Why 93% of hackers now target backups

“Your data was stolen and encrypted. If you do not pay the ransom, they will be posted on our TOR sites in the dark web. Keep in mind that once your data appears on our leak site, your competitors could buy it at any time.”

It looks like a message from a science fiction movie but that’s exactly what the message said. ransom note you received two weeks ago Bizlandthe company that manages online authorizations for the purchase of medicines with discounts in pharmacies in Argentina.

The Lockbit group hijacked company data, which ultimately resulted in pharmacies not being able to sell medicines as they usually did. Argentines were left without validated recipes or without discounts… the chaos lasted six days.

Now it became known that 93% of cyberattacks carried out globally target backup storage. In other words, they not only seek to encrypt the information, but also the backup of that information, in order to force the payment of the ransoms they demand. The other worrying fact is that in 75% of cases they manage to infect the backup.

The data comes from a study carried out on 1,200 affected organizations and almost 3,000 attacks.

“This report shows that today It’s not a question of whether your organization will be targeted by a cyberattack, but how often it will be. While security and prevention remain very important, it is critical that all organizations focus on how quickly they can recover from an attack,” said Danny Allan, Chief Technology Officer of Veeam, the company in the sector that presented in Miami. its 2023 Trend Report at its annual meeting with clients, analysts and journalists.These were two days with a full schedule of talks and sessions on digital security.

The key tactic now then is to ensure that backup repositories cannot be deleted or corrupted. And if that happens, that the recovery is in minutes and not in days.

Control

“The most important thing is to be in control. Backup control, with the 3, 2, 1, 1, 0 rule. What does this mean? It states that there should always be at least three copies of the data, on at least two different types of media, at least one on external media and one offline, with zero unverified or failed backups.” Clarion Rick Vanover, Senior Director of Product Strategy de Veeam.

“If the criminals now also attack the backup -Vanover added- what must be done is permanently test those backups to find out as quickly as possible.

Ransomware attacks have skyrocketed in the pandemic and are still on the rise. “From SMEs to large corporations and state organizations, we even provide services to Argentine security forces. We are the last layer of defense, like car insurance. When you have been attacked, we must lift the service in minutes We are essentially a data backup and recovery company, but today we prefer to talk about being a company that guarantees business continuity,” he explained to Clarion Martín Colombo, Director of Strategy for Latin America at Veeam.

For second consecutive Year, the majority (80%) of surveyed organizations paid the ransom to put an end to an attack and recover data -4% more than the previous year-, despite the fact that 41% of organizations claim to have a “no payment” policy against ransomware. However, while 59% paid the ransom and were able to recover the data, 21% paid the ransom and still did not get their data back seized by cybercriminals. Furthermore, only 16% of organizations avoided paying the ransom because they were able to recover thanks to the backup they had.

“Attacks are becoming more complex and so what you have to do is have a robust solution: if your backup repository is attacked, you must have it protected with a system that is equally complex and efficient,” added Tomás Dacoba, Director Marketing for Latin America.

hacker patience

It transpired in the meeting that a university in Mexico had ransomware on its systems for eight months without knowing it. During all this time the criminals studied the movements of the organization until eight months later they considered that it was time to encrypt and demand the ransom. It is estimated that they entered through a “poorly patched” server.

“In many cases they filter out the ransomware and don’t attack right away. They take several days to analyze how the company works, what is the CEO’s account, what do they do. And once they have a complete picture, they encrypt the data and send the extortion message,” Vanover told this newspaper.

Most of the attacks continue to come from Eastern Europe and Asia. Latin America suffers like the rest of the regions from the problem but is hardly a producer of ransomware. In the corridors of the meeting, the Royal Group was named as the one that is giving the most strong blows these days.