When thinking about ransomware, enterprises that ignore their data backups do so at their own peril, according to cybersecurity firm Sophos.

Protecting backups will significantly reduce the harm to a company hit by a ransomware attack and the need to pay the ransom demanded by the bad actors to return access to the encrypted or stolen files, the company wrote in a recent report.

The “financial and operational implications of having backups compromised in a ransomware attack are immense,” Sally Adam, Sophos’ senior director of marketing, wrote in a blog post accompany the report. “When attackers succeed in compromising backups, an organization is almost twice as likely to pay the ransom and incurs an overall recovery bill that is eight times higher than for those whose backups are not impacted.”

That is why ransomware groups almost always will try to compromise backups in their attacks. If they can do this, it drastically raises the probably that a ransom will be paid. In a Sophos survey of 2,974 cybersecurity professionals whose organizations were hit by ransomware attacks last year, 94% said the threat groups tried to compromise backups during the attack.

That figure was greater for both state and local governments as well as the media, leisure, and entertainment sectors, where 99% of attacks also targeted backups. The lowest rate was reported in the distribution and transport industry, where it was 82%.

An Evolving Ransomware Scene

Sophos’s report puts numbers to a central tenet echoed by cybersecurity companies when discussing ways enterprises can protect themselves at a time when the sophistication and number of ransomware attacks are increasing and ransomware-as-a-service (RaaS) is becoming more common, allowing less-skilled cybercriminals launch attacks by paying to use another group’s malware.

According to a recent report by security firm Thales, there was a 27% increase in the number of companies his with a ransomware attack, with 8% paying the ransom.

In almost every metric measured by Sophos, the outcome of a ransomware attack was worse if the cybercriminals were able to compromise a target’s backups. They were able encrypt data 89% of the time when backups were compromised, compared to 52% of the time when they weren’t. The median ransom demand was $2.3 million with compromised backups and $1 million without.

In addition, 67% of companies whose backups were impacted by a ransom, while 36% of those with secure backups did. The media costs for recovering from a ransomware attack was $3 million for those with compromised backups and $375,000 for those with secured backups.

The report found that while attackers were able to successfully compromise backups 57% of the time, some industries were most susceptible than others. The success rate for in the energy, oil and gas, and utilities sectors was 79%, followed by education at 71%. The industries that saw the lowest rates of compromise were the IT, technology, and telecoms sectors, with a 30% success rate, and retail (47%).

Sophos researchers thought IT and telecoms companies likely had stronger backup protection in place.

Climbing Costs of Attacks

The damage of a ransomware attack doesn’t stop with the ransom paid, they wrote. The ransoms paid are only part of the larger financial hit victims take.

“Ransomware-led outages frequently have a considerable impact on day-to-day business transactions while the task of restoring IT systems is often complex and expensive,” Sophos wrote in the report.

Leverage in the primary reason for bad actors to target backups, according to Narayana Pappu, CEO of data protection firm Zendata. Doing so removes victims’ options of simply restoring what was lost via backups.

“Backups typically don’t have the same level of security controls as production systems,” Pappu said. “Implementing similar logging, security and access controls, testing on backup systems would help a lot. On top of that, having multiple copies of backups in multiple places – [such as] in the cloud and offline – with a disaster recovery plan would reduce downtimes.”

Security is an Ongoing Process

Ratan Tipirneni, president and CEO at container security company Tigera, said it’s incumbent on organizations of all sizes to realize that security is not a one-time effort but an ongoing process, an important concept at a time when cyberthreats are mounting. The growing RaaS model “will lead to a worsening security situation for unprepared enterprises,” Tipirneni said.

“As the threat landscape changes and evolves, businesses must constantly re-evaluate and adapt their security measures to stay ahead of potential threats, prioritizing key best practices like regularly backing up data,” he said.

Sophos researchers echoed the advice to take regular backups and store them in multiple locations, adding that cloud backup accounts should be protected with multi-factor authentication. They also said backups should be monitored for suspicious activity and that organizations should practice recovering from backups.

“The more fluent you are in the restoration process, the quicker and easier it will be to recover from an attack,” they wrote.

Sophos and data protection company announced a partnership designed to bolster the security of backups by integrating the Veeam Data Platform with Sophos’ Managed Detection and Response offering.