Businesses are losing the battle when it comes to defending against ransomware attacks, according to the Veeam® 2022 Ransomware Trends Report, which found that 72% of organizations experienced full or partial attacks on their backup repositories, drastically affecting their ability to recover data without paying the ransom. Veeam Software, the leader in backup, recovery and data management solutions delivering Modern Data Protection, found that 80% of successful attacks targeted known vulnerabilities, reinforcing the importance of patching and updating software. Nearly all of the attackers tried to destroy the backup repositories to disable the victim’s ability to recover without paying the ransom.
Veeam’s 2022 Ransomware Trends Report presents the results of a survey, conducted by an independent research firm, of 1,000 IT leaders whose organizations had been successfully attacked by ransomware at least once in the past 12 months, making it one of the largest reports of its kind. The first-of-its-kind study examines the key learnings from these incidents, their impact on IT environments, and the steps taken to implement Contemporary Data Protection strategies that ensure business continuity well into the future. The research project specifically surveyed four IT profiles (CISOs, security professionals, backup administrators, and IT Operations staff) to understand the alignment of cyber readiness across organizations.
“Ransomware has democratized data theft and requires collaborative replication from organizations across industries to maximize their ability to remediate and recover without paying the ransom,” said Danny Allan, CTO of Veeam. “Paying cybercriminals to restore data is not a data protection strategy. There is no warranty that these will be recovered, the risks of reputational damage and loss of customer trust are high, and more importantly, this fuels a self-fulfilling prophecy that rewards crook activity.”
Paying the ransom is not a recovery strategy
Of the organizations surveyed, the majority (76%) of cyber victims paid the ransom to end an attack and recover their data. Unfortunately, while 52% paid the ransom and were able to recover their data, 24% paid the ransom but still could not recover it, meaning there is a 1 in 3 chance that, even after paying the ransom, the data is not recovered. Notably, 19% of organizations did not pay the ransom because they were able to recover their own data. This is what the remaining 81% of cyber victims should aspire to: recovering data without paying the ransom.
“One of the hallmarks of a strong Modern Data Protection strategy is a commitment to a lucid policy that the organization will never pay the ransom, but will do everything in its power to prevent, remediate, and recover from attacks,” Allan added. “Despite the ubiquitous and unavoidable threat of ransomware, the narrative that businesses are helpless against it is not accurate. Employees need to be educated and ensure they practice impeccable digital hygiene; regularly conduct rigorous testing of its data protection solutions and protocols, and create detailed business continuity plans that prepare key stakeholders for worst-case scenarios.”
Prevention requires diligence from both IT and users
The “attack surface” for criminals is diverse. In most cases, cyber villains first gain access to production environments through errant users who clicked on malicious links, visited unsafe websites, or engaged with phishing emails, again exposing the preventable nature of many incidents. Once attackers have access to the environment, there is very little difference in infection rates between data center servers, remote office platforms, and cloud-hosted servers. In most cases, intruders take advantage of known vulnerabilities, including those in common operating systems and hypervisors, as well as NAS platforms and database servers, exploiting any outdated or unpatched software they can find. Notably, security professionals and backup administrators reported significantly higher infection rates than IT Operations staff or CISOs, implying that “those closest to the problem see even more problems.”
Remediation begins with immutability
Survey respondents confirmed that 94% of attackers attempted to destroy backup repositories, and in 72% of cases this strategy was partially successful. Removing an organization’s recovery lifeline in this way is a popular attack strategy, as it increases the likelihood that victims will have no choice but to pay the ransom. The only way to protect against this scenario is to have at least one immutable or air-gapped level within the data protection framework, which 95% of respondents said they now have. In fact, numerous organizations reported having some level of immutability or air-gapped media at more than one level of their disk, cloud, and tape strategy.
Other key findings from Veeam’s 2022 Ransomware Trends Report include:
- Orchestration matters: To proactively ensure the recoverability of their systems, one in six (16%) IT teams automate the validation and recoverability of their backups to ensure their servers are restorable. Then, during the remediation of a ransomware attack, 46% of respondents use an isolated “sandbox” or staging/testing area to ensure their restored data is clean before bringing systems back into production.
- Organizational alignment needs to be unified: 81% believe their organizations’ cyber and business continuity/disaster recovery strategies are aligned. However, 52% of those surveyed consider that the interactions between these teams require improvement.
- Diversifying repositories is key: Nearly all organizations (95%) have at least one level of data protection that is immutable or air-gapped: 74% use cloud repositories that offer immutability, 67% use local disk repositories with immutability or locking, and 22% use air-gapped tape. Immutable or not, organizations noted that aside from disk repositories, 45% of production data is still stored on tape and 62% is stored in the cloud at some point in the data lifecycle.
The full Veeam Ransomware Trends Report 2022 is available for download on the Veeam site (registration required).