Full Report
Backups don't fail because they're missing, they fail because attackers destroy them first. Acronis explains how ransomware targets backup systems before encryption, leaving no path to recovery. [...]
Analysis Summary
# Tool/Technique: Anti-Backup Ransomware Procedures
## Overview
This technique involves the systematic identification, access, and destruction of an organization's backup infrastructure by ransomware operators. The primary purpose is to eliminate the victim's ability to restore data without paying the ransom, effectively turning the backup system from a recovery mechanism into a single point of failure.
## Technical Details
- **Type:** Technique / Attack Procedure
- **Platform:** Windows (Volume Shadow Copies), Linux, Cloud (AWS/Azure/GCP), Virtual Environments (VMware/Hyper-V)
- **Capabilities:** Credential theft, lateral movement, backup enumeration, snapshot deletion, agent disabling, and policy modification.
- **First Seen:** Historically observed; highlighted in the Acronis Cyberthreats Report H2 2025.
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
  - [T1083 - File and Directory Discovery] (Enumerate backup repositories)
  - [T1018 - Remote System Discovery] (Identifying backup servers)
- **[TA0005 - Defense Evasion]**
  - [T1562.001 - Impair Defenses: Disable or Modify Tools] (Disabling backup agents)
- **[TA0040 - Impact]**
  - [T1485 - Data Destruction] (Deleting backups/shadow copies)
  - [T1490 - Inhibit System Recovery] (Main technique for destroying VSS and snapshots)
## Functionality
### Core Capabilities
- **Volume Shadow Copy (VSS) Deletion:** Using native Windows commands to remove local recovery points.
- **Backup Enumeration:** Searching the network for dedicated backup servers, storage repositories, and management consoles.
- **Credential Exploitation:** Using stolen administrative or service account credentials to log into backup software.
- **Snapshot Targeting:** Accessing hypervisors (like ESXi or Hyper-V) to delete virtual machine snapshots.
### Advanced Features
- **Policy Manipulation:** Rather than just deleting files, attackers modify retention policies to "zero days," causing the system to automatically purge all existing backups.
- **API Exploitation:** Utilizing cloud provider APIs to delete offsite blobs or buckets where backups are stored.
- **Living-off-the-Land (LotL):** Using legitimate administrative tools to conduct destruction, bypassing basic signature-based detections.
## Indicators of Compromise
- **File Names:** Usage of `vssadmin.exe`, `wmiprvse.exe`, or PowerShell scripts targeting backup directories.
- **Behavioral Indicators:**
  - Execution of `vssadmin delete shadows /all /quiet`.
  - Sudden spikes in administrative logins to backup management consoles from unusual IP addresses.
  - Mass deletion of files within directories containing extensions like `.vhk`, `.vhd`, `.bak`, or `.vbk`.
  - Modification of backup retention schedules outside of maintenance windows.
## Associated Threat Actors
- **General Trend:** Used by modern ransomware-as-a-service (RaaS) affiliates.
- **Specific Mention:** Linked to various groups in the Acronis Cyberthreats Report; mentioned in context with Chaos Ransomware (decoy) and MuddyWater.
## Detection Methods
- **Signature-based detection:** Monitoring for known malicious scripts used to automate the disabling of backup services (e.g., Veeam, Acronis, or Backup Exec services).
- **Behavioral detection:** Flagging any process that attempts to delete Volume Shadow Copies or interact with backup-specific APIs/processes.
- **Audit Logs:** Monitoring for "Success/Failure" logins on backup consoles and unusual API calls to cloud storage.
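The behavioral indicators and detection methods above can be turned into a small correlation rule. The following is an added example written for this summary, not Acronis code or a vendor rule: it parses constructed Sysmon-style process-creation records, alerts on the two behaviours the report names (shadow-copy deletion through `vssadmin`, and stopping services carrying a backup vendor's name), and escalates a host when several such actions land within a short window. The pipe-separated record format, the field order and the sample records are assumptions made for the demo.

```python
"""Flag anti-backup activity in process-creation telemetry.

Added example for this report (not Acronis code). It parses constructed
Sysmon-style process-creation records and raises alerts for the two
behaviours the report names: Volume Shadow Copy deletion via vssadmin
(T1490) and stopping backup-vendor services (T1562.001). The pipe-
separated record format and field order are assumptions for the demo.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample records, not real logs. Assumed layout:
# utc_time|host|user|parent_image|command_line
SAMPLE_LOGS = [
    "2025-11-03T02:14:09Z|FS01|CORP\\svc_backup|cmd.exe|vssadmin delete shadows /all /quiet",
    "2025-11-03T02:14:10Z|FS01|CORP\\svc_backup|cmd.exe|net stop VeeamBackupSvc",
    "2025-11-03T02:14:12Z|FS01|CORP\\svc_backup|powershell.exe|Stop-Service -Name AcronisAgent -Force",
    "2025-11-03T09:00:00Z|WS17|CORP\\jsmith|explorer.exe|notepad.exe report.txt",
    "2025-11-03T09:05:00Z|FS01|CORP\\admin|cmd.exe|vssadmin list shadows",
]

# Shadow-copy deletion: vssadmin ... delete ... shadows (listing shadows is benign).
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)
# Stopping a service whose name carries a backup vendor's name.
SERVICE_STOP = re.compile(
    r"(?:\bnet\s+stop\b|\bsc(?:\.exe)?\s+stop\b|\bStop-Service\b).*"
    r"(?:veeam|acronis|backup\s*exec)",
    re.I,
)


@dataclass(frozen=True)
class Alert:
    time: datetime
    host: str
    user: str
    rule: str
    command: str


def parse_record(line: str):
    """Split one record into its five assumed fields; raise on malformed input."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    time, host, user, parent, cmd = parts
    return datetime.strptime(time, "%Y-%m-%dT%H:%M:%SZ"), host, user, parent, cmd


def detect(lines: List[str]) -> List[Alert]:
    """Return one Alert per record that matches a rule, in input order."""
    alerts = []
    for line in lines:
        time, host, user, _parent, cmd = parse_record(line)
        if VSS_DELETE.search(cmd):
            alerts.append(Alert(time, host, user, "T1490 shadow copy deletion", cmd))
        elif SERVICE_STOP.search(cmd):
            alerts.append(Alert(time, host, user, "T1562.001 backup service stop", cmd))
    return alerts


def correlate(alerts: List[Alert], window_seconds: int = 300) -> Dict[str, int]:
    """Hosts with two or more alerts inside a sliding window, with the peak count.

    One stopped service may be maintenance; several anti-backup actions on
    one host within minutes is the pre-encryption pattern worth paging on.
    """
    by_host: Dict[str, List[datetime]] = {}
    for a in alerts:
        by_host.setdefault(a.host, []).append(a.time)
    escalated: Dict[str, int] = {}
    for host, times in by_host.items():
        times.sort()
        peak, start = 1, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= 2:
            escalated[host] = peak
    return escalated


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"{a.time:%H:%M:%S} {a.host} {a.user}: [{a.rule}] {a.command}")
    print("escalate:", correlate(found))
```

The `vssadmin list shadows` record is deliberately left unflagged: administrators run it routinely, and alerting on it would bury the deletion signal. In a real deployment the service-name list would come from the backup products actually in use, and the window correlation would run per host on a streaming store rather than a list.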
## Mitigation Strategies
- **Immutability:** Implementing "Write Once, Read Many" (WORM) storage where backups cannot be deleted or modified for a set duration, even with admin credentials.
- **Isolation (Air-Gapping):** Ensuring backup storage is on a separate domain or network segment with strictly controlled access.
- **Multi-Factor Authentication (MFA):** Mandatory MFA for all access to backup management consoles.
- **3-2-1-1 Rule:** 3 copies of data, 2 different media, 1 offsite, and 1 **immutable** or offline.
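Two of the controls above lend themselves to an automated check: the 3-2-1-1 rule and the retention-policy manipulation described under "Advanced Features" (driving retention to "zero days" so the platform purges its own recovery points). The following is an added example written for this summary, not Acronis tooling: it models a backup estate as a list of copies, verifies the 3-2-1-1 properties while treating an expired immutability lock as mutable, and diffs two retention-policy snapshots to catch downgrades. The inventory data model, the policy-snapshot format and all sample data are assumptions constructed for the demo.

```python
"""Check a backup estate against 3-2-1-1 and catch retention downgrades.

Added example for this report (not Acronis code). The inventory model and
the policy-snapshot format are assumptions; the sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                           # "disk", "tape", "object-storage", ...
    offsite: bool
    offline: bool                        # air-gapped / not network reachable
    immutable_until: Optional[datetime]  # WORM lock expiry; None = mutable


NOW = datetime(2025, 11, 3, tzinfo=timezone.utc)  # constructed "current time"

# Constructed estate that satisfies 3-2-1-1.
GOOD_ESTATE = [
    BackupCopy("primary-disk", "disk", offsite=False, offline=False, immutable_until=None),
    BackupCopy("cloud-worm", "object-storage", offsite=True, offline=False,
               immutable_until=datetime(2026, 2, 1, tzinfo=timezone.utc)),
    BackupCopy("monthly-tape", "tape", offsite=True, offline=True, immutable_until=None),
]

# Constructed estate with two disk copies, one whose lock has already expired.
WEAK_ESTATE = [
    BackupCopy("primary-disk", "disk", offsite=False, offline=False, immutable_until=None),
    BackupCopy("repo-disk", "disk", offsite=False, offline=False,
               immutable_until=datetime(2025, 10, 1, tzinfo=timezone.utc)),
]


def is_protected(c: BackupCopy, now: datetime) -> bool:
    """A copy counts as the '1' only if offline or under a lock still in force."""
    return c.offline or (c.immutable_until is not None and c.immutable_until > now)


def check_3_2_1_1(copies: List[BackupCopy], now: datetime) -> List[str]:
    """Return the list of 3-2-1-1 properties the estate fails (empty = compliant)."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than 3 copies")
    if len({c.media for c in copies}) < 2:
        findings.append("fewer than 2 media types")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    if not any(is_protected(c, now) for c in copies):
        findings.append("no immutable or offline copy")
    return findings


def retention_downgrades(baseline: Dict[str, int], current: Dict[str, int],
                         floor_days: int = 7) -> List[Tuple[str, int, int, str]]:
    """Compare two policy snapshots {job: retention_days}; return downgrades.

    Retention pushed below floor_days (the report's 'zero days' trick) is
    critical because the platform will purge existing points on its own.
    """
    out = []
    for job, days in current.items():
        base = baseline.get(job)
        if base is not None and days < base:
            out.append((job, base, days, "critical" if days < floor_days else "warning"))
    return out


# Constructed policy snapshots: a known-good baseline and the current config.
BASELINE_POLICY = {"daily-fileserver": 30, "vm-nightly": 14, "db-hourly": 30}
CURRENT_POLICY = {"daily-fileserver": 0, "vm-nightly": 14, "db-hourly": 20}

if __name__ == "__main__":
    print("good estate:", check_3_2_1_1(GOOD_ESTATE, NOW) or "compliant")
    print("weak estate:", check_3_2_1_1(WEAK_ESTATE, NOW))
    for job, base, now_days, sev in retention_downgrades(BASELINE_POLICY, CURRENT_POLICY):
        print(f"{sev}: {job} retention {base}d -> {now_days}d")
```

The baseline snapshot should be stored somewhere the backup administrator's credentials cannot reach (a separate monitoring account or a read-only export taken during change control); otherwise an attacker who can rewrite the policy can rewrite the baseline too, and the check silently passes.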
## Related Tools/Techniques
- **[T1490] Inhibit System Recovery:** The broader MITRE technique category.
- **Living-off-the-Land Binaries (LoLBins):** Use of legitimate system tools to execute the destruction.
- **Credential Access:** Techniques used to obtain the backup administrator rights that precede the destruction.