Organizations of all sizes are increasingly falling victim to ransomware attacks and inadequately protecting against this cyber threat, according to the Veeam 2023 Ransomware Trends Report.
The report states that one in seven organizations will see almost all (>80 percent) data affected as a result of a ransomware attack – pointing to a significant gap in protection; and attackers almost always target backups during cyber attacks. Attacks are successful in debilitating their victims’ ability to recover in 75 percent of those events, reinforcing the criticality of immutability and air gapping to ensure backup repositories are protected.
“The report shows that today it’s not about IF your organization will be the target of a cyber-attack, but how often. Although security and prevention remain important, it’s critical that every organization focuses on how rapidly they can recover by making their organization more resilient,” said Danny Allan, CTO at Veeam. “We need to focus on effective ransomware preparedness by focusing on the basics, including strong security measures and testing both original data and backups, ensuring survivability of the backup solutions, and ensuring alignment across the backup and cyber teams for a unified stance.”
Paying the ransom does not ensure recoverability
For the second year in a row, the majority (80 percent) of the organizations surveyed paid the ransom to end an attack and recover data – now up 4 percent compared to the year prior – despite 41 percent of organizations having a ‘Do-Not-Pay’ policy on ransomware. Still, while 59 percent paid the ransom and were able to recover data, 21 percent paid the ransom yet still didn't get their data back from the cyber criminals. Additionally, only 16 percent of organizations avoided paying ransom because they were able to recover from backups. Sadly, the global statistic of organizations able to recover data themselves without paying ransom is down from 19 percent in last year’s survey.
To avoid paying ransom, your backups must survive
Following a ransomware attack, IT leaders have two choices: pay the ransom or restore-from-backup. As far as recovery goes, the research reveals that in 93 percent of cyber-events, criminals attempt to attack the backup repositories, resulting in 75 percent losing at least some of their backup repositories during the attack, and more than one-third (39 percent) of backup repositories being completely lost.
By attacking the backup solution, attackers remove the option of recovery and essentially force paying the ransom. While best practices – such as securing backup credentials, automating cyber detection scans of backups, and auto verifying that backups are restorable – are beneficial to protect against attacks, the key tactic is to ensure that the backup repositories cannot be deleted or corrupted. To do so, organizations must focus on immutability, says the report. The good news is that based on lessons learned from those who had been victims – 82 percent use immutable clouds, 64 percent use immutable disks, and only 2 percent of organizations do not have immutability in at least one tier of their backup solution.
Do not re-infect during recovery
When respondents were asked how they ensure that data is ‘clean’ during restoration, 44 percent of respondents complete some form of isolated-staging to re-scan data from backup repositories prior to reintroduction into the production environment. Unfortunately, that means that the majority (56 percent) of organizations run the risk of re-infecting the production environment by not having a means to ensure clean data during recovery. This is why it is important to thoroughly scan data during the recovery process.
Other key findings include:
- Cyber insurance is becoming too expensive: 21 percent of organizations stated that ransomware is now specifically excluded from their policies, and those with cyber insurance saw changes in their last policy renewals: 74 percent saw increased premiums, 43 percent saw increased deductibles, 10 percent saw coverage benefits reduced.
- Incident response playbooks depend on backup: 87 percent of organizations have a risk management program that drives their security roadmap, yet only 35 percent believe their program is working well, while 52 percent are seeking to improve their situation, and 13 percent do not yet have an established program. Findings reveal the most common elements of the ‘playbook’ in preparation against a cyber attack are clean backup copies and recurring verification that the backups are recoverable.
- Organizational alignment continues to suffer: while many organizations may deem ransomware to be a disaster and therefore include cyber attacks within their business continuity or disaster recovery planning, 60 percent of organizations say they still need significant improvement or complete overhauls between their backup and cyber teams to be prepared for this scenario.