Google’s Security Chief has warned that backup systems are a target for ransomware. Cybercriminals are changing tactics: instead of only locking down live systems, ransomware groups now target backup infrastructure to block recovery and increase ransom pressure.
Ransomware Groups Shift Focus to Backup Systems
According to Google Cloud’s Cloud Threat Horizons Report, threat groups such as UNC3944 (Scattered Spider), UNC2165, UNC4393, and UNC2465 have accessed backup data, deleted routines, and changed permissions. This shift highlights a new threat: if businesses cannot restore operations, they face greater pressure to pay.
In 2024, ransomware accounted for more than one-fifth of Mandiant’s incident response cases, showing how central the problem has become.
Why APAC Organisations Are at Higher Risk
Google’s APAC OCISO Head, Daryl Pereira, explained that uneven digital maturity in the region increases risk. Some businesses are cloud-native, while others are still transitioning from on-premises systems, creating inconsistent security.
Backups often store personal data, intellectual property, and financial records. Attackers exploit this, using sensitive data for extortion or selling it on the dark web. For APAC organisations, the ability to restore systems is becoming just as critical as preventing attacks.
How Do Attackers Access Backup Data?
The report reveals the two leading causes of compromise:
- Compromised credentials – accounting for 47% of cloud incidents in early 2025.
- Misconfigurations – responsible for 29% of breaches.
Attackers exploit these weaknesses, corrupting backups while blending into normal activity. Once inside, they target the most valuable assets, making recovery difficult and ransom payments more likely.
What is Google Doing to Help Stop the Ransomware Attacks?
To counter these threats, Google promotes Cloud Isolated Recovery Environments (CIREs). These environments:
- Separate restored data from compromised systems.
- Provide a safe space to clean and validate backups.
- Ensure business continuity even if production systems fail.
Pereira emphasised that CIREs are no longer optional for APAC businesses, as the region is a prime target for cybercrime and ransomware.
What is Cloud-Native Extortion?
A rising trend is cloud-native extortion. Cloud-native extortion is a ransomware tactic where attackers abuse built-in cloud features, such as storage snapshots, encryption tools, or role-based access controls, to lock organisations out of their own data and systems.
Instead of deploying external malware, attackers weaponise the very tools designed for resilience, turning them into mechanisms of control. This makes detection harder, as the activity often looks like normal system use. For businesses, cloud-native extortion highlights the urgent need for identity-first security, strict access controls, and continuous monitoring to prevent trusted tools from being misused for ransom.
Why Does Identity-First Security Help?
Identity-first security protects cloud environments by focusing on who has access and how that access is controlled. Pereira advised that organisations must adopt identity-first security by:
- Enforcing multi-factor authentication (MFA).
- Limiting access through least privilege policies.
- Monitoring role changes and credential leaks.
- Using automation to detect misconfigurations.
- Proactively detecting anomalies in access and flagging unusual patterns that may indicate an attack.
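The monitoring the article calls for (watching role changes and anomalous access, and catching backup tampering that blends into normal activity) can be expressed as a small detection rule. The example below is added here and is not code from the article, the report or Google; it runs over constructed, simplified audit-log-style records whose field names and method strings are assumptions, not real Cloud Audit Log schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified audit-log-style records for illustration only.
# Field names (ts, principal, method, resource, granted_roles) and method
# strings are assumptions, not a real cloud provider's log format.
SAMPLE_LOG = """
{"ts": "2025-03-01T02:10:05Z", "principal": "backup-svc@example.com", "method": "snapshots.create", "resource": "snapshots/db-nightly-0301"}
{"ts": "2025-03-01T09:14:22Z", "principal": "alice@example.com", "method": "SetIamPolicy", "resource": "projects/prod", "granted_roles": ["roles/owner"]}
{"ts": "2025-03-01T09:16:40Z", "principal": "alice@example.com", "method": "snapshots.delete", "resource": "snapshots/db-nightly-0301"}
{"ts": "2025-03-01T09:17:01Z", "principal": "alice@example.com", "method": "snapshots.delete", "resource": "snapshots/db-nightly-0228"}
{"ts": "2025-03-01T11:00:00Z", "principal": "bob@example.com", "method": "snapshots.get", "resource": "snapshots/db-nightly-0227"}
"""

DESTRUCTIVE = {"snapshots.delete", "backups.delete", "retentionPolicy.remove"}
PRIVILEGED_ROLES = {"roles/owner", "roles/editor", "roles/compute.storageAdmin"}
WINDOW = timedelta(minutes=30)  # how soon after a role grant a deletion counts as linked

def parse_log(text):
    """Parse one JSON record per line and return events in time order."""
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])

def detect_backup_tampering(events):
    """Return {principal: [(severity, method, resource), ...]}.
    Two signals are combined:
    - any destructive action against a backup or snapshot resource (medium);
    - the same principal receiving a privileged role and then acting
      destructively within WINDOW, the 'change permissions, then delete'
      pattern the report describes (high)."""
    alerts = defaultdict(list)
    last_grant = {}  # principal -> time of most recent privileged role grant
    for e in events:
        p = e["principal"]
        if e["method"] == "SetIamPolicy" and set(e.get("granted_roles", [])) & PRIVILEGED_ROLES:
            last_grant[p] = e["ts"]
        if e["method"] in DESTRUCTIVE:
            severity = "medium"
            if p in last_grant and e["ts"] - last_grant[p] <= WINDOW:
                severity = "high"
            alerts[p].append((severity, e["method"], e["resource"]))
    return dict(alerts)

if __name__ == "__main__":
    for principal, hits in detect_backup_tampering(parse_log(SAMPLE_LOG)).items():
        print(principal, hits)
```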
Investments in identity and access management tools are growing, as businesses realise these measures reduce the risk of identity-based attacks.
The Supply Chain Factor in Cloud Attacks
Attackers also exploit supply chains and social engineering. Pereira highlighted campaigns where voice phishing was used to steal Salesforce access. He urged organisations to strengthen:
- Detection and monitoring.
- IAM deployment with MFA.
- Continuous staff awareness training.
Supply chain integrity must now be part of every security strategy, as third-party breaches can cascade across entire ecosystems.
What are the Essential Security Measures for APAC CISOs?
Pereira outlined key steps for CISOs in the region:
- Implement CIREs to safeguard recovery data.
- Strengthen IAM and enforce MFA.
- Secure encryption key management.
- Conduct regular recovery drills.
These steps create resilience and reduce the chance of long, costly outages.
What are Hybrid-Cloud Strategies?
Hybrid-cloud strategies are data management and recovery approaches that combine both public cloud and private cloud (or on-premises systems) to improve resilience, flexibility, and security. Instead of relying on one environment, businesses spread their workloads and backups across multiple platforms.
Key elements of hybrid-cloud strategies include:
- Data redundancy – storing copies of backups in different environments to prevent a single point of failure.
- Immutable snapshots – creating recovery points that cannot be altered or deleted, protecting against ransomware.
- Automated versioning – ensuring older, clean copies of data remain available if recent backups are corrupted.
- Segmentation and encryption – isolating sensitive data and keeping it secure across environments.
- Faster recovery times – allowing organisations to restore systems in minutes instead of days or weeks.
By blending on-premises and cloud solutions, hybrid-cloud strategies give organisations a flexible, layered defence against cyberattacks while ensuring business continuity.
Rethinking Cyber Resilience in APAC
The rise in backup-targeted ransomware forces APAC organisations to rethink resilience. Protecting production systems alone is no longer enough; backups are now prime targets.
Pereira stressed that prevention must work alongside recovery. Businesses need layered defence, tested recovery plans, and modern identity-first safeguards. As ransomware grows more advanced, protecting backups is just as important as defending live systems.
Contact us if you have concerns about your company’s resilience to cyberattacks in 2025: info@zendata.security