FUTURE TECHNOLOGY
Is your business ready to recover from ransomware?
Getting hit by ransomware is almost inevitable for the modern enterprise, with 85% of organisations experiencing at least one cyber-attack in 2022, and as cybercriminals increasingly target data backups, the road to recovery can be a long one, explains Rick Vanover at Veeam Software.
Rick Vanover, Senior Director Product Strategy, Veeam Software
Ransomware has dominated the security conversation in recent years. But despite this, many people and organisations still don’t understand how these attacks unfold.
Ransomware attacks do not happen instantly; it is not one malicious link and then lockdown. Instead, attacks can be years in the making, from initial observations and break-ins to declaring the ransom.
For example, reports suggest Clop may have been sitting on its MOVEit exploit as far back as 2021. So, what is the timeline of a ransomware attack, and why must businesses understand this to improve their ransomware resilience?
Attack timelines
It is a common misconception that ransomware attacks just happen out of the blue. Cybercriminals often like to take their time, taking the scenic route through your business and getting to know it inside out. The ransom stage is the only part of the process that is visible. This is when attackers announce their presence, but as highlighted by investigations into this year’s MOVEit hack, the biggest hack of 2023 so far, they can spend years behind the scenes. So, what is happening in the lead-up to the ransom demand?
First, attackers start with an observation stage. This time is spent gathering as much information as possible on the target organisation, including its people, processes, and technology. This could take months. After enough intel has been gathered, attackers will move to infiltrate their target’s system, gaining access through a preliminary attack, commonly a phishing email.
After establishing entry, attackers will set up camp within the organisation’s IT infrastructure, creating a base of operations from which they can elevate their access and make lateral movements. They do some of the most significant damage at this stage, snooping around undetected and compromising identified high-value targets. They can take their time over this, making as many moves as possible to ensure maximum exploitation.
After this, attackers spend time crippling recoverability. This involves altering backup routines, documentation, and security systems to reduce or completely deny restore capabilities. So, before the organisation is even aware of the attack, it is too late to turn to its backup.
Things are heating up at this stage, finally coming to a head with the declaration of ransom. As well as announcing their presence and making demands, cyber
The biggest concern is the usability of backups for recovery after an attack.
www.intelligenttechchannels.com