Why Ransomware Attacks on Backups Should Terrify You

You found the backup wrap up your go-to podcast for all things

backup recovery and cyber recovery.

In this episode, we're talking about something that keeps me up at night,

ransomware attacks on backups.

A recent study showed that 96% of ransomware attacks.

Now target your backup infrastructure.

96%. Why do they do this?

Well, it's simple.

I think, uh, if they can take out your ability to recover,

they've got you over a barrel.

You're way more likely to pay that ransom if your backups are toast.

Sadly, that same study showed that only about 25% of organizations

actually felt confident that they could defend against those attacks.

That's a serious gap.

Persona and I break down the numbers, talk about what immutability is and

why it's your friend, and discuss what you could do right now to stop handing

over the keys to your backup kingdom.

By the way, if you don't know who I am, I'm w Curtis Preston, AKA, Mr.

Backup, and I've been passionate about backup and recovery for over 30 years.

Ever since.

I had to tell my boss that there were no backups of the production

database that we had just lost.

I don't want that to happen to me.

I don't want that to happen to you, and that's why I do this.

On this podcast, we turn unappreciated backup admins into Cyber Recovery Heroes.

. This is the backup wrap up.

Hi, and welcome to the backup wrap up.

I'm your host w Curtis Preston, AKA, Mr. Backup, and I have with

me a guy who is so proud of me in my recent car maintenance Attempt.

Attempt.

Yeah.

Prasanna Malaiyandi.

How's it going?

Prasanna,

I am good.

But to

wait, you're not gonna tell me you weren't proud of me.

no, no.

To be fair, your current vehicle requires almost zero maintenance.

Yeah.

Except for what I did to it.

could do that.

You could do.

Yeah, yeah.

Well, there is what I told you I discovered there, there is actually,

uh, people highly recommend changing the, the, I don't know,

gear, oil or whatever for the, the.

For the motor.

Um, uh, but like at a hundred thousand miles, which I have passed.

Yes.

um,

do you also do your air filters?

um, uh, no I haven't done that.

I know I'm supposed to do that, but

At like 20,000 miles and how

yeah.

You blew past that Justice sco.

Yeah, just a, six times past that.

Um, I have been doing the tires though.

Uh,

haven't been doing it though.

I was saying, versus like before your previous car, you

used to do everything on that

Yeah, I had to do a lot, right.

Um, brake jobs and I haven't needed a brake job on this because of the way

the brakes work on the, uh, Tesla.

Um, but yeah, but I get, but I had, I got to crank my car up.

Uh, which for those that don't know Teslas, they gotta be just a

little different with everything.

And there's these pressure points that, you know, you don't just

have a little pinch weld where you put the, the jack on you.

You have a pressure point that you, you have to use that.

And so it's, it's more difficult than normal to

reason you do that though is because the battery pack, right?

The battery

Yeah.

I, I, I get it.

of the body, and so it's down there because low center of

It just, it just would've been nice for them to give us two pressure points

on the same area so that we could.

do that

Huh,

Most cars don't do that.

well, most cars you would lift it up and then you would put the jacks stand

underneath like the wheel infrastructure.

But this doesn't have that, right?

and you

I survived, car survived.

I have the new, the new pan on there.

Um, yeah.

Very exciting.

Um, uh, yeah, yeah.

Speaking of surviving,

about today?

yeah.

So this episode, um, we're going to, uh, just talk a little bit

about, you know, we, we, we, we, what, what are you laughing at?

As I said, surviving.

Do you know what song popped into my head?

I got nothing.

Destiny's Child.

I'm a survivor.

I'm a survivor.

Yeah, I like it.

Um, and we want you to be a survivor too, right?

Uh, we want your environment to.

Survive, uh, a ransomware attack, right?

That is the whole point of the book that I just finished, uh, writing,

which is coming out, it's gonna be like right after the, the first of the year.

Um.

By the way, I have to, I have to reminisce.

Um, this is very reminiscent of my very first book that was going to

come out in the Christmas of 99.

Right.

And we did all this work because there was a trade show called Lisa Large

Installation System Administration.

And the company that I worked for at the time was a.

Sponsor it, Lisa.

And, uh, so we really wanted to have the book to come out in time

for that show so that we could like give it away at the show and all,

you know, that kind of stuff, right?

And, um, we, we, we, we succeeded, right?

Uh, the, the show was like in the first half of December and.

The, and it was in San Diego, by the way, interestingly enough, and I, because the

company that I worked for was a sponsor.

I was able to go back, um, into the sponsorship area

when nobody else was there.

And, uh, true story, the first copy of my book that I ever saw and, uh, obtained

was stolen from the O'Reilly booth.

Boo.

I literally went in there, I saw my own book, and I was so excited.

I just had to take one.

And I'm pretty sure the statute of limitations on petty theft is,

has, uh, uh, ran out at this point?

that you also, uh, nearly lost the

is.

because

No, not, no.

Yeah, it is the, it is the same book that I nearly lost, uh, the Yeah.

Yep.

Absolutely.

At Disney.

Yeah.

Uh, anyway, so, uh, just, just reminiscent of that, but.

We talk a lot about, um, the fact that you need to prepare your infrastructure,

your specifically your backup infrastructure for a ransomware attack.

And so, uh, I thought that, uh, I, I, I went out and I looked for a couple

of, uh, articles or, or studies to see if I could, you know, back that up.

But before we get to sort of the studies, right?

I

it's probably useful to talk about like, why should a person care

about their backup infrastructure?

Because isn't ransomware all about cyber criminals attacking production

instances, encrypting data, stealing data from production, right?

All that sort of stuff.

So yes it is,

Everything that you said is correct except for the word all.

So if you take out, when you said it's all about attacking, uh,

primary infrastructure, it's not, um, it is very much about also

attacking your backup infrastructure.

So why would they do that?

It, I think the answer is obvious, but perhaps it's not.

If they can take out your backup infrastructure, if they can encrypt

that, if they can delete that.

If they can expire your backups right, um, then they take the backup

infrastructure out of the equation, uh, from a ransomware perspective,

and thus increasing the chance that you would, uh, then pay the ransom.

Is, is the number one reason.

Do you remember the second reason?

I know we've talked about it a few, a

think, uh, if I recall from prior podcasts, it was the fact that.

All like what is backup?

It is taking all of your production environment and protecting

it somewhere else, right into the backup infrastructure.

What does that mean?

of your data is in one place,

don't need to go compromise a hundred different production applications.

If you can compromise the backup infrastructure, you have access

to all the data stored in those a hundred production applications.

Yeah, and I, I should have pulled up.

Um, I know that I, I don't have a stat, but I know that a

significant percentage of, um.

Of of modern ransomware attacks include exfiltration, right?

Because if they're able to exfiltrate your data, it then once again increases

the chance that you'll pay the ransom because you're thinking, I.

They have, not only have they prevented my access from important data, they

have my 11 herbs and spices, and they're gonna release it to the

public, uh, if I don't pay the ransom.

Or either they've got, you know, IP that they're going to release

or they've got damning evidence.

Do you remember the Sony hack?

Yep.

Where they were talking about artists And

not go over well.

yeah.

And that one, uh, was very damaging to Sony at the time.

Right.

To their relationship with their, uh, with their talent and all of that.

Um, and that was a successful meaning, like they didn't pay

the ransom and so they ended up actually, uh, releasing the data.

Yeah.

Yeah.

Just two things to add.

So I know in past episodes when we talk about sort of encrypting

data plus exfiltrating and then threatening you, again, we've

referred to that as double extortion.

We didn't make up that term.

That's.

Kind of what

referring to.

Uh, the other thing, you also mentioned IP in terms of like

company's data being stolen.

In that case, you're not talking about IP addresses, you're talking

about intellectual property,

Thank you very much for clarifying.

Yeah.

Yeah.

We're talking about intellectual property, right?

So your 11 herbs and spices is the one I I I like to use a lot.

those who are not US based,

dude.

KFC's everywhere.

I have been in many countries and I see KFC everywhere.

We have exported that horrible, like, I love it.

I love the restaurant.

Right?

I love KMC.

It's been, it's been like a, a year since I've had it, but, um, I think

raising canes I think has taken over my, my, uh, need for fried chicken.

But, um, yeah, we, we, we've exported that quite a bit, but yeah, so the 11

herbs and spices was the phrase that was always up in the, in the advertisements.

And so they've got your company intellectual property, whatever it is,

it makes your company, your company, and they're threatening to release it

or, uh, they're, they've got damning uh, information on, um, you know.

Either your executives or perhaps just, uh, the behavior of your

company and in and in a modern, in our modern world, the threat there is

the threat of being canceled, right?

Right now, like I can think of what's that?

What,

which.

you're the one who told me the uh, Campbell Soup.

Oh yeah.

Yeah.

That's just crazy, right?

The this, this crazy thing that a Campbell suit, allegedly, a Campbell soup

executive, he was supposedly the head of cybersecurity or something, and emails

from him leaked out that he was saying.

Very unflattering things, both about his own product, uh,

or their, their own product.

And, uh, also being highly racist about his, uh, his interest,

interestingly enough, Indian coworkers.

Um, basically anything, anything that is negative about your company or the

executives of your company in the current.

Shoot, first ask questions later world that we live in.

Um, you don't want that kind of stuff to get out because you don't know the degree

to which that that is going to be, um, you know, negatively impact your company.

Right?

So go back to the question at hand.

The worry is that either or the, the desire on the part of the

threat actor is to either take out the backup infrastructure so

that you have to pay the ransom.

Or use the backup infrastructure to exfiltrate data.

Um,

also a third one.

what's the third one?

If a company is using SaaS and decides not to back up their

data, they don't have to worry.

Hopefully you're not that company,

Hopefully you're not that company.

Yeah.

Um, yeah, I, I was just thinking about.

Yeah, I mean, if you're, if you have a, if you have a SaaS infrastructure

and you, you don't have a third party backup of that, and then the, the

threat actor attacks that infrastructure then, uh, you know, like for example,

the Rackspace incident where they were a SaaS provider of, uh, hosted

exchange and then, uh, the entire thing got attacked by ransomware and they

basically had to give up and move on.

They basically moved the entire.

Uh, infrastructure over to Microsoft 365.

Right.

because yeah.

and I would say if we go back in history, right, not even that far back.

Ransomware, actors ignored backups.

Right.

didn't care about their backup infrastructure, but because of all

these things, people getting smarter, people not paying the ransomware 'cause

they could recover their environment.

Backup actors are like, Hey, let me go after that.

Yeah.

And so, uh, you know, and this is just because not, maybe not

everybody, maybe everybody doesn't believe what we're saying, right?

And so I thought it would be interesting.

to this podcast.

Come on.

Yeah.

Well, I like some of the people who listen to this podcast, think I'm an idiot.

Right.

So, um, you know, my wife, uh, being one of them anyway, no, she

just uses it to, to go to sleep.

The, um, the, there's a couple of different reports here that I thought

were, uh, really telling the, the biggest of which was this, um, ransomware

trends report from 2024, which was, um.

Cited in in vio, it's 25 Disaster Recovery Statistics.

And they were saying that 96% of modern ransomware attacks attempt

to infect the backup repositories.

Um, 96% is basically everything.

Yeah.

It's like what are those other 4% doing?

Yeah, it's like the, it's like the one out of, what is it?

The, the four out of five recommend sugarless gum for their patients.

Chew, chew gum.

What's with the one guy, like, he doesn't like you.

You don't think they should chew sugarless gum anyway?

so do you remember Dwayne

Of course.

and he was like, because he was a red teamer

Yep.

What is a red team or Prasanna?

It is someone that a company hires to attack their infrastructure and

pretend like they're a hacker, so then they can figure out what the

flaws are and what the vulnerabilities are that they should probably fix.

As depicted in the amazing movie sneakers.

Yes.

And so he actually mentioned, he's like, I love going after backup infrastructure

because that has everything I, I

remember him saying that, and that's like stuck with me all this time.

yeah.

And, and, and some of it is not as obvious as you might think.

So we talked about.

Uh, we talked about that the, the backup system is this honeypot from

which you can get basically everything.

He also looked at it from a different standpoint.

He also looked at service accounts, for example, service accounts that

are often unmonitored, that often don't have the, none of the limits.

Uh, for typical accounts are applied to these service accounts because,

well, it's the backup service account and so of course, uh, it's gonna

be transferring ridiculous tons of.

So if they can get access to that service account, they can then, uh, gain direct

access to that host and, and transfer the data just like the backup system.

Which is interesting when you think about it because on the podcast we

talk about, least privilege access.

And if you think about backup, it's the exact opposite.

Yeah, it is.

It is it really?

Yeah.

Because backup, in order to do its job, um, it has to basically be all powerful.

It has to have access to every file, every database, everything on the system.

Which is why, by the way, right.

iPhone backup is so challenging because, um, the, because of the way that, that the

security is done, uh, within the iPhone.

Right.

Yep.

so you can't.

For example, backup third party apps in the iPhone from a, from a third party

app, because one third party app can't see another third party app's data.

And so if, if that problem existed in regular IT infrastructure,

this would be a problem.

And so you do have these service accounts that are essentially all

powerful, that are typically unmonitored.

And, and if they are monitored, they're all the, the alerts

and everything are turned off.

Um, what, what are you laughing about now?

it's, it's, it's, I was going back to that story.

Sorry.

Maybe we don't have time for another story, but the story you would

always tell about how you worked at a company where they went the

opposite way and locked everything down and you could never do your job

Yes, yes.

to everything and they would not allow you access.

That story is at the exact same time as my, uh, book story.

Um, 'cause it was literally in, in 1999, we were preparing for Y 2K and

that company, the, the cybersecurity people took their job seriously.

And it's the most, it's the, it's the organization.

That had the crunchiest internal infrastructure that I've ever seen before

or since, uh, that it, that even once you were inside, it was not assumed that

you could get from anywhere to anywhere.

And here I was, this, this jerk that was good, trying to

transfer data from everywhere.

I was setting off all kinds of bells and whistles, and they, they kept

telling 'em to, to shut it off.

So here's an interesting thing.

Here's another reason why we're having this conversation now, is you

got the first statistic, 90, 96% of.

Ransomware attacks include targeting the backup system.

Couple that with the following data.

So this is from a Kaseya, uh, study, , well, let me ask you a question.

What do you think?

So, you know, we've been p we've been preaching ransomware and

we're not the only ones, right?

This, this is like the biggest thing ever, right?

For years, right?

So what percentage do you think.

Of, of, uh, the, the, the environments that they have.

What percentage of youth of these environments do you think have any

policies or controls to prevent malicious access to the back of infrastructure?

What do you think that percentage is?

Oh,

so being.

An optimist would.

Right.

I would hope for like 80%, but I know that is probably way too high.

Yeah, that would be, that would be a correct, uh, assumption.

The, the percentage that was in this study was 25%.

Oof.

Ugh.

So we have, we have some work to do.

Right.

And so that's why we're starting here.

It's like just number one, um, you know, what do you call it?

Um.

You, you need to, um, you, you need to do something about this, right?

96% of the attacks and 25% of people are ready for those attacks.

This, this is a problem, right?

Um, and, uh, which is why, here's a third statistic.

This said, uh, this is from, uh, another, from the Nvidia OIT study.

Less than 7% of companies recover within a day from ransomware.

Right.

Over a third, take more than a month.

That makes perfect sense to me.

Right?

Because as we covered a lot in the book, the hardest part of the ransomware

recovery is not the restore part, it's the what the hell happened part.

Right.

Um, and if you.

Have something happen to your backup infrastructure, then, you

know, it's just everything's out.

Everything's out the window.

And, and that, and it's interesting everything we've talked about,

I know we've had Mike on the podcast, Mike Saylor, who's

your co-author for this book.

Um,

talk about how.

Difficult it is to do the forensics and or time consuming, right?

It's not like you're going to just say, oh, everything's good.

I'm just gonna blow away everything and recover my data and start going again,

So.

Is it just unrealistic to even have a one day stat?

Why does that even make sense?

No, I, I think that's a perfectly, uh, reasonable question.

I, I actually, I thought of, I was thinking about that as I was,

um, as I was reading it, right?

Because I, I don't think it is, um, unless you have like the smallest of attacks

or you really spend a lot of money for.

Um, XDR tools and, um, you know, uh, SEIM and SOAR tools and you're, and

you, and you catch it at that moment.

You catch it at the initial infection and, and it sets off all the triggers and

then you, you quarantine it at that one.

Computer that got, um, attacked then.

Sure.

Right.

If you're able to, to figure that out.

But you still, you know what, even in that situation, you have to

still go around and look everywhere.

You, you can figure out, you can quarantine that server or that

laptop and say, all right, we know what they put on that laptop.

Let's go look everywhere else to see if that thing is everywhere else.

Yeah.

And, um.

else they might have dropped elsewhere in your environment, which

signature.

right.

And you, you know, and so it's, you can't assume that you, you caught

it and therefore, oh, well we caught it early, and so we're good.

You don't know what you didn't catch.

Right.

And so, you know, you, you, it, it, it's just, it's just not easy.

Right.

And so going back to the topic at hand.

The one thing I just want to make sure that we do is at least let's make the

backup infrastructure impervious and

how, how can we do that?

And the, the real answer, the only answer in my opinion is actual immutability.

Right.

Um, and because you cannot, as long as the computer, if it's a

computer and it's plugged into the network, it's hackable, right?

You can reduce the risk, right?

We, we can do two things.

One is like guaranteed the other is like, let's not make it, let's not,

let's not leave the keys in the ignition of the car sitting in, you know,

in the worst neighborhood, right?

Um.

And so because we know it's a target and so we do things like separate

the backup infrastructure, right?

To use a different, uh, IAM system.

That's identity access management use a different IAM system.

So don't you don't have it just be part of the, uh, Intra ID domain.

Don't have it be part of whatever.

Whatever.

Centralized.

Password system that you have, don't make it be part of that.

Make it various different, perhaps even a different kind of infrastructure, not

just a different, uh, domain in intra, but perhaps don't even use that over there.

Right?

It's only like four systems.

So do you really need active directory over there?

Right.

So consider perhaps a local password management system, uh, with a third

party password management system.

Um, you know, separate that backup infrastructure as much as possible.

Obviously, turn on MFA or turn on, uh, PA keys.

That's something that we talk a lot about.

Um, but if your backups, if, if the actual data.

Of the backups is sitting on truly immutable storage where that even

you can't delete it if you wanted to, then at least you know you will

have that data when you need it.

Yes, I agree with everything you said.

I sense a big but.

No, I, but yes, I want to talk about in a separate podcast episode,

because it is gonna be more detailed.

Yeah.

I want to talk about immutability

and why it's difficult in backups

Yeah,

don't think it's as simple because otherwise everyone would turn the switch,

and so I think we should cover it in an episode we talk about immutability,

the different kinds and.

to other technologies.

Yeah.

Yeah.

I, I think it is simple as long as you choose the right product.

Choosing the right product is the difficult part, right?

Because there are many products that call themselves immutable that don't meet

the definition that I just said, right?

And, um, um, you know, I can think of a we'll cover that on a future episode.

So,

all right, so your backup systems are under attack, 96%.

How many times?

I gotta say that.

96. You round that up, that's a hundred percent

let's just hundred, nearly a hundred.

I

Yeah, nearly a hundred percent.

Couple that with the other stats that we've seen in other, uh, studies of

like the number of companies that will be attacked by ransomware, right?

So you basically, , if you don't have a method and a process to block.

The threat actors from your backup system, then, uh, basically you're, you know,

you're just gonna hand over the keys.

Yep,

Yeah,

I agree.

yeah,

It.

It's one of those things too.

I know everyone's like, oh, ransomware is never gonna attack me, which is

probably what people were saying three years ago, but just look at the news

and how many people get hit every day,

other day.

It's just keeps going up and up and up and up, and up, and up

It's, it's why we took the approach we took in the book, right?

It's not a matter of if, but when,

Yep.

you know, statistically speaking, this is, this is the most likely kind

of thing that's gonna happen to your environment from a cyber perspective.

Right.

So, um, uh, that's why we took the, the, the tack that we took in the

book, which is you're going to get ransomware, so let's make sure that

you're gonna be able to respond to it.

Yep.

All right, well thanks for chatting Prasanna.

No, I, I'm looking forward to our next episode on Immutability.

Me too.

And hopefully you folks are listening to it or looking forward to it.

Hopefully you folks are looking forward to it too for some reason.

That was tying my tongue, but uh, that is a wrap.

I.