Skip to Content

How Ransomware Targets Backups

How Ransomware Targets Backups

cybersecurity ransomware attack

Photo by Ann H on Pexels

Ransomware has evolved from blunt "encrypt everything" attacks to surgical strikes that specifically target and destroy backups first. Modern ransomware operators know that if they can eliminate your backups, you have no choice but to pay. Understanding their playbook is your first line of defense.

The Ransomware Attack Playbook

Advanced ransomware (like LockBit, BlackCat, and Royal) follows a multi-stage process:

  1. Initial Access: The attacker enters through phishing, RDP brute-force, or exploiting unpatched vulnerabilities. Average dwell time: 11 days before encryption begins.
  2. Reconnaissance: The attacker maps your network, identifies servers, storage devices, and backup systems. They look for file shares, NAS devices, and backup software consoles.
  3. Credential Theft: Using tools like Mimikatz, attackers extract credentials to access backup repositories, cloud storage, and admin consoles.
  4. Backup Destruction: Before encrypting production data, the attacker deletes or encrypts your backups. This is deliberate — they want to eliminate your escape route.
  5. Data Exfiltration: The attacker copies sensitive data before encrypting. They threaten to publish it if you don't pay (double extortion).
  6. Mass Encryption: With backups destroyed, the attacker encrypts all production data and displays the ransom note.

How Attackers Find and Destroy Backups

  • Network shares: Ransomware scans for mapped drives (Z:, Y:, etc.) and network shares. If your backup target is on a network share, it gets encrypted along with everything else.
  • Backup software agents: If your backup software's agent runs on the production server, the ransomware can use its credentials to access the backup repository.
  • Cloud storage credentials: Attackers search for cloud storage keys in configuration files, environment variables, and password stores. They use these to delete cloud backups.
  • Volume Shadow Copies: Ransomware routinely deletes Windows VSS snapshots using vssadmin delete shadows /all or PowerShell commands before encrypting files.
  • Backup console access: If the backup management console is accessible from the infected network, attackers log in and delete backup jobs or repositories.

Real-World Example: The Veeam Credential Attack

In 2023, attackers exploited credentials stored in Veeam backup consoles to delete entire backup repositories before triggering encryption. Businesses that thought their backups were safe discovered that both their production data and backups were gone simultaneously. The lesson: backup systems must not be accessible from the same network as production systems.

Warning Signs Your Backups Are Being Targeted

  • Backup jobs failing unexpectedly or running at unusual times.
  • Backup storage filling up or files disappearing from backup repositories.
  • Unusual login attempts on backup console or cloud storage.
  • Credential changes on backup service accounts.
  • VSS shadow copies being deleted (check Windows Event Logs for Event ID 8224).

Free Tools to Detect Ransomware Activity

  • Sysmon (Windows): Monitor process creation, file deletions, and network connections. Log to a central SIEM.
  • rkhunter / chkrootkit (Linux): Scan for rootkits and unusual system modifications.
  • Auditd (Linux): Log file access and modifications: auditctl -w /backups -p wa -k backup_access.
  • CrowdSec (free tier): Community-driven threat intelligence that detects and blocks attack patterns in real-time.

Key Takeaways

  • Modern ransomware deliberately destroys backups before encrypting — it's step 4 of their playbook.
  • Backups on network shares, accessible via agents, or using stored cloud credentials are all vulnerable.
  • Isolate backup systems from the production network — air gap or network segmentation is essential.
  • Watch for warning signs: failed backup jobs, deleted shadow copies, unusual console logins.
  • Use monitoring tools (Sysmon, Auditd, CrowdSec) to detect ransomware reconnaissance early.

How Ransomware Targets Backups

cybersecurity ransomware attack

Photo by Ann H on Pexels

Ransomware has evolved from blunt "encrypt everything" attacks to surgical strikes that specifically target and destroy backups first. Modern ransomware operators know that if they can eliminate your backups, you have no choice but to pay. Understanding their playbook is your first line of defense.

The Ransomware Attack Playbook

Advanced ransomware (like LockBit, BlackCat, and Royal) follows a multi-stage process:

  1. Initial Access: The attacker enters through phishing, RDP brute-force, or exploiting unpatched vulnerabilities. Average dwell time: 11 days before encryption begins.
  2. Reconnaissance: The attacker maps your network, identifies servers, storage devices, and backup systems. They look for file shares, NAS devices, and backup software consoles.
  3. Credential Theft: Using tools like Mimikatz, attackers extract credentials to access backup repositories, cloud storage, and admin consoles.
  4. Backup Destruction: Before encrypting production data, the attacker deletes or encrypts your backups. This is deliberate — they want to eliminate your escape route.
  5. Data Exfiltration: The attacker copies sensitive data before encrypting. They threaten to publish it if you don't pay (double extortion).
  6. Mass Encryption: With backups destroyed, the attacker encrypts all production data and displays the ransom note.

How Attackers Find and Destroy Backups

  • Network shares: Ransomware scans for mapped drives (Z:, Y:, etc.) and network shares. If your backup target is on a network share, it gets encrypted along with everything else.
  • Backup software agents: If your backup software's agent runs on the production server, the ransomware can use its credentials to access the backup repository.
  • Cloud storage credentials: Attackers search for cloud storage keys in configuration files, environment variables, and password stores. They use these to delete cloud backups.
  • Volume Shadow Copies: Ransomware routinely deletes Windows VSS snapshots using vssadmin delete shadows /all or PowerShell commands before encrypting files.
  • Backup console access: If the backup management console is accessible from the infected network, attackers log in and delete backup jobs or repositories.

Real-World Example: The Veeam Credential Attack

In 2023, attackers exploited credentials stored in Veeam backup consoles to delete entire backup repositories before triggering encryption. Businesses that thought their backups were safe discovered that both their production data and backups were gone simultaneously. The lesson: backup systems must not be accessible from the same network as production systems.

Warning Signs Your Backups Are Being Targeted

  • Backup jobs failing unexpectedly or running at unusual times.
  • Backup storage filling up or files disappearing from backup repositories.
  • Unusual login attempts on backup console or cloud storage.
  • Credential changes on backup service accounts.
  • VSS shadow copies being deleted (check Windows Event Logs for Event ID 8224).

Free Tools to Detect Ransomware Activity

  • Sysmon (Windows): Monitor process creation, file deletions, and network connections. Log to a central SIEM.
  • rkhunter / chkrootkit (Linux): Scan for rootkits and unusual system modifications.
  • Auditd (Linux): Log file access and modifications: auditctl -w /backups -p wa -k backup_access.
  • CrowdSec (free tier): Community-driven threat intelligence that detects and blocks attack patterns in real-time.

Key Takeaways

  • Modern ransomware deliberately destroys backups before encrypting — it's step 4 of their playbook.
  • Backups on network shares, accessible via agents, or using stored cloud credentials are all vulnerable.
  • Isolate backup systems from the production network — air gap or network segmentation is essential.
  • Watch for warning signs: failed backup jobs, deleted shadow copies, unusual console logins.
  • Use monitoring tools (Sysmon, Auditd, CrowdSec) to detect ransomware reconnaissance early.
Rating
0 0

There are no comments for now.

to be the first to leave a comment.