secure backups adequately. If your backups aren’t stored safely and independently, how can you restore your data from them in the event of an attack? Organisations also now need to concentrate on how to secure their backups in a way that is compliant with all the new cybersecurity regulation being introduced.
The Protection Gap

The protection gap in data security refers to the potential vulnerability that exists between a company’s primary data and how well it can recover or restore that data should they experience data loss or a cyberattack.

This gap comes from the fact that while organisations invest in various security measures to protect their active data, they can often overlook comprehensive backup and recovery strategies. This oversight can mean your critical data is left exposed and susceptible to loss, damage, or theft.

We can see from the respondents’ answers in the report that backup infrastructure security is one of the most critical to protect. However, it is also one of the areas with the biggest gaps in ransomware preparedness.

Top four preventative security controls, as well as the top four gaps in ransomware preparedness:
What are the common vulnerabilities in data protection?
  • Inadequate access controls: Weak or improperly configured access controls mean that unauthorised users or malware are able to infiltrate backup systems.  This leads to compromising the integrity of the data stored there
  • Lack of air gapping: Ransomware can easily move between systems when backup systems share a network with primary systems. Without air gapping (network segmentation) this increases the risk of cross-contamination.
  • Insufficient authentication: If backups lack robust authentication mechanisms, cyber attackers can gain unauthorised access to backup data, then manipulate, or even delete it without any problems.
  • No data immutability: Without data immutability, backup data is vulnerable to tampering by ransomware. Attackers can alter or delete backup files, making them useless for recovery.
  • Single points of failure: A company can create a single point of failure if they rely on a single backup solution or location. If this point is compromised by ransomware, the company could lose both primary and backup data.

It is essential to understand the vulnerabilities and the tactics used by ransomware to attack backup systems in order to develop a comprehensive defence strategy that will protect valuable data assets and maintain business continuity.

Safeguarding your data: Data protection best practices

Organisations use many strategies and technologies to protect their cloud-based backups and to ensure data integrity.  There are also well-established best practices that are proven effective at keeping data safe and companies compliant with all regulatory bodies, such as NIS2 and GDPR.

These methods are essential for safeguarding cloud data against various threats, including ransomware.

Here are 10 best practices that organisations typically follow. 

These ensure cloud-based backups are protected and that businesses meet regulatory and compliance standards: 

  • Access control: Access to cloud backup systems is tightly controlled. Only authorised personnel are granted permission to modify or delete backup data stored in the cloud. Access control mechanisms may include role-based access control (RBAC) and multi-factor authentication (MFA) to enhance security. It’s also important to limit the number of subprocessors to as few as possible: Some backup solutions even have zero subprocessors.
  • Encryption: Backup data stored in the cloud is encrypted both in transit and at rest. This ensures that even if an attacker gains access to the data, it remains unintelligible without the right decryption keys.
  • Data immutability: Immutability features are implemented to prevent the unauthorised modification or deletion of backup data. This safeguards the integrity of the cloud backups, making them resilient to ransomware attacks.
  • Regular cloud backups: Organisations perform regular backups of their cloud data to ensure that information is backed up frequently. This minimises the amount of data that could be lost in an attack or data corruption.
  • Offline and air-gapped backups: Some organisations maintain offline or air-gapped cloud backups. These backups are physically disconnected from the network, making them immune to online attacks, including ransomware. Air-gapped cloud backups are especially effective in preventing data loss due to cyber threats.
  • Versioning/snapshot: Cloud-based backup systems often support versioning, allowing organisations to recover previous versions of files stored in the cloud. This feature is crucial for restoring data to a known-good state when ransomware has altered files.
  • Geographic redundancy/sovereignty: Large organisations may store cloud backups in multiple geographic locations within the cloud infrastructure to mitigate the risk of data loss due to regional incidents or localised cyberattacks. It’s vital that your data protection provider offers regional data centres and that they guarantee no data transmission outside of your selected region.
  • Regular testing: Cloud-based backup systems are regularly tested to ensure that they are functioning as expected. This involves not only verifying the backup process but also performing restoration tests to confirm that cloud data can be successfully recovered.
  • Monitoring and alerts: Continuous monitoring of cloud backup systems and alerts for suspicious activities are set up. Any unusual access or data modification triggers alerts that can be addressed promptly.
  • “Offsite storage” in the cloud: Backups are often stored offsite in cloud services. This protects cloud data in the event of on-premises disasters, such as fires or floods. But in cloud storage, having backup data outside of the production environment is key.

By implementing these protective measures, organisations can maintain the security and availability of their cloud-based backup data.  It helps them reduce the risk of data loss due to ransomware and other potential threats and thereby strengthening cyber resilience.

As organisations have become aware of the vulnerabilities in their data protection processes for backup and recovery, many are taking extra precautions to safeguard their backup copies, which are crucial for recovery in case of a crisis.

Let’s look at the percentage of organisations taking additional measures to protect their backup copies​:

As awareness grows of the vulnerabilities and data protection best practices, unfortunately only 40% of organisations are making extra efforts to protect all their backup copies. This gap in data protection is highlighted in the finding that after a ransomware attack, not all data can be recovered.

The amount of data organisations were able to recover after a ransomware attack:

The numbers show that there is still a lot to be done to prepare for the threat of ransomware.

For more information about data backup by our partner Keepit check here.

Keepit back up Microsoft 365, Dynamics 365, Power Bi, EntraID, Salesforce, Google Workspace, ZenDesk and AzureDevOps. They have immutable backup, encrypted in transit & at rest, air gapped, stored in 2 separate locations inline with NIST framework, with granular restore.