Veeam, Gartner, Halcyon and Total Assure: Why Ransomware Deletes Your Backups Before You Know You've Been Hit

Veeam, Gartner, Halcyon and Total Assure: Why Ransomware Deletes Your Backups Before You Know You've Been Hit

Ransomware Operators Systematically Neutralize Backups Before Striking

A growing trend in ransomware attacks reveals a calculated strategy: threat actors now prioritize disabling backup infrastructure before deploying encryption, ensuring victims have no recovery options. This tactic, documented by MITRE ATT&CK as T1490 (Inhibit System Recovery), is now standard procedure for major ransomware groups.

According to Veeam’s 2024 Ransomware Trends Report, attackers targeted backup repositories in 96% of incidents, succeeding in 76% of cases. The method relies on a prolonged dwell period averaging 70+ days during which adversaries map networks, harvest domain admin credentials, and methodically dismantle recovery mechanisms. By the time the ransom note appears, backups are often already purged, retention policies altered, or immutable storage rendered ineffective.

The destruction process is systematic:

  • Mapping backup repositories and retention policies.
  • Manipulating retention settings to trigger automatic deletion of prior backups.
  • Abusing time synchronization to bypass immutable locks.
  • Terminating backup services before encryption begins.

Even security measures like immutable storage, quorum controls, and air-gapped vaults fail when attackers operate with legitimate admin credentials. For example, immutable storage protects data blocks but not the management plane attackers can simply shorten retention policies to hours, letting automated purges erase backups. Similarly, quorum controls are bypassed during maintenance windows or by compromising multiple privileged accounts.

The result is a 22-day average recovery time (per Gartner), extending to 38 days for enterprises (Total Assure). Recovery efforts don’t begin with data restoration but with containment, forensic preservation, and validating clean restore points a process complicated by the need to rebuild identity infrastructure (Active Directory, domain controllers) first. Every credential active during the attack must be rotated, adding days or weeks before business systems can resume.

Some organizations are adopting alternative recovery methods that don’t rely on backups. Solutions like Halcyon target three layers of the attack chain:

  1. File resilience: Intercepting encryption in real time before files are written to disk.
  2. Lateral movement prevention: Limiting the spread of encryption to additional systems.
  3. Key capture: Extracting cryptographic keys at execution to enable direct decryption, bypassing the need for backups.

The disconnect between preparedness and reality is stark: Halcyon’s survey of 100 security leaders found most organizations believed their backups were secure until they weren’t. With attackers now dedicating weeks to neutralizing recovery options, traditional defenses are proving insufficient.

Source: https://www.halcyon.ai/blog/why-ransomware-deletes-your-backups-before-you-know-youve-been-hit

Veeam Software cybersecurity rating report: https://www.rankiteo.com/company/veeam-software

Gartner cybersecurity rating report: https://www.rankiteo.com/company/gartner

TotalEnergies cybersecurity rating report: https://www.rankiteo.com/company/totalenergies

Halcyon cybersecurity rating report: https://www.rankiteo.com/company/halcyonai

"id": "VEEGARTOTHAL1781807154",
"linkid": "veeam-software, gartner, totalenergies, halcyonai",
"type": "Ransomware",
"date": "1/2022",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'attack_vector': 'Backup infrastructure compromise, credential harvesting, '
                  'lateral movement',
 'data_breach': {'data_encryption': True},
 'description': 'A growing trend in ransomware attacks reveals a calculated '
                'strategy: threat actors now prioritize disabling backup '
                'infrastructure before deploying encryption, ensuring victims '
                'have no recovery options. This tactic, documented by MITRE '
                'ATT&CK as T1490 (Inhibit System Recovery), is now standard '
                'procedure for major ransomware groups. Attackers target '
                'backup repositories in 96% of incidents, succeeding in 76% of '
                'cases, with a dwell period averaging 70+ days. By the time '
                'the ransom note appears, backups are often already purged, '
                'retention policies altered, or immutable storage rendered '
                'ineffective.',
 'impact': {'data_compromised': True,
            'downtime': '22-day average recovery time (38 days for '
                        'enterprises)',
            'operational_impact': 'Extended recovery efforts, credential '
                                  'rotation, system rebuilds',
            'systems_affected': 'Backup repositories, domain controllers, '
                                'Active Directory, business systems'},
 'initial_access_broker': {'high_value_targets': 'Backup repositories, domain '
                                                 'admin credentials, identity '
                                                 'infrastructure',
                           'reconnaissance_period': '70+ days'},
 'lessons_learned': 'Traditional backup defenses are insufficient against '
                    'modern ransomware tactics. Attackers now dedicate weeks '
                    'to neutralizing recovery options, requiring alternative '
                    'recovery methods and proactive measures like file '
                    'resilience and lateral movement prevention.',
 'motivation': 'Financial gain',
 'post_incident_analysis': {'corrective_actions': 'Rebuild identity '
                                                  'infrastructure, rotate '
                                                  'credentials, validate '
                                                  'restore points, adopt '
                                                  'alternative recovery '
                                                  'methods',
                            'root_causes': 'Prolonged dwell period, credential '
                                           'harvesting, backup infrastructure '
                                           'compromise, manipulation of '
                                           'retention policies'},
 'ransomware': {'data_encryption': True},
 'recommendations': ['Adopt alternative recovery methods (e.g., file '
                     'resilience, key capture)',
                     'Implement real-time encryption interception',
                     'Limit lateral movement to prevent spread of encryption',
                     'Enhance backup security with immutable storage and '
                     'quorum controls',
                     'Rotate credentials and validate clean restore points '
                     'before recovery'],
 'references': [{'source': 'Veeam’s 2024 Ransomware Trends Report'},
                {'source': 'MITRE ATT&CK (T1490 - Inhibit System Recovery)'},
                {'source': 'Gartner (22-day average recovery time)'},
                {'source': 'Total Assure (38-day recovery for enterprises)'},
                {'source': 'Halcyon’s survey of 100 security leaders'}],
 'response': {'recovery_measures': 'Alternative recovery methods (e.g., file '
                                   'resilience, key capture)',
              'remediation_measures': 'Rebuilding identity infrastructure, '
                                      'validating clean restore points, '
                                      'credential rotation'},
 'threat_actor': 'Major ransomware groups',
 'title': 'Ransomware Operators Systematically Neutralize Backups Before '
          'Striking',
 'type': 'Ransomware'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.