ProLion Team, October 2022

Backups and Ransomware: Theory vs. Practice

The ransomware pandemic has not relented. Since 2020, ransomware attacks have risen significantly and there doesn’t seem to be any sign of these attacks letting up. Between 2019 and 2020, ransomware attacks surged 150% and increased an additional 105% in 2021. These ransomware attacks are also evolving further in methods of deployment and how threat actors are behaving post-infection.

This is making ransomware attacks harder to defend against and more critical to handle, especially in high-risk industries like retail and education, which have seen elevated numbers of attacks. The retail industry faced a 264% increase in ransomware attacks in 2021, and the education industry experienced a 50%+ increase in attacks in both 2020 and 2021.

Unfortunately, organizations are not meeting the demands required to properly defend against ransomware. Many companies are overdependent on backups, which don’t provide the level of protection required. In a real attack scenario, backups may not even aid in the recovery efforts promised, putting organizations at risk if that’s the only ransomware defense they have in place.

We’ll show you why organizations need to adopt a more proactive and preventative approach beyond backups to defend against ransomware.

The promise of backups: Why theory doesn’t hold up

Backups are designed to help organizations recover faster after they’ve succumbed to a ransomware attack. By relying on backups, companies can get back their files and systems faster, preventing lockdown and downtime. Ideally, this will even stop the need to pay the ransom, saving the organization money.

However, this idyllic scenario hardly holds up when facing a real-world attack.

Backups work best under ideal circumstances: an organization does everything right against a simple attack, the backup works as designed, and the company gets its critical files back in a matter of hours and returns to business as usual with hardly any interruption.

But this never occurs. Facing an attack, particularly one as potentially devastating as ransomware, always results in a scramble. Security teams and department leaders alike have to deal with a number of priorities that need to be resolved immediately, and resolving them may take days or weeks before proper attention is paid to backups. Because of these competing responsibilities, a backup may not serve the organization within the right timeframe, undermining its effectiveness.

Ransomware threat actors know about backups

Backups aren’t a secret weapon. Ransomware attackers are well aware of backups and design their attacks to get around them. For example, many ransomware threat actors are turning to double and triple extortion, threatening to leak the locked-up data if the ransom isn’t paid. Even with backups in place, the threat may be too urgent to wait out.

Some ransomware is even designed to attack backups. The notorious Conti ransomware group has been specifically targeting backups, rendering them largely ineffective for many organizations. Earlier this year, several vulnerabilities were discovered in Veeam’s backup software that could result in a ransomware infection. One known vulnerability was exploited multiple times, resulting in several compromised organizations.

Threat actors know that backups often contain the information they’re looking to lock down, and they target them first. If an organization is breached, competent attackers will make sure they can disable or delete any backups before deploying the ransomware.

Backups are hardly tested

Too often there are stories of backups simply not working during a ransomware attack, largely because of overcomplication and inadvertent negligence. Backing up a single device is vastly different from backing up an entire company’s network. Not only are there multiple dependencies and hundreds or thousands of devices to consider, but maintaining regular backups can disrupt business continuity.

This can result in ineffective backups, or backups that aren’t maintained regularly or even tested to ensure they work properly. If an organization does get hit with ransomware, it may find that the backup simply doesn’t work or is too old to be usable.
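The two failure modes just described, a backup that silently does not restore and a backup that is too old to be useful, are exactly what a scheduled restore test should catch. The following script is an added illustration, not ProLion's code or any backup product's API: it takes a backup of a constructed sample data set into a scratch directory with a SHA-256 manifest, restores it into a separate directory, verifies every file's hash, and flags the backup as stale if it is older than a chosen recovery-point threshold. The `demo()` function then damages the backup copy (one file deleted, one overwritten) to show that the same test turns red.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample data set: the "production" files the backup is supposed to protect.
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2022-10-01,120.50\n",
    "hr/roster.txt": b"alice\nbob\ncarol\n",
    "ops/runbook.md": b"# Runbook\n1. Verify backups weekly\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(source: Path, backup_root: Path) -> Path:
    """Copy every file under source into backup_root/data and write a manifest of hashes."""
    manifest = {"created": time.time(), "files": {}}
    for file in source.rglob("*"):
        if file.is_file():
            rel = file.relative_to(source).as_posix()
            dest = backup_root / "data" / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(file, dest)
            manifest["files"][rel] = sha256_of(file)
    manifest_path = backup_root / "manifest.json"
    manifest_path.write_text(json.dumps(manifest))
    return manifest_path


def restore_test(backup_root: Path, restore_dir: Path, max_age_seconds: float) -> dict:
    """Restore into a scratch directory and verify each file against the manifest.

    'ok' is True only if every file restored with a matching hash and the backup
    is younger than max_age_seconds (the recovery-point objective you chose).
    """
    manifest = json.loads((backup_root / "manifest.json").read_text())
    report = {"restored": [], "missing": [], "corrupt": [], "stale": False}
    report["stale"] = (time.time() - manifest["created"]) > max_age_seconds
    for rel, expected in manifest["files"].items():
        src = backup_root / "data" / rel
        if not src.is_file():
            report["missing"].append(rel)          # backup set lost a file entirely
            continue
        dest = restore_dir / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest)
        if sha256_of(dest) != expected:
            report["corrupt"].append(rel)          # restored bytes differ from what was backed up
        else:
            report["restored"].append(rel)
    report["ok"] = not (report["missing"] or report["corrupt"] or report["stale"])
    return report


def demo() -> tuple:
    """Run a clean restore test, then damage the backup copy and run it again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup = root / "src", root / "backup"
        for rel, content in SAMPLE_FILES.items():
            p = source / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        take_backup(source, backup)
        clean = restore_test(backup, root / "restore1", max_age_seconds=86400)
        # Simulated damage to the backup set: one file deleted, one overwritten with garbage.
        (backup / "data" / "hr" / "roster.txt").unlink()
        (backup / "data" / "finance" / "ledger.csv").write_bytes(b"\x00" * 32)
        damaged = restore_test(backup, root / "restore2", max_age_seconds=86400)
        return clean, damaged


if __name__ == "__main__":
    for label, report in zip(("clean", "damaged"), demo()):
        print(label, json.dumps(report, indent=2))
```

The point of restoring into a separate directory rather than checking hashes inside the backup store is that it exercises the same path an incident would: the test fails if the data is missing, if it was altered after it was written, or if the most recent copy is older than the organization can tolerate.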

Organizations need to invest in preventive and proactive services

By relying only on backups, organizations are not just depending on something that may not even work; they are also taking no steps toward preventing ransomware attacks. Backups aren’t useless, but they shouldn’t be the only line of defense; they should be the last line of defense.

If a company can be hit with a ransomware attack, that’s a sign of a vulnerability or an exploitable weakness that could lead to other kinds of cyber attacks or another ransomware attack. 80% of companies that are hit with a ransomware attack are targeted again.

Companies must invest in technology that detects and removes threats before they can fully compromise an organization. These tools should apply to all kinds of environments, particularly hybrid environments, where the attack surface is quite large. Against ransomware specifically, companies should look to detection services that use pattern recognition to flag ransomware and remove it from the environment immediately.
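To make "pattern recognition" concrete, here is an added example of the kind of rules a file-activity detector can run over a stream of share-access events. It is illustrative code written for this article, not CryptoSpike's or any vendor's detection logic, and the event format, thresholds and the `.lockedz` extension are all constructed for the demo. It applies three behavioural signatures that ransomware tends to leave on a file share: a burst of renames to an extension the environment has never used, overwrites of document files with near-random (encrypted) content measured by Shannon entropy, and the appearance of a ransom-note-style filename. Any user who trips a rule becomes a candidate for isolation.

```python
import math
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0        # sliding window for the rename-burst rule
RENAME_THRESHOLD = 5         # renames to a foreign extension inside one window
ENTROPY_THRESHOLD = 7.5      # bits per byte; plain documents sit well below this
KNOWN_EXTENSIONS = {"docx", "xlsx", "pdf", "txt", "csv", "png"}   # constructed baseline
NOTE_KEYWORDS = ("decrypt", "recover", "restore")                 # typical ransom-note wording

# Constructed stand-in for ciphertext: every byte value equally likely, entropy 8.0 bits/byte.
HIGH_ENTROPY = bytes(range(256)) * 4

# Constructed sample events, not real logs: (timestamp_seconds, user, op, path, payload).
# alice edits a spreadsheet normally; bob's activity mimics an encryption run; carol is noise.
EVENTS = [
    (0.0, "alice", "write", "/share/finance/q3.xlsx", b"quarterly figures, plain spreadsheet text " * 8),
    (1.0, "alice", "rename", "/share/finance/q3_final.xlsx", b""),
    (2.0, "bob", "write", "/share/hr/roster.txt", HIGH_ENTROPY),
    (2.5, "bob", "rename", "/share/hr/roster.txt.lockedz", b""),
    (3.0, "bob", "rename", "/share/hr/policy.docx.lockedz", b""),
    (3.4, "bob", "rename", "/share/hr/review.pdf.lockedz", b""),
    (3.9, "bob", "rename", "/share/hr/notes.txt.lockedz", b""),
    (4.1, "bob", "rename", "/share/hr/photo.png.lockedz", b""),
    (5.0, "bob", "create", "/share/hr/HOW_TO_RECOVER_FILES.txt", b"..."),
    (40.0, "carol", "rename", "/share/ops/old.bak", b""),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events) -> dict:
    """events: iterable of (ts, user, op, path, payload) sorted by ts.
    Returns {user: [alert, ...]} for every user whose activity tripped a rule."""
    alerts = defaultdict(list)
    rename_windows = defaultdict(deque)   # user -> timestamps of renames to unknown extensions
    for ts, user, op, path, payload in events:
        ext = extension(path)
        if op == "rename" and ext not in KNOWN_EXTENSIONS:
            win = rename_windows[user]
            win.append(ts)
            while win and ts - win[0] > WINDOW_SECONDS:
                win.popleft()                     # drop renames that fell out of the window
            if len(win) == RENAME_THRESHOLD:      # fire once, when the threshold is crossed
                alerts[user].append(
                    f"rename burst: {len(win)} files to .{ext} within {WINDOW_SECONDS:.0f}s")
        elif op == "write" and ext in KNOWN_EXTENSIONS:
            ent = shannon_entropy(payload)
            if ent > ENTROPY_THRESHOLD:           # a document should not look like random bytes
                alerts[user].append(f"high-entropy overwrite of {path} ({ent:.2f} bits/byte)")
        elif op == "create":
            lower = path.rsplit("/", 1)[-1].lower()
            if any(k in lower for k in NOTE_KEYWORDS) and ext in {"txt", "html", ""}:
                alerts[user].append(f"possible ransom note created: {path}")
    return dict(alerts)


def isolation_candidates(events) -> set:
    """Users to cut off from the share while an analyst confirms the alerts."""
    return set(detect(events))


if __name__ == "__main__":
    for user, found in detect(EVENTS).items():
        print(user)
        for line in found:
            print("  -", line)
    print("isolate:", sorted(isolation_candidates(EVENTS)))
```

Two design points matter in practice. The rename rule keys on extensions the environment has never produced, so the baseline set has to be learned from real usage rather than hard-coded as here, or legitimate tools that write unusual extensions will page the on-call. And the entropy rule only inspects writes to document types, because archives and images are already high-entropy and would otherwise flood the detector with false positives.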

Coupled with additional detection and prevention services, as well as backups, an organization can build a layered security posture that’s comprehensive and effective at preventing ransomware attacks while reducing the amount of damage a successful attack can do.

By placing protection at the forefront of its environment, an organization can save time, money, and resources by drastically reducing the chance that an attack consumes the time of various departments. Even if a backup works, your company will still have to manage the ransomware attack until the environment recovers; regardless of the backup you use, that still means lost resources and potentially lost revenue.

The good news? Our CryptoSpike solution detects and blocks ransomware attacks attempting to access your data, and helps you isolate affected users in real time.