Backup Recovery Key Success Point in Ransomware Battle

  • Ralph Labarta
  • Mar 4, 2024

Updated: Apr 3, 2024

A successful backup and recovery capability has long been a cornerstone of any business continuity strategy. But the effectiveness of this seemingly obvious safety net was significantly diminished when attackers began targeting backup repositories as part of ransomware deployment. Reports indicate that in 80-90% of ransomware attacks, backup repositories and capabilities are targeted. Without viable backups, cyber victims have very few options other than to negotiate with ransomware attackers in order to obtain decryption keys.


Evolution of Backup


The traditional backup strategy was based on physical tapes, with backups usually executed nightly. Recovery was an arduous task that could involve numerous physical tapes. Recovery throughput was slow enough that it often took days just to determine whether the tapes in question actually contained viable data. The only upside was that the tapes themselves were immutable and separated from compromised systems, increasing the potential that uncompromised data and system images existed somewhere in the tape library.


A significant step forward occurred when disk-to-disk backup capabilities were introduced, which increased the speed of backup and recovery. However, the proximity of the disk backup created a vulnerability: the backup could be more easily accessed by malicious software and rendered useless. As the ransomware epidemic grew exponentially, backup software vendors were caught completely off guard, leaving IT groups to develop secure solutions to ensure backup integrity.


Backup as a Weapon


An effective backup solution today takes advantage of native backup software security, employs multiple and segregated backup destinations, and includes the backup and recovery framework in its penetration and vulnerability testing.


A recent report by Arctic Wolf observed that in 71% of ransomware incidents, the availability of viable backups was leveraged by victims in recovery. This is an encouraging statistic indicating that effective backup and recovery strategies are becoming a key component in ransomware incident response.


"Don't Pay the Ransom"


This may be obvious from the sidelines, but it is quite different when your data and systems have been rendered inaccessible and the life of your company hangs in the balance. There are only two viable mechanisms that would enable a company to pursue this strategy. One option is "breaking" the decryption keys and leveraging decryption software to "unlock" the systems. The probability of success is somewhere between 0 and 1%. Option two involves successfully securing the environment and recovering data and system images from backup. How successful is option two? This is hard to pin down because we are seeing in real time a dramatic shift in the capabilities of companies across industries and company size.


As reported by Wired Magazine and according to data from the incident response firm Coveware, 29% of ransomware victims paid a ransom in the fourth quarter of 2023, a dramatic drop from payment rates between 70 percent and 80 percent for most of 2019 and 2020. But this seemingly positive statistic is limited to Coveware's client base and countered by data across all incidents which shows an increase in amounts paid, propelling the total amount of ransom paid to a record $1.1 billion in 2023.


Conclusion


An effective backup and recovery capability that is resilient in the face of a ransomware attack should be viewed as a weapon in the battle against malicious actors. It is likely the only viable avenue to pursue other than paying the ransom. A resilient backup capability extends beyond traditional backup approaches and must include security, multi-environment distribution, and rigorous testing.


In our experience, the tools and capabilities offered by vendors have evolved tremendously over the last two years. We have dramatically increased the probability that clients will have access to viable and uncompromised data and system images in the event of a ransomware attack.



© 2024 Techmar, LLC