Why backups are less effective in a ransomware attack than they used to be

Organizations have used backups to deal with ransomware attacks: a backup lets them restore their systems and data to a point in time before the attack occurred. This can help the organization continue operating while minimizing the impact of the attack.

The approach to dealing with a ransomware attack given an effective backup and restoration plan used to be:

  1. Identify the scope of the attack: Determine which systems and data were affected by the ransomware.
  2. Isolate the affected systems: Disconnect the affected systems from the network to prevent the ransomware from spreading further.
  3. Restore from backups: Use the organization’s backups to restore the affected systems and data to a point in time before the attack occurred. This may have involved restoring the entire system or just specific files or directories.
  4. Clean up the systems: Once the systems had been restored, it was important to clean up any remaining traces of the ransomware. This may have involved running a malware scanner and removing any remaining malicious files.
  5. Review and update security measures: After the attack had been dealt with, it was important to review the organization’s security measures to identify any weaknesses that may have contributed to the attack. This may have involved updating software and systems, implementing new security protocols, or increasing employee awareness and training.

By following these steps, an organization was able to effectively use their backups to minimize the impact of a ransomware attack and get their systems and operations back up and running as quickly as possible.

Why backups have become less effective

Modern ransomware tactics have made backups a less effective measure in preventing damage in a ransomware attack in several ways:

  1. Double extortion: Some ransomware variants are now using a technique called “double extortion,” where they not only encrypt the data on the infected system, but also steal a copy of the data and threaten to release it publicly unless the victim pays a ransom. In this case, even if the organization has a backup, they may still be forced to pay the ransom to prevent the release of sensitive data.
  2. Encrypting backups: Some ransomware variants are now able to encrypt not only the data on the infected system, but also any connected backups. This means that even if the organization has a recent backup, it may be useless if it has also been encrypted by the ransomware.
  3. Destroying backups: Some ransomware variants are designed to delete or destroy backups as part of the attack, making it impossible for the organization to restore from a backup even if one is available.

Overall, while backups can still be a useful measure for dealing with ransomware attacks, modern ransomware tactics have made them less effective in preventing damage, and organizations need to be prepared to take additional steps to protect themselves.

What can we do?

There are several ways that organizations can adjust to the decreased effectiveness of backups during a ransomware attack:

  1. Implement multiple backup solutions: By implementing multiple backup solutions, such as on-premises backups, cloud backups, and offline backups, organizations can increase the chances that they will have a usable backup available in the event of a ransomware attack.
  2. Regularly test and verify backups: It is important for organizations to regularly test and verify their backups to ensure that they are functioning properly and that the data can be restored in the event of a ransomware attack.
  3. Keep backups offline or in a separate location: By keeping backups offline or in a separate location, organizations can reduce the chances that the backups themselves will be affected by a ransomware attack.
  4. Regularly educate and train employees: Training employees on how to identify and avoid phishing attacks, suspicious emails, and other common vectors for ransomware can help organizations reduce the chances of a successful ransomware attack.

By taking these steps, organizations can increase their resilience to ransomware attacks and minimize the impact of an attack even if backups are less effective.
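
One way to carry out the "regularly test and verify backups" step, as an added example that is not part of the original article: record a SHA-256 manifest at backup time, then check a test restore against it and flag changed files whose byte entropy suggests they were encrypted. The function names, the 7.5 bits-per-byte threshold and the sample files are assumptions made for this illustration.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune for your data

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; well-encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def build_manifest(root: str) -> dict:
    """Relative path -> SHA-256 hex digest, recorded when the backup is taken."""
    base = Path(root)
    return {str(p.relative_to(base)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in base.rglob("*") if p.is_file()}

def verify_restore(manifest: dict, restored_root: str) -> dict:
    """Compare a test restore with the manifest; flag changed files that look encrypted."""
    report = {"ok": [], "missing": [], "modified": [], "high_entropy": []}
    for rel, expected in sorted(manifest.items()):
        path = Path(restored_root, rel)
        if not path.is_file():
            report["missing"].append(rel)
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == expected:
            report["ok"].append(rel)
            continue
        report["modified"].append(rel)
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            report["high_entropy"].append(rel)
    return report

def demo() -> dict:
    """Constructed sample: one file restored intact, one overwritten, one absent."""
    samples = {"ledger.csv": b"id,amount\n1,100\n" * 200,
               "notes.txt": b"quarterly review notes\n" * 200,
               "hr.db": b"employee records " * 200}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name, body in samples.items():
            Path(src, name).write_bytes(body)
        manifest = build_manifest(src)
        Path(dst, "ledger.csv").write_bytes(samples["ledger.csv"])  # restored intact
        Path(dst, "notes.txt").write_bytes(os_random := __import__("os").urandom(8192))  # random bytes stand in for an encrypted copy
        return verify_restore(manifest, dst)  # hr.db was never restored

if __name__ == "__main__":
    print(demo())
```

Store the manifest separately from the backups, for example with the offline copy, so that anything able to alter the backups cannot also rewrite the hashes.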