Ransomware Targets Backup Systems Before Encryption: Acronis
Acronis researchers have documented a systematic shift in ransomware operations: before triggering encryption, threat actors now deliberately cripple backup infrastructure. Their 2024 analysis of 1,200 ransomware incidents reveals that 73% included steps to delete shadow copies, corrupt backup catalogs, or disable Windows Backup services, often using native OS tools such as vssadmin.exe delete shadows /all /quiet and wbadmin disable. The goal is to make recovery impossible, forcing victims to pay the ransom rather than restore from clean copies.
The typical kill chain starts with phishing or exploitation of a vulnerability such as CVE‑2023‑38408. Once a foothold is obtained, adversaries deploy Cobalt Strike or PsExec for lateral movement, escalate privileges, and then execute a series of commands designed to neuter backup capabilities. In Windows environments this includes bcdedit /set {default} recoveryenabled No, mounting volumes and removing mount points, and clearing Volume Shadow Copies. On Linux hosts, they target /var/backups and /snap/* (rm -rf /snap/*), and manipulate backup metadata in /etc/dumpdates. The result is a backup environment that appears intact until the encryption payload detonates.
Prominent ransomware families have built‑in modules to automate these steps. REvil (aka Sodinokibi) includes a component that issues vssadmin.exe commands as soon as SYSTEM privileges are achieved. Conti’s “del_backup” module writes a PowerShell script to enumerate and erase backup repositories across network shares. LockBit 2.0 and the newer BlackCat/ALPHV have added support for interacting with Acronis and Veeam backup APIs, silently deleting scheduled backup jobs before encrypting the primary storage. Acronis notes that in many cases the backup‑deletion phase occurs 24‑48 hours before the encryption wave, giving the attackers a window to ensure no recovery path remains.
To counter these tactics, security teams should adopt a layered backup strategy: maintain at least one immutable, air‑gapped copy (e.g., write‑once tape or offline cloud object lock), enforce multi‑factor authentication on backup admin accounts, and monitor for commands that disable backup services. Acronis Cyber Protect’s Active Protection can detect attempts to modify or delete shadow copies in real time, while a tested incident response plan that includes regular restoration drills ensures that organisations can recover quickly without bowing to ransom demands.
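The monitoring recommendation above can be made concrete as a small detection pass over process-creation telemetry. This is an added example, not Acronis code or output from Acronis Cyber Protect: the event records are constructed to look like reduced Sysmon Event ID 1 fields, and the rule names and the "backupagent.exe" allow-listed parent process are assumptions standing in for your own backup vendor's agent.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, reduced
# to the fields the rules need). Not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\alice", "parent": "explorer.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" list shadows'},
    {"host": "SRV02", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "SRV02", "user": "NT AUTHORITY\\SYSTEM", "parent": "cmd.exe",
     "cmd": "wbadmin disable backup -quiet"},
    {"host": "SRV02", "user": "NT AUTHORITY\\SYSTEM", "parent": "powershell.exe",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "SRV03", "user": "CORP\\svc_backup", "parent": "backupagent.exe",
     "cmd": "vssadmin.exe delete shadows /for=D: /oldest"},
    {"host": "WS04", "user": "CORP\\bob", "parent": "explorer.exe",
     "cmd": "notepad.exe report.txt"},
]

# Hypothetical allow-list: the process name of the legitimate backup agent that
# is expected to rotate shadow copies. Replace with your vendor's actual binary.
KNOWN_BACKUP_PARENTS = {"backupagent.exe"}

# Each rule targets one backup-tampering command described in the article.
RULES = [
    ("vss_shadow_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wbadmin_disable", re.compile(r"\bwbadmin(\.exe)?\b.*\bdisable\b", re.I)),
    ("wbadmin_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("bcdedit_recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
]

def classify(event):
    """Return (rule_name, severity) for one event, or None if no rule matches.
    A match launched by the known backup agent is kept in the audit trail but
    downgraded to 'low' instead of being dropped, so allow-list abuse is visible."""
    for name, pattern in RULES:
        if pattern.search(event["cmd"]):
            severity = "low" if event["parent"].lower() in KNOWN_BACKUP_PARENTS else "high"
            return (name, severity)
    return None

def detect_backup_tampering(events):
    """Run every event through the rules and return one alert dict per hit."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rule": hit[0], "severity": hit[1], "cmd": ev["cmd"]})
    return alerts

def hosts_with_multiple_rules(alerts):
    """Hosts where more than one distinct high-severity rule fired: the chained
    shadow-copy / wbadmin / bcdedit pattern, far stronger evidence than one hit."""
    by_host = {}
    for a in alerts:
        if a["severity"] == "high":
            by_host.setdefault(a["host"], set()).add(a["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) > 1)
```

The per-host aggregation is what separates routine shadow-copy housekeeping from the pre-encryption sequence the article describes; a single vssadmin hit is noise, three different tampering commands on one host under SYSTEM within a short window is an incident.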