Can Ransomware Infect Backups?

Recovering encrypted data in a ransomware incident usually involves either using backups or paying the ransom. Using backups is, undoubtedly, the best choice. Backups provide a quick recovery solution and ensure that organizations can restore their systems and data to a previous state, minimizing downtime and reducing the impact of security incidents.

 However, what if ransomware infects backups? 

The 2024 Sophos Impact of Compromised Backups on Ransomware Outcomes Report says that 94% of organizations targeted by ransomware report that cybercriminals tried to compromise their backups during the attack. Of these attempts, 57% were successful, affecting the ransomware recovery efforts of over half of the victims.

Ransomware variants like Ryuk and Sodinokibi prove that backups can be attacked and encrypted. In most cases, backup compromise is extremely painful for organizations. The same report says that the median ransomware recovery costs for organizations with compromised backups are $3 million, which is eight times higher (!) than the $375,000 median for those with unaffected backups. Additionally, organizations with compromised backups face longer recovery times, with only 26% fully recovering within a week compared to 46% of those with intact backups.

Find out why ransomware criminals affect backups, how they do it, when, and, more importantly, how to ensure backup data is safe from ransomware.

Why do Ransomware Actors Target Backups?

Financial gain is the main driver for ransomware actors to target backups. By compromising an organization’s backups, adversaries limit the victim’s ability to restore encrypted data and amplify the pressure to pay the ransom. As a result, victims are more likely to pay a ransom while the ransom amounts increase:

Victims are more likely to pay a ransom if their backups are encrypted

Compromised backups deprive victims of the possibility to recover quickly after a ransomware attack. By encrypting backups, attackers amplify the consequences of a ransomware attack, causing more significant operational disruption and a heightened need for a swift resolution. Simply speaking, the absence of clean backups makes victims more likely to pay to regain data access. 

Compromised backups cause an increase in a ransom amount

Compromised backups put adversaries in a stronger position, as victims often have nothing to do but pay a ransom. So, they demand higher ransom payments. Victims with compromised backups face twice bigger ransom demands than those with intact backups, with median demands being $2.3 million for compromised backups and $1 million for unaffected backups.

NOTE: No generally applicable law prohibits individuals or organizations from paying the ransom (except for cases when the ransom is demanded by entities that are on U.S. Sanctions Lists). However, businesses should think twice before paying a ransom to adversaries, even if backups are compromised. For example, the U.S. Department of the Treasury says in their ransomware advisories that companies could face future legal trouble being involved in ransomware payments. FBI does not support paying a ransom in response to a ransomware attack because it just escalates the problem.

When Ransomware Infects Backups?

Organizations with undetected or unpatched vulnerabilities are more likely to have their backups infected by ransomware. Let’s see the most common ones: 

• Unpatched software, whether in the backup application or the operating system, provides entry points for attackers. 
• Weak authentication mechanisms, such as simple passwords and lack of multi-factor authentication, further expose backup systems to unauthorized access. 
• Inadequate network segmentation allows ransomware to spread easily from infected devices to backup storage.
• Misconfigured backup systems, including open network shares and default configurations, increase the risk of infection. 
• The lack of offline or air-gapped backups makes all backup copies susceptible to encryption. Unsecured remote access and VPN vulnerabilities offer additional routes for attackers to infiltrate backup systems. 

Addressing these vulnerabilities is essential to safeguard backups from ransomware infections and ensure effective data recovery.

How can Ransomware Infect Backups?

Ransomware can corrupt backup data along with the data it is supposed to protect. Depending on your backup strategy, this probability can be higher or lower. Below are the common ways how ransomware infects backups:

Ransomware targets NAS to wipe backups

Many businesses invest in a network-attached storage (NAS) device to centralize their storage, manage data more efficiently, and implement on-site backups. The spread and accessibility of NAS make them a common target for cybercriminals. Some ransomware versions, such as DarkSide, are explicitly designed to target NAS. As noted by Kaspersky Lab, this type of attack is dangerous, and a successful ransomware infection on NAS devices could limit organizations’ ability to recover. 

For example, the Akira ransomware actively targeted NAS in its ransomware attacks. The ransomware group, first detected in Finland in June 2023, pinpointed and targeted organizations with vulnerable firewalls and intrusion detection functionalities and wiped target organizations’ backups before deploying the ransomware. NAS servers used for backups on the organizations’ networks have been hacked and wiped. In almost every known case, all backups have been lost.

Ransomware infiltrates backup software

Some ransomware variants are designed to identify and encrypt backup files and software. Thus, even if the backups are untouched, encrypted backup software hinders the restoration of the encrypted files even if a backup is available.

For example, in 2023, the Cuba ransomware gang exploited flaws in Veeam’s backup solution, leading to attacks on organizations in the critical infrastructure sector of the United States and an IT integrator in Latin America. The specific Veeam vulnerability, CVE-2023-27532, had a high severity rating with a CVSS score of 7.5. According to NIST, this flaw in the Veeam Backup and Replication component allowed attackers to extract encrypted credentials from the configuration database, potentially granting them access to the backup infrastructure hosts.

Ransomware exploits connected external drives

A typical approach involves exploiting network shares or connected external drives. When a backup drive or network share is accessible from an infected computer, ransomware can readily extend and encrypt backup files.

Google-owned Mandiant Managed Defense has been tracking UNC4990, a malicious actor who heavily uses USB devices for initial infection. The infection starts when a victim double-clicks on a malicious LNK shortcut file on a removable USB device. This action triggers a PowerShell script that downloads EMPTYSPACE (also known as BrokerLoader or Vetta Loader) from a remote server via an intermediary PowerShell script hosted on Vimeo. Once an organization’s networks are accessible from an infected computer, ransomware can quickly spread and encrypt backup files.

Ransomware exploits cloud backup vulnerabilities to infect backups

Many individuals and businesses use cloud storage to back up their data, but if the cloud storage account is linked to an infected computer, the ransomware can also encrypt the files stored in the cloud.

Best Practices for Backup and Data Protection from Ransomware

To protect against ransomware infecting backups, following the best practices on backup security is highly recommended. Spin.AI ransomware backup strategy provides the following recommendations on data backup security:

• follow the 3-2-1 backup rule (having 3 separate copies of your data stored on 2 different kinds of media, with at least 1 copy stored off-site);
• keep multiple backup versions;
• make backups frequently;
• use additional anti-ransomware software
• update backup software regularly

CISA #StopRansomware Guide also contains valid, regularly updated backup security best practices to follow: 

• regularly test the backup procedures;
• test availability and integrity of backups in a disaster recovery scenario;
• Always have offline backups, as most ransomware actors attempt to find and subsequently delete or encrypt accessible backups to make restoration impossible unless the ransom is paid.
• Maintain and regularly update “golden images” of critical systems, which includes maintaining image “templates” with a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
• Retain backup hardware to rebuild systems if the primary system is not preferred.
• Consider using a multi-cloud solution to avoid vendor lock-in for cloud-to-cloud backups if all accounts under the same vendor are impacted.

Using these practices together makes your backups as secure from ransomware as possible. However, other vulnerabilities allow ransomware actors to encrypt backups. 

Can Ransomware Encrypt Google Drive or OneDrive?

Sometimes, organizations use cloud services like Google Drive or OneDrive as the only backup solutions for important data. This is not the best option, and here’s why.

According to the UK’s National Cyber Security Centre, cloud syncing services (like Dropbox, OneDrive, SharePoint, or Google Drive) should not be your only backup because they may automatically synchronize immediately after your files have been ‘ransomwared.’ Then you’ll lose your copies as well.

Sync is not the only way for cloud services to get infected with ransomware; apps and extensions may also lead to a ransomware infection. You can read about it in our article about ransomware infecting Google Drive. In a nutshell, an app or extension may contain malicious code. Giving permissions to corrupted software may result in your files being attacked.

Backing up data to an external drive is not the best solution either. Hackers may know that the backup storage is connected to the Internet and can easily choose the right time and place to hit the target. 

That’s why you may ask a natural question: “Is there a ransomware-proof backup solution?” Yes, there is.

Ransomware-proof Backup Solutions for Google Workspace (G Suite) and Microsoft Office 365

SpinBackup for safe automated backups

Ensuring backups are safe from ransomware is a difficult yet possible task. A reliable backup provider plays a crucial role here. SpinBackup offers highly secured backup services that help your organization avoid data loss due to a ransomware attack.

SpinBackup provides advanced features to keep your data safe and secure from ransomware:

• automated 1X/3X daily backup;
• backup data is stored in the cloud of your choice;
• data recovery with folder hierarchy preservation;
• multiple backup versions;
• customizable backup frequency and retention;
• advanced search options and reporting.

SpinRDR for ransomware detection and recovery 

Early detection is crucial for effective ransomware response. Spin.AI’s SaaS Ransomware Detection and Response solution, SpinRDR, for Google Workspace and Microsoft 365, is an AI-based ransomware detection solution that detects any early signs of ransomware attacks based on users’ behavioral patterns. SpinDRD handles ransomware detection and response in 4 easy steps:

1. proactively detects ransomware patterns and stops an in-progress ransomware attack;
2. blocks the source of a ransomware attack by revoking API access to the malicious application;
3. Isolates damaged files once a ransomware attack is detected, preventing further encryption of your SaaS data.
4. recovers any affected files from the last successfully backed-up version after stopping a ransomware attack, maintaining folder hierarchy, and sharing permissions.

With such an approach, SpinDRD reduces downtime from 21 days to 2 hours and helps organizations recover from ransomware incidents quickly. 

Try these and other SpinAI solutions to secure your data and systems from hazards. 

Frequently Asked Questions