Cyberattacks aim at backup to force ransom payment

Firms of all sizes are increasingly falling victim to ransomware attacks and inadequately protecting against this rising cyberthreat, according to Veeam’s 2023 Ransomware Trends Report.

Veeam commissioned Vanson Bourne to conduct a survey of 1,200 unbiased IT leaders representing firms of all sizes from 14 different countries in Asia-Pacific and Japan; Europe, Middle East and Africa; and the Americas.

Finding show that cyberattackers almost always — more than 93% of the time — target backups and are successful in debilitating their victims’ ability to recover in 75% of those events, reinforcing the criticality of immutability and air gapping to ensure backup repositories are protected.

“Although security and prevention remain important, it’s critical that every organisation focuses on how rapidly they can recover by making their organization more resilient,” said Danny Allan, CTO at Veeam. 

“We need to focus on effective ransomware preparedness by focusing on the basics, including strong security measures and testing both original data and backups, ensuring survivability of the backup solutions, and ensuring alignment across the backup and cyber teams for a unified stance,” said Allan.

For the second year in a row, the majority (80%) of the organisations surveyed paid the ransom to end an attack and recover data – now up 4% compared to the year prior – despite 41% of organizations having a “Do-Not-Pay” policy on ransomware. 

Still, while 59% paid the ransom and were able to recover data, 21% paid the ransom yet still didn’t get their data back from the cyber criminals. 

Additionally, only 16% of organizations avoided paying ransom because they were able to recover from backups. The global statistic of organisations able to recover data themselves without paying ransom is down from 19% in last year’s survey.

Following a ransomware attack, IT leaders have two choices — pay the ransom or restore-from-backup. As far as recovery goes, the research reveals that in almost all (93%) cyber-events, criminals attempt to attack the backup repositories, resulting in 75% losing at least some of their backup repositories during the attack, and more than one-third (39%) of backup repositories being completely lost.

By attacking the backup solution, attackers remove the option of recovery and essentially force paying the ransom. 

While best practices – such as securing backup credentials, automating cyber detection scans of backups, and auto verifying that backups are restorable – are beneficial to protect against attacks, the key tactic is to ensure that the backup repositories cannot be deleted or corrupted. 

To do so, organisations must focus on immutability. The good news is that based on lessons learned from those who had been victims – 82% use immutable clouds, 64% use immutable disks, and only 2% of organisations do not have immutability in at least one tier of their backup solution.

The report also found that cyber-insurance is becoming too expensive, with 21% of firms saying that ransomware is now specifically excluded from their policies.

Those with cyber insurance saw changes in their last policy renewals, with 74% seeing increased premiums, 43%  seeing increased deductibles, and 10% seeing coverage benefits reduced.