Study: One-Third Still Unable to Recover Data After Paying Ransomware Criminals

According to the Veeam 2022 Ransomware Trends Report, 72 percent of enterprises suffered partial or total attacks on their backup repositories. The majority of ransomware victims (76 percent) paid the ransom to halt an assault and recover data. Unfortunately, while 52 percent of those who paid the ransom were able to retrieve their data, 24 percent paid the money but were still unable to do so.

That leaves a one-in-three chance that paying the ransom will result in no data being recovered.

It is worth noting that 19 percent of businesses did not pay the ransom since they were able to restore their data on their own. The remaining 81 percent of cyber-victims must strive for this: data recovery without paying the ransom.

“Paying cybercriminals to restore data is not a data protection strategy,” said Danny Allan, CTO at Veeam.

The Veeam 2022 Ransomware Trends Report details the findings of an independent research agency that polled 1,000 IT executives whose companies had been successfully targeted by ransomware at least once in the previous 12 months, making it one of the most comprehensive publications of its type.

The cybersecurity research project specifically surveyed four IT personas (CISOs, Security Professionals, Backup Administrators and IT Operations) to understand cyber-preparedness alignment across organizations.

Attacks on backup repositories occurred in 72 percent of firms, severely limiting the capacity to restore data without paying the ransom. Veeam Software, a pioneer in backup, recovery, and data management solutions that enable Modern Data Protection, discovered that 80 percent of successful assaults targeted known vulnerabilities, emphasizing the need for patching and updating software. Almost all of the attackers tried to delete backup repositories in order to prevent the victim from recovering without paying the ransom.

OS, Hypervisor, NAS, Database Server

The ‘attack surface’ for criminals is diverse. Cybercriminals usually obtain access to production environments through wayward users clicking malicious links, visiting unsafe websites, or responding to phishing emails, revealing once again the preventable nature of many incidents. Once attackers had gained access to the environment, there was minimal difference in infection rates between data center servers, remote office platforms, and cloud-hosted servers. In most cases, the intruders exploited known vulnerabilities in operating systems, hypervisors, NAS platforms, and database servers, leaving no stone unturned and abusing whatever unpatched or obsolete software they could discover.

It’s worth noting that Security Professionals and Backup Administrators reported considerably higher infection rates than IT Operations or CISOs, meaning that ‘those closer to the problem saw even more concerns.’

“Ransomware has democratized data theft and requires a collaborative doubling down from organizations across every industry to maximize their ability to remediate and recover without paying the ransom,” said Danny Allan, CTO at Veeam. “Paying cybercriminals to restore data is not a data protection strategy. There is no guarantee of recovering data, the risks of reputational damage and loss of customer confidence are high, and most importantly, this feeds a self-fulfilling prophecy that rewards criminal activity.”

Remediation Starts with Immutability

According to study respondents, 94 percent of attackers attempted to delete backup repositories, and 72 percent of the time they were partially successful. Eliminating an organization’s recovery lifeline is a common attack method because it raises the chances that victims will be forced to pay the ransom. The only way to avoid this scenario is to have at least one immutable or air-gapped tier in your data protection structure, which 95 percent of those polled said they currently have. In fact, several companies said they have immutability or air-gapped media in more than one tier of their disk, cloud, or tape approach.

The Veeam 2022 Ransomware Trends Report also includes the following major findings:

  • Orchestration matters – One in six (16%) IT teams automate the validation and recoverability of their backups to verify that their servers are recoverable. Following that, 46 percent of respondents use an isolated ‘sandbox’ or staging/test area during ransomware remediation to confirm their recovered data is clean before bringing the systems back into production.
  • Organization alignment must unify – 81 percent of respondents say their company’s cyber and business continuity/disaster recovery plans are in sync. However, 52% of respondents felt that the interactions between these teams should be better.
  • Diversifying the repositories holds the key – Nearly all (95%) organizations have at least one immutable or air-gapped data protection tier: 74% use cloud repositories that offer immutability; 67% use on-premises disk repositories with immutability or locking; and 22% use tape that is air-gapped. Immutable or not, organizations noted that in addition to disk repositories, 45% of production data is still stored on tape and 62% goes into a cloud at some point in their data lifecycle.