The rise of ransomware attacks poses a significant threat to organizations of all sizes, as highlighted by the latest findings in the Veeam® 2023 Ransomware Trends Report. This report reveals that approximately one in seven organizations will experience the compromise of almost all their data (over 80%) due to ransomware attacks, indicating a glaring gap in protection. Veeam Software, a leader in Data Protection and Ransomware Recovery, discovered that attackers primarily target backups during cyber-attacks, succeeding in crippling victims’ recovery capabilities in 75% of such incidents. These findings underscore the critical importance of employing immutability and air gapping techniques to safeguard backup repositories.
With insights derived from 1,200 affected organizations and nearly 3,000 cyber-attacks, the Veeam 2023 Ransomware Trends Report stands as one of the most extensive studies of its kind. The survey delves into the key takeaways from these incidents, their impact on IT environments, and the necessary steps to implement robust data protection strategies that ensure business resiliency. The report encompasses the perspectives of four key roles involved in cyber-preparedness and mitigation: security professionals, CISOs or similar IT executives, IT Operations generalists, and backup administrators.
According to Danny Allan, CTO at Veeam, the report serves as a stark reminder that organizations should no longer question if they will be targeted by cyber-attacks but rather how frequently they will be targeted. While emphasizing the continued importance of security measures and preventive measures, Allan emphasizes the urgency of prioritizing rapid recovery and enhancing organizational resilience. This can be achieved through a comprehensive ransomware preparedness approach, which includes robust security protocols, rigorous testing of both original data and backups, ensuring the resilience of backup solutions, and fostering alignment between backup and cyber teams for a unified response.
Paying the ransom does not ensure recoverability
For the second year in a row, the majority (80%) of the organizations surveyed paid the ransom to end an attack and recover data – now up 4% compared to the year prior – despite 41% of organizations having a “Do-Not-Pay” policy on ransomware. Still, while 59% paid the ransom and were able to recover data, 21% paid the ransom yet still didn’t get their data back from the cyber criminals. Additionally, only 16% of organizations avoided paying ransom because they were able to recover from backups. Sadly, the global statistic of organizations able to recover data themselves without paying ransom is down from 19% in last year’s survey.
To avoid paying ransom, your backups must survive
Following a ransomware attack, IT leaders have two choices: pay the ransom or restore-from-backup. As far as recovery goes, the research reveals that in almost all (93%) cyber-events, criminals attempt to attack the backup repositories, resulting in 75% losing at least some of their backup repositories during the attack, and more than one-third (39%) of backup repositories being completely lost.
By attacking the backup solution, attackers remove the option of recovery and essentially force paying the ransom. While best practices – such as securing backup credentials, automating cyber detection scans of backups, and auto verifying that backups are restorable – are beneficial to protect against attacks, the key tactic is to ensure that the backup repositories cannot be deleted or corrupted. To do so, organizations must focus on immutability. The good news is that based on lessons learned from those who had been victims – 82% use immutable clouds, 64% use immutable disks, and only 2% of organizations do not have immutability in at least one tier of their backup solution.
Do not re-infect during recovery
When respondents were asked how they ensure that data is ‘clean’ during restoration, 44% of respondents complete some form of isolated-staging to re-scan data from backup repositories prior to reintroduction into the production environment. Unfortunately, that means that the majority (56%) of organizations run the risk of re-infecting the production environment by not having a means to ensure clean data during recovery. This is why it is important to thoroughly scan data during the recovery process.
Other key findings from the Veeam 2023 Ransomware Trends Report include:
-
Cyber-insurance is becoming too expensive: 21% of organizations stated that ransomware is now specifically excluded from their policies, and those with cyber insurance saw changes in their last policy renewals: 74% saw increased premiums, 43% saw increased deductibles, 10% saw coverage benefits reduced.
-
Incident response playbooks depend on backup: 87% of organizations have a risk management program that drives their security roadmap, yet only 35% believe their program is working well, while 52% are seeking to improve their situation, and 13% do not yet have an established program. Findings reveal the most common elements of the ‘playbook’ in preparation against a cyberattack are clean backup copies and recurring verification that the backups are recoverable.
-
Organizational alignment continues to suffer: While many organizations may deem ransomware to be a disaster and therefore include cyberattacks within their Business Continuity or Disaster Recovery (BC/DR) planning, 60% of organizations say they still need significant improvement or complete overhauls between their backup and cyber teams to be prepared for this scenario.
The full Veeam 2023 Ransomware Trends Report is available for download at https://www.veeam.com/ransomware-trends-report-2023, and as part of sessions at VeeamON 2023, the community event for data recovery experts, taking place online May 22-24 and in person in Miami, Fla. Designed by and built for the backup and recovery professional, attendees will expand their skills, learn how to protect their businesses from ransomware, and share industry knowledge with exclusive content from Microsoft, AWS, Hewlett Packard Enterprise and more. Registration for the in-person event and the virtual option is now open.
