Can cloud backup be hacked and is it immune to ransomware attacks?

(Image credit: Shutterstock / Blackboard)

Cloud backup is one of those terms businesses and individuals blithely use to describe a number of services that aren’t in fact cloud backup at all!

It’s easy to see where the confusion arises. Take Google’s G Suite, for example – or indeed Microsoft 365, Dropbox, Box, or any number of similar solutions. They’re in the cloud and they look after your data – therefore they’re cloud data backup, right?

Not so. They hold your deleted files only for a certain number of days (typically only 20 – 30, depending on the service), archive them for only a few days longer (depending on how you’re consuming the service), and then blitz them forever. This is cloud storage, not cloud backup.

So, in attempting to answer the question as to whether cloud backup can be hacked, or if it is immune to ransomware, we first have to establish what cloud backup actually is.

About the author

Rob Stevenson is Director at BackupVault

Cloud backup: the good, the bad and the illegal

By its very nature, ‘backup’ means data must be retrospectively accessible for far longer than a mere few days.

Sixty days is the generally accepted bare minimum, but GDPR requirements and compliance regimes in highly regulated industries like finance can push this to several years or more.

This is where cloud backup, as a concept, really comes into its own. It stores huge volumes of backed-up data in a powerful data centre elsewhere (aka the cloud). If disaster befalls the office, it doesn’t take the backed-up data with it, because that data is offsite.

But cloud backup is not without its issues – and security is often one of them. This includes how physically secure the data centre itself is, whether the data held in it meets encryption standards both in transit and at rest, and indeed whether the data centre is actually based in a country whose security and data protection standards can be deemed compliant with the law in your own geography.

There are a lot of free or low-cost cloud backup services out there based out of the US, for example, but you could be breaking the law – and exposing yourself to prosecution if a breach occurs – by using them.

And sadly, the security concerns don’t end there. Ransomware – the very evil that online backup is supposedly well positioned to combat, since it can restore unaffected data back into your organisation – can exploit weaknesses in cloud backup to hold the backed-up data itself to ransom.

So, how does a ransomware attack happen? How does it infect cloud backup systems? And how – if at all – can cloud backup offer ransomware protection?

Cloud backup must haves: Configuration, immutability, point-in-time

Ransomware encrypts your data, locking it and making it unusable, and demands you pay a fine to obtain the key to decrypt it. It’s often triggered by a link in a phishing email, using an infected USB device, or opening a malicious attachment.

This can hit your revenues hard, and every type and size of business is at risk. Some 48% of UK companies were targeted by ransomware last year, yet it has also been reported that 2.8 million businesses in the UK back up in the same location as the original data – meaning they don’t really back up at all!

It should come as no surprise, however, that ransomware can compromise cloud backups – particularly given that it can compromise other cloud services easily enough. (Can ransomware affect Google Drive, for example? You bet it can. Is there such a thing as Office 365 email ransomware? Or Microsoft 365, to give it its new name? Yes and yes.) 

When it comes to cloud backup solutions, the three bulwarks against ransomware are configuration, immutability, and point-in-time restore.


The first is to do with the backup’s own security and access rules setup. Attackers exploit misconfigurations in these to gain access privileges, permanently delete all the backups, and then launch their ransomware attack.

In this scenario, you can’t restore your data from backup because there’s no data there to restore - but correctly configured backup shuts down this ransomware route.


The second is to do with how the backup stores and updates data. Data is normally stored in a way that protects files as they are modified, but this can be tricked by ransomware into accepting encryption as a legitimate modification.

Pretty soon, this encryption spreads to all your backups, leaving you with locked-up data in your business and locked-up data in your backup. However, cloud backup that uses immutable storage prevents backed-up data being deleted or altered in any way throughout a specified retention lifetime, and so stops the ransomware in its tracks.

Point-in-time restore

The third, for its part, is about being able to retrieve backed-up data from a precise point in time.

Not only is this helpful for being able to restore data back into your organisation’s systems from the latest possible moment prior to an incident – so that your restored data is as current as possible – it also enables the backup system itself to revert to the latest unaffected files should a misconfiguration permit a ransomware attack within the backup system itself.

Immunity to ransomware? Taken together, these three features deliver what’s required.

Should you ditch cloud storage?

None of this means, however, that cloud storage solutions are somehow hopelessly ‘unbackupable’, even though they can be susceptible to ransomware.

Quite the opposite, actually, since you can simply connect these applications to a suitable cloud backup provider and your data is then both stored in the cloud, and backed-up in a separate cloud - which, should ransomware rear its ugly head at the storage level, keeps your backed-up data protected from it.

In fact, this not only satisfies, but exceeds, the cardinal 3-2-1 rule of data backup: at least three copies of your data (one in your desktop application, one in your storage provider’s cloud, one in cloud backup), in two different locations, at least one of which is offsite.

You can’t stop the hackers and you can’t eradicate ransomware. But with the right cloud backup, you can ensure all their efforts to hold your business hostage are in vain.

Rob Stevenson

Rob founded BackupVault over 16 years ago to help identify and meet strict data protection requirements of small, medium and public sector businesses, remaining to this day one of the few fully GDPR compliant UK cloud backup services. Rob is an experienced, successful and proactive business owner with a specialist understanding of the technology sector.