{
	"id": "af31ce69-ee4f-474f-b375-dda6e1853aa0",
	"created_at": "2026-04-06T01:31:42.168893Z",
	"updated_at": "2026-04-10T03:24:29.397958Z",
	"deleted_at": null,
	"sha1_hash": "b856554840d16cc27d4720fc94233f770239b484",
	"title": "Ransomware victims thought their backups were safe. They were wrong",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38340,
	"plain_text": "Ransomware victims thought their backups were safe. They were\r\nwrong\r\nBy Steve Ranger\r\nPublished: 2020-02-27 · Archived: 2026-04-06 00:58:22 UTC\r\nThe UK's cybersecurity agency has updated its guidance on what to do after a ransomware attack, following a\r\nseries of incidents where organisations were hit with ransomware, but also had their backups encrypted because\r\nthey had left them connected to their networks.\r\nKeeping a backup copy of vital data is a good way of reducing the damage of a ransomware attack: it allows\r\ncompanies to get systems up and running again without having to pay off the crooks. But that backup data isn't\r\nmuch good if it's also infected with ransomware -- and thus encrypted and unusable -- because it was still\r\nconnected to the network when the attack took place.\r\nThe UK's National Cyber Security Centre (NCSC) said it has now updated its guidance by emphasising offline\r\nbackups as a defence against ransomware.\r\n\"We've seen a number of ransomware incidents lately where the victims had backed up their essential data (which\r\nis great), but all the backups were online at the time of the incident (not so great). It meant the backups were also\r\nencrypted and ransomed together with the rest of the victim's data,\" the agency warned.\r\nWhile the NCSC has previously recommended offline backups, it said recent incidents, such as attacks by the\r\nTrickbot banking trojan malware, suggested greater emphasis was needed.\r\nThe key to mitigating a ransomware attack, NCSC said, is to ensure that businesses have up-to-date backups of\r\nimportant files. Organisations should ensure that a backup is kept separate from their network -- offline -- or in a\r\ncloud service designed for this purpose. 
\r\nHowever, NCSC warned that cloud-syncing services (like Dropbox, OneDrive and SharePoint, or Google Drive)\r\nshould not be used as the only backup, in case they automatically synchronise immediately after files have been\r\n'ransomwared', at which point the synchronised copies are lost as well.\r\nThe agency also recommends that the device containing any backup, like an external hard drive or a USB stick is\r\nnot permanently connected to your network and that multiple copies exist.\r\nNCSC also warned: \"An attacker may choose to launch a ransomware attack when they know that the storage\r\ncontaining the backups is connected.\"\r\nIn a separate advisory on offline backups, NCSC notes that it has seen numerous incidents where ransomware has\r\nnot only encrypted the original data on-disk, \"but also the connected USB and network storage drives holding data\r\nbackups. Incidents involving ransomware have also compromised connected cloud storage locations containing\r\nbackups.\"\r\nThe most common method for creating resilient data backups, NCSC said, is to follow the '3-2-1' rule: at least\r\nthree copies, on two devices, and one offsite.\r\nSource: https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.zdnet.com/article/ransomware-victims-thought-their-backups-were-safe-they-were-wrong/"
	],
	"report_names": [
		"ransomware-victims-thought-their-backups-were-safe-they-were-wrong"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439102,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b856554840d16cc27d4720fc94233f770239b484.pdf",
		"text": "https://archive.orkl.eu/b856554840d16cc27d4720fc94233f770239b484.txt",
		"img": "https://archive.orkl.eu/b856554840d16cc27d4720fc94233f770239b484.jpg"
	}
}