Compromised backups send ransomware recovery costs soaring

There's a common misperception that to defeat ransomware attacks, organizations must simply back up their systems and data. Unfortunately, that’s not necessarily the case. Organizations must back up their systems and data, but they must also protect those backups as if their business survivability depended on it, because it likely does.

Consider a report from cybersecurity firm Sophos, published last month, revealing an alarming trend: Ransomware attackers increasingly target and compromise victims' backups. And, in doing so, they are increasingly crippling the victim's ability to recover maliciously encrypted files without having to pay the ransom demand.  

Based on a survey of nearly 3,000 organizations hit by ransomware in the past year, the study found that a staggering 94% of respondents reported attempts by cybercriminals to compromise their backups during the attack. In specific sectors such as state and local government as well as media and entertainment, this figure soared to 99%.

Attackers know that when potential victims can simply recover their systems and data from backups, the attacker loses their leverage. However, by successfully compromising backups, the script is flipped: Victims lose any leverage they may have. And that pushes the cost of a ransomware attack sharply higher. Data from Sophos's survey shows that organizations whose backups were compromised faced the following:

  • 63% higher rate of data encryption: 85% vs. 52% when backups are not compromised
  • More than double the median ransom demand: $2.3 million vs. $1 million when backups remain intact
  • 67% paid the ransom, compared to just 36% when backups were available
  • A median ransom payment of $2 million, nearly double the $1.062 million paid by those with secure backups

Backups are the start

There is good news here: Lots of organizations are backing up their data. That's a great start in the successful recovery from a ransomware attack. The bad news is that not enough organizations are protecting these backups from attack. Sophos found that attackers have very high success rates in some industries. For instance, the success rate of energy utilities' backup compromises reached 79%. However, in IT/technology companies, that figure is "only" 30%.

How often do ransomware attackers try to disrupt or corrupt backup files? According to survey respondents, 94% of those organizations hit by ransomware in the past year reported that cybercriminals try to compromise their backups as part of the attack.

How attackers target backups

There are many ways attackers work to stop a targeted organization from successfully recovering its data from backups.

One of the most common ways attackers try to stop organizations in their recovery efforts is by deleting or corrupting existing backup files, typically those stored locally or on network shares. Often, they will do this by stealing backup administrator credentials, perhaps through a phishing attack.

Attackers may also try to restrict access to backup systems and services, such as disabling the backup software agents that run on infected machines. They will also delete the backup indexes that track backup contents.

Finally, attackers will also try to infect backups with ransomware so that even when backups survive the attack and the targeted organization manages to restore its systems, the ransomware is reintroduced along with the restored data.

Undefended backups send ransomware recovery costs soaring

While the doubling of ransom demands and payments should be motivation enough to defend backups from attack, Sophos found a further reason backups must be secured: The overall cost of recovering from a ransomware attack is far higher when backups are lost. The median total recovery bill came to $3 million for victims whose backups were compromised, a staggering eight times the $375,000 for those able to restore from backups.

Also, only 26% of organizations with compromised backups could fully recover within a week, compared to 46% of those with intact backups. The prolonged downtime and recovery efforts drive up costs substantially.

The report's findings underscore the critical importance of securing backup systems against compromise by adversaries. Sophos strongly recommends measures like multi-factor authentication, monitoring for suspicious activity, and regularly practicing recovery from backups.

"If your backups are accessible online, you should assume that adversaries will find them," warns the report. It highlights how managed detection and response and extended detection and response services can help defend backups and neutralize ransomware attacks.
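One way to act on the report's advice (monitor backups for suspicious activity, and assume online copies will be found) is an integrity check that detects the deletions and in-place corruption described above before a restore is attempted. The example below is added here and is not from the Sophos report or any backup product; the file names, the sample contents and the HMAC key (which in practice would be kept off the backup host so a tampered manifest cannot be re-signed) are all constructed.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(backup_dir, key):
    """Hash every backup file and sign the manifest with an HMAC key kept off the backup host."""
    entries = {str(p.relative_to(backup_dir)): sha256_file(p)
               for p in sorted(Path(backup_dir).rglob("*")) if p.is_file()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}

def verify_backup(backup_dir, manifest, key):
    """Report deleted or altered backup files; a forged manifest is reported first."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return {"manifest_tampered": True, "missing": [], "corrupted": []}
    missing, corrupted = [], []
    for rel, digest in manifest["entries"].items():
        p = Path(backup_dir) / rel
        if not p.is_file():
            missing.append(rel)        # file deleted, e.g. a removed backup index
        elif sha256_file(p) != digest:
            corrupted.append(rel)      # contents changed, e.g. encrypted in place
    return {"manifest_tampered": False, "missing": missing, "corrupted": corrupted}

def demo():
    """Constructed sample backup set; returns the verdict before and after simulated damage."""
    key = b"example-key-stored-off-the-backup-host"   # placeholder, not a real secret
    d = Path(tempfile.mkdtemp())
    (d / "db-2024-05-01.dump").write_bytes(b"constructed database dump")
    (d / "files-2024-05-01.tar").write_bytes(b"constructed file archive")
    (d / "catalog.idx").write_bytes(b"constructed backup index")
    manifest = build_manifest(d, key)
    before = verify_backup(d, manifest, key)
    (d / "catalog.idx").unlink()                               # index deleted
    (d / "db-2024-05-01.dump").write_bytes(b"overwritten")     # backup corrupted in place
    after = verify_backup(d, manifest, key)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Running the check from a host that is not reachable with the backup administrator credentials, and alerting on any non-empty result, turns the report's "monitor for suspicious activity" into a concrete control.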

As ransomware attacks continue escalating, investing in backup protection is essential to minimize the devastating impacts when cybercriminals inevitably strike. Organizations can no longer afford to neglect this critical defense.

George V. Hulme

An award winning writer and journalist, for more than 20 years George Hulme has written about business, technology, and IT security topics. He currently freelances for a wide range of publications, and is security blogger at InformationWeek.com. From
