18% of Attacks, 100% Business Paralysis. Hackers Have Learned to Kill Your "Rainy Day" — By Attacking Backups.

Where companies usually expect salvation, only emptiness remains.

Hackers are increasingly choosing backup copies as their primary target—not the systems, not the servers, but the very data that companies store for a "rainy day" for recovery after an attack. New research from Apricorn reveals alarming statistics: one in five data breach incidents in the UK is directly linked to the compromise of backup copies. This is a signal that intruders have learned to penetrate deeper and more precisely—into the very place where a business hopes to find salvation in the event of a cyberattack.
Previously, backup data was considered a kind of insurance policy—a reliable and protected copy of critical information that could be restored in case of any disaster. However, the dynamics are changing. While companies previously focused on protecting active IT infrastructure—workstations, clouds, routers—passive storage is now also under fire. Moreover, this is not just a side effect; in some cases, attacks are aimed exclusively at backup copies to undermine the very possibility of recovery.
According to Apricorn, 18% of companies cited the hacking of backup copies as the main cause of an incident. This is not only direct damage but also a strategic disruption of business continuity: the inability to return to work without a complete reinstallation and negotiations with blackmailers. Notably, 13% of respondents admitted that their recovery infrastructure is not robust enough to quickly restore data. Nearly a third of companies that faced actual recovery from backups failed to restore everything completely: either some information was lost, or the process turned out to be non-functional due to poorly designed procedures.
The example of Danish cloud company CloudNordic, attacked in 2023, is telling. The attackers not only disabled the main servers but also encrypted all backups. As a result, the entire customer base was irrevocably lost, and the company's operations were virtually paralyzed. Notably, CloudNordic had antivirus, firewalls, and a multi-tiered backup strategy. However, vulnerable servers, previously compromised, became the entry point. This highlights an important point: backup is only effective when it doesn't just exist, but is regularly tested, physically isolated, and built on the principle of being "invisible" to the main network.
However, the Apricorn report also shows positive trends. The number of companies that successfully restored their entire infrastructure from backups has risen to 58%—up from 50% a year earlier. More and more organizations are using automated mechanisms to create copies: 44% send data to both central and personal storage, compared to only 30% last year. Overall, 85% of companies have now implemented at least one element of automation.
According to Jon Fielding, Managing Director for EMEA at Apricorn, incident management should include not only preparation for attacks but also readiness for a full recovery. In his assessment, only regularly tested, full-format, and reliably protected copies can become a true defense tool, not an illusion of security.
Against the backdrop of growing attack sophistication, it becomes clear: it's not enough to just have a backup. It must be beyond the attacker's control, duplicated, well-debugged, and easily deployable in isolation. Otherwise, companies risk not just losing data but losing the ability to ever get it back.