Crucial backup strategies to defend against ransomware attacks

Ransomware payouts are trending upward once again. According to Chainalysis, a cryptocurrency tracing firm, 2021 saw ransomware payments reach nearly $1 billion—a record high. While there was a decline in 2022, the trend reversed in 2023, with estimated payouts approaching $900 million. This increase in ransomware activity can be attributed to the intensified operations of ransomware groups and a surge in extortion efforts. To mitigate the risk and defend against these threats, organizations must develop a robust backup plan that accounts for the myriad ways attackers can infiltrate their networks.


Ransomware Attack Strategies

Strategy 1: Malware Spray Attacks

Malware spray attacks involve purchasing malware from the dark web as part of ransomware-as-a-service operations or from brokers of individual components. These tools require minimal skill, enabling attackers to launch attacks without specifically targeting any particular company. This “spray and pray” approach makes organizations with unpatched vulnerabilities, limited monitoring, inconsistent backups, and other security hygiene issues particularly vulnerable. The hope is that one of the many victims will pay the ransom.

Key Characteristics:

  • Low Expertise and Capital: Requires little skill or investment.
  • Short Dwell Time: Attackers begin encryption quickly after gaining access, with the ransom demand appearing soon after.
  • Lower Ransom Demands: Due to the lack of specific targeting, ransoms are typically lower.

Defense: Protection in Layers

To defend against this strategy, organizations should implement a layered defense. This includes educating end-users about ransomware risks, applying automated patches, updating servers, routine network monitoring, and implementing robust data protection for backups. The goal is to stop attacks with the initial layers of defense, with the backup serving as the last line of defense.


Strategy 2: Targeted Recon

Targeted recon involves conducting detailed reconnaissance on a specific organization. Attackers gather information about the software and cloud infrastructure in use, social media posts of employees, network vulnerabilities, and financial data. They may also research key personnel for targeted phishing attacks. Once inside the network, attackers move laterally, conducting further research to develop a sophisticated ransom demand.

Key Characteristics:

  • High Skill and Investment: Requires financial investment and skilled personnel.
  • Longer Dwell Time: Attackers may remain undetected for an extended period, gathering information.
  • High Ransom Demands: Demands are based on extensive research and tailored to the victim’s financial status.

Defense: Document a Plan

To protect against sophisticated attacks, organizations should document a detailed defense plan. This plan should identify potential entry points and outline strategies to defend against evolving threats. Regularly updating and testing the plan is crucial to ensure its effectiveness.


Strategy 3: Exfiltration

Exfiltration involves encrypting data, then exfiltrating it and demanding either a decryption ransom or an extortion payment. Extortion, especially involving personally identifiable information, is becoming more common. Even after paying the ransom, there’s no guarantee that attackers will delete the data; they may reuse it in future attacks or sell it.

Defense: Encrypt Your Backups

Encrypting data, whether on-premises or in the cloud, in flight or at rest, makes it much harder for cybercriminals to misuse it. Modern best practices recommend encrypting all backups to safeguard against unauthorized access.


Dwell Times

Dwell time refers to the period an attacker spends in a network before initiating an attack. Research indicates that attackers often have surprisingly short dwell times, averaging nine days in 2022, according to Sophos and Mandiant. During this time, attackers may elevate their privileges, move laterally through the network, assess the value of data, and look for ways to corrupt backups.


Defending Against Hidden Ransomware

Sophisticated ransomware can remain dormant for months, embedding itself into daily backups. To avoid reinfecting systems with compromised backups, organizations should plan and regularly test their disaster recovery procedures. This ensures that they can restore systems confidently and effectively in the event of a ransomware attack.
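One way to apply this during a restore test, as an added example that is not from the original article: given the hash of a payload identified during incident response, walk the daily backups from oldest to newest and pick the last restore point taken before the payload first appears. The backup labels, file paths and payload bytes are constructed sample data, and the function names are hypothetical.

```python
import hashlib

def manifest(files):
    """Map each path in a restored backup to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def infected_paths(man, bad_hashes):
    """Paths whose content hash matches a known-bad indicator."""
    return sorted(path for path, digest in man.items() if digest in bad_hashes)

def last_clean_restore_point(backups, bad_hashes):
    """backups: (label, manifest) pairs ordered oldest to newest.

    Returns (label, findings): label is the last backup taken before the
    payload first appears (None if even the oldest one carries it), and
    findings maps every infected backup to the matching paths. Backups
    taken after the first sighting are never chosen, even if they look
    clean, because the system was already compromised when they were taken.
    """
    clean, first_hit_seen, findings = None, False, {}
    for label, man in backups:
        hits = infected_paths(man, bad_hashes)
        if hits:
            first_hit_seen = True
            findings[label] = hits
        elif not first_hit_seen:
            clean = label
    return clean, findings

# Constructed sample data: harmless placeholder bytes stand in for the payload.
PAYLOAD = b"constructed-placeholder-for-dormant-payload"
BAD_HASHES = {hashlib.sha256(PAYLOAD).hexdigest()}
BACKUPS = [
    ("day-1", manifest({"share/report.docx": b"q1 figures"})),
    ("day-2", manifest({"share/report.docx": b"q1 figures",
                        "tmp/svc_update.bin": PAYLOAD})),
    ("day-3", manifest({"share/report.docx": b"q1 figures v2",
                        "tmp/helper.bin": PAYLOAD})),
    ("day-4", manifest({"share/report.docx": b"q1 figures v3"})),
]

if __name__ == "__main__":
    label, findings = last_clean_restore_point(BACKUPS, BAD_HASHES)
    print("restore from:", label)
    for day, paths in findings.items():
        print("infected:", day, paths)
```

Hash matching only finds payloads that have already been identified, so it complements rather than replaces a full restore test in an isolated environment.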



The rising trend of ransomware payouts highlights the ongoing threat to organizations. Defending against these threats requires a comprehensive defense strategy, a robust backup solution, and an understanding of potential entry points. As cyber threats continue to evolve, organizations must adopt a proactive and adaptive approach to defend against ransomware effectively.





About DT Asia

DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.

Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.
