Securing your backups: Why ransomware targets recovery data

Written by: Adam Fuller, Special Projects Engineer

As ransomware attacks rise, the security and accessibility of data backups have become a critical focus for organizations. While backups are primarily designed for recovery, protecting them is now essential to any effective cyber defense strategy. Threat actors increasingly target backup systems to prevent data recovery or exfiltrate that data, which increases the chances of ransom payment.

Why ransomware groups target backups

Cybercriminals know that disabling an organization's ability to restore data increases leverage. During many attacks, one of the first steps is identifying and disrupting backup processes. According to cybersecurity reports, up to 90% of backups are compromised during ransomware incidents. This tactic forces victims to consider paying to regain access to their own data.

Some ransomware operators tamper with cold backup routines to save empty files while falsely generating success reports. Others exploit legitimate backup software to exfiltrate data, using it as a double-extortion strategy.

What makes a resilient backup strategy

Effective backup strategies are based on the principle of redundancy, which means maintaining three copies of your data: hot, warm, and cold.

  • Hot backup: Actively used live data, instantly accessible within the system.
  • Warm backup: A near-real-time copy of hot data, often refreshed every 15 minutes. This enables recovery to a recent point in time. Volume shadow copies (VSS) can assist here but are often disabled by attackers. Security tools that restrict access to VSS by applications like PowerShell can improve reliability. Internal SQL backups are also helpful for restoring databases.
  • Cold backup: An off-site, typically disconnected backup. Although slower to restore, it is more resistant to attack. These backups may reside on physical media or cloud services that are not continuously online.

Five ways to protect backup data from ransomware

Protecting backups requires more than just storage. It involves isolating backup systems, enforcing strict access controls, and ensuring recoverability.

  1. Restrict access to backup locations

Limit access to backup folders to specific, trusted programs and users. Only backup software or approved scripts should write to these folders. This prevents ransomware or common tools from altering or deleting backups. If only one program needs access to a backup location, all others should be blocked.

  2. Regularly test backups for integrity and restoration

Review daily backup reports to detect changes in file counts or sizes. Cold backups should be verified to ensure they are storing valid, complete data—not empty or corrupted files.

  3. Use multi-factor authentication for backup systems

Enable 2FA on backup software and related servers. Without it, an attacker who gains access could delete backup data with minimal resistance.

  4. Isolate backup software from internet traffic

Contain backup software with ThreatLocker Ringfencing™ so it communicates only with its assigned backup server. Preventing open internet access reduces the risk of data exfiltration or redirection. Document these rules carefully so they can be followed during an incident.

  5. Create clear data retention policies

Maintain monthly backups for at least a year, even if hot and warm backups are retained for shorter periods. Annual backups are especially valuable for regulatory or historical needs, such as in financial services. Always align retention with privacy policies and compliance requirements.
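
One way to automate the integrity check from item 2, which also catches the empty-file tampering described earlier. This is an added example, not ThreatLocker code; the function names, the 20% drift threshold, and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Return {relative_path: (size_bytes, sha256_hex)} for every file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()  # fine for a demo; stream in chunks for large files
        manifest[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return manifest

def audit(expected, actual, max_drop=0.2):
    """Compare a trusted manifest with what the backup actually holds."""
    findings = []
    for name, (size, digest) in sorted(expected.items()):
        if name not in actual:
            findings.append(("missing", name))
        elif actual[name][0] == 0 and size > 0:
            findings.append(("empty", name))     # job reported success but stored nothing
        elif actual[name][1] != digest:
            findings.append(("mismatch", name))  # truncated, corrupted or altered
    # Aggregate drift: the same signal a daily report review looks for.
    exp_bytes = sum(s for s, _ in expected.values())
    act_bytes = sum(s for s, _ in actual.values())
    if len(actual) < len(expected) * (1 - max_drop):
        findings.append(("count_drop", f"{len(expected)} -> {len(actual)} files"))
    if act_bytes < exp_bytes * (1 - max_drop):
        findings.append(("size_drop", f"{exp_bytes} -> {act_bytes} bytes"))
    return findings

def demo():
    """Constructed sample: a source tree and a tampered cold copy of it."""
    with tempfile.TemporaryDirectory() as tmp:
        src, cold = Path(tmp, "source"), Path(tmp, "cold")
        files = {"db/ledger.bak": b"A" * 4096, "docs/plan.txt": b"quarterly plan\n",
                 "docs/hr.csv": b"id,name\n1,example\n"}
        for name, data in files.items():
            for base in (src, cold):
                (base / name).parent.mkdir(parents=True, exist_ok=True)
                (base / name).write_bytes(data)
        (cold / "db/ledger.bak").write_bytes(b"")         # empty file, job still "passed"
        (cold / "docs/plan.txt").write_bytes(b"garbage")  # corrupted content
        (cold / "docs/hr.csv").unlink()                   # silently dropped
        return audit(build_manifest(src), build_manifest(cold))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Record the trusted manifest when the backup is written and keep it where the backup host cannot modify it, then run the audit against the restored or mounted cold copy.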

The bottom line: backup protection is essential for cyber resilience

Backups are not a security strategy by themselves, but securing them is essential. Ransomware attackers often focus on backup systems to disrupt recovery and force payment. By proactively protecting backup data, organizations strengthen their overall cyber resilience and reduce downtime during attacks.
