The impact of compromised backups on ransomware outcomes – Sophos News

There are two main ways to recover encrypted data in a ransomware attack: restoring from backups and paying the ransom. Compromising an organization's backups enables adversaries to restrict their victim's ability to recover encrypted data and dial up the pressure to pay the ransom.

This analysis explores the impact of backup compromise on the business and operational outcomes of a ransomware attack. It also shines light on the frequency of successful backup compromise across a range of industries.

The findings are based on a vendor-agnostic survey commissioned by Sophos of 2,974 IT/cybersecurity professionals whose organizations had been hit by ransomware in the last year. Conducted by independent research agency Vanson Bourne in early 2024, the study reflects respondents' experiences over the previous 12 months.

Executive summary

The analysis makes clear that the financial and operational implications of having backups compromised in a ransomware attack are immense. When attackers succeed in compromising backups, an organization is almost twice as likely to pay the ransom and incurs an overall recovery bill that is eight times higher than for those whose backups are not impacted.

Detecting and stopping malicious actors before your backups are compromised enables you to considerably reduce the impact of a ransomware attack on your organization. Investing in preventing backup compromise both elevates your ransomware resilience and reduces the overall Total Cost of Ownership (TCO) of cybersecurity.

Download the report PDF.

Learning 1: Ransomware actors almost always attempt to compromise your backups

94% of organizations hit by ransomware in the past year said that the cybercriminals attempted to compromise their backups during the attack. This rose to 99% in both state and local government, and the media, leisure and entertainment sector. The lowest rate of attempted compromise was reported by distribution and transport; however, even here more than eight in ten (82%) organizations hit by ransomware said the attackers attempted to access their backups.

Learning 2: Backup compromise success rate varies considerably by industry

Across all sectors, 57% of backup compromise attempts were successful, meaning that adversaries were able to impact the ransomware recovery operations of over half of their victims. Interestingly, the analysis revealed considerable variation in adversary success rate by sector:

  • Attackers were most likely to successfully compromise their victims' backups in the energy, oil/gas, and utilities (79% success rate) and education (71% success rate) sectors
  • Conversely, IT, technology and telecoms (30% success rate) and retail (47% success rate) reported the lowest rates of successful backup compromise

There are several possible reasons behind the differing success rates. It may be that IT, telecoms and technology had stronger backup protection in place to begin with and so were better able to resist the attack. They may also be more effective at detecting and stopping attempted compromise before the attackers could succeed. Conversely, the energy, oil/gas and utilities sector may have experienced a higher proportion of very advanced attacks. Whatever the cause, the impact can be considerable.

Learning 3: Ransom demands and payments double when backups are compromised

Data encryption

Organizations whose backups were compromised were 63% more likely to have data encrypted than those that didn't: 85% of organizations with compromised backups said that the attackers were able to encrypt their data, compared with 52% of those whose backups weren't impacted. The higher encryption rate may be indicative of weaker overall cyber resilience, which leaves organizations less able to defend against all stages of the ransomware attack.

Ransom demand

Victims whose backups were compromised received ransom demands that were, on average, more than double those of victims whose backups weren't impacted, with the median ransom demands coming in at $2.3M (backups compromised) and $1M (backups not compromised) respectively. It's likely that adversaries feel that they are in a stronger position if they compromise backups and so are able to demand a higher payment.

Ransom payment rate

Organizations whose backups were compromised were almost twice as likely to pay the ransom to recover encrypted data as those whose backups weren't impacted (67% vs. 36%).

Ransom payment amount

The median ransom payment by organizations whose backups were compromised was $2M, almost double that of those whose backups remained intact ($1.062M). They were also less able to negotiate down the ransom payment, with those whose backups were compromised paying, on average, 98% of the sum demanded. Those whose backups weren't compromised were able to reduce the payment to 82% of the demand.

Learning 4: Ransomware recovery costs are 8X higher when backups are compromised

Not all ransomware attacks result in a ransom being paid. Even when they do, ransom payments are just part of the overall recovery costs when dealing with a ransomware attack. Ransomware-led outages frequently have a considerable impact on day-to-day business transactions, while the task of restoring IT systems is often complex and expensive.

The median overall ransomware recovery costs for organizations whose backups were compromised ($3M) came in eight times higher than those of organizations whose backups weren't impacted ($375K). There are likely several reasons behind this difference, not least the additional work that is typically needed to restore from decrypted data rather than from well-prepared backups. It may also be that weaker backup protection is indicative of less robust defenses and greater resulting rebuilding work.

Those whose backups were compromised also experienced considerably longer recovery times, with just 26% fully recovered within a week compared with 46% of those whose backups weren't impacted.


Backups are a key part of a holistic cyber risk reduction strategy. If your backups are accessible online, you should assume that adversaries will find them. Organizations would be wise to:

  • Take regular backups and store them in multiple locations. Be sure to add MFA (multi-factor authentication) to your cloud backup accounts to help prevent attackers from gaining access.
  • Practice recovering from backups. The more fluent you are in the recovery process, the quicker and easier it will be to recover from an attack.
  • Secure your backups. Monitor for and respond to suspicious activity around your backups, as it may be an indicator that adversaries are attempting to compromise them.
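As an added illustration of the advice to monitor for suspicious activity around your backups (example code written for this page, not Sophos's or any backup vendor's), the following Python scans constructed audit events from a hypothetical backup server and flags the patterns that typically precede backup destruction: retention cut to zero, restore points deleted in bulk, a backup job disabled, and MFA disabled on a backup account. The event format, field names and thresholds are assumptions.

```python
# Added example, not code from the Sophos report: flags backup-tampering precursors in
# a hypothetical backup server's audit log. Event format, fields and thresholds are assumed.
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample audit events (JSON lines) for the hypothetical backup server.
SAMPLE_LOG = """\
{"ts":"2024-03-04T01:02:11Z","user":"svc_backup","action":"job.run","target":"nightly-fs"}
{"ts":"2024-03-04T02:15:40Z","user":"admin2","action":"retention.update","target":"nightly-fs","days":0}
{"ts":"2024-03-04T02:16:02Z","user":"admin2","action":"restorepoint.delete","target":"rp-1001"}
{"ts":"2024-03-04T02:16:03Z","user":"admin2","action":"restorepoint.delete","target":"rp-1002"}
{"ts":"2024-03-04T02:16:05Z","user":"admin2","action":"restorepoint.delete","target":"rp-1003"}
{"ts":"2024-03-04T02:17:30Z","user":"admin2","action":"job.disable","target":"nightly-fs"}
{"ts":"2024-03-04T02:18:00Z","user":"admin2","action":"mfa.disable","target":"admin2"}
{"ts":"2024-03-04T09:00:00Z","user":"ops1","action":"restorepoint.delete","target":"rp-0999"}
"""

BULK_DELETE_THRESHOLD = 3   # this many restore-point deletions by one user ...
BULK_DELETE_WINDOW_S = 600  # ... inside this many seconds counts as a bulk purge

def to_seconds(ts):
    # ISO-8601 UTC timestamp ("...Z") to epoch seconds
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect_backup_tampering(events):
    """Return (severity, user, description) findings for backup-tampering patterns."""
    findings = []
    deletes = defaultdict(list)  # user -> epoch seconds of each restore-point deletion
    for ev in events:
        user, action, target = ev["user"], ev["action"], ev["target"]
        if action == "retention.update" and ev.get("days", 1) == 0:
            findings.append(("high", user, f"retention set to 0 days on {target}"))
        elif action == "job.disable":
            findings.append(("medium", user, f"backup job {target} disabled"))
        elif action == "mfa.disable":
            findings.append(("high", user, f"MFA disabled on backup account {target}"))
        elif action == "restorepoint.delete":
            deletes[user].append(to_seconds(ev["ts"]))
    # Sliding window over each user's sorted deletion times: a single benign deletion
    # (ops1 below) is ignored, a rapid run of them is reported once per user.
    for user, times in deletes.items():
        times.sort()
        for i in range(len(times) - BULK_DELETE_THRESHOLD + 1):
            if times[i + BULK_DELETE_THRESHOLD - 1] - times[i] <= BULK_DELETE_WINDOW_S:
                findings.append(("high", user, f"bulk purge: {BULK_DELETE_THRESHOLD}+ restore points deleted within {BULK_DELETE_WINDOW_S}s"))
                break
    return findings
```

Running `detect_backup_tampering(parse_events(SAMPLE_LOG))` on the constructed log yields four findings, all attributed to `admin2`; in a real deployment the same checks would run on the backup platform's exported audit stream and feed an alert to the SOC.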

How Sophos can help

Sophos MDR: Over 500 experts monitoring and defending your organization

Sophos MDR is a 24/7 expert-led managed detection and response service that focuses on stopping advanced attacks that technology alone can't prevent. It extends your IT/security team with over 500 experts who monitor your environment, detecting, investigating, and responding to suspicious activities and alerts.

Sophos MDR analysts leverage telemetry from the security tools you already use – including your backup and recovery solution – to detect and neutralize attacks before damage is done. With an average threat response time of just 38 minutes, Sophos MDR works faster than your next threat.

Sophos XDR: Enabling IT teams to detect and respond to attacks

In-house teams can use Sophos XDR to get the visibility, insights, and tools they need to detect, investigate, and respond to multi-stage threats, across all key attack vectors, in the shortest time. With Sophos XDR you can leverage telemetry from your backup and recovery solution, as well as your wider security stack, to quickly see and respond to attacks.