{
	"id": "3b62a6c0-04a3-4df0-9962-58db353546b4",
	"created_at": "2026-04-06T00:12:37.993572Z",
	"updated_at": "2026-04-10T03:21:24.63412Z",
	"deleted_at": null,
	"sha1_hash": "2c3d041bc9a5a3e088a871b32d9583d0199d4f4f",
	"title": "Ransomware Attackers Use Your Cloud Backups Against You",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1173425,
	"plain_text": "Ransomware Attackers Use Your Cloud Backups Against You\r\nBy Lawrence Abrams\r\nPublished: 2020-03-03 · Archived: 2026-04-05 13:13:49 UTC\r\nBackups are one the most, if not the most, important defense against ransomware, but if not configured properly, attackers\r\nwill use it against you.\r\nRecently the DoppelPaymer Ransomware operators published on their leak site the Admin user name and password for a\r\nnon-paying victim's Veeam backup software.\r\nLeaked Veeam Account\r\nThis was not meant to expose the information to others for further attacks but was used as a warning to the victim that the\r\nransomware operators had full access to their network, including the backups.\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nAfter seeing this information, I reached out to the operators of the DoppelPaymer and Maze Ransomware families to learn\r\nhow they target victim's backups and was surprised by what I learned.\r\nIt should be noted that in this article we will be focusing on the Veeam backup software. 
Not because it is less secure than\r\nother software, but simply because it is one of the most popular enterprise backup products and was mentioned by the\r\nransomware operators.\r\nAttackers first use your cloud backups to steal your data\r\nDuring ransomware attacks, attackers will compromise an individual host through phishing, malware, or exposed remote\r\ndesktop services.\r\nOnce they gain access to a machine, they spread laterally throughout the network until they gain access to administrator\r\ncredentials and the domain controller.\r\nUsing tools such as Mimikatz they proceed to dump credentials from Active Directory.\r\nAccording to Nero Consulting, an MSP and IT Consulting company based out of New York City who assisted me with this\r\narticle, this could allow the attackers to gain access to backup software as some administrators configure Veeam to use\r\nWindows authentication.\r\nLog in to Veeam using Windows authentication\r\nOnce they gain access, the Maze Ransomware operators told BleepingComputer that if cloud backups are configured, it is\r\nvery useful when stealing data from their victims.\r\nConfigured cloud provider\r\nWhen Maze finds backups stored in the cloud, they attempt to obtain the cloud storage credentials and then use them to\r\nrestore the victim's data to servers under the attacker's control.\r\n\"Yes, we download them. It is very useful. No need to search for sensitive information, it is definitely contained in backups.\r\nIf backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to \"data\r\nbreach detection software\". 
Clouds is about security, right?\"\r\nAs the attackers are restoring directly from the cloud to their servers, it won't raise any red flags for the victim as their\r\nservers appear to be operating normally with no logs being created in their backup software.\r\nThe Maze operators did not elaborate on how they gain access to the cloud credentials, but DoppelPaymer told us they use\r\n\"all possible methods\".\r\nThis could include keyloggers, phishing attacks, or by reading locally saved documentation on the backup servers.\r\nDeleting backups before ransomware attacks\r\nRegardless of whether the backups are used to steal data, before encrypting devices on the network the attackers will first\r\ndelete the backups so that they cannot be used to restore encrypted files.\r\nDoppelPaymer told BleepingComputer that even though cloud backups can be a good option to protect against ransomware,\r\nit is not 100% effective.\r\n\"Cloud backups are a very good option against ransom but do not 100% protect as cloud backups are not always good\r\nconfigured, offline backups often outdated - the system of backups is really nice but human factor leaves some options,\"\r\nDoppelPaymer told us via email.\r\nUnless you subscribe to service add-ons such as immutable backups, as the actors have full access to the local install of\r\nbackup software, they can simply delete any backups that exist in the cloud.\r\nDeleting a cloud backup in Veeam\r\nWith a victim's data now stolen and their backups deleted, the attackers deploy their ransomware throughout the\r\ncompromised network using PSExec or PowerShell Empire typically during off-hours.\r\nThis usually leads to a company opening the next day to an encrypted network.\r\nProtecting your backups\r\nIn emails with Rick Vanover, Senior Director, Product Strategy at Veeam Software, we were told that it does not 
matter what\r\nsoftware you use, once an attacker gains privileged access to the network, everything is at risk.\r\n\"We have advocated, even in a published 2017 whitepaper that I wrote I’ve recommended separate accounts for Veeam\r\ninstallations and components. Additionally, I recommend Veeam installations to use non-domain accounts for components as\r\nwell to add more account-based layers of resiliency. Additionally, Veeam has recommended that the Veeam deployment not\r\nhave Internet access or otherwise be on an isolated management network,\" Vanover told BleepingComputer.\r\nTo prevent ransomware attackers from gaining complete leverage over a victim, Veeam recommends that companies follow\r\na 3-2-1 Rule when configuring backups.\r\n\"Whether it is ultra-resilient backup data like S3-immutable backups in the cloud, encrypted backups on tape or encrypted\r\nbackups on removable offline storage; customers need to have multiple copies of data. We have advocated for a long time\r\nthe 3-2-1 Rule, which advocates having 3 different copies of data on 2 different media with one of them being off-site.\r\nCouple in 1 copy being on an ultra-resilient technique such as an immutable backup, offline backup or otherwise air-gapped;\r\ndata can be protected against nearly any failure scenario – including ransomware. 
Additionally, Veeam also has a technology\r\ncalled Secure Restore; which will perform a threat scan with almost any tool to ensure that a restored system or data does\r\nnot re-introduce a threat,\" Vanover continued.\r\nLike Veeam, Nero Consulting also strongly recommends that users purchase the immutable storage or redundant storage\r\nprotection options if available when using cloud services.\r\nUsing this option, even if the data is deleted from the cloud storage provider, the immutable storage service will make the\r\ndata recoverable for a certain amount of time.\r\nAs for protecting a network from data exfiltration, the best solution is to prevent the attackers from gaining access to your\r\nnetwork in the first place and to monitor for suspicious activity.\r\nThis would include utilizing network monitoring software, intrusion detection systems, and geographic and IP access control\r\nfor cloud storage providers if available.\r\nSource: https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/"
	],
	"report_names": [
		"ransomware-attackers-use-your-cloud-backups-against-you"
	],
	"threat_actors": [],
	"ts_created_at": 1775434357,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2c3d041bc9a5a3e088a871b32d9583d0199d4f4f.pdf",
		"text": "https://archive.orkl.eu/2c3d041bc9a5a3e088a871b32d9583d0199d4f4f.txt",
		"img": "https://archive.orkl.eu/2c3d041bc9a5a3e088a871b32d9583d0199d4f4f.jpg"
	}
}