Alexander Moiseev, chief business officer for threat intelligence firm Kaspersky, warned of complications in backups, especially for businesses that operate in complex, heterogenous IT environments. (Alexxsun/CC BY-SA 4.0)

One of the best ways for a business to protect itself from ransomware is by having dedicated backups in place for their systems and data. It’s one of many reasons that more than 90 percent of respondents in a 3,000 person survey conducted earlier this year reported that they back up the systems and data they’re responsible for protecting.

But while backups are a great insurance policy, they are not always a panacea. In fact, they’re often the first thing a ransomware actor targets once they gain sufficient access to a network. How a company sets up their IT environment, where they place their backups in relation to the rest of their network and how they communicate with their cloud providers all make a difference in how effectively a business can insulate itself from ransomware.

According to Alexander Moiseev, chief business officer for threat intelligence firm Kaspersky, restoring from backups doesn’t always go smoothly, especially for businesses that operate in complex, heterogenous IT environments. Depending on how often the company backs up its data, a jarring switch to an older version can lead to interoperability issues among different systems and lead to lengthier and costlier periods of downtime during the recovery process. If a business isn’t doing practice runs to test how a recovery plays out in a staged environment, they could be in for an unpleasant surprise when attempting to restore operations following a ransomware attack.

“Experienced IT pros have all probably faced a backup not quite restoring everything, or not restoring everything quite as expected. The process is certainly never as quick as they hope. And sometimes backups don’t work at all,” Moiseev wrote in a blog this month.

Where you choose to place your backup and recovery services within your IT hierarchy also matters. If the same compromise that got threat actors into the network in the first place also provides a doorway to backup and recovery services, they’ll just get encrypted along with everything else. It’s why experts recommend the 3-2-1 approach: creating three versions of your data (one for production, two for backup), on two different kinds of media and at least one copy stored offsite. It’s also why organizations like the UK’s National Cyber Security Centre have updated their ransomware guidance in recent months to emphasize the importance of offline backups.

“We've seen a number of ransomware incidents lately where the victims had backed up their essential data (which is great), but all the backups were online at the time of the incident (not so great). It meant the backups were also encrypted and ransomed together with the rest of the victim's data,” the organization advised in September.

Companies that rely on cloud backups might be particularly vulnerable because it largely removes much of the IT management and oversight that takes place with on-premise data storage. Henry Baltazar, research director for 451 Research, said during a recent virtual panel that many companies who rely on cloud-based backups don’t regularly backup their data and instead leave it up to their cloud provider, something Baltazar called “a dangerous proposition and definitely not the best way of doing things.”

“I think part of the misconception comes into play because when people think ‘Ok I’m going to move this workload to the cloud or use this SaaS workload’ you’re not really thinking about traditional things, like what happens if the hard drive dies, or the server goes down or the network goes down, because those things are being handled by the cloud provider,” he said. “The thing is a lot of other bad things can happen that are not on a hardware level that you won’t be protected from. For example, if somebody does get access to a machine or account and winds up corrupting or deleting data. That’s not a hardware issue.”

Lastly, while a good offline backup can largely defang the threat of data deletion, it’s not much help to an organization if ransomware actors deploy one of their favorite new tactics: threatening to leak your stolen data to the broader public.

“If an intruder decides to leak corporate secrets or users’ personal data, having backups won’t help you,” writes Moiseev. “Furthermore, if you store backups in a place, such as a cloud, that’s relatively easily reached by an insider, they too could provide attackers with the information they need to blackmail you.”