
Backups Are Under Attack: How to Protect Your Backups

Ransomware has become a highly coordinated and pervasive threat, and traditional defenses are increasingly struggling to neutralize it. Today’s ransomware attacks initially target your last line of defense — your backup infrastructure. Before locking up your production environment, cybercriminals go after your backups to cripple your ability to recover, increasing the odds of a ransom payout.

Notably, these attacks are carefully engineered takedowns of your defenses. The threat actors disable backup agents, delete snapshots, modify retention policies, encrypt backup volumes (especially those that are network accessible) and exploit vulnerabilities in integrated backup platforms. They are no longer trying just to deny you access but to erase the very means of recovery. If your backup environment isn’t built with this evolving threat landscape in mind, it’s at high risk of getting compromised.

How can IT pros defend against this? In this guide, we’ll uncover the weak strategies that leave backups exposed and explore actionable steps to harden both on-site and cloud-based backups against ransomware. Let’s see how to build a resilient backup strategy, one that you can trust 100% even in the face of sophisticated ransomware attacks.

Common pitfalls that leave backups exposed

Inadequate separation and the lack of offsite or immutable copies are among the most common weaknesses in backup strategies. Snapshots or local backups alone aren’t enough; if they reside in the same on-site environment as production systems, they can be easily discovered, encrypted or deleted by attackers. Without proper isolation, backup environments are highly susceptible to lateral movement, allowing ransomware to spread from compromised systems to backup infrastructure.

Here are some of the most common lateral attack techniques used to compromise backups:

  • Active Directory (AD) attacks: Attackers exploit AD to escalate privileges and gain access to backup systems.
  • Virtual host takeover: Malicious actors utilize a misconfiguration or vulnerability in the guest tools or hypervisor code to control the hypervisor and virtual machines (VMs), including those hosting backups.
  • Windows-based software attacks: Threat actors exploit built-in Windows services and known behaviors across versions for entry points into backup software and backup repositories.
  • Common vulnerabilities and exposures (CVE) exploits: High-severity CVEs are routinely targeted to breach backup hosts before patches are applied.

Another major pitfall is relying on a single cloud provider for cloud backups, which creates a single point of failure and increases the risk of total data loss. For instance, if you’re backing up Microsoft 365 data in the Microsoft environment, your backup infrastructure and source systems share the same ecosystem, making them easy to discover. With stolen credentials or application programming interface (API) access, attackers can compromise both at once.

Build backup resilience with the 3-2-1-1-0 strategy

The 3-2-1 backup rule has long been the gold standard in data protection. However, as ransomware increasingly targets backup infrastructure, it’s no longer enough. Today’s threat landscape calls for a more resilient approach, one that assumes attackers will try to destroy your ability to recover.

That’s where the 3-2-1-1-0 strategy comes in. This approach aims to keep three copies of your data and store them on two different media, with one copy offsite, one immutable copy and zero backup errors.

Here’s how it works:

3 copies of data: 1 production + 2 backups

When backing up, it’s critical not to rely solely on file-level backups. Use image-based backups that capture the full system — the operating system (OS), applications, settings and data — for more complete recovery. Look for capabilities such as bare metal recovery and instant virtualization.

Use a dedicated backup appliance (physical or virtual) instead of standard backup software for greater isolation and control. When looking for appliances, consider ones built on hardened Linux to reduce the attack surface and avoid Windows-based vulnerabilities and commonly targeted file types.

2 different media formats

Store backups on two distinct media types — local disk and cloud storage — to diversify risk and prevent simultaneous compromise.

1 offsite copy

Ensure one backup copy is stored offsite and geographically separated to protect against natural disasters or site-wide attacks. Use a physical or logical airgap wherever possible.

1 immutable copy

Maintain at least one backup copy in an immutable cloud storage so that it cannot be altered, encrypted or deleted by ransomware or rogue users.

0 errors

Backups must be regularly verified, tested and monitored to ensure they’re error-free and recoverable when needed. Your strategy isn’t complete until you have full confidence in recovery.

To make the 3-2-1-1-0 strategy truly effective, it’s critical to harden the environment where your backups live. Consider the following best practices:

  • Deploy the backup server in a secure local area network (LAN) environment to limit accessibility.
  • Restrict access using the principle of least privilege. Use role-based access control (RBAC) to ensure no local domain accounts have admin rights over the backup systems.
  • Segment backup networks with no inbound traffic from the internet. Only allow outbound. Also, only protected systems should be able to communicate with the backup server.
  • Employ a firewall to enforce network access controls and use port-based access control lists (ACLs) on network switch ports.
  • Deploy agent-level encryption so data written to the backup server is encrypted using a unique key that only you can generate with your own passphrase.
  • Disable unused services and ports to reduce the number of potential attack vectors.
  • Enable multifactor authentication (MFA) — preferably biometric rather than time-based one-time password (TOTP) — for all access to the backup environment.
  • Keep backup systems patched and up to date to avoid exposure to known vulnerabilities.
  • Physically secure all backup devices with locked enclosures, access logs and surveillance measures.

Best practices for securing cloud-based backups

Ransomware can just as easily target cloud platforms, especially when backups live in the same ecosystem. That’s why segmentation and isolation are critical.

Data segmentation and isolation

To build a true air gap in the cloud, backup data must reside in a separate cloud infrastructure with its own authentication system. Avoid any reliance on production-stored secrets or credentials. This separation reduces the risk of a compromised production environment impacting your backups.

Use private cloud backup architecture

Choose services that move backup data out of the source environment and into an alternative cloud environment, such as a private cloud. This creates a logically isolated environment that’s shielded from original access vectors, delivering the air-gapped protection needed to withstand modern ransomware. Shared environments make it easier for attackers to discover, access or destroy both source and backup assets in a single campaign.

Authentication and access control

Cloud-based backups should use a completely separate identity system. Implement MFA (preferably biometric), RBAC and alerting for unauthorized changes, such as agent removal or retention policy modifications. Credentials must never be stored in the same ecosystem being backed up. Keeping access tokens and secrets outside of the production environment (like Azure or Microsoft 365) eliminates any dependency on them for backup recovery.
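As an added example (not from the article or any backup product), here is a small Python audit that scores a backup inventory against the 3-2-1-1-0 rule described above and flags the policy changes this section says should raise alerts: retention shortened, immutability removed, MFA switched off, agents disabled or removed. The data model, field names and sample values are constructed assumptions, not any vendor's format.

```python
from dataclasses import dataclass

@dataclass
class Copy:
    name: str
    media: str               # constructed values: "local_disk", "cloud", "tape"
    offsite: bool
    immutable: bool
    retention_days: int
    last_verify_errors: int  # errors from the most recent restore test

@dataclass
class BackupPolicy:
    copies: list             # backup copies only; production is counted separately
    mfa_required: bool
    agents: dict             # host -> backup agent enabled?

def check_3_2_1_1_0(copies):
    """Which parts of 3-2-1-1-0 the backup inventory satisfies."""
    return {
        "3_copies": len(copies) >= 2,  # production + at least two backups
        "2_media": len({c.media for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_immutable": any(c.immutable for c in copies),
        "0_errors": all(c.last_verify_errors == 0 for c in copies),
    }

def policy_drift(baseline, current):
    """Report changes between a known-good policy and the current one that
    weaken recoverability; these are the changes the article describes."""
    findings = []
    base = {c.name: c for c in baseline.copies}
    cur = {c.name: c for c in current.copies}
    for name, b in base.items():
        c = cur.get(name)
        if c is None:
            findings.append(f"copy removed: {name}")
            continue
        if c.retention_days < b.retention_days:
            findings.append(f"retention shortened on {name}: "
                            f"{b.retention_days}->{c.retention_days} days")
        if b.immutable and not c.immutable:
            findings.append(f"immutability disabled on {name}")
        if b.offsite and not c.offsite:
            findings.append(f"offsite flag removed on {name}")
    if baseline.mfa_required and not current.mfa_required:
        findings.append("MFA disabled on backup console")
    for host, enabled in baseline.agents.items():
        if enabled and not current.agents.get(host, False):
            findings.append(f"backup agent disabled or removed on {host}")
    return findings

# Constructed sample data: a healthy baseline and a tampered current state.
BASELINE = BackupPolicy(
    copies=[
        Copy("local-appliance", "local_disk", False, False, 30, 0),
        Copy("cloud-immutable", "cloud", True, True, 90, 0),
    ],
    mfa_required=True,
    agents={"fileserver01": True, "sql01": True},
)
TAMPERED = BackupPolicy(
    copies=[
        Copy("local-appliance", "local_disk", False, False, 30, 0),
        Copy("cloud-immutable", "cloud", True, False, 7, 0),
    ],
    mfa_required=False,
    agents={"fileserver01": True, "sql01": False},
)
```

Run `policy_drift(BASELINE, TAMPERED)` on a schedule against the exported configuration of your backup console and page on any non-empty result.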

Is it time to rethink your backup strategy?

Cyber resilience starts with backup security. Before ransomware strikes, ask yourself: Are your backups truly separated from your production systems? Can they be deleted or encrypted by compromised accounts? When was the last time you tested them?

Now is the time to evaluate your backup strategy through a risk-based lens. Identify the gaps, fortify the weak points and make recovery a certainty — not a question.

https://thehackernews.com/2025/06/how-to-protect-your-backups-from-ransomware-attacks.html?m=1#1-offsite-copy

Thousands of Asus routers hacked to create a major botnet planting damaging malware

Hackers are brute-forcing older Asus routers

Thousands of Asus routers were compromised and turned into a malicious botnet after hackers uncovered a troubling security vulnerability, experts have warned.

“This appears to be part of a stealth operation to assemble a distributed network of backdoor devices — potentially laying the groundwork for a future botnet,” noted cybersecurity researchers GreyNoise, who first spotted the attacks in mid-March 2025.

Using Sift (GreyNoise’s network payload analysis tool) and a fully emulated ASUS router profile running in the GreyNoise Global Observation Grid, the researchers determined that the threat actors were first breaching routers with brute force and authentication bypassing.

Advanced operations

These poorly configured routers were easy pickings for the attackers, who then proceeded to exploit a command injection flaw to run system commands.

This flaw is tracked as CVE-2023-39780 and carries a severity score of 8.8/10 (high).

The vulnerability was first published in the National Vulnerability Database (NVD) on September 11, 2023, and since then ASUS released firmware updates to address it.

“The tactics used in this campaign — stealthy initial access, use of built-in system features for persistence, and careful avoidance of detection — are consistent with those seen in advanced, long-term operations, including activity associated with advanced persistent threat (APT) actors and operational relay box (ORB) networks,” GreyNoise further explains.

“While GreyNoise has made no attribution, the level of tradecraft suggests a well-resourced and highly capable adversary.”

The attackers use the ability to run system commands to install a backdoor that’s stored in non-volatile memory (NVRAM).

This means the access they establish survives both reboots and firmware updates. The attackers can maintain long-term access without dropping stage-two malware, or leaving other obvious traces.

We don’t know exactly how many devices are compromised, other than that there are “thousands”, with the number “steadily increasing”.

UPDATE: Asus has issued a statement noting the flaws can be fixed, advising users to update their firmware and create a strong password. A factory reset is also a good idea, as this will clear values, ensuring extra safety.

“Devices that have been updated with the latest firmware and secured with a strong administrator password can prevent future exploitation of this vulnerability and block similar attack methods,” the company said.

“Users are recommended to use a password at least 10 characters long, and include uppercase and lowercase letters, numbers, and symbols. In addition, ASUS recommends keeping device firmware up to date to ensure ongoing protection.”

techradar.com

TCS launches internal inquiry into Marks & Spencer cybersecurity breach

The report that Tata Consultancy Services, which has served as Marks & Spencer’s principal technology partner since 2018, initiated the internal investigation comes after the retailer’s CEO Stuart Machin’s assertion that the incident was due to ‘human error’.

Tata Consultancy Services (TCS), a long-time service provider to Marks & Spencer (M&S), is conducting an internal investigation to determine whether it served as the entry point for the cyberattack on the UK retailer. The Indian IT company aims to complete this internal probe by the end of the month, reported the Financial Times.

This comes after M&S chief executive Stuart Machin attributed the breach to ‘human error’, rather than vulnerabilities within the company’s systems or cybersecurity measures. Machin mentioned that employees of a third-party contractor were deceived, although he did not disclose whether a ransom was paid. He also refrained from specifying if TCS, which has been M&S’s principal technology partner since 2018, was the point of entry used by the attackers.

The breach, which resulted in the theft of some customer data, has significantly impacted M&S’ operations. It forced the British retailer to shut down its online clothing operations for over three weeks and disable certain food-related services. The hacking group known as Scattered Spider, which has also targeted other retailers such as Co-op and Harrods, is held responsible for this breach.

M&S faces significant financial impact from cyberattack

The incident resulted in a market capitalisation loss of more than £750m for the company. The disruption is anticipated to persist until July. The UK authorities are also conducting a separate investigation into the cyberattack.

Last week, M&S released its annual financial results for the year ending March 29, 2025. It acknowledged the cyberattack’s potential cost of up to £300m in operating profit for the current year. The company plans to counter this financial impact through cost management, insurance claims, and enhanced trading strategies. Additionally, M&S will categorise expenses directly associated with the breach as separate adjusting items in its financial statements.

TCS also provides services to British consumer co-operative Co-op. However, the company is not investigating any connection to a recent cyberattack on Co-op, as its services were reportedly unrelated to the Co-op’s technology infrastructure, FT said quoting a person familiar with the matter.

Meanwhile, Adidas announced a similar breach recently. In a statement, the German sportswear manufacturer said that an unauthorised external party accessed certain consumer data through a third-party customer service provider.

“We immediately took steps to contain the incident and launched a comprehensive investigation, collaborating with leading information security experts,” it said in a statement. “The affected data does not contain passwords, credit card or any other payment-related information. It mainly consists of contact information relating to consumers who had contacted our customer service help desk in the past.”

As part of its response, Adidas is currently notifying potentially affected consumers about the breach.

https://www.techmonitor.ai

M&S pauses online orders following cyber attack

Marks & Spencer (M&S) says it has stopped taking online orders as the company struggles to recover from a cyber attack.

Customers began reporting problems last weekend, and on Tuesday the retailer confirmed it was facing a “cyber incident”.

It told the BBC on Wednesday some of its systems were back to normal, but others remained offline.

Now the firm has entirely paused orders on its website and apps.

“We are truly sorry for this inconvenience,” it wrote in a post on X.

“Our experienced team – supported by leading cyber experts – is working extremely hard to restart online and app shopping.

“We are incredibly grateful to our customers, colleagues and partners for their understanding and support.”

It said its stores remain open despite the issues affecting online ordering.

Previously, the firm was dealing with problems which affected people using Click & Collect, as well as paying with gift cards.

Since it suspended online ordering, M&S has responded to social media posts advising customers that these problems persist.

“Gift cards, e-gift cards and credit receipts can’t currently be used as a payment method in store or online,” it said in response to one person on X.

But it told another that if people have already received an email telling them an item is ready to be collected, they should be able to go in-store and pick it up.

“We’re holding all parcels in store until further notice, so there’s no risk of it being sent back,” it said.

M&S said on Tuesday it had reported the incident to the National Cyber Security Centre (NCSC).

The National Crime Agency previously told the BBC its officers are working with the NCSC to support the firm.

Google Cloud links poor credentials to nearly half of all cloud-based attacks

Cloud services with weak credentials were a prime target for attackers, often resulting in lateral movement attempts, a Google Cloud report found.

Dive Brief:

  • Cloud services accounts with weak or non-existent credentials were the most common entry point for attackers in the second half of 2024, Google Cloud said Wednesday in its Threat Horizons Report.
  • Attacks involving weak or no credentials accounted for nearly half of intrusions observed or studied by Google Threat Intelligence Group, Mandiant, Google Cloud’s Office of the CISO and other Google intelligence and security teams during the second half of last year. 
  • Misconfigurations in cloud services were the second most common initial access vector, representing more than 1 in 3 attacks Google Cloud studied. The report noted a sharp increase in compromised application programming interfaces and user interfaces, which accounted for almost 1 in 5 attacks during the second half of the year.

Google Cloud links poor credentials to nearly half of all cloud-based attacks | Cybersecurity Dive

Crypto-stealing malware uses OCR to find info in victim’s photo libraries

A malicious software development kit (SDK) used in Android and iOS apps has been found to use optical character recognition to scan victims’ photo libraries, looking for cryptocurrency wallet IDs and recovery key information.

Any cryptocurrency information it finds hiding within the victim’s photo libraries is transmitted back to the operators, who then use it to gain access to and drain the wallets of their currency.

While not entirely unimaginable, this is a pretty novel attack method, and many people take photos of, for example, important information for safekeeping. Advances in OCR, including Apple and Google’s own machine learning algorithms, now make it trivial to search for certain content amongst thousands of photographs quickly. 

bleepingcomputer.com 

DeepSeek

DeepSeek, a Chinese competitor to OpenAI’s ChatGPT, received massive public attention and soared to the top of the App Store download charts when it launched recently. Here are some of the security-related events that subsequently occurred.

  • Harmonic Security took a look at the data privacy concerns around the Chinese AI company, highlighting vague statements about data retention within the People’s Republic of China. The AI security firm concluded that very few (0.21%) of its customers’ users were actually using DeepSeek though. harmonic.security
  • DeepSeek limited signups amid a sudden wave of interest and in response to what it described as “large-scale malicious attacks on DeepSeek’s services”. theregister.com 
  • Lots of examples have been shared on social media of DeepSeek refusing to answer questions about topics the Chinese Communist Party deems sensitive, such as the Tiananmen Square Massacre. An analysis by PromptFoo of 1,156 prompts found that these “canned refusals” were given 85% of the time and were reasonably easy to circumvent, suggesting, they say, that the censorship is more of a “crude, blunt-force” implementation rather than deeply baked into the reasoning model itself. arstechnica.com 
  • The Chinese company appears to have pretty sloppy security engineering practices: Wiz security researchers found a publicly accessible database containing “a significant volume of chat history, backend data and sensitive information, including log streams, API Secrets, and operational details,” within ‘minutes’ of scanning DeepSeek’s infrastructure. The HTTP interface to the database allowed Wiz to run a SHOW TABLES; query, returning all the accessible tables. The log stream data may have included plaintext passwords and chat history. DeepSeek promptly fixed the issue after being notified. theregister.com 
  • Italy blocked DeepSeek over privacy concerns after the company told the Italian data protection regulator that it did not fall under the purview of GDPR. therecord.media

Starbucks Hit by Ransomware Attack Via Third-Party Software Supplier

November 27, 2024

A ransomware attack on Blue Yonder, a critical supply chain management software provider, has forced Starbucks to revert to manual processes for managing employee schedules and payroll systems.

The incident, which began on November 21, 2024, has not affected customer service or store operations.

Store managers are now using pen and paper to track employee hours, as the attack disrupted the company’s back-end scheduling and time management processes.

The attack has created ripple effects across multiple industries:

UK Retail Impact: Major British supermarket chains Morrisons and Sainsbury’s reported disruptions to their warehouse management systems, though they have implemented backup systems.

Corporate Response: Blue Yonder has enlisted external cybersecurity firms to assist with recovery efforts and implemented defensive protocols. The company has not provided a specific timeline for service restoration.

The incident highlights the vulnerability of supply chain systems during the holiday season. Blue Yonder serves an extensive client base, including:

  • 46 of the top 100 manufacturers
  • 64 of the top 100 consumer product goods makers
  • 76 of the top 100 retailers globally

This attack adds to a growing list of cybersecurity incidents affecting major food service companies. Earlier in 2024, both McDonald’s and Panera experienced technical outages, with Panera’s incident resulting in a class action lawsuit after employee data was compromised.

“We are working around the clock to respond to this incident and continue to make progress. There are no additional updates to share at this time with regard to our restoration timeline following our post yesterday,” reads the Blue Yonder report.

The timing of the attack is particularly significant, as research shows that 86% of ransomware attacks target organizations during holidays or weekends. In 2023, cybercriminals extracted $1.1 billion in ransom payments globally despite governmental efforts to curb such activities.

This disruption presents an additional challenge for Starbucks’ new CEO, Brian Niccol, who is already dealing with three consecutive quarters of declining sales.

While the company works to resolve the situation, it prioritizes maintaining normal customer service operations and ensuring proper employee compensation.