Ransomware Groups Focusing on Compromising Backups to Amplify Profits

Ransomware gangs are increasingly directing their efforts towards compromising data backups, aiming to increase their monetary gains.

A report released by a prominent cybersecurity company shed light on this issue, revealing that a staggering 94% of organizations affected by ransomware attacks in the past year reported attempts by threat actors to breach their backups during the assault. Particularly alarming is the fact that in sectors such as government, media, leisure, and entertainment, this figure climbed even higher, reaching 99%.

The rationale behind targeting backups is clear: in the event of a ransomware attack, organizations typically rely on two main strategies for recovering encrypted data – restoring from backups or paying the ransom. By compromising an organization’s backups, attackers effectively sabotage the victim’s ability to independently recover their data, thereby intensifying the pressure to comply with their ransom demands.

Curtis Fechner, a cybersecurity expert at Optiv, emphasized the strategic significance of targeting backups for attackers, stating, “Part of their strategy for maximizing ransom payments involves identifying and compromising backups, as it allows them to extract the maximum revenue from their attacks.”

Over the past decade, ransomware tactics have evolved considerably. Initially, these attacks were relatively simplistic, exploiting insecure configurations or system vulnerabilities to encrypt data and extort ransom payments from victims. However, as organizations strengthened their security measures and implemented better backup and recovery practices, ransomware operators adapted their strategies accordingly.

Ilia Sotnikov, a security strategist at Netwrix, highlighted this evolution, explaining, “Ransomware attackers have evolved their tactics to target backups, making recovery either impossible or prohibitively expensive, thereby compelling victims to pay the ransom.”

The ramifications of compromised backups are profound for organizations affected by ransomware attacks. Not only do victims face higher ransom demands, but they also incur significantly greater recovery costs. According to the report, organizations with compromised backups faced median ransom demands that were more than double those of organizations with intact backups. Additionally, the median overall recovery costs for these organizations were eight times higher, reflecting the prolonged downtime and additional expenses associated with rebuilding systems and data.

Darren Guccione, CEO of Keeper Security, underscored the vulnerability of organizations with compromised backups, stating, “Attackers recognize that by disabling access to backups, organizations are left with limited options, thereby increasing the likelihood of compliance with exorbitant ransom demands to regain access to their data.”

Addressing the vulnerability of backups requires a multifaceted approach. While offline backups offer protection against attacks, they can be costly to implement, particularly for small to medium-sized businesses. Narayana Pappu, CEO of Zendata, stressed the importance of implementing robust security measures and disaster recovery plans for backup systems to mitigate the risk of compromise.

Despite the challenges, safeguarding data backups remains paramount in the battle against ransomware. As attackers continue to refine their tactics, organizations must prioritize cybersecurity measures that protect their critical data and operations.