Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Time is of the essence

Issue 8 2023 Information Security

By Rick Vanover, Senior Director of Product Strategy, Veeam Software

Ransomware attacks do not happen instantly. It is not one malicious link and then lockdown. Instead, attacks can be years in the making, from initial observations and break-ins to declaring the ransom. For example, reports suggest Clop may have been sitting on its MOVEit exploit as far back as 2021. So, what is the timeline of a ransomware attack, and why must businesses understand this to improve their ransomware resilience?

Understanding the attack timeline

It is a common misconception that ransomware attacks happen out of the blue. Cybercriminals often like to take their time, taking the scenic route through your business and getting to know it inside out.

The ransom stage is the only part of the process that is visible. This is when attackers announce their presence, but as highlighted by investigations into this year’s MOVEIt hack (the biggest hack of 2023 so far), they can spend years behind the scenes. So, what is happening in the lead-up to the ransom demand?

First, attackers start with an observation stage. This time is spent gathering as much information as possible on the target organisation, including its people, processes, and technology. This could take months. After enough intel has been gathered, attackers will move to infiltrate their target’s system, gaining access through a preliminary attack, commonly a phishing email.

After establishing entry, attackers will set up camp within the organisation’s IT infrastructure, creating a base of operations from which they can elevate their access and make lateral movements. At this stage, they do some of the most significant damage, snooping around undetected and compromising identified high-value targets. They can take their time over this, making as many moves as possible to ensure maximum exploitation.

After this, attackers spend time crippling recoverability. This involves altering backup routines, documentation, and security systems to reduce or completely deny restore capabilities. So, before the organisation is even aware of the attack, it is too late to turn to its backup. Things are heating up at this stage, finally coming to a head with the declaration of ransom. As well as announcing their presence and making demands, cybercriminals at this final stage will encrypt their victim’s data and wipe all records and backups. This entire process might unfold over a year or even multiple years.

Making your backup bulletproof

The discovery that malicious actors can inhabit your systems unseen for a year or more while you are none the wiser can be daunting for businesses. But it is crucial knowledge and never fails to create a sense of urgency when implementing a robust data security strategy. Every minute your business passes without this in place is another minute cybercriminals can carry out the groundwork that will later cause much pain.

So, armed with this knowledge, what steps do businesses need to take? The biggest concern is the usability of backups for recovery after an attack. Suppose your system was breached a year ago without your knowledge. In that case, there is a very high likelihood that your backups are impacted, meaning you will try to restore your data using a compromised backup. Fortunately, this can be avoided with the proper preparation and the right backup strategy in place.

Getting hit by a ransomware attack is almost inevitable for the modern enterprise, with 85% of organisations experiencing at least one cyber-attack in 2022, nearly 10% more than the previous year. Moreover, as cybercriminals increasingly target backups, the road to recovery can be longer than ever.

Thinking of ransomware attacks as a case of ‘when’, not ‘if’, means recognising that you will need to use your backup to restore your critical data when the time comes. Acknowledging this should spur businesses to invest serious time and resources to ensure their backups are ironclad.

This is possible by following the golden rule of backup: 3-2-1-1-0. This requires three copies of data stored on two different media, one stored off-site and one air-gapped and immutable. Across these copies, there needs to be zero errors. Working under the assumption that cybercriminals will target your backup means taking precautions so you retain at least one untouched copy to use for your recovery. It is like keeping your money in a bank and making copies of essential documents in case your house gets robbed – thieves will target your safe, so storing valuables offsite and making copies provides peace of mind.

Implementing a 3-2-1-1-0 backup strategy isn’t a one-time thing. You must constantly monitor and test your backups, checking for errors and cleaning your data as needed. Cybercriminals rely on businesses not doing this; you can stay one step ahead by remaining strict on your data strategy.

Controlling the chaos

Ransomware is a disaster, and disaster recovery takes time. According to the latest Veeam Ransomware Trends Report, most businesses take at least three weeks to recover from a ransomware attack. It is important to note that this recovery time starts after the company has triaged. This investigative stage can be extensive, and its impact on recovery timelines is hard to predict and overstate. At this stage, the business needs to identify the attack's source and the damage's extent; they may even face yellow tape if government bodies need to drive the investigation.

During this time, the business is still compromised. In the worst-case scenario, it might have been forced to cease operations entirely while the breach is investigated and resolved. It is not making money if it is not operating. Worse than this, costs are spiralling as it is resource-intensive to recover from a large-scale attack, with IT departments and key stakeholders working round the clock, and there are legal fees and compensation costs to account for, as well as reputational damage.

It is hard to predict how long a recovery process will take because ransomware is a disaster with a difference. Suppose you are recovering from a natural disaster like a fire. In that case, you can trust your last known backups or replicas and use them to begin recovery immediately, safely knowing that the backups have not been interfered with. This is not the case with a cyber-disaster, which considerably lengthens recovery time. It takes time to identify which servers are infected and to determine whether backups and replicas are also affected (if they are, they can reintroduce the ransomware to your infrastructure, sending you right back to square one).

However, while ransomware is a severe threat and can potentially cause widespread damage, there are measures businesses can take to reduce the recovery time and the extent to which they can be compromised. As mentioned, the golden 3-2-1-1-0 backup rule is a critical tool in your arsenal. While ransomware attacks are inevitable and backups increasingly targeted, by implementing a robust data backup strategy, you always have a clean copy of your data to fall back on.




Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

Want effective Attack Surface Management? Think like an attacker.
Information Security
Effective ASM requires companies to think like attackers, anticipate risks, and act decisively to reduce exposure by knowing their environment, deploying a structured approach, leveraging capable tools, and addressing both internal and external risks.

Read more...
The growing role of hybrid backup
Infrastructure Information Security
As Africa’s digital economy rapidly grows, businesses across the continent are facing the challenge of securing data in an environment characterised by evolving cyberthreats, unreliable connectivity and diverse regulatory frameworks.

Read more...
POPIA non-compliance puts municipalities at risk
Information Security Government and Parastatal (Industry)
Digital responsibility must go beyond POPIA compliance to recognising that privacy and service delivery are fundamentally linked. Despite this, only 51 out of 257 municipalities submitted their mandatory data protection and access to information reports in 2024.

Read more...
Choicejacking bypasses smartphone charging security
News & Events Information Security
Choicejacking is a new cyberthreat that bypasses smartphone charging security defences to confirm, without the victim’s input or consent, that the victim wishes to connect in data-transfer mode.

Read more...
Most wanted malware
News & Events Information Security
Check Point Software Technologies unveiled its Global Threat Index for June 2025, highlighting a surge in new and evolving threats. Eight African countries are among the most targeted as malware leaders AsyncRAT and FakeUpdates expand.

Read more...
Welcome to the new cyber battleground
Information Security
The Iran-Israel conflict is rapidly redefining modern warfare, pushing the boundaries of cyber capabilities and creating a new, borderless digital battlefield. Fortinet’s CISO, Dr Carl Windsor, offers a critical, in-depth analysis of the escalating tactics and global implications in his latest report.

Read more...
African industries may overestimate cyber defences
Information Security
A significant perception gap exists in security awareness training: 68% of leaders believe training is tailored to roles, yet only a third of employees feel adequately trained. Many organisations only conduct annual or biannual generic training that may not effectively change behaviour.

Read more...
SMARTpod talks to Sophos and Phishield
SMART Security Solutions Technews Publishing Sophos Videos Information Security News & Events
SMARTpod recently spoke with Pieter Nel, Sales Director for SADC at Sophos, and Sarel Lamprecht, MD at Phishield, about ransomware and their new cyber insurance partnership.

Read more...
Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Corporate and academic teams can register for Kaspersky contest
Kaspersky News & Events Information Security
Kaspersky has announced the registration opening for its new Kaspersky{CTF} (Capture the Flag) competition, inviting academic and corporate teams from around the globe to compete in a battle of skill, strategy and innovation.

Read more...











SMART Security Business Directory


While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.

Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.