Backups are an essential part of any solid anti-ransomware strategy. In fact, research shows that the median recovery cost for ransomware victims that used backups is half the cost incurred by those that paid the ransom. But not all data backup approaches are created equal.

A separate report found that in 93% of ransomware incidents, threat actors actively target backup repositories. This results in 75% of victims losing at least some of their backups during the attack, and more than one-third (39%) of backup repositories are completely lost.

What makes one backup strategy better than another? It starts with immutability, but there’s much more to the story.

Ransomware continues to wreak havoc

According to a recent Veeam Ransomware Trends report, 85% of organizations suffered at least one cyberattack in the past 12 months. The report surveyed 1,200 IT leaders whose organizations suffered at least one ransomware attack in 2022. The participants included companies of all sizes from 14 different countries across APJ, EMEA and the Americas.

One of the most notable findings in the study is that team leaders are acutely aware of a disconnect between IT backup teams and security teams. In fact, 70% of backup administrators and 59% of security professionals believe team alignment needs either “significant improvement” or a “complete overhaul.”

Why do these teams sense a wide alignment gap? One reason might be that only 16% of survey respondents said they got their data back and avoided paying the ransom. Also, 21% paid the ransom and never recovered their data. Meanwhile, 59% paid the ransom to get their data back.

Backup repositories affected

According to the report, malicious actors targeted backups in at least 93% of attacks in 2022. And adversaries successfully penetrated backup repositories in 75% of attacks. Based on the study data, Veeam came to these shocking conclusions:

  • It’s 75% likely that backup repositories will be affected by a cyberattack
  • When affected, 39% of repositories become unusable
  • Nearly one-third (29%) of data restoration attempts are not viable.

Meanwhile, survey respondents estimated that it took them an average of 3.3 weeks until they considered their recovery efforts to be complete. And the reality is that some recovery efforts can drag on for months.

Read the ransomware guide

Making data recoverable

Less than 25% of ransomware victims stated that attacks did not affect their backup repositories. As per Veeam, the way these organizations achieve this level of backup protection starts with immutability or air gapping.

For immutability, 82% of those surveyed use immutable clouds, and 64% use immutable disks. Immutable cloud backup refers to a backup strategy where the backed-up data cannot be modified, altered or deleted for a specified period. It ensures the backup data remains intact and tamper-proof, protecting against accidental or malicious changes. Strict access controls and write-protection mechanisms can help prevent modifications to the backup files.

Air gapping can isolate a computer or network from unsecured or potentially compromised networks. It involves physically disconnecting the system or network from any external connections, such as the Internet or other networks. Isolating the system or network creates a barrier that makes it difficult for attackers to infiltrate or exfiltrate data. This means storing backup data on an isolated, offline storage medium, such as external hard drives, tapes or optical discs.

Even if your data backup doesn’t get lost, what if it gets contaminated? The Veeam report also noted that even with immutability tools in place, 56% of organizations run the risk of re-infection during restoration.

Data backup immutability plus scan

Immutable data backup supports the ability to create cyber-resilient, point-in-time data copies that cannot be changed or deleted through user errors, malicious actions or ransomware attacks. Immutability can isolate backup copies from production data, so if a cyberattack occurs, data can be quickly recovered from copies.

Truly comprehensive data immutability also automatically scans data copies for signs of corruption introduced by malware or ransomware. Scanning can help identify a ransomware attack soon after it’s launched. Data scanning also enables the identification of data copies that have not been affected by an attack. Equipped with this information, backup teams can quickly identify an attack in progress and recover a clean data copy.

Data immutability and scanning also help IT staff perform the forensic analysis required for incident assessment. From there, teams can formulate optimal recovery plans and determine the scope of recovery for files, databases or entire systems.

Reducing breach timeframes and impact

The Veeam report highlights the fact that data backups are only part of a solid cyber resilience plan. There are, in fact, four key elements to a robust backup framework:

  • Data Copy Immutability: This creates secure, point-in-time copies or snapshots of active production data that cannot be altered or deleted (immutable). Data copies are typically created in a separate storage environment from production.
  • Proactive Monitoring: Detects malicious patterns leveraging a number of data sources and analysis tools and techniques. This includes access logs, heuristics, correlation with logs from other systems such as network logs or server logs, network flow and packet data.
  • Test/Validation of Data Copies: Provides proactive detection of data corruption or reassurance that the copy is validated clean before any further actions.
  • Rapid Recovery: Includes forensic investigation of a problem to determine the recovery action, tools and procedures needed to identify the cause and scope of an attack. Recovery tools extract data from the backup copy and logically restore it to the production environment. This operation is critical to restoring data, files or systems back into production use if there has been an intended or unintended data loss.

Truly effective data backup

If organizations are going to invest in a backup strategy, it should be fully immutable and enable fast recovery from an attack. Data scanning and monitoring are key parts of the equation. Any data contamination should be detectable, which makes breach resolution faster and easier. That way, you can get your operations up and running faster, sometimes even within hours instead of weeks.

More from News

Securing critical infrastructure with the carrot and stick

4 min read - It wasn’t long ago that cybersecurity was a fringe topic of interest. Now, headline-making breaches impact large numbers of everyday citizens. Entire cities find themselves under cyberattack. In a short time, cyber has taken an important place in the national discourse. Today, governments, regulatory agencies and companies must work together to confront this growing threat. So how is the federal government bolstering security for critical infrastructure? It looks like they are using a carrot-and-stick approach. Back in March 2022, the…

650,000 cyber jobs are now vacant: How to tackle the risk

4 min read - How far is the United States behind in filing cybersecurity jobs? As per Rep. Andrew Garbarino, R-N.Y., Chairman of the HHS Cybersecurity and Infrastructure Protection Subcommittee, overseas adversaries have a workforce advantage over FBI cyber personnel of 50 to one. His statements were made during a recent subcommittee hearing titled “Growing the National Cybersecurity Talent Pipeline.” Meanwhile, recent CyberSeek data shows over 650,000 cyber jobs to fill nationwide. Given the rising rate of cyberattacks, these numbers are truly alarming. How…

Should you worry about state-sponsored attacks? Maybe not.

4 min read - More than ever, state-sponsored cyber threats worry security professionals. In fact, nation-state activity alerts increased against critical infrastructure from 20% to 40% from 2021 to 2022, according to a recent Microsoft Digital Defense Report. With the advent of the hybrid war in Ukraine, nation-state actors are launching increasingly sophisticated attacks. But is this the most prominent danger facing companies today? While nation-state-based attacks cannot be ignored, it looks like insider cyber incidents are far more common. In fact, for the…

New report names attack surface management leaders

4 min read - Cloud adoption, digital transformation and the remote work explosion have widened nearly every company’s digital footprint and attack surface. Today’s enterprise is more distributed and more dynamic than ever — and new assets connect to a company’s network daily. According to one report, 67% of organizations have seen their attack surfaces expand in the preceding two years. To make things worse, 69% have been compromised by an unknown or poorly managed internet-facing asset in the past year. For these reasons, Gartner…