For Enterprises, Secure Data Backup Is The Only Alternative To Ransomware Payments
Survey shows that while 80% of victim organisations paid ransom, a quarter still couldn’t recover their data.
When an enterprise is hit by a ransomware attack, it’s usually left with two choices: pay the ransom and decrypt the data, or retrieve the data from a secure backup. Although the appropriate response to a ransomware attack should be a no-pay policy and data recovery from a safe repository, almost 80% of victim organisations paid the ransom, finds a recent report by Veeam Software Holding Inc.
The 2023 Global Report on Ransomware Trends surveyed 1,200 IT leaders, whose organisations suffered at least one ransomware attack in 2022. The survey was conducted on enterprises of all sizes, covering 14 countries across Asia Pacific and Japan, Europe, the Middle East and Africa, and the Americas. Below are the key findings.
Backup The Most Common Element In Ransomware Playbook
Incident response teams in 37% organisations said that backup copies —survivable data without malicious code — were the most common element in their ransomware response playbook. The other element was recurring backup verification, in 36% of organisations.
Even though 87% of enterprises had a risk management programme for driving their security roadmap, only 35% trust their programme to be working well. The survey shows that 52% are working to improve their programme, while 13% lack an established programme against ransomware risks.
The State Of Ransom Payments
Even though 41% of respondents had a “do not pay” policy, 80% of victim organisations eventually shelled out the ransom to retrieve data. However, a quarter of them couldn’t decrypt data, despite the ransom payment. The right thing for enterprises to do should be recovery of data without paying the ransom, but only 16% of organisations responded that way when asked.
Two probable reasons are behind the trend of enterprises paying off the ransom: ransom was paid with insurance money and backup repositories were affected by attack too, so a recovery option wasn’t in the picture.
As per the survey, 77% of ransoms were paid via insurance. But with the increasing incidents of cyberattacks, the cost of insurance is also rising. Organisations with cyber insurance witnessed important changes in their last policy renewals: 74% saw increased premiums, 43% saw increased deductibles, and 10% saw reduced coverage benefits.
Production Data And Backup Both Attacked
The scale of data loss or data affected was also significant. Organisations said that a cyber attack affected 45% of their production data. Only 66% of affected data was recoverable, and 15% of the production data was irrecoverably lost. But, what if the attackers targeted the backups as well?
Backup repositories became the target of at least 93% of attacks in 2022. In 75% of attacks, malicious agents were able to affect the backup repositories too, which means that only a quarter of the organisations had safe backups to restore data from. When affected, 39% of repositories were rendered unusable.
Survey respondents estimated that it took at least three weeks to recover their data. This is in addition to the time required to identify the servers affected and assess the safety of backup data, lest it might reintroduce malware.
Use Of Immutable Backups
One of the most useful deterrents to data loss by ransomware is immutable backups. This comprises creating a copy of production data in write-once-read-many-times format on backup devices, such as network-attached storage, solid-state drive, tape or optical disks. Immutable backups cannot be mutated, altered or destroyed, thus providing robust protection against ransomware attacks.
According to the survey, 82% of organisations used immutable clouds, 64% used immutable disks, and many used tape, with many reporting of having immutability or air gaps across multiple tiers.
To the question of how to ensure that data is “clean” during restoration, 31% said they relied on immutable repositories. However, even though this may be best practice, it doesn’t guarantee clean data, and 56% of organisations run the risk of re-infecting their production environment during recovery.
Cloud and data centres remain the preferred sites of ransomware recovery at scale, with 71% of organisations recovering data to a cloud and 81% to a data centre.
Conclusion
With the probability of ransomware attacks rising and organisations losing, on average, 15% of their production data, businesses are scaling investments in the areas of cyberattack prevention and remediation.
A secure backup remains the only solution to circumvent ransom payments. For enterprises preparing against the next attack, three technologies will be critical:
Immutable storage within disks and clouds, along with air-gapping, to ensure recoverable data.
Staged restorations to avoid re-infection during data retrieval.
Hybrid IT architectures for recovering the servers to alternative platforms.