enjoynz - stock.adobe.com

Almost all ransomware attacks target backups, says Veeam

Some 93% of ransomware attacks go for backups and most succeed, with 60% of those attacked paying the ransom, according to a Veeam survey

Data stored in backups is the most common target for ransomware attackers. Almost all intrusions (93%) target backups and in 75% of cases succeed in taking out victims’ ability to recover. In addition, 85% of global organisations suffered at least one cyber attack in the past year.

That’s according to the Veeam 2023 Ransomware trends report, recently launched at the company’s event in Florida. The survey questioned IT decision-makers in 1,200 affected organisations that had suffered around 3,000 ransomware attacks across 14 different countries in APJ, EMEA and the Americas. 

The majority (80%) of victims surveyed paid the ransom to end an attack and recover data, even though 41% of organisations have a do-not-pay policy on ransomware. And while 59% paid the ransom and were able to recover their data, 21% paid the ransom but didn’t get their data back from the cyber criminals.

Only 16% of organisations avoided paying ransom because they were able to recover from backups, down from 19% in last year’s survey.

Veeam recently found itself on the wrong end of a vulnerability in its Backup & Replication product, with security researchers finding evidence that a cyber criminal gang had found a way past its defences.

The company also recently added ransomware warranty payouts to its offer, but said it thought it would be unlikely to have to hand them out.

According to the survey, criminals attempt to attack backup repositories in almost all (93%) cyber events in EMEA, with 75% losing at least some of their backups and more than one-third (39%) of backup repositories being completely lost.

Attackers target backups because an organisation’s best bet to avoid paying the ransom when a ransomware attack hits is to try to recover from its most recent good copies of data.

So it is key for organisations to have secure backups, immutable copies of data that they test regularly to ensure they can actually recover from the data retained there. Air-gaps between production environments are also recommended.

According to the Veeam survey, 82% use immutable clouds, 64% use immutable disks, and only 2% of organisations do not have immutability in at least one tier of their backup solution.

“The report shows that today it’s not about if your organisation will be the target of a cyber attack, but how often. Although security and prevention remain important, it’s critical that every organisation focuses on how rapidly they can recover by making their organisation more resilient,” said Danny Allan, CTO at Veeam.

“We need to focus on effective ransomware preparedness by focusing on the basics, including strong security measures and testing both original data and backups, ensuring survivability of the backup solutions, and ensuring alignment across the backup and cyber teams for a unified stance.”

When respondents were asked how they ensure that data is clean during restoration, 44% of said they completed some form of isolated staging to re-scan data from backup repositories prior to its reintroduction to the production environment. That potentially means the other 56% run the risk of re-infecting the production environment by not testing for clean data during recovery.

Other key findings included that 21% said ransomware is now specifically excluded from insurance policies; and of those with cyber insurance, 74% saw increased premiums since their last policy renewal. 

Read more about ransomware and backup

Read more on IT strategy

Data Center
Data Management