More and more organizations, of all sizes, are falling victim to attacks known as ransomware, where ransom demands are made for information that has been “hijacked” by a cybercriminal. According to new data from the 2023 Veeam Ransomware Trends Report, one in seven organizations will see nearly all of their data compromised as a result of a ransomware attack, indicating a significant gap in protection. The study found that attackers almost always (93%+) focus on backups during cyberattacks and manage to weaken their victims’ resilience in 75% of those cases, demonstrating the critical importance of immutability and air gap to ensure that backup repositories are protected.

The study examines the main conclusions of each incident, its impact on IT environments and the measures taken or necessary to implement data protection strategies that ensure business resilience. This research report covers four different roles in cyber preparedness and/or mitigation: security professionals, CISOs or equivalent IT managers, generalists of IT operations, and backup administrators.

“The report shows that today is not about ‘yes’ are organization will be the target of a cyber attack, but how often it will be. While security and prevention remain very important, it is critical that all organizations focus on how quickly they can recover from an attack, making their organization more resilient,” said Danny Allan, CTO of Veeam. “We must focus on effective ransomware preparation by focusing on the basics, including strong security measures and testing of both original data and backups, ensuring the survivability of backup solutions, and ensuring alignment between backup up and cyber teams, for a unified point of view.”

Paying the ransom does not guarantee recovery

For the second consecutive year, the majority (80%) of organizations surveyed paid the ransom to end an attack and recover data – 4% more than the previous year – despite 41% of organizations insuring a “no payment” policy against ransomware. While 59% paid the ransom and were able to recover the data, 21% paid the ransom and were still unable to recover the data seized by cybercriminals. In addition, only 16% of organizations were able to avoid ransom because they were able to recover thanks to a backup Unfortunately, the overall statistic of organizations able to recover data on their own without paying the ransom is lower than the 19% in last year’s survey.

To avoid paying the ransom, your backups should be kept safe

After a ransomware attack, IT leaders have two options: pay the ransom or restore data from the latest backup. In terms of recovery, the study shows that in nearly all cyberattacks (93%), criminals attempt to attack backup repositories, leading 75% to lose at least some of their repositories during the attack, and more than a third (39%) of backup repositories are completely lost.

By attacking the backup solution, the attackers remove the restore option and essentially force you to pay the ransom. While good practices such as securing backup credentials, automating backup detection scans, and automatically verifying that backups are recoverable are great benefits in protecting against attacks, the most important tactic to ensure that the backup backup repositories cannot be deleted or corrupted. To do this, organizations must focus on immutability.

Do not become infected again during recovery

When respondents were asked how they ensured data was “clean” during recovery, 44% completed some sort of isolated staging to reanalyze data from backup repositories before bringing it back into production. Unfortunately, this means that the majority (56%) of organizations are at risk of re-infecting the production environment by not having the means to ensure data cleanliness during recovery. Therefore, it is important to scan the data thoroughly during the recovery process.

Other key findings of the report include:

· Cyber ​​insurance is becoming too expensive: 21% of organizations stated that ransomware is now specifically excluded from their policies, and those with cyber insurance saw changes in their latest policy renewals: 74% saw premiums increase, 43% saw deductibles increased and 10% saw cover benefits reduced.

· Incident response programs rely on backups: 87% of organizations have a risk management program that improves their security roadmap; however, only 35% believe their program is working well, while 52% are trying to improve their situation and 13% have no set program yet. The results show that the most common “playbook” items in preparing for a cyberattack are clean backups and recurring verification that they can be recovered.

· Organizational alignment continues to suffer: While many organizations view ransomware as a disaster and therefore include cyberattacks in their Business Continuity of Disaster Recovery (BC/DR) planning, 60% of organizations say they still need significant improvements or full assessments between your backup teams and cyber teams to be prepared for this scenario.