Veeam: Ransomware keeps rising, and paying fraudsters is still not the right approach

This syndicated post originally appeared at Zeus Kerravala – SiliconANGLE.

Veeam used its annual user event, VeeamON, in Miami this week to release the results of ransomware research that highlights alarming statistics and raises concerns for businesses of all sizes.

Veeam is a backup and recovery company, so one might wonder why it’s releasing research in cyber security. The reality is that ransomware recovery has become a top use case for backup and recovery.

Although companies will continue to spend on security tools to keep the bad guys out, when they are breached and their data is locked up, their ability to restore data quickly can make the difference between being able to maintain business operations with minimal disruption or shelling out bitcoin and hoping for the best. The Veeam 2023 Ransomware Trends Report provides a great reality check on the increasing threat of ransomware and how businesses are coping.

An independent research firm surveyed 1,200 information technology leaders whose organizations, across 14 countries, experienced at least one ransomware attack in 2022. It’s important to note that Veeam did this as a blind survey across a wide base of companies rather than just focusing on its customers. This gave a truer indication of the state of ransomware.

The respondent breakdown was as follows: security professionals (37%), chief information security officers or other IT executive stakeholders (21%), IT operations generalists (21%) and backup administrators (21%). They explained how ransomware affected their organizations, IT strategies and future data protection initiatives.

One of the most glaring report findings is that one in seven organizations could potentially have over 80% of their data compromised from a ransomware attack. This reflects a major deficiency in the protection measures currently implemented by many businesses. Even worse, 93% of these attacks target backups, and in three out of four cases, the attackers succeed in crippling an organization’s ability to recover. On average, it takes at least three weeks to recover, per attack, after triage.

In 2022, most organizations (80%) paid the ransom to recover their data, a 4% increase from the previous year. The data is surprising, considering 41% of organizations have a policy against such payments. Yet paying the ransom doesn’t always guarantee data recovery since 21% of organizations failed to regain access to their data.

This data point might shock people, but it’s a story I’ve heard many times. Once the threat actors have the money, they have little incentive to help the business. Only 16% of organizations avoided paying the ransom by restoring data from their backups.

The report stresses the importance of data backup as a strategy against ransomware attacks, especially because cyber criminals often target backup repositories. Almost all (93%) attacks attempted to compromise backups, resulting in 75% of organizations losing some data and 39% losing all their backup data.

Given the risks, it’s imperative that businesses ensure their backups are “immutable” or incapable of being changed or deleted. The good news is that 82% of organizations already use immutable clouds, while 64% use immutable disks. Only 2% don’t employ any form of immutability in their backup solution. Veeam is optimistic about more organizations achieving immutable data backup across their entire data protection lifecycle this year.

Another promising statistic shows that 87% of organizations have a risk management program, a plan designed to protect against cyberattacks. But only 35% of these organizations believe their plan is working well, while more than half (52%) are looking for ways to improve it. That is why organizations need a playbook, or a set of steps to follow if a cyberattack occurs.

Organizations should at least have these two steps in their playbook. First, they should keep clean extra copies of their data stored somewhere safe. The backup copies should be protected from attacks and not contain any harmful or malicious code. Second, data in the backup copies should be used to get the organization up and running if the main systems are attacked. Additionally, there should be a cohesive approach to dealing with ransomware across the organization since a separation often exists between backup and cyber teams.

Another worrying trend uncovered in the report is the increasing cost and declining coverage of cyber insurance. A fifth of IT leaders reported that ransomware is now excluded from their company policies, while most experienced increased premiums and deductibles, as well as reduced coverage benefits. The vast majority (96%) of cyberattack victims could pay the ransom using insurance in 2022. Half of them used insurance specifically designed for cyber incidents.

However, 28% of victims used insurance that wasn’t specifically for cyber incidents, while 18% didn’t use insurance at all even though they had it. That’s because getting insurance to cover cyberattacks is becoming more difficult and expensive, just like how it’s getting harder to get flood insurance because of more frequent storms. In fact, 21% of organizations said their insurance policies no longer cover ransomware attacks.

What to do

The report strongly recommends that businesses take a more proactive approach to ransomware. Given the high probability of cyberattacks and the significant data loss that can occur with each attack, organizations should place a high emphasis on both preventing cyberattacks and preparing effective recovery strategies.

In conclusion, Veeam advises businesses to maintain clean backup copies and regularly verify their recoverability as a part of their risk management strategy. Other recommendations include the use of “staged restorations” to gradually bring back data and prevent system re-infection during recovery. This is important because if infected data is restored, a second ransom event will likely occur. Lastly, implementing hybrid IT architectures can help organizations with their overall disaster recovery strategy by recovering servers to different platforms.

One recommendation I would like to make is that backup and recovery funding and policy should be done in conjunction with the security team. Historically, backup and recovery is one of those poorly funded areas as no one cares about it until it’s an issue. On the other hand, security is a top area of focus for organizations as everyone, including business leaders, is concerned about a breach.

All of the money put into cyber protection is to prevent a breach. Zero trust, security information and event management, security orchestration, automation and response, extended detection and response, next-generation firewalls and other tools protect the company differently.

This does not account for the worst-case scenario, which is that a breach occurs, data is encrypted and a ransom is requested. At that moment, backup and recovery will be put to the test. If it has been well-funded, tested and retested, data can be recovered quickly and the ransom ignored.

If not, well, the data points in the Veeam report highlight what happens. CISOs and chief information officers must work together to ensure that data protection, backup and recovery are all on the same page.

Author: Zeus Kerravala

Zeus Kerravala is the founder and principal analyst with ZK Research. Kerravala provides a mix of tactical advice to help his clients in the current business climate and long-term strategic advice.