
Backups Are Under Attack: How Anomaly Detection Shields Your Last Line of Defense

Your backups have become a prime target. Backups used to be the safety net – now attackers aim to cut it and force you to pay up. Why? Because if criminals can take down your backups, your options for recovery dwindle, and their leverage (and ransoms) soar.

Having Backups is No Longer Enough – You Need to Actively Defend Them

Backups are under direct fire from bad actors, and the fallout is severe. A 2024 study found that a staggering 94% of organizations hit by ransomware reported attempts by cybercriminals to compromise backups; if attackers succeed in compromising backups, organizations face far higher costs and recovery time. In fact, organizations whose backups were compromised experienced median ransomware recovery costs of $3M – 8x higher than those whose backups were not impacted ($375K). They also found themselves paying closer to the full ransom demand (98% of the sum demanded) on average. In short, when backups are compromised, a bad day turns into a catastrophic one.

Backups are the lifeline that allows businesses to refuse a ransom. Take that lifeline away, and victims often have no choice but to consider paying. Taking it away could mean wiping out backup infrastructure, quietly altering retention policies, or encrypting the backup data itself.

This is where Anomaly Detection comes in. In this series, we’ll explore the difference between Anomaly Detection and Malware Scanning and how our Anomaly Detection as a Service (ADaaS) functionality helps you:

  • Keep backup infrastructure secure.
  • Keep backup configurations intact.
  • Identify clean backup copies.

We’ll also clarify why a holistic approach covering multiple attack vectors is critical for data resiliency (the ability to safeguard data integrity and swiftly resume operations in the event of a cyberattack).

Anomaly Detection vs. Malware Scanning: Know the Difference

Let’s define Anomaly Detection and how it’s different from Malware Scanning. Both are important tools, but they serve different purposes:

  • Malware Scanning: Malware scanners look for known bad files or signatures to check if any backup files contain known viruses or ransomware executables. Some use behavioural analysis by partially activating malware and inspecting its behaviour while others use proprietary algorithms. It’s like a security guard checking IDs against a blacklist. Malware scanning is useful for catching known threats; however, it only finds what it recognizes. New or cleverly hidden malware might slip by, meaning classic malware scans alone might allow novel ransomware to get backed up without protest. Therefore, the objective of malware scanning is to contain the spread of damaging malware and ultimately remove it from the network.
  • Anomaly Detection: Anomaly Detection looks for unusual activity that deviates from the norm by leveraging machine learning to establish a baseline of normal operations and flag outliers. It asks, “Does this backup behaviour look normal, or is something off?” For example, if your backups suddenly double in size overnight, or an unusually large number of files changed with random content, those are anomalies. It’s like a smoke detector for your data, warning you that something might be on fire. Crucially, it can catch issues even if the malware is previously unknown, because it’s responding to the symptoms (e.g. encryption patterns in files, abnormal deletions) rather than an entry on a blacklist. The goal of Anomaly Detection is to:
    • Find anomalies indicating an attack on the backup infrastructure, backup configurations, or backup data itself.
    • Quickly and proactively pinpoint known ‘clean’ copies for faster recovery.

| Category | Anomaly Detection | Malware Scanning |
|---|---|---|
| Objective | Detect infrastructure attacks, changes to backup configurations, corruption and/or encryption of backup copies | Detect malware in primary infrastructure |
| Outcome | Identify attacks as they are happening; accelerate recovery by finding a ‘good copy’ quicker | Contain destruction and remove malware |
| What is Inspected? | Backup infrastructure, configurations, and data | Endpoints, network, etc. |
| Sample Heuristics | Honeypots, critical config changes, file entropy, rates of change | Signatures, behaviour, proprietary |

How Anomaly Detection and Malware Scanning Complement Each Other

Malware Scanning is useful for weeding out known threats (and should be part of your layered security), but it doesn’t help much when attackers target your backups. Anomaly Detection fills that gap by watching for signs that something malicious could be happening.

A cleverly staged attack may not trigger the scanner until it’s too late, or the scanner might find malware after it’s already encrypted your data. This is why Anomaly Detection is gaining focus in backup and recovery circles – it provides an early warning system and a broader net for catching trouble. It can alert you to ransomware activity or other attacks as it’s happening, rather than just identifying damage after the fact.

In the context of backups, Anomaly Detection might notice things like brute force attacks on the backup infrastructure, a sudden spike in the number of files being modified or deleted, unusual changes in backup job durations or sizes, or strange patterns like backups consistently shrinking outside the normal range. These can all be indicators of cybercriminals silently conducting their work.
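The size, rate-of-change and file-entropy heuristics named above and in the comparison table can be made concrete with a small detector. The following is an added example written for this article, not code from N‑able or the Cove product: it baselines past backup runs with a median/MAD robust z-score (so a single earlier bad run does not poison the baseline), flags both sudden growth and sudden shrinkage, flags a spike in the fraction of files changed, and scores file contents by Shannon entropy to spot encrypted-looking data. All run histories and file contents are constructed sample data, and the thresholds (3.5 for the z-score, 7.5 bits/byte for entropy) are illustrative assumptions you would tune against your own telemetry.

```python
"""Toy backup anomaly detector: robust size/change-rate baselines plus file entropy.
All sample data below is constructed for illustration, not real backup telemetry."""
import math
import random
import statistics
from collections import Counter
from dataclasses import dataclass


@dataclass
class BackupRun:
    job: str
    size_gb: float
    files_changed: int
    files_total: int


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 .. 8.0. Encrypted or compressed content sits
    close to 8.0; documents, logs and source code sit well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def robust_zscore(value: float, history: list[float]) -> float:
    """Modified z-score against the median and median absolute deviation (MAD) of
    past runs. Unlike mean/stddev, a few outliers already in the history (for example
    an earlier run that was itself part of an attack) barely move the baseline."""
    med = statistics.median(history)
    mad = statistics.median([abs(x - med) for x in history])
    if mad == 0:
        # Perfectly flat history: any deviation is unusual; avoid division by zero.
        return math.inf if value != med else 0.0
    return 0.6745 * (value - med) / mad


def assess_run(run: BackupRun, size_history: list[float],
               change_rate_history: list[float], z_limit: float = 3.5) -> list[str]:
    """Return findings for one backup run, or [] if it looks normal.
    Both directions of size change are flagged: a spike suggests mass rewrites or
    encryption, a shrink suggests deletions or a tampered job scope."""
    findings = []
    z = robust_zscore(run.size_gb, size_history)
    if abs(z) > z_limit:
        direction = "grew" if z > 0 else "shrank"
        findings.append(f"{run.job}: backup size {direction} to {run.size_gb} GB (robust z={z:.1f})")
    rate = run.files_changed / run.files_total if run.files_total else 0.0
    zr = robust_zscore(rate, change_rate_history)
    if zr > z_limit:
        findings.append(f"{run.job}: {rate:.0%} of files changed since last run (robust z={zr:.1f})")
    return findings


def flag_encrypted_looking(files: dict[str, bytes], threshold: float = 7.5) -> list[str]:
    """Names of files whose content entropy exceeds the threshold. Legitimately
    compressed or encrypted files will also score high, so in practice you compare
    a file's entropy against the same path in earlier backup copies."""
    return [name for name, data in files.items() if shannon_entropy(data) > threshold]


# --- constructed sample data (hypothetical job "fileserver-nightly") ---
SIZE_HISTORY_GB = [100, 102, 101, 99, 103, 100, 101, 102, 100, 101]
CHANGE_RATE_HISTORY = [0.02, 0.03, 0.02, 0.04, 0.03, 0.02, 0.03, 0.02, 0.03, 0.02]
NORMAL_RUN = BackupRun("fileserver-nightly", 103, files_changed=300, files_total=10_000)
SPIKE_RUN = BackupRun("fileserver-nightly", 205, files_changed=9_600, files_total=10_000)
SHRINK_RUN = BackupRun("fileserver-nightly", 40, files_changed=100, files_total=4_000)

_rng = random.Random(42)  # seeded so the "ciphertext" stand-in is reproducible
SAMPLE_FILES = {
    "quarterly-report.txt": b"Revenue by region, Q3. North: 12.4m, South: 9.8m.\n" * 80,
    "payroll.xlsx.locked": bytes(_rng.getrandbits(8) for _ in range(4096)),  # stand-in for encrypted content
}

if __name__ == "__main__":
    for run in (NORMAL_RUN, SPIKE_RUN, SHRINK_RUN):
        print(run.size_gb, assess_run(run, SIZE_HISTORY_GB, CHANGE_RATE_HISTORY) or "normal")
    print("high-entropy files:", flag_encrypted_looking(SAMPLE_FILES))
```

A real deployment would keep one baseline per job (nightly and weekly fulls behave differently), compare entropy per file against that file's previous copies rather than a fixed threshold, and feed findings into the same alerting path as the honeypot and configuration-change checks from the table so that a flagged run is held as "suspect" rather than silently rotating out an older clean copy.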

To sum it up, Malware Scanning answers, “Is there known bad code here?” whereas Anomaly Detection asks, “Are my backups under attack?” and “Is this a good backup copy?”, which is exactly what we need for robust backup protection.

In the next part of the series, we’ll summarize the three attack vectors for backups, dive into the importance of Honeypots, and explain how they help detect brute force attacks on the backup infrastructure.

Click here to find out how Cove can help you protect your backups.

Stefan Voss is VP Product Management at N‑able

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

The N-ABLE and N-CENTRAL marks and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd and may be common law marks, registered, or pending registration with the U.S. Patent and Trademark Office and in other countries. All other trademarks mentioned in this document are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.