"Your backup plan probably won’t survive a ransomware attack. Why? Because backups fail during ransomware attacks when attackers deliberately target and destroy backup systems before launching encryption." — Subramani Rao, Senior Manager, Cybersecurity Solutions Strategy at Acronis.
How attackers systematically break backup strategies
Acronis describes a predictable sequence seen in modern ransomware operations: Initial access → credential theft → lateral movement → backup discovery → backup destruction → ransomware deployment. By the time malicious encryption runs, defenders often discover that the recovery path has already been removed. The company’s analysis says attackers aim to enumerate backup servers and storage, access backup consoles with stolen credentials, delete or encrypt backup files and snapshots, disable backup agents and jobs, and even modify retention policies to erase recovery points.
The most common backup failures in ransomware incidents
- No isolation between production and backup: Backup systems frequently sit in the same domain, use the same credentials and remain reachable from compromised hosts, removing meaningful separation between production and recovery systems.
- Weak access controls: Shared administrative credentials, absent multifactor authentication, and overprivileged service accounts give attackers easy entry into backup infrastructure.
- No immutability: Traditional backups that can be modified or deleted offer little resistance once attackers are inside.
- Untested recovery processes: Organizations often discover during an incident that backups are incomplete, corrupted or too slow to restore at scale.
- Siloed security and backup tools: When backup systems operate independently of security monitoring, attacks on backup infrastructure can go undetected.
Why immutability is critical for ransomware protection
Acronis frames immutability as an essential layer: if backups can be changed or deleted, attackers will remove them. Immutable backups — described in the source as write-once, read-many (WORM) storage with time-based retention locks and enforcement at the storage layer — prevent modification or deletion for a defined period and can be protected against API and credential misuse. The vendor argues that even full administrative compromise should not permit erasure of immutable recovery points, though immutability must sit alongside access control, monitoring and recovery validation to be effective.
Five ways to protect backups from ransomware
For managed service providers (MSPs) and enterprise IT teams running multiple environments, Acronis recommends a set of standardized controls:
- Enforce identity separation: use dedicated credentials and multifactor authentication.
- Isolate backup environments: segment networks and limit access to backup infrastructure.
- Use immutable backups: prevent deletion or modification of recovery points.
- Monitor backup activity: detect abnormal behavior early.
- Test recovery regularly: ensure backups can be restored at scale and are not corrupted.
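The "monitor backup activity" control, as an added example that is not from Acronis or the original story: detection logic that flags the tampering actions listed earlier (shortened retention, disabled jobs or agents, bursts of recovery-point deletions) and escalates accounts that combine them. The event schema, action names, account names and thresholds are assumptions constructed for illustration, not any product's audit format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit events in a hypothetical, vendor-neutral schema.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T01:00:00", "actor": "svc-backup", "action": "restore_point_delete", "target": "fs01/rp-090"},
    {"ts": "2025-03-01T01:30:00", "actor": "admin-ops", "action": "retention_change", "target": "policy-weekly", "old_days": 7, "new_days": 14},
    {"ts": "2025-03-01T02:14:05", "actor": "admin-jd", "action": "retention_change", "target": "policy-daily", "old_days": 30, "new_days": 1},
    {"ts": "2025-03-01T02:15:10", "actor": "admin-jd", "action": "job_disable", "target": "fs01-nightly"},
    {"ts": "2025-03-01T02:16:00", "actor": "admin-jd", "action": "restore_point_delete", "target": "fs01/rp-101"},
    {"ts": "2025-03-01T02:16:20", "actor": "admin-jd", "action": "restore_point_delete", "target": "fs01/rp-102"},
    {"ts": "2025-03-01T02:16:40", "actor": "admin-jd", "action": "restore_point_delete", "target": "fs01/rp-103"},
]

DELETE_WINDOW = timedelta(minutes=10)  # assumed tuning values
DELETE_THRESHOLD = 3

def detect(events):
    """Return (timestamp, actor, rule) alerts for backup-tampering actions."""
    alerts = []
    recent = defaultdict(deque)  # actor -> times of recent deletions
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, actor, action = datetime.fromisoformat(ev["ts"]), ev["actor"], ev["action"]
        if action == "retention_change" and ev["new_days"] < ev["old_days"]:
            alerts.append((ev["ts"], actor, "retention_shortened"))
        elif action in ("job_disable", "agent_disable"):
            alerts.append((ev["ts"], actor, "protection_disabled"))
        elif action == "restore_point_delete":
            window = recent[actor]
            window.append(ts)
            while ts - window[0] > DELETE_WINDOW:
                window.popleft()
            if len(window) == DELETE_THRESHOLD:  # fire when the count reaches the threshold
                alerts.append((ev["ts"], actor, "mass_delete"))
    return alerts

def escalate(alerts):
    """Actors that tripped two or more distinct rules: likely a destruction sequence."""
    rules = defaultdict(set)
    for _, actor, rule in alerts:
        rules[actor].add(rule)
    return sorted(a for a, r in rules.items() if len(r) >= 2)

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for alert in found:
        print(*alert)
    print("escalate:", escalate(found))
```

The single deletion by the service account and the retention increase stay silent, while the one account that shortens retention, disables a job and then deletes recovery points in quick succession is escalated.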
The source positions integrated platforms — combining backup, endpoint protection, credential monitoring and backup protection — as a way to reduce complexity and detect threats before backups are compromised.
What MSPs, enterprise IT teams, and security teams should standardize
The source specifically addresses MSPs and enterprise IT teams, urging consistency and standardization across multiple environments. Key operational changes include automating protection and recovery workflows, enforcing identity separation for administrative tasks, and providing end-to-end visibility so security teams can see backup status and anomalies from a central console. The Acronis material argues that automation and consolidation reduce human error during a crisis and help validate recovery points automatically.
What to do if backups are already compromised
When backups are impacted, recovery becomes more complex. Options listed in the source include identifying older untouched backup copies, leveraging off-site or cloud-based immutable storage, rebuilding systems from clean baselines, and using forensic analysis to determine the last known good state. The central point: recovery is not simply having backups, but having trustworthy backups that can survive an active attack.
The Acronis reporting also cites a broader trend: "The number of attacks rose 50% last year," according to the Acronis Cyberthreats Report H2 2025, underscoring the pressure on teams to move beyond traditional backup assumptions. As Subramani Rao puts it, "Backups fail because they are exposed" — and the prescribed remedy is to rethink architecture with security built into the backup layer: immutability, isolation, monitoring and integration.
Link to original story: https://www.bleepingcomputer.com/news/security/why-ransomware-attacks-succeed-even-when-backups-exist/




