Data Backups Targeted in 94% of Ransomware Attacks


April 1, 2024

World map

A new study confirms that ransomware operators almost always target data backups in attacks, which forces targets to pay more in ransom demands.

Nearly all of the security professionals surveyed (94%) said the attackers attempted to or successfully compromised data backups, forcing them to pay on average more than twice the ransom demand ($2.3 million versus $1 million), and doubling the likelihood the victim will pay the ransom demand.

"Organizations with compromised backups were almost twice as likely to pay the ransom, compared to those with safe backups (67% compared to 36%). The median ransom payment for organizations with compromised backups was also double - $2 million versus $1.062 million,” TechRadar reports.

“These firms were also unable to negotiate down the ransom payment, as the attackers were well-aware of the strong position they held during the negotiations.”

Takeaway: The targeting of data backups, whether stored on-site or in the cloud, has increasingly become a favored tactic of ransomware attackers.  

Early in the evolution of ransomware attack sequences, malicious payloads would simply encrypt files and demand payment for decryption keys. Security teams found success in either restoring from backups or accepting loss of data as an acceptable consequence.  

But today’s attacks typically include the exfiltration of sensitive data, so even if systems can be restored without having to pay the ransomware operators for a decryption key, there is no guarantee that a ransom payment will prevent the stolen data from being exploited.

This challenge is further complicated by a common tactic where the attackers use legitimate network tools like the Windows Vssadmin process to delete shadow copy backup files.  

Many vendors tout a “rollback” feature dependent on shadow copies that they claim will easily reverse encryption on an infected machine, and while automatic rollbacks are a nice feature to call out in marketing materials, it gives customers a false sense of security.

Today, it is increasingly likely that ransomware operators will wipe backups during the attack, so backups have limited utility regarding ransomware attacks. Even when uncorrupted backups are available, restoration of every infected device is an arduous task involving a manual wiping and re-imaging process that can take weeks or months, and at great cost.

For example, last year a manufacturing company with revenues nearing $1B annually was attacked by the Akira ransomware group. Akira encrypted all Windows workstations and servers halting their business and operations. All backups were destroyed and were not recoverable.  

Not only was the company almost completely unable to conduct business or proceed with production, they also faced the unpleasant reality that they would need to rebuild all their systems from scratch which would require multiple technology partners and take months to complete.

While some larger companies can weather disruption like this, it may be an existential event for most small to medium organizations who may not have the resources required to spend weeks getting systems back up and running.

Data backups are still highly recommended for disaster recovery, but organizations cannot depend on them as the primary means of recovering from a successful ransomware attack. is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.