{"id":24227,"date":"2024-04-15T08:27:34","date_gmt":"2024-04-15T16:27:34","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/04\/15\/news-17957\/"},"modified":"2024-04-15T08:27:34","modified_gmt":"2024-04-15T16:27:34","slug":"news-17957","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/04\/15\/news-17957\/","title":{"rendered":"The impact of compromised backups on ransomware outcomes"},"content":{"rendered":"<p><strong>Credit to Author: Sally Adam| Date: Tue, 26 Mar 2024 09:42:37 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<figure id=\"attachment_954344\" aria-describedby=\"caption-attachment-954344\" style=\"width: 300px\" class=\"wp-caption alignright\"><a href=\"https:\/\/assets.sophos.com\/X24WTUEQ\/at\/539j6fwcmx6wk6whnhxc47\/sophos-the-impact-of-compromised-backups-on-ransomware-outcomes-wp.pdf\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-954344 size-medium\" style=\"border: 3px solid gray\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backups.png?w=300\" alt=\"\" width=\"300\" height=\"250\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backups.png 956w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backups.png?resize=300,250 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backups.png?resize=768,639 768w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><figcaption id=\"caption-attachment-954344\" class=\"wp-caption-text\">Click above to download the full report<\/figcaption><\/figure>\n<p>There are two main ways to recover encrypted data in a ransomware attack: restoring from backups and paying the ransom. 
Compromising an organization\u2019s backups enables adversaries to restrict their victim\u2019s ability to recover encrypted data and dial up the pressure to pay the ransom.<\/p>\n<p>This analysis explores the impact of backup compromise on the business and operational outcomes of a ransomware attack. It also shines a light on the frequency of successful backup compromise across a range of industries.<\/p>\n<p>The findings are based on a vendor-agnostic survey commissioned by Sophos of 2,974 IT\/cybersecurity professionals whose organizations had been hit by ransomware in the last year. Conducted by independent research agency Vanson Bourne in early 2024, the study reflects respondents\u2019 experiences over the previous 12 months.<\/p>\n<h2><strong>Executive summary<\/strong><\/h2>\n<p>The analysis makes clear that the financial and operational implications of having backups compromised in a ransomware attack are immense. When attackers succeed in compromising backups, an organization is almost twice as likely to pay the ransom and incurs an overall recovery bill that is eight times higher than for those whose backups are not impacted.<\/p>\n<p>Detecting and stopping malicious actors <em>before<\/em> your backups are compromised enables you to considerably reduce the impact of a ransomware attack on your organization. Investing in preventing backup compromise elevates your ransomware resilience while also lowering the overall Total Cost of Ownership (TCO) of cybersecurity.<\/p>\n<p><a href=\"https:\/\/assets.sophos.com\/X24WTUEQ\/at\/539j6fwcmx6wk6whnhxc47\/sophos-the-impact-of-compromised-backups-on-ransomware-outcomes-wp.pdf\">Download the report PDF.<\/a><\/p>\n<h2><strong>Learning 1: Ransomware actors almost always attempt to compromise your backups<\/strong><\/h2>\n<p>94% of organizations hit by ransomware in the past year said that the cybercriminals attempted to compromise their backups during the attack. 
This rose to 99% in both the state and local government sector and the media, leisure and entertainment sector. The lowest rate of attempted compromise was reported by distribution and transport; however, even here more than eight in ten (82%) organizations hit by ransomware said the attackers tried to access their backups.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backup-compromise-attempt-rate.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-954126 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backup-compromise-attempt-rate.png\" alt=\"\" width=\"1069\" height=\"475\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backup-compromise-attempt-rate.png 1069w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backup-compromise-attempt-rate.png?resize=300,133 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backup-compromise-attempt-rate.png?resize=768,341 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backup-compromise-attempt-rate.png?resize=1024,455 1024w\" sizes=\"auto, (max-width: 1069px) 100vw, 1069px\" \/><\/a><\/p>\n<h2><strong>Learning 2: Backup compromise success rate varies greatly by industry<\/strong><\/h2>\n<p>Across all sectors, 57% of backup compromise attempts were successful, meaning that adversaries were able to impact the ransomware recovery operations of over half of their victims. 
Interestingly, the analysis revealed considerable variation in adversary success rate by sector:<\/p>\n<ul>\n<li>Attackers were most likely to successfully compromise their victims\u2019 backups in the energy, oil\/gas, and utilities (79% success rate) and education (71% success rate) sectors<\/li>\n<li>Conversely, IT, technology and telecoms (30% success rate) and retail (47% success rate) reported the lowest rates of successful backup compromise<\/li>\n<\/ul>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backup-compromise-success-rate.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-954127 size-full\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backup-compromise-success-rate.png\" alt=\"\" width=\"1033\" height=\"451\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backup-compromise-success-rate.png 1033w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backup-compromise-success-rate.png?resize=300,131 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backup-compromise-success-rate.png?resize=768,335 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Backup-compromise-success-rate.png?resize=1024,447 1024w\" sizes=\"auto, (max-width: 1033px) 100vw, 1033px\" \/><\/a><\/p>\n<p>There are several possible reasons behind the differing success rates. It may be that IT, telecoms and technology organizations had stronger backup protection in place to start with and so were better able to resist the attack. They may also be more effective at detecting and stopping attempted compromise before the attackers could succeed. Conversely, the energy, oil\/gas and utilities sector may have experienced a higher percentage of very advanced attacks. 
Whatever the cause, the impact can be considerable.<\/p>\n<h2><strong>Learning 3: Ransom demands and payments double when backups are compromised<\/strong><\/h2>\n<h4><strong>Data encryption<\/strong><\/h4>\n<p>Organizations whose backups were compromised were 63% more likely to have data encrypted than those whose backups were not compromised: 85% of organizations with compromised backups said that the attackers were able to encrypt their data compared with 52% of those whose backups were not impacted. The higher encryption rate may be indicative of weaker overall cyber resilience which leaves organizations less able to defend against all stages of the ransomware attack.<\/p>\n<h4><strong>Ransom demand<\/strong><\/h4>\n<p>Victims whose backups were compromised received ransom demands that were, on average, more than double that of those whose backups weren\u2019t impacted, with the median ransom demands coming in at $2.3M (backups compromised) and $1M (backups not compromised) respectively. It is likely that adversaries feel that they are in a stronger position if they compromise backups and so are able to demand a higher payment.<\/p>\n<h4><strong>Ransom payment rate<\/strong><\/h4>\n<p>Organizations whose backups were compromised were almost twice as likely to pay the ransom to recover encrypted data as those whose backups were not impacted (67% vs. 36%).<\/p>\n<h4><strong>Ransom payment amount<\/strong><\/h4>\n<p>The median ransom payment by organizations whose backups were compromised was $2M, almost double that of those whose backups remained intact ($1.062M). They were also less able to negotiate down the ransom payment, with those whose backups were compromised paying, on average, 98% of the sum demanded. 
Those whose backups weren\u2019t compromised were able to reduce the payment to 82% of the demand.<\/p>\n<h2><strong>Learning 4: Ransomware recovery costs are 8X higher when backups are compromised<\/strong><\/h2>\n<p>Not all ransomware attacks result in a ransom being paid. Even when they do, ransom payments are just part of the overall recovery costs when dealing with a ransomware attack. Ransomware-led outages frequently have a considerable impact on day-to-day business transactions while the task of restoring IT systems is often complex and expensive.<\/p>\n<p>The median overall ransomware recovery costs for organizations whose backups were compromised ($3M) came in eight times higher than that of organizations whose backups were not impacted ($375K). There are likely multiple reasons behind this difference, not least the additional work that is typically needed to restore from decrypted data rather than well-prepared backups. It may also be that weaker backup protection is indicative of less robust defenses and greater resulting rebuilding work needed.<\/p>\n<p>Those whose backups were compromised also experienced considerably longer recovery times, with just 26% fully recovered within a week compared with 46% of those whose backups were not impacted.<\/p>\n<h2><strong>Recommendations<\/strong><\/h2>\n<p>Backups are a key part of a holistic cyber risk reduction strategy. If your backups are accessible online, you should assume that adversaries will find them. Organizations would be wise to:<\/p>\n<ul>\n<li>Take regular backups and store them in multiple locations. Be sure to add MFA (multi-factor authentication) to your cloud backup accounts to help prevent attackers from gaining access.<\/li>\n<li>Practice recovering from backups. The more fluent you are in the restoration process, the quicker and easier it will be to recover from an attack.<\/li>\n<li>Secure your backups. 
Monitor for and respond to suspicious activity around your backups, as it may be an indicator that adversaries are attempting to compromise them.<\/li>\n<\/ul>\n<h2><strong>How Sophos can help<\/strong><\/h2>\n<h4><strong>Sophos MDR: Over 500 experts monitoring and defending your organization<\/strong><\/h4>\n<p><a href=\"https:\/\/www.sophos.com\/en-us\/products\/managed-detection-and-response\">Sophos MDR<\/a> is a 24\/7 expert-led managed detection and response service that specializes in stopping advanced attacks that technology alone cannot prevent. It extends your IT\/security team with over 500 specialists who monitor your environment, detecting, investigating, and responding to suspicious activities and alerts.<\/p>\n<p>Sophos MDR analysts leverage telemetry from the security tools you already use \u2013 including your backup and recovery solution \u2013 to detect and neutralize attacks before damage is done. With an average threat response time of just 38 minutes, Sophos MDR works faster than your next threat.<\/p>\n<h4><strong>Sophos XDR: Enabling IT teams to detect and respond to attacks<\/strong><\/h4>\n<p>In-house teams can use <a href=\"https:\/\/www.sophos.com\/en-us\/products\/extended-detection-and-response\">Sophos XDR<\/a> to get the visibility, insights, and tools they need to detect, investigate, and respond to multi-stage threats, across all key attack vectors, in the shortest time. 
With Sophos XDR you can leverage telemetry from your backup and recovery solution, as well as your wider security stack, to quickly see and respond to attacks.<\/p>\n<\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2024\/03\/26\/the-impact-of-compromised-backups-on-ransomware-outcomes\/\" target=\"bwo\">http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2024\/03\/Ransomware-Outcomes-1.png\"\/><\/p>\n<p><strong>Credit to Author: Sally Adam | Date: Tue, 26 Mar 2024 09:42:37 +0000<\/strong><\/p>\n<p>Insights into the financial and operational implications of having backups compromised in a ransomware attack.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[11885,129,24562,3765,1931],"class_list":["post-24227","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-backups","tag-featured","tag-products-services","tag-ransomware","tag-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24227","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24227"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24227\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/
wp-json\/wp\/v2\/media?parent=24227"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24227"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24227"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}