Organisations that have backed up their sensitive data may believe they are relatively safe from ransomware attacks; however, this is not the case based on findings from a new study from IT security company Sophos. The report showed that cybercriminals attempted to compromise the backups of 94% of companies hit by ransomware in the past year.

Attackers are aware that those who fall victim to ransomware must choose to either pay the ransom or recover their now-encrypted systems from a backup. To put more pressure on decision-makers to pay up, it is becoming more common for them to target the duplicated data as well as the production data. Indeed, the report showed the victim is almost twice as likely to pay up if their backup is compromised, and recovery from the attack is eight times more expensive.

The Sophos research revealed the extent of the popularity and effectiveness of ransomware groups targeting corporate backups (Figure A).

Figure A

Percentage of ransomware victims that paid the ransom to recover their data from cyber criminals.
Percentage of ransomware victims that paid the ransom to recover their data from cyber criminals. Image: Sophos

SEE: What is ransomware? Read this TechRepublic cheat sheet

How much does it cost to recover from a ransomware attack on the backup?

The Sophos research found that the median ransom demand for organisations whose backups are compromised is $2.3 million (£1.8 million) (Figure B). When the backup is not compromised, the median ransom demand is $1 million (£790k), as the attacker has less leverage.

Figure B

The median ransom demanded by cyber criminals when they have access or don’t have access to their victim’s backups.
The median ransom demanded by cyber criminals when they have access or don’t have access to their victim’s backups. Image: Sophos

“Ransomware-led outages frequently have a considerable impact on day-to-day business transactions while the task of restoring IT systems is often complex and expensive,” Sally Adam, the senior director of marketing at Sophos, wrote in the report.

Companies without compromised backups are also more likely to be able to negotiate the ransom payment down, paying out an average of 82% of the initial demand. Those whose backups are compromised will pay 98% of the demanded sum, on average.

The total cost of a ransomware attack is often more than just the ransom, as it incorporates the recovery of any impacted systems and the losses incurred by any downtime. Companies with compromised backups paid eight times more on the total recovery effort than those whose backups remained untouched.

Furthermore, only 26% of companies with compromised backups were fully recovered within a week, compared to 46% of those without compromised backups. Sophos analysts predicted this is because of the additional work necessary to restore systems from decrypted backup data, and organisations with vulnerable backups are less likely to have a strong recovery plan in place.

Which industries are most at risk of having their backups targeted during ransomware attacks?

State and local governments and the media, leisure and entertainment sectors are the most at risk of having their backups compromised during a ransomware attack; the study found that 99% of the organisations in these industries that were hit by ransomware in the last 12 months had their backups targeted by cybercriminals (Figure C).

Figure C

The percentage of ransomware attacks where adversaries attempted to compromise backups in different industries.
The percentage of ransomware attacks where adversaries attempted to compromise backups in different industries. Image: Sophos

Despite the distribution and transport sector experiencing the lowest rate of attempted backup compromise during a ransomware attack, 82% of organisations were still affected. A September 2023 report from the U.K.’s National Cyber Security Centre and National Crime Agency highlighted that the logistics sector is a particular target for ransomware because it relies heavily on data.

What are the success rates of backup compromise attempts?

The average success rate of backup compromise attempts was 57%, though this varied significantly by sector (Figure D). The energy, oil/gas and utilities sector and the education sector were the easiest targets, with success rates of 79% and 71%, respectively.

Figure D

The success rate of backup compromise attempted in different industries.
The success rate of backup compromise attempted in different industries. Source: Sophos

Sophos analysts suspected that the former may have experienced a larger proportion of sophisticated cyber attacks given that compromising critical national infrastructure can lead to widespread disruption, making it a prime target for ransomware. The NCSC stated that it is “highly likely” the cyber threat to the U.K.’s CNI increased in 2023, in part due to its reliance on legacy technology.

Education facilities tend to harbour a lot of sensitive data about staff and students, which can be valuable to attackers, while having a limited budget for preventative cyber security measures. Their networks are often accessible to a large number of people and devices, and this openness makes them more difficult to protect. According to the U.K. government, 85% of universities in the country identified security breaches or attacks in 2023.

The lowest rate of successful backup compromise was reported by the IT, technology and telecoms sector, with a 30% success rate. Sophos stated that this is likely a result of stronger backup protection by virtue of its expertise and resources.

In addition, the Sophos report found that organisations whose backups were compromised during the ransomware attack were 63% more likely to have their data encrypted by the cyber criminals (Figure E). Sophos analysts speculated that having vulnerable backups is indicative of a weaker overall security posture, so organisations that do have them compromised are more likely to fall victim at other stages of the ransomware attack.

Figure E

Rate of encryption.
The rate cyber attackers encrypted their victim’s data during a ransomware attack. If attackers can access the backup, they are more likely to also apply encryption. Image: Sophos

The rising threat of ransomware

Ransomware is a growing threat all over the world, with the number of enterprises attacked increasing by 27% last year and payouts exceeding $1 billion (£790 million). In January 2024, the U.K.’s National Cyber Security Centre warned that this threat was expected to rise even further due to the new availability of AI technologies, decreasing the barrier to entry.

Ransomware-as-a-service is also becoming more widespread, as it allows amateur cyber criminals to make use of malware developed by another group. The effects of ransomware attacks can go beyond financial, impacting the mental and physical health of staff.

How businesses can defend their backups against ransomware attacks

The reality is that the majority of U.K. businesses are vulnerable to cyberattacks. However, there are measures that can be taken to protect production and backup data from ransomware, especially as the latter typically does not benefit from the same level of protection as the former.

3-2-1 strategy and offline backups

“The 3-2-1 strategy involves keeping three copies of (production) data on two different media types, with one copy stored offsite,” explained Shawn Loveland, the chief operating officer at cyber security company Resecurity, in an email to TechRepublic. Offsite storage could be through cloud services or on a tape or disc.

It is also important to consider an offline backup, according to Sam Kirkman, the EMEA director at IT security services firm NetSPI. He told TechRepublic in an email: “Although these are more challenging to manage and integrate within business operations, offline backups are impervious to hacking since they are disconnected from live systems. This makes offline backups — when implemented correctly — the single strongest defence against ransomware attacks.

“The NCSC recommends specific practices for effective offline backups, such as limiting connections to live systems to only essential periods and ensuring that not all backups are online simultaneously. However, it’s also critical to validate each offline backup before reconnecting it for data updates to prevent potential corruption by attackers.”

Immutable storage and snapshots

Immutable storage refers to a data storage method where, once data is written, it cannot be altered or deleted, protecting it against tampering or ransomware. “Ideally, each backup should be immutable to prevent modification and simply expire when it is no longer relevant,” said Kirkman.

Immutable snapshots — a read-only copy of data taken at a specific point in time — can be taken from immutable storage. Don Foster, the chief customer officer at cloud data management platform provider Panzura, told TechRepublic in an email: “With the ability to restore a pristine data set in the event of a ransomware attack, you can make a full recovery to a specific point in time without losing data.

“Reverting to a previous snapshot takes a fraction of the time to restore from a backup, and it allows you to get precise about which files and folders to revert. The average time it takes for organisations to recover from a ransomware attack and get back to business as usual is 21 days, but it can often take much longer.”

Regular backup testing

“Regular (backup) testing ensures functional and complete backups and various types of restores,” Loveland told TechRepublic.

Practising recovery from backups will also make the process easier if it is ever necessary to do so after a ransomware incident. Kirkman added: “Backup testing is essential to ensure effectiveness in restoring systems post-attack. Testing every backup confirms its capability to facilitate recovery from a ransomware incident.

“However, it is imperative to conduct these tests securely, ensuring that backup environments remain protected from direct attack during recovery attempts. Otherwise, your initial attempts to recover from an attack may enable an attacker to render further recovery impossible.”

Access controls and backup usage policies

Loveland told TechRepublic: “Access controls limit access to backup data and reduce the risk of ransomware spreading to backup systems.” They include setting up user permissions and authentication mechanisms to ensure only authorised individuals and systems can access backup files.

Kirkman added: “Privileged Access Management (PAM) is vital in preventing unauthorised access to online backups, a common initial target for ransomware groups. Effective PAM involves granting time-limited and independently authorised access, where requests must be verified by another person within the organisation through a trusted communication channel. This approach significantly raises the bar for attackers attempting to breach backup environments.”

SEE: 6 Best Open Source IAM Tools in 2024

But it is not enough to just have access controls in place, as the credentials that unlock them could still easily fall into the wrong hands. Foster said: “Closely guard the keys to backend storage — especially when that sits in the cloud. While attacks on file systems and backup files are common, ransomware attacks can include accessing cloud storage using stolen admin credentials.”

Robust policies governing backup usage are also essential to ensuring the access controls’ strength against ransomware attackers. Kirkman said: “A good backup implementation cannot be achieved with technology alone. The practices surrounding backup usage influence both their effectiveness and security, and should be given as much, if not greater, attention than the technology itself.”

Backup encryption and real-time monitoring

Advanced encryption of the backup data and ensuring the backup software is up-to-date and patched are the most fundamental steps businesses can take to protect it from attackers. Monitoring for suspicious activities that might indicate a compromise attempt was also highlighted by the experts TechRepublic spoke to.

Foster told TechRepublic: “Deploy a product with near real-time ransomware detection to minimise data impact and speed up recovery by identifying the earliest signs of suspicious file activity, which often takes place well before the main attack.”

Study methodology

Sophos commissioned the independent research agency Vanson Bourne to survey 2,974 IT/cyber security professionals whose organisations had been hit by ransomware in the last year. Participants were surveyed in early 2024, and their responses are reflective of their experiences in the 12 months prior.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday