
Why ransomware attackers target backups—and how to ensure your data is protected

Jan. 28, 2025
What if the bad guys manage to destroy, damage, or encrypt your backup data in addition to your production data? In that case, you're pretty much out of luck.

At first glance, the fundamentals of ransomware protection may seem simple enough: You back up your data, then use the backups to recover just in case attackers compromise your IT systems and hold your data for ransom. But a critical risk still exists: Attackers target backups themselves.

IDC reports that 51% of ransomware attacks in 2023 attempted to destroy backups, and that 60% of those attempts succeeded. Data points like these underscore the importance of protecting backups, not just production systems, if you want to minimize the risk of falling victim to ransomware. Here's another: manufacturers were the target of ransomware attacks 70% of the time in 2023.

Production data vs. backup data in ransomware attacks

Historically, ransomware focused on encrypting "live" production data like databases and email servers to disrupt business.

But in addition to production data, businesses typically also possess data backups: point-in-time copies of production data that can be used to restore systems if the original data is compromised. Backup data is typically not identical to production data, because production data keeps changing after the backup is taken.


But if you create backups frequently enough (and by "frequently enough," we mean at an interval that satisfies your organization's recovery point objective, or RPO), the difference between backup data and production data will not be large enough to prevent a successful recovery from backups.

As long as you can access your backups, and they are recent enough to restore systems to an operational state, you'll be able to recover from a ransomware attack without the need to pay a ransom.

Why threat actors target backups

But what if the bad guys manage to destroy, damage or encrypt your backup data in addition to your production data? In that case, you're pretty much out of luck—you either have to fork over cash to the attackers and hope they actually give you a decryption key (which they don't in 35% of cases), or accept that your data is gone forever.


Unfortunately, ransomware attackers aren't dumb. They realize that compromising backups places much more pressure on organizations to pay ransoms—the only thing attackers really care about.

How vulnerable are your backups?

Backups' vulnerability depends on factors like:

  • Whether they share the same IT environment or infrastructure as production data
  • How easily they are identifiable (e.g., labeled "backup")
  • The security of backup tools and infrastructure and whether security controls like multifactor authentication (MFA) are in place
  • Employee awareness of social engineering attacks

How are backups targeted?

The means that attackers use to compromise backup data vary, but common techniques include:

  • Stolen admin credentials for direct access to delete backups
  • Social engineering tactics like phishing to trick employees into deleting backup data
  • Exploiting vulnerabilities in backup tools, storage infrastructure or operating systems

The list could go on; indeed, there is no end to the ways in which clever attackers could potentially breach backup data.

Best practices for protecting backups from ransomware

To minimize the risk of having your backups compromised, consider the following best practices as part of your overall ransomware protection strategy.

  1. Perform a backup risk assessment: Assess the level of risk that your backups face to identify attack paths or techniques that threat actors might use.
  2. Eliminate unnecessary risks: Determine which risks you can mitigate within your capabilities. Understand that eliminating all risks may not be feasible due to budget or other constraints.
  3. Air-gap backups: Air-gapping involves disconnecting backup data from the network to substantially reduce the risk of network-based attacks. This can slow down data restoration, so measure how long a restore from the air-gapped copy actually takes, and choose tooling that lets you restore from it quickly rather than treating it as a last resort you have never exercised.
  4. Encrypt backups: Encrypting backups protects their confidentiality. File contents are unreadable to anyone who does not have the decryption key, so a stolen backup cannot be mined for data or used for extortion. Encryption does not, on its own, stop an attacker from deleting or overwriting an encrypted backup, so pair it with the immutability and access controls below, and keep the keys outside the environment that holds the backups.
  5. Create multiple copies of backups: Create multiple copies and store each set in a different location. This ensures recovery capability even if one set is compromised. A challenge here, of course, is that your backup storage costs will typically increase. However, cost-saving practices like keeping only the latest backup data in a cold storage tier are easy to apply with long-term retention automation tools.
  6. Store backups across clouds and across accounts: To increase backup reliability even further, spread backups across multiple accounts and clouds, with separate credentials for each. Your backups remain available even if attackers take over the account that manages your production environment, or if one cloud environment is compromised.
  7. Create immutable backups: Immutable backups are backup data that cannot be modified or deleted for a defined retention period, even by an administrator (most cloud object stores offer this as an object-lock or WORM setting). This both stops attackers from encrypting or deleting backups and protects against the risk that your own employees might accidentally change them.
  8. Use read-only storage: Most storage systems make it possible to store data in read-only mode where the data can be viewed, but not modified. Read-only storage isn't a hard guarantee against compromised backups because attackers could potentially find ways to remount the backups in read-write mode. But it does make it that much harder for them to damage backup data.
  9. Restrict backup access: The fewer users and services who have permission to access backups, the lower the risk that attackers can use a technique like stolen account credentials to destroy the backups. Follow the principle of least privilege—only users and services (like backup tools) that have a specific reason to be able to read and/or write to backup storage should be able to do so.
  10. Perform regularly scheduled recovery tests: Recovery drills and tests will help you verify backup integrity, identify potential compromises and ensure all network settings are recovered for a healthy failover state. Choose third-party tools that not only automate this process but produce audit logs for compliance controls.
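The integrity check in step 10 and the RPO test described earlier can be automated offline. The script below is an added example, not code from the article or from N2WS: it hashes every file in a backup set into a manifest, signs the manifest with an HMAC key that is assumed to live outside the backup environment (a separate account or KMS, never on the backup share), and then checks a backup set for files that were encrypted in place, renamed, or added, and for a backup older than the RPO. The directory layout, file names, timestamps and key are all constructed for the demo.

```python
"""Offline backup integrity and recency check (added example; constructed data)."""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _signing_payload(body: dict) -> bytes:
    # Canonical JSON so signer and verifier hash exactly the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_dir: Path, key: bytes, created: float) -> dict:
    """Hash every file under backup_dir and sign the result with `key`."""
    files = {
        str(p.relative_to(backup_dir)): _sha256_file(p)
        for p in sorted(backup_dir.rglob("*")) if p.is_file()
    }
    body = {"created": created, "files": files}
    mac = hmac.new(key, _signing_payload(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def verify_backup(backup_dir: Path, manifest: dict, key: bytes,
                  rpo_seconds: float, now: float) -> dict:
    """Return {"ok": bool, "problems": [...]} for one backup set."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(key, _signing_payload(body), hashlib.sha256).hexdigest()
    # An attacker who can edit the manifest but lacks the key cannot forge this.
    if not hmac.compare_digest(expected, manifest.get("mac", "")):
        return {"ok": False, "problems": ["manifest signature invalid"]}

    problems = []
    age = now - manifest["created"]
    if age > rpo_seconds:
        problems.append(f"backup is {age:.0f}s old, exceeds RPO of {rpo_seconds:.0f}s")
    for rel, digest in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")          # deleted or renamed (e.g. ransom extension)
        elif _sha256_file(p) != digest:
            problems.append(f"modified: {rel}")         # encrypted or truncated in place
    on_disk = {str(p.relative_to(backup_dir)) for p in backup_dir.rglob("*") if p.is_file()}
    for rel in sorted(on_disk - set(manifest["files"])):
        problems.append(f"unexpected file: {rel}")      # ransom notes, .locked copies, etc.
    return {"ok": not problems, "problems": problems}


def demo() -> tuple:
    """Verify a clean set, then re-verify after a simulated ransomware hit and a forged manifest."""
    key = os.urandom(32)  # assumption: held in a separate account/KMS, not beside the backups
    rpo = 24 * 3600
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup-2025-01-28"
        backup.mkdir()
        (backup / "db.dump").write_bytes(b"constructed database dump\n" * 100)
        (backup / "config.tar").write_bytes(b"constructed config archive\n" * 10)
        t0 = 1_700_000_000.0
        manifest = build_manifest(backup, key, created=t0)
        clean = verify_backup(backup, manifest, key, rpo, now=t0 + 3600)

        # Simulated ransomware on the backup share: one file encrypted in place,
        # one renamed with a ransom extension, and the check run two days later.
        (backup / "db.dump").write_bytes(os.urandom(256))
        (backup / "config.tar").rename(backup / "config.tar.locked")
        hit = verify_backup(backup, manifest, key, rpo, now=t0 + 48 * 3600)

        # Attacker rewrites the manifest hash to match the encrypted file but has no key.
        forged = dict(manifest, files={**manifest["files"],
                                       "db.dump": _sha256_file(backup / "db.dump")})
        forged_result = verify_backup(backup, forged, key, rpo, now=t0 + 3600)
    return clean, hit, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "after attack", "forged manifest"), demo()):
        print(label, json.dumps(result))
```

Run it from a scheduled recovery drill against a copy that was restored from the immutable tier, not against the live backup share: a manifest that verifies on the restored copy is evidence that the chain from backup to restore is intact, and the HMAC key should be rotated on the same schedule as other credentials that can reach backup storage.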

By implementing these practices, you can significantly enhance the protection of your backups against ransomware attacks and greatly improve your overall data recovery strategy.

About the Author

Sebastian Straub

Sebastian Straub is principal solutions architect for N2WS and has more than two decades of experience in enterprise technology, data protection, and cybersecurity. He has also held roles at Dell, Oracle, the FBI, and the Defense Department. He is an expert in enterprise security, backup and DR, and identity management solutions.