Backups now a target

- Threat actors are increasingly targeting network backups as a deliberate tactic to amplify destruction and ransom impact. (x.com)
- Cybersecurity expert Dennis Ludena recommends EDR with whitelisting, asset/software management, and unauthorized process monitoring. (x.com)
- Organizations are being told to validate backup isolation, immutable copies, and restore testing to reduce attacker leverage. (x.com)

Attackers are going after backups as well as production systems, to make recovery harder and raise the odds that victims will pay. (cisa.gov) A backup is the copy an organization keeps so it can rebuild after files are deleted, encrypted, or corrupted. Microsoft says ransomware crews now work to neutralize backup software and Windows features such as Volume Shadow Copy before the victim can recover, and its ransomware guidance describes attacks on backups as an attempt to cripple an organization's ability to respond without paying, often hitting recovery documentation too. (microsoft.com) CISA, the Federal Bureau of Investigation, the National Security Agency, and the Multi-State Information Sharing and Analysis Center all include backup protection in their joint ransomware playbook. (cisa.gov)

That changes the old assumption that "having backups" is enough. CISA's guide tells organizations to maintain offline, encrypted backups of critical data, test them regularly, and keep them separate from source systems. (cisa.gov) Security vendors have been quantifying the pressure on backup systems for several years: Veeam said in its 2023 ransomware trends research that 93% of the attacks it studied targeted backup repositories to force ransom payment. (veeam.com)

The defensive answer starts with isolation: keep at least one copy where an intruder on the main network cannot easily alter or delete it. Microsoft's Azure guidance says backups should be inaccessible to a malicious attacker, and its backup service recommends soft delete and multi-user authorization for critical changes. (microsoft.com 1) (microsoft.com 2) A second layer is immutability: a backup that cannot be changed or deleted for a set retention period, even by an administrator. Veeam and Microsoft both describe immutable or air-gapped copies as a way to keep recovery data untouched if ransomware reaches the environment. (veeam.com) (microsoft.com)

Detection matters too, because attackers often use ordinary administrative tools before they touch the backups. Dennis Ludena said organizations should pair endpoint detection and response with whitelisting, asset and software management, and monitoring for unauthorized processes. (x.com)

Restore testing is the step many organizations skip. CISA says backups should be tested regularly, and Microsoft says recovery plans should assume attackers will try to damage both the data and the tools needed to bring systems back online. (cisa.gov) (microsoft.com) The practical question is no longer whether a company has backups. It is whether those backups are isolated, immutable, monitored, and proven to restore after an attacker has already tried to break them. (cisa.gov) (x.com)
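The two checks the article asks for, monitoring for the commands that neutralize Windows recovery and a restore test that proves the copy is intact, as an added example. This is not code from CISA, Microsoft, Veeam or Dennis Ludena. The log lines and files are constructed for the demo, and the JSON field names (User, CommandLine) are an assumption modelled on Sysmon process-creation events; the command-line patterns are the shadow-copy, backup-catalog and boot-recovery commands catalogued under MITRE ATT&CK T1490.

```python
"""Added example: (1) scan process-creation log lines for commands that disable Windows
recovery features before backups are touched; (2) verify a restored tree against a SHA-256
manifest taken at backup time so a restore test catches data an intruder altered or deleted
in the repository.  Log lines and files below are constructed; field names are assumed."""
import hashlib
import json
import os
import re
import tempfile

# Recovery-inhibition command lines (MITRE ATT&CK T1490).  First matching label wins.
RECOVERY_INHIBIT_PATTERNS = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin resize shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("Win32_ShadowCopy .Delete()", re.compile(r"Win32_ShadowCopy.*\.Delete\(", re.I)),
    ("wbadmin delete catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("bcdedit recoveryenabled no", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
    ("bcdedit bootstatuspolicy ignoreallfailures", re.compile(r"bcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures", re.I)),
]


def find_recovery_inhibition(log_lines):
    """Return (line_no, user, label, command_line) for each JSON record whose CommandLine
    matches a recovery-inhibition pattern.  Lines that are not JSON are skipped."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        cmd = rec.get("CommandLine", "")
        for label, pattern in RECOVERY_INHIBIT_PATTERNS:
            if pattern.search(cmd):
                hits.append((line_no, rec.get("User", "?"), label, cmd))
                break
    return hits


# Constructed events: a backup service account, an admin listing shadow copies, and an
# intruder on a user account disabling recovery (lines 2, 3, 4 and 6 should alert).
SAMPLE_EVENTS = [
    {"User": r"CORP\svc-backup", "CommandLine": "vssadmin list shadows"},
    {"User": r"CORP\jdoe", "CommandLine": "cmd.exe /c vssadmin.exe delete shadows /all /quiet"},
    {"User": r"CORP\jdoe", "CommandLine": "wbadmin delete catalog -quiet"},
    {"User": r"CORP\jdoe", "CommandLine": "bcdedit /set {default} recoveryenabled No"},
    {"User": r"NT AUTHORITY\SYSTEM", "CommandLine": "agent.exe --job nightly --prune-older-than 30d"},
    {"User": r"CORP\jdoe", "CommandLine": 'powershell.exe -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"'},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]


def build_manifest(root):
    """SHA-256 of every file under root, keyed by POSIX-style relative path.  Take this when
    the backup is made and keep it apart from the repository it describes."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()  # stream in chunks for large files
            manifest[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the backup-time manifest.
    Returns (missing, altered): paths absent from the restore, paths whose content changed."""
    current = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in current)
    altered = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    return missing, altered


def demo_restore_test():
    """Constructed scenario: three files are backed up; the intruder later reaches the
    repository, overwrites one backup file and deletes another; then the restore test runs."""
    files = {
        "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget');\n",
        "etc/app.conf": b"mode=prod\n",
        "etc/keys.pem": b"-----BEGIN PRIVATE KEY-----\n",
    }
    with tempfile.TemporaryDirectory() as source, tempfile.TemporaryDirectory() as repo:
        for rel, data in files.items():
            for base in (source, repo):
                path = os.path.join(base, *rel.split("/"))
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        manifest = build_manifest(source)  # recorded when the backup was taken
        with open(os.path.join(repo, "db", "orders.sql"), "ab") as f:
            f.write(b"-- overwritten by intruder\n")  # tampering inside the repository
        os.remove(os.path.join(repo, "etc", "keys.pem"))
        return verify_restore(manifest, repo)


if __name__ == "__main__":
    for line_no, user, label, cmd in find_recovery_inhibition(SAMPLE_LOG):
        print(f"ALERT line {line_no}: {user}: {label}: {cmd}")
    missing, altered = demo_restore_test()
    print("restore test: missing", missing, "altered", altered)
```

The detection half fires on the commands themselves rather than on a known-bad binary, so it also catches the PowerShell WMI route in the last sample line, and the service account's routine `vssadmin list shadows` stays quiet. The manifest half is what makes a restore test meaningful: a restore that completes without error but returns a file the attacker overwrote in the repository is still a failed restore, and only a checksum taken before the intrusion can show that.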

Shared from Scout - Be the smartest in the room.