Ransomware Is Now Targeting Your Backups – How Do You Prevent Attackers From Compromising Your Data Contingency Plans?

The cost of ransomware attacks is staggering, with Cybersecurity Ventures estimating that it will reach USD $20 billion in 2021 alone. That figure is expected to balloon to USD $265 billion by 2031, based on a 30% year-on-year increase in ransomware attacks.

Just this year, in fact, the syndicated cybercrime group DarkSide extorted some USD $4.4 million out of Colonial Pipeline, the largest fuel pipeline in the U.S., in a brazen cyber attack that underscores why ransomware is becoming big business and why it will be the attack of choice for cybercriminals. Most recently and closer to home, ransomware attacks were carried out on local organisations such as Eye & Retina Surgeons, Tokio Marine Insurance Singapore and Pine Labs, signifying that attacks are escalating and becoming more rampant.

What Happens in a Ransomware Attack and What Are Its Implications?

In an attack, the ransomware encrypts a system’s files and locks its users out. The perpetrators of the attack then demand a ransom or payment—sometimes in cryptocurrency—in exchange for a decryption key. Organisations victimised by a ransomware attack may be able to stall to give their IT staff time to decrypt the files themselves or to call a cybersecurity team to do so.

However, in more recent iterations of ransomware attacks, operators have also been stealing information, often sensitive, and threatening to either publish it on the dark web or sell it to a third party (the double-barrelled “encrypt and exfiltrate”). This data breach element adds pressure on the organisation to pay the ransom, and that might be happening more and more nowadays—with Colonial the most recent and most publicised case to date.

Either way, organisations hit by ransomware will pay a heavy price, as there will be significant expenses aside from paying that ransom. Some of these attendant costs include hiring consultants for both internal reviews and computer forensics, regulatory fines for data breaches, decreased staff productivity due to downtime, losing customers and stakeholders and securing expensive cybersecurity insurance premiums. Repairing brand reputation is equally costly, especially when sensitive data is lost or compromised.

Traditional Backups No Longer a Safe Bet

Exacerbating matters is that ransomware itself is evolving, with cybercriminals having created ransomware strains that can target not only the main systems but also the backups. This makes perfect sense on two fronts: First, compromising data on both the front and back ends will cripple an organisation enough to force its hand in terms of paying a ransom. Second, traditional backups are vulnerable to begin with, as they are designed specifically to restore data in case of computer or hard drive failure or data corruption, not to protect it from cyber attacks.

Cybercriminals are attacking backups by reconfiguring the stages of a ransomware attack, which would otherwise be infection, detonation and destruction/decryption, in that order. Modern backup-targeting ransomware, however, has five stages—infection, detonation, gestation, dormancy and destruction/decryption—with the two additional steps enabling a more effective attack on enterprise backups.


Put simply, traditional backups are more vulnerable than ever to getting attacked by ransomware. According to data management and backup specialist Cohesity, there are five factors that contribute to this, and they are as follows:

  1. Ransomware targets shadow copies of backup data, entering the system’s primary environment from one endpoint and then seeking out the backups almost immediately.

  2. The attack surface of ransomware is much larger now with increasing dependence on multiple point products.

  3. Lack of constant monitoring makes it easier to target backups.

  4. Lack of visibility leads to more difficult clean restores.

  5. Legacy-dependent backup and recovery cycles take very long, which adds to an organisation’s ransomware plan. 

Meeting the Threat

While ransomware can now attack even backups, that does not mean organisations should stop backing up their data, especially considering that it is still one of the vital keys to mitigating the crippling consequences of a ransomware attack. A common recommendation among cybersecurity experts, in this case, is for an organisation to follow the 3-2-1 rule in which they make three copies of every piece of data on at least two devices, with one of them being off-site.
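The 3-2-1 rule above can be checked mechanically against a backup inventory. The following Python sketch is an added example, not code from the original article or from any vendor; the inventory, dataset and device names are constructed, and it assumes the production copy counts as one of the three copies.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    dataset: str   # logical data set being protected
    device: str    # storage device or system holding this copy
    offsite: bool  # True if the copy lives outside the primary site


# Constructed sample inventory (hypothetical names, not from the article).
INVENTORY = [
    BackupCopy("finance-db", "prod-san-01", False),
    BackupCopy("finance-db", "backup-nas-01", False),
    BackupCopy("finance-db", "cloud-bucket-a", True),
    BackupCopy("hr-share", "prod-san-01", False),
    BackupCopy("hr-share", "prod-san-01", False),   # second copy, same device
    BackupCopy("hr-share", "backup-nas-01", False),
    BackupCopy("crm-vm", "prod-san-01", False),
    BackupCopy("crm-vm", "cloud-bucket-a", True),
    BackupCopy("legacy-files", "prod-san-01", False),
]


def audit_321(inventory):
    """Return {dataset: [violations]}; an empty list means 3-2-1 is met."""
    by_dataset = defaultdict(list)
    for copy in inventory:
        by_dataset[copy.dataset].append(copy)

    findings = {}
    for dataset, copies in by_dataset.items():
        problems = []
        if len(copies) < 3:
            problems.append(f"only {len(copies)} copies (need 3)")
        devices = {c.device for c in copies}
        if len(devices) < 2:
            problems.append(f"only {len(devices)} device (need 2)")
        if not any(c.offsite for c in copies):
            problems.append("no off-site copy")
        findings[dataset] = problems
    return findings


if __name__ == "__main__":
    for dataset, problems in sorted(audit_321(INVENTORY).items()):
        status = "OK" if not problems else "; ".join(problems)
        print(f"{dataset:13} {status}")
```
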

Organisations can likewise leverage a modern data protection solution that adds a layer of security to their backup infrastructure. One such solution is Cohesity, whose end-to-end, multi-layered data security solution prevents backup data from being encrypted, modified or deleted. This is achieved through three vital stages:

Cohesity utilises machine learning to continuously monitor and potentially detect anomalies in data within an organisation’s network, giving it an added layer of protection even against the most invasive of ransomware, like Locky and Crypto.

Among Cohesity’s features is the creation of an immutable file system in which it takes countless read-only state snapshots at frequent intervals and stores them with very low overhead. These snapshots, again, are immutable and will not be adversely affected by ransomware. Cohesity also offers DataLock capability where an organisation’s security officer can store those immutable snapshots in WORM format. Another of Cohesity’s key features is strong multifactor authentication that helps protect one of the most common ransomware access points: the organisation’s staff themselves.

In worst-case scenarios, which are very possible given the ever-evolving nature of ransomware, Cohesity can also assist in data recovery at scale, specifically speeding it up using its global search capability. Its CyberScan feature also ensures a “clean” recovery by scanning each immutable snapshot for residual vulnerability and giving actionable points on how to address potential weaknesses.

That being said, a robust backup infrastructure bolstered by these advanced anti-ransomware capabilities is just part of the backup security equation. An equally vital step is to craft a holistic data resiliency plan that runs the gamut from data protection itself to disaster planning to data recovery. The worst thing an organisation can do is to be reactive to the times and sit idle even as cybercriminals grow increasingly sophisticated. Having a data resiliency plan will compel the organisation to consistently inspect its data and test its backups, making sure that recovery will be possible even with a ransomware attack.


Cybercriminals are evolving and so are their means to perpetrate all kinds of cyberattacks, and this is necessitating a forward-thinking approach on the part of organisations. This is true even in terms of having a backup infrastructure given the very real threat of ransomware and the potential damage it can inflict on an organisation’s backups. To this end, it should be noted that backup technology is evolving as well, and companies will need to maximise whatever solutions are available if they are to best protect their data from ransomware and other similar threats.

Indeed, ransomware is a very serious threat to any organisation, especially in this era of big data. It is thus imperative that organisations of all sizes plan ahead and think about implementing a comprehensive data protection solution that will protect not only the main system but also the backups. With that being said, Cohesity is exactly what your organisation needs to protect itself from today’s dangerous and ever-evolving ransomware.
