
Ransomware Gangs Targeting Backups To Maximize Payoffs


Data backups have become a must-hit target for ransomware actors, according to a report released by a cybersecurity company.

The research, sponsored by Sophos and based on a survey of nearly 3,000 IT and security professionals across 14 countries, found that 94% of organizations hit by ransomware in the past year said that the threat actors attempted to compromise their backups during the attack.

For organizations in the government, media, leisure and entertainment sectors, the numbers were even higher: 99%.

The report explained that there are two main ways to recover encrypted data in a ransomware attack: restoring from backups and paying the ransom.

“Compromising an organization’s backups enables ransomware actors to restrict their victim’s ability to recover encrypted data and, in doing so, dials up the pressure to pay,” the researchers wrote.

“It’s become a common part of the script these guys go through in their attacks,” said Curtis Fechner, the threat cyber leader at Optiv, a cybersecurity solutions provider headquartered in Denver.

“They always try to find where the backups are and make them inaccessible,” he told TechNewsWorld. “Part of their calculus for getting paid is finding the backups because they want to maximize the amount of revenue they can get from an attack.”

“If I’ve taken your backups offline and as a means to recover, I’ve made you more likely to pay, but I can also squeeze you more because I know you’re desperate. I know you’re in a bind,” Fechner added.

Evolving Menace

When enterprise ransomware began about 10 years ago, it wasn’t too sophisticated, explained Ilia Sotnikov, a security strategist and the vice president of user experience at Netwrix, an IT security software company headquartered in Frisco, Texas.

“The ransomware malware exploited insecure configurations or system vulnerabilities to propagate rapidly across the environment and encrypted all the data this malware managed to access. As a result, the victim was extorted to pay the ransom for a decryption key to restore their operations,” he told TechNewsWorld.

“The cybersecurity industry responded to this threat with a multi-layered security approach based on better protection and detection capabilities, as well as established backup and recovery discipline,” he said. “As a result, organizations deflected most of the attacks, minimized the number of successful ones, and learned how to effectively recover systems and operations without paying a ransom.”

In turn, he continued, the ransomware strategy evolved to increase the chance of success by looking for new ways to counter the security measures. Malware became more evasive. The criminals started to spend more time in the reconnaissance stage to identify and target the most sensitive data. Gangs like Maze and LockBit started to exfiltrate the company data and added the threat of a public data leak on top of the encryption — a scheme known as double extortion.

“Since then,” he added, “ransomware attackers have also started to target the backups to make recovery impossible or excessively costly, forcing the victims to pay the ransom.”

Backups Down, Ransom Up

Sophos reported that victims whose backups were compromised received ransom demands that were, on average, more than double that of those whose backups weren’t impacted. Median ransom demands for victims with compromised backups were US$2.3 million, compared to $1 million for victims with uncompromised backups.

“Backups provide a safety net for organizations. However, if that backup is compromised and the organization suffers a cyberattack, it may be more desperate to recover access to their networks and data,” said Darren Guccione, CEO of Keeper Security, a password management and online storage company in Chicago.

“Attackers realize that by removing access to a backup, organizations are left more vulnerable and with few options except to meet exorbitant ransom demands to get their data back,” he told TechNewsWorld.

The Sophos research supports the view that organizations with compromised backups have little room to negotiate with ransomware actors. It found that those with compromised backups paid an average of 98% of the ransom demanded, compared to 82% for those whose backups were not compromised.

The report also noted that organizations whose backups were compromised were almost twice as likely to pay the ransom to recover encrypted data (67%) as those whose backups were not impacted (36%).

Higher Price of Recovery

Not only do victims with compromised backups pay higher ransoms, but they also pay more to recover from an attack.

The median overall ransomware recovery costs for organizations whose backups were compromised came in eight times higher ($3 million) than those whose backups were not impacted ($375,000).

Guccione explained that recovery costs for organizations that fall victim to ransomware attacks include loss of revenue due to operational disruption and damage to brand reputation, immediate and long-term recovery efforts, the cost of the ransom payment itself, as well as the possibility of fines and other potential legal liabilities.

“When the ransomware attack also includes backups, the restoration process is significantly prolonged, as organizations must rebuild their systems, data, and other critical configurations,” he said. “If the breach includes a loss of sensitive data, particularly if it involves Personal Identifiable Information, or falls under data protection regulations, such as GDPR or HIPAA, organizations can incur additional legal and regulatory expenses.”

According to the Sophos report, recovery times from ransomware attacks are also longer for organizations with compromised backups. Only 26% of those with compromised backups recovered within a week of an attack, compared to 46% of those without compromised backups.

Offline Backups: Security vs. Cost

There are likely multiple reasons behind the discrepancy in restoration times between organizations with compromised and uncompromised backups, the report noted, not the least being the additional work typically needed to restore from decrypted data rather than well-prepared backups. It may also be that weaker backup protection is indicative of less robust defenses and greater resulting rebuilding work needed, it added.

“Backups typically don’t have the same level of security controls as production systems,” said Narayana Pappu, CEO of Zendata, a San Francisco-based data collection, management, and sharing company.

“Implementing similar logging, security and access controls, and testing on backup systems would help a lot,” he told TechNewsWorld. “On top of that, having multiple copies of backups in multiple places — both in the cloud and offline — with a disaster recovery plan would reduce downtimes.”

While offline backups are a good way to foil threats to backups, they can be expensive, pointed out Fechner. “If you have backups that are offline and not accessible to an attacker, then you’ve got something to backup from,” he said. “But since many organizations can’t afford that, especially when so many victims are in the small to medium business category, attacking backups is still fruitful for attackers.”
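The logging and access-control parity Pappu calls for only pays off if someone watches the backup system's own audit trail for the "find the backups and make them inaccessible" step the report describes. The following Python script is an added example (not from the article, Sophos, or any backup vendor): it scores destructive backup operations per actor inside a short time window over constructed audit lines in an assumed `key=value` format, so a burst that strips recovery options stands out from routine retention housekeeping.

```python
"""Flag backup-tampering bursts in a backup server's audit log.

Added example, not the article's or any vendor's code. The log format
(ts=... actor=... op=... target=...) and the operation weights are
assumptions for illustration, not a published detection rule.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that reduce the ability to restore; weights are an assumption.
DESTRUCTIVE_OPS = {
    "immutability_disabled": 5,
    "repository_deleted": 5,
    "restore_point_deleted": 3,
    "retention_shortened": 3,
    "backup_job_disabled": 2,
}
WINDOW = timedelta(minutes=15)   # sliding window per actor
ALERT_THRESHOLD = 5              # a single immutability/repo removal alerts

def parse_line(line):
    """Parse 'ts=... actor=... op=... target=...' into a dict; ts becomes datetime."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields

def find_tampering(lines):
    """Return {actor: peak_score} for actors whose destructive operations
    within any WINDOW-long span reach ALERT_THRESHOLD."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_actor = defaultdict(list)
    for e in events:
        if e["op"] in DESTRUCTIVE_OPS:
            by_actor[e["actor"]].append(e)
    alerts = {}
    for actor, evs in by_actor.items():
        best = score = start = 0
        for i, e in enumerate(evs):
            score += DESTRUCTIVE_OPS[e["op"]]
            while e["ts"] - evs[start]["ts"] > WINDOW:   # drop events outside the window
                score -= DESTRUCTIVE_OPS[evs[start]["op"]]
                start += 1
            best = max(best, score)
        if best >= ALERT_THRESHOLD:
            alerts[actor] = best
    return alerts

# Constructed sample: one routine retention tweak vs. a burst that removes recovery options.
SAMPLE_LOG = """\
ts=2024-05-01T02:00:10 actor=backup-svc op=backup_job_completed target=fileserver01
ts=2024-05-01T02:05:00 actor=jdoe op=retention_shortened target=fileserver01
ts=2024-05-01T03:10:00 actor=jdoe op=backup_job_completed target=db01
ts=2024-05-01T03:12:30 actor=svc-deploy op=immutability_disabled target=repo-main
ts=2024-05-01T03:13:05 actor=svc-deploy op=restore_point_deleted target=repo-main
ts=2024-05-01T03:14:40 actor=svc-deploy op=repository_deleted target=repo-offsite
""".splitlines()

if __name__ == "__main__":
    for actor, score in find_tampering(SAMPLE_LOG).items():
        print(f"ALERT: {actor} destructive backup activity, score={score}")
```

Only the account that disabled immutability and deleted a repository within minutes is flagged; the single retention change by `jdoe` stays below the threshold.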

Editor’s Note: The Sophos report is available in PDF format. No form fill is required.

John P. Mello Jr.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.
