Ransomware victims permanently lose 43% of the data affected by an attack on average, according to a report published by Veeam Tuesday.
The Veeam Ransomware Trends Report 2024, based on a survey of 1,200 CISO, security professionals and backup administrators who experienced a ransomware attack in 2023, reveals that many organizations are unprepared to recover from an attack despite the vast majority having incident response plans and policies in place.
With backup repositories targeted in 96% of attacks, and successfully breached in 76% of cases, organizations should consider having alternate backup sites, ensure backup repositories are immutable and/or physically separated, and work to better harmonize the involvement of cybersecurity, IT and backup administration teams, the report suggested.
“The attack will be worse than you imagined and cost more than you’re expecting,” the Veeam report stated. “Organizations should make cyber preparedness plans that include broadening the use of immutable repositories, isolation and authentication of backup systems, and verifying the recoverability of the backups within the organization to ensure the established SLAs.”
Most ransomware victims pay ransom, but many still lose data
Among the respondents to Veeam’s 2024 ransomware trends survey, 81% reported their organization paid a ransom, but only two-thirds of those respondents actually recovered their data. On the other hand, 15% of respondents did not pay a ransom but were still able to recover their data, reaping the benefits of reliable backup.
While the average ransomware payment was about $568,000 in Q4 2023, according to Coveware, the ransom itself only made up about 32% of the total cost of an attack on average, according to the Veeam report.
Survey responses indicate that cyber insurance was not always an effective cost-recovery solution, with only 65% of respondents using their insurance to cover the costs despite 86% reporting they could have done so; alternatively, 21% paid a ransom without making a claim to their cyber insurance provider.
Best backup practices for recovering from a ransomware attack
Veeam made three key recommendations based on its findings of its Ransomware Trends Report, the first emphasizing the importance of alignment between security teams, backup teams and executive leadership.
More than 60% of survey takers said the alignment between IT backup teams and cybersecurity teams needed significant improvement or a complete overhaul, with the most common problem being “a lack of integration between backup tools and cybersecurity tools.” Backup administrators specifically reported the lowest satisfaction with the alignment between teams.
The second recommendation made in the report urged better preparedness, specifically focusing on the reliability of backup infrastructure, with a diverse range of backup sources including disks, tapes and clouds being suggested by Veeam. While 97% of respondents said their organization had a “ransomware response playbook,” only 33% said their plan included arrangements for alternative backups and just 20% had an isolation plan.
Finally, organizations are urged to ensure their backup data is clean and can be recovered reliably. Just having a backup does not guarantee the data can be effectively recovered, as shown by the fact that only 57% of data affected in an attack is recovered on average. Orgs should regularly test the recoverability of their backup data and use immutable repositories to ensure the data is “clean.”
Additionally, ransomware victims should not restore data directly to their production environment after an attack; despite the risk of reinfection, the survey found 63% of organizations did not quarantine or sandbox their backups prior to restoration. Despite pressure to restore operations as quickly as possible, organizations should take the time to properly scan and test their backup environment to ensure a full recovery.