Why Ransomware Succeeds Even When Backups Exist – Veri Sızıntısı

Why Ransomware Attacks Succeed Despite Backups

Many companies believe their backups will protect them from ransomware attacks, but this is a major misconception. According to a report from cybersecurity firm Acronis, attackers are now directly targeting and destroying backup systems before encrypting data, eliminating the option to recover.


Background and Significance of the Issue

In the world of cybersecurity, one of the most fundamental defense mechanisms against ransomware attacks has always been considered to be regular and reliable data backups. The logic is simple: if an attacker encrypts your systems, you can resume operations by restoring from your last clean backup instead of paying the ransom. However, a new report published by BleepingComputer, based on analysis from the cybersecurity firm Acronis, reveals that this traditional mindset is no longer sufficient. According to the report, modern ransomware groups are aware of this line of defense and have evolved their attack strategies accordingly. The first step of an attack is no longer to encrypt data, but to find and completely destroy the company's lifeline: its backup systems.

The Technical Dimension and Stages of the Attack

The targeting of backup systems by attackers is part of a multi-stage, carefully planned operation. This process begins long before the ransomware itself is activated on the network. Here is the typical anatomy of these attacks:

  • Network Infiltration and Reconnaissance: Attackers gain initial access to the target network, typically through phishing emails, exposed or vulnerable Remote Desktop Protocol (RDP) services, or stolen credentials. Once inside, they do not immediately begin encrypting. Instead, they enter a "reconnaissance" phase that can last for weeks or even months, during which they map the network and identify critical servers, databases and, most importantly, the backup infrastructure.
  • Identification of Backup Infrastructure: Attackers search for the management consoles of popular backup software such as Veeam, Commvault, Acronis, or Windows Server Backup. They identify backup servers, storage units (NAS/SAN), and cloud backup accounts on the network. They focus on compromising the administrative credentials required to access these systems.
  • Destruction of Backups: Once they have the necessary access, the attackers systematically eliminate all recovery points. This can be accomplished through several different methods:
    • Deletion of Local Backups: They connect to the backup server and delete all existing backup sets and their catalogs.
    • Destruction of Snapshots: They disable operating system-level snapshot mechanisms like Windows' Volume Shadow Copy Service (VSS) and delete all existing shadow copies. This prevents the system's self-recovery capabilities.
    • Targeting Cloud Backups: If the company uses cloud-based backups, the attackers use the compromised credentials to log into the cloud account and permanently delete all backup data stored there.
  • Deployment of Ransomware: After all backups and recovery options have been eliminated, the attackers take the final step and deploy the ransomware to all critical systems on the network, encrypting the data. At this point, the victim company is cornered. They have no backup to restore from and begin to feel they have no option other than to pay the ransom.
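The "Destruction of Snapshots" and "Deletion of Local Backups" steps leave a trail in process-creation telemetry, because shadow copies and backup catalogs are usually removed with built-in administrative tools. The following detection script is an added example, not code from the article or from Acronis; it parses constructed Sysmon-style process-creation lines (the `ts host= user= image= cmdline=` layout is an assumption of this example), flags command lines that delete Volume Shadow Copies or the Windows Server Backup catalog, and rates a host "critical" when more than one distinct indicator appears on it.

```python
"""Detect backup-destruction indicators in process-creation logs.

Added example (not from the original article or the Acronis report):
matches command lines that remove VSS shadow copies or the Windows Server
Backup catalog, the actions described in the attack anatomy above, and
correlates hits per host so that a full sequence is escalated.
"""
import re
from dataclasses import dataclass

# Rule name plus a regex applied to the lower-cased command line.
RULES = [
    ("vss_delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows")),
    ("wmic_shadow_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete")),
    ("wbadmin_catalog_delete", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog")),
]

# Constructed log layout assumed by this example (one event per line).
LOG_FORMAT = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>[^"]*)"$'
)


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    rule: str
    cmdline: str


def parse_line(line):
    """Return the event fields as a dict, or None for lines that do not fit the layout."""
    m = LOG_FORMAT.match(line.strip())
    return m.groupdict() if m else None


def detect(lines):
    """Run every rule over every parsable event; one Alert per (event, rule) hit."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        cmd = ev["cmdline"].lower()
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append(Alert(ev["ts"], ev["host"], ev["user"], name, ev["cmdline"]))
    return alerts


def severity_by_host(alerts):
    """A host showing several distinct indicators is rated critical, a single one high."""
    rules_per_host = {}
    for a in alerts:
        rules_per_host.setdefault(a.host, set()).add(a.rule)
    return {h: ("critical" if len(r) > 1 else "high") for h, r in rules_per_host.items()}


# Constructed sample events: a legitimate scheduled backup on FS01, then a
# shadow-copy and catalog wipe on the same host, a harmless listing on WS22,
# one isolated deletion on WS07, and a malformed line that must be skipped.
SAMPLE_LOG = [
    r'2024-05-01T01:58:02Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\wbadmin.exe cmdline="wbadmin start backup -backupTarget:E: -include:C: -quiet"',
    r'2024-05-01T02:13:44Z host=FS01 user=CORP\admin image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    r'2024-05-01T02:13:51Z host=FS01 user=CORP\admin image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic shadowcopy delete"',
    r'2024-05-01T02:14:10Z host=FS01 user=CORP\admin image=C:\Windows\System32\wbadmin.exe cmdline="wbadmin delete catalog -quiet"',
    r'2024-05-01T03:02:11Z host=WS22 user=CORP\jdoe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"',
    r'2024-05-01T03:40:00Z host=WS07 user=CORP\svc_deploy image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin delete shadows /for=C: /oldest"',
    "this line is not a process-creation event",
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.host} {a.user} [{a.rule}] {a.cmdline}")
    print(severity_by_host(found))
```

On the sample input, FS01 produces three different indicators within a minute and is rated critical, while WS07 raises a single high alert; the listing command on WS22 and the scheduled backup job are not flagged. In a real deployment the same rules would run over Sysmon Event ID 1 or Windows Security Event ID 4688 data, and the per-host correlation is what separates a routine cleanup of old snapshots from the pre-encryption sequence the article describes.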

Why Are Backup Systems So Vulnerable?

The Acronis report highlights that many companies have serious deficiencies in protecting their backup infrastructure. The fact that backup systems are often on the same network and managed with the same administrative credentials as the main production environment makes the attackers' job easier. Once an attacker infiltrates the network and gains administrative rights, they can easily access both live systems and backups. Furthermore, the failure to regularly test backups can lead to the late realization that they are unrecoverable in a disaster. In such cases, using a Data Breach Search service to check what personal data may have been exfiltrated before or during the ransomware attack can be a crucial step in damage assessment.


Defense Strategies for Organizations and Individuals

To protect against these new-generation threats, it is necessary to go beyond the traditional concept of backup. Here are the critical measures that organizations and technical staff should take:

  • Implement the 3-2-1 Rule: Always keep three copies of your data, on two different types of media, with one copy stored off-site. This prevents a single point of failure from destroying all your data.
  • Immutable Backups: Use backup solutions that create backups that cannot be deleted or altered for a defined retention period. Even if an attacker compromises the admin account, they cannot destroy these backups before the period expires.
  • Air-Gapped Backups: Keep one copy of your backups on a medium that is not physically connected to the network (e.g., external drives, tape cartridges). An attacker who only has network access cannot reach a copy that is offline.
  • Privileged Access Management (PAM): Ensure that the accounts used to manage backup systems are different and much more restricted than the main network administrator accounts. Multi-factor authentication (MFA) must be mandatory for these accounts.
  • Zero Trust Architecture: Do not trust any user or device on your network by default. Do not approve any access request without verifying who it is and what it is trying to access. This makes it harder for attackers to move laterally within the network.
  • Regular Testing and Drills: Ensure your backups are restorable by testing them regularly. Conduct disaster recovery drills to ensure your team knows what to do in a crisis.
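The "Immutable Backups" and "Regular Testing and Drills" items describe two controls that can be exercised end to end in code: a backup target that refuses deletion until a retention lock expires, and an automated restore test that compares every restored file against a hash manifest written at backup time. The store below is an added example with an assumed design, not the article's code and not the API of any backup product named on the page; it writes tar archives plus a JSON manifest, enforces the lock inside `delete`, and reports missing or corrupt files from a scratch-directory restore.

```python
"""Retention-locked backup store with automated restore verification.

Added example (not from the original article or any named backup product).
Demonstrates the two controls listed above: an immutable (WORM-style)
retention lock that blocks deletion even with full administrative access,
and a restore test that verifies SHA-256 hashes recorded at backup time.
"""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path

LOCK_30_DAYS = 30 * 24 * 3600


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


class ImmutableBackupStore:
    """Backup target with a per-set retention lock and a hash manifest (assumed design)."""

    def __init__(self, root, lock_seconds=LOCK_30_DAYS):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.lock_seconds = lock_seconds

    def _paths(self, name):
        return self.root / f"{name}.tar", self.root / f"{name}.manifest.json"

    def backup(self, source, name, now=None):
        """Archive every file under source and record its SHA-256 in the manifest."""
        now = time.time() if now is None else now
        source = Path(source)
        archive, manifest_path = self._paths(name)
        manifest = {"created": now, "lock_until": now + self.lock_seconds, "files": {}}
        with tarfile.open(archive, "w") as tar:
            for p in sorted(source.rglob("*")):
                if p.is_file():
                    rel = p.relative_to(source).as_posix()
                    manifest["files"][rel] = sha256_file(p)
                    tar.add(p, arcname=rel)
        manifest_path.write_text(json.dumps(manifest, indent=1))
        return manifest

    def delete(self, name, now=None):
        """Refuse deletion while the retention lock is active, regardless of caller privilege."""
        now = time.time() if now is None else now
        archive, manifest_path = self._paths(name)
        manifest = json.loads(manifest_path.read_text())
        if now < manifest["lock_until"]:
            raise PermissionError(f"{name} is retention-locked until {manifest['lock_until']:.0f}")
        archive.unlink()
        manifest_path.unlink()

    def verify_restore(self, name):
        """Restore into a scratch directory and check every file against the manifest."""
        archive, manifest_path = self._paths(name)
        manifest = json.loads(manifest_path.read_text())
        # Use the safe extraction filter where this Python version provides it.
        extract_kw = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        missing, corrupt = [], []
        with tempfile.TemporaryDirectory() as tmp:
            with tarfile.open(archive) as tar:
                tar.extractall(tmp, **extract_kw)
            for rel, expected in manifest["files"].items():
                restored = Path(tmp) / rel
                if not restored.is_file():
                    missing.append(rel)
                elif sha256_file(restored) != expected:
                    corrupt.append(rel)
        return {"ok": not missing and not corrupt, "files": len(manifest["files"]),
                "missing": missing, "corrupt": corrupt}


def demo(lock_seconds=LOCK_30_DAYS):
    """Back up constructed sample data, test the restore, and try an early deletion."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "prod"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'sample');\n")
        (src / "config.ini").write_text("[app]\nmode=production\n")
        store = ImmutableBackupStore(Path(work) / "backup-target", lock_seconds)
        t0 = 1_700_000_000  # fixed clock so the lock check is deterministic
        manifest = store.backup(src, "prod-full", now=t0)
        report = store.verify_restore("prod-full")
        try:
            store.delete("prod-full", now=t0 + 60)  # deletion attempt inside the lock window
            early_delete_blocked = False
        except PermissionError:
            early_delete_blocked = True
        store.delete("prod-full", now=manifest["lock_until"] + 1)  # normal retention expiry
        return {"verified": report["ok"], "files": report["files"],
                "early_delete_blocked": early_delete_blocked,
                "purged_after_expiry": not (store.root / "prod-full.tar").exists()}


def tamper_demo():
    """Show that a silently altered archive fails the restore test."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "s"
        src.mkdir()
        (src / "a.txt").write_text("good")
        store = ImmutableBackupStore(Path(work) / "t", lock_seconds=10)
        store.backup(src, "b", now=0)
        (src / "a.txt").write_text("bad")
        with tarfile.open(store.root / "b.tar", "w") as tar:  # rewrite archive, keep manifest
            tar.add(src / "a.txt", arcname="a.txt")
        return store.verify_restore("b")


if __name__ == "__main__":
    print(demo())
    print(tamper_demo())
```

The lock is enforced by the store itself rather than by the caller's permissions, which is the property that matters in the scenario above: an attacker holding the backup administrator's credentials can issue the delete request, but the target declines it until the retention period has passed. The restore check is the "regular testing" item turned into a scheduled job; running it after every backup cycle catches truncated or corrupted sets long before a real incident, when discovering them would be too late.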

In conclusion, backups are still the cornerstone of cyber resilience, but they are no longer sufficient on their own. The backup infrastructure itself must be treated as one of the company's most valuable assets and be protected as rigorously as the production systems. As attackers' tactics evolve, so too must our defense strategies. Thinking of backups not just as an insurance policy, but as a fortress to be actively defended, is vital in today's threat landscape.

Source

https://www.bleepingcomputer.com/news/security/why-ransomware-attacks-succeed-even-when-backups-exist/
