Why Your Backups May Not Save You From Ransomware

You've got backups, so you may assume ransomware is no big deal.

If you do get hit you could just ignore the ransom, restore your data from backups and get back to whatever you were doing. But it's not that simple.

Backups Are Now a Key Target for Ransomware

According to a recent survey of 1200 organisations hit by ransomware in 2022, ransomware targeted the organisation's backups in 93% of cases.

In 49% of cases, it knocked out most or all of the backups, and in 28% of cases, some of them. In 18% it tried to compromise backups but failed. Only in 7% of cases did it leave the backups alone.

These alarming figures come from the 2023 Veeam Ransomware Trends Report.

How Did Organisations Hit By Ransomware Get Their Data Back?

• In 59% of cases they paid the ransom and recovered the data.
• In 21% of cases, they paid the ransom but didn't get the data back.
• In 16% of cases, they refused to pay the ransom but got their data back from backups.
• In 4% of cases, no ransom was demanded.

Who Ultimately Paid the Ransom?

In cases where a ransom was paid:

• 49% of ransoms were paid by cyber-insurance firms
• 28% of ransoms were paid by other insurance firms
• 18% of ransoms were paid by the victim organisation, even though it had insurance
• 4% of ransoms were paid by the victim organisation, with no insurance coverage applicable
• 1% of ransoms, the survey respondent couldn't recall who paid.

Restoration Risks

When recovering data, 44% of respondents would recover to a staging server, which would then be scanned.

In 56% of cases, there would be no staging server and recovery would involve restoring backups directly to a live environment, potentially restoring ransomware-compromised files.

Ensuring Immutability of Backups, or Air-Gaps

• 59% of organisations use hyperscale clouds
• 52% of organisations use Backup-as-a-Service or Disaster-Recovery-as-a-Service offerings
• 41% of organisations use an on-premises storage array with immutibility
• 36% of organisations use on-premises object storage
• 14% of organisations use tape
• 2% don't have any of the above

Where Would Data Be Restored To, Initially?

• 48% of organisations would restore to hyperscale clouds
• 41% of organisations would restore to DRaaS offerings
• 41% of organisations would restore to alternative servers already owned
• 41% of organisations would restore to the original servers
• 34% of organisations would restore to new servers

Takeaways

• You need backups, as paying the ransom is no guarantee you'll get your data back. In 21% of cases, a ransom is paid but the data isn't restored. And in 4% of cases, no ransom is demanded, so paying it isn't even an option.

• Having immutable backups and/or air gaps is no longer a luxury. Ransomware tries to take out backups in 93% of attacks, and often succeeds, due to backups being too easy to delete or corrupt.
• Full recovery from attacks takes close to two weeks on average, so you need to think out how you can speed that up.

How hSo Can Help

• Cloud Backup - Our service lets you backup data from your on-premise servers, cloud servers and services such as Microsoft 365 and Salesforce to an offsite backup repository.
• Immutable Backups - We give you the option of having immutable backups, so ransomware can't delete or overwrite your backup archives.
• Disaster Recovery as a Service - This makes it easy to rapidly restore a working snapshot of your virtual machines, so you can bounce back from an attack in minutes rather than weeks.
• United Threat Management - This can filter your LAN/WAN/VPN traffic to reduce the likelihood of your devices getting compromised.
• Zero Trust Network Access - This introduces a proxy that polices network access requests. This makes it harder for attackers to traverse your network after compromising a device or a user's credentials.

To learn more, call us on 020 7847 4510 or fill in the contact form below.