Backups Are Under Attack

- Attackers are increasingly targeting network backups to remove last-resort recovery options and boost ransom leverage. (x.com)
- Security expert Dennis Ludeña says basic defenses matter: EDR with allowlisting, strict asset and software inventories, and process monitoring. (x.com)
- This tactic shrinks recovery choices for victims and raises the urgency of immutable backups and faster detection.

Criminal hackers are going after backups first, turning the system meant to restore data into another target in ransomware attacks. (cisa.gov) Backups are copies of files and systems kept so a company can recover after an outage or attack.

Microsoft said one ransomware group, Storm-0501, was observed destroying data and backups inside victim environments while carrying out extortion. (microsoft.com) Microsoft said Storm-0501 targeted U.S. government, manufacturing, transportation, and law-enforcement organizations in a multistage campaign that moved from on-premises networks into cloud systems. The company said the group has been active since 2021 and has used several ransomware brands as an affiliate. (microsoft.com)

The pressure point is simple: if the last clean copy is gone, victims have fewer ways to restore operations without paying. CISA's ransomware guide tells organizations to plan for prevention, response, and recovery because ransomware can leave them without the data needed to run critical services. (cisa.gov)

That problem is showing up in recovery data. Sophos said in its 2025 ransomware survey of 3,400 affected organizations across 17 countries that 97% recovered encrypted data by some means, but recovery through backups fell to its lowest level in six years, while 49% paid the ransom to get data back. (sophos.com) Sophos said exploited vulnerabilities were the most common technical root cause, at 32% of attacks, followed by compromised credentials at 23%. Those are the kinds of openings attackers use before they move deeper into a network and reach backup systems. (sophos.com)

Security practitioner Dennis Ludeña said defenders still need basic controls: endpoint detection and response, strict allowlists for trusted software, complete asset inventories, and monitoring for unusual processes. Ludeña describes himself as a cybersecurity team manager and holds a Ph.D. in computer science focused on information security. (dennisludena.info)

CISA's guidance also points organizations toward tested recovery plans, incident-response checklists, and stronger backup practices as part of ransomware preparation. The race is no longer only to stop encryption on employee computers, but to keep recovery systems alive long enough to use them. (cisa.gov)
