On Tuesday, the first day of VeeamON 2022, Veeam released the results of its 2022 Ransomware Report, the first such study that they have done. Quite frankly, most vendor reports released at their own events tend to have fairly marginal news value, especially when covering a topic like ransomware that most in the industry are obsessed with. This report seems to be the exception to the rule, however. It is quite a large study, with 1000 IT leader respondents that fell into four specific personas – CISOs, Security Professionals, Backup Administrators and IT Operations. More significantly, each of these organizations was successfully attacked by ransomware over the past 12 months. Finally, the Veeam team responsible for designing the focus of the report asked some interesting questions, and got some answers that aren’t always intuitive and may surprise some readers.
“We are releasing the finding of the industry’s most comprehensive ransomware study, and the data is stunning,” said Anand Eswaran, who took over as Veeam CEO six months ago. “It shows that almost three of four organizations [72%] have had at least one attack on their backup repositories.” While 94% of these successful attacks targeted backup repositories, 80% targeted production platforms and 80% targeted known vulnerabilities, reinforcing the importance of patching and upgrading software. Most of these attacks got in through the tried and true method of phishing.
“Cyberattacks are the most catastrophic ones that a company can face, but they can reduce the risk through modern data protection strategies,” Eswaran said.
Danny Allan, Veeam’s CTO, referred to some of the findings as remarkable. Only 19% of companies attacked achieved the nirvana of results. Through proper protection, they recovered their data successfully without paying a ransom. However, the vast majority, 76%, paid the ransom to end an attack and recover data. 52% of these paid the ransom and were able to recover data. However, 24% paid the ransom but were still not able to recover data. So effectively one victim in three paid the ransom, but didn’t get their data back anyway.
“This shows that paying the ransom is a very poor strategy,” Allan said.
Interestingly, 5% of victims didn’t receive a ransom demand at all, suggesting that they were a victim not of ransomware, but of arson, with the culprit most likely to be an unhappy insider.
Allan noted that of the 94% of attackers who attempted to destroy backup repositories, in 72% of cases this strategy was at least partially successful. The only way to protect against this scenario is to have at least one immutable or air-gapped tier within the data protection framework. 95% of those surveyed indicated they now have that, one of the positive findings in the report. In contrast, 74% use cloud repositories that offer immutability; 67% use on-premises disk repositories with immutability or locking; and 22% use tape that is air-gapped. 45% of production data is still stored on tape and 62% goes into a cloud at some point in their data lifecycle.
Orchestration is not used enough as a defense.
“25% have orchestrated workflows that will connect resources that are or running remotely,” said Dave Russell, VP Enterprise Strategy at Veeam. Only one in six [16%] IT teams automate the validation and recoverability of their backups to ensure their servers are restorable. Then, during remediation of a ransomware attack, 46% of respondents use an isolated “sandbox” or staging/test area to ensure their restored data is clean prior to reintroducing the systems into production.
Russell concluded by raising an important point, that while ransomware gets most of the attention these days in cybersecurity, there are a lot more issues that also need to be addressed.
“We focus on ransomware because it resonates very well, but security is about much more than just ransomware,” he emphasized. “There are a lot more things that can take down a server.”