Blog

KEY STATISTICS <2.5%MOVEit victims who paid ransom~25%Accellion victims who paid (2021)~0%Paid in Cleo & Oracle EBS breaches For a few years, ransomware groups seemed to have found a smarter play: steal data, skip the encryption, and watch the ransom payments roll in. It worked brilliantly — until it didn’t. Now, with extortion-only economics in freefall, threat actors are returning to the double-threat model that made them so feared in the first place. How the Shift Happened The data-exfiltration-only playbook was popularized by Cl0p, a group that turned zero-day exploitation into an assembly line. The formula was elegant in its simplicity: find a critical vulnerability in a widely-used enterprise file transfer or storage product, exploit it at scale before anyone could patch, siphon data from as many victims as possible, and demand silence money. In 2021, this approach paid off spectacularly. During the Accellion campaign, Cl0p breached dozens of organizations and roughly a quarter of them paid up. The group repeated the trick with GoAnywhere MFT, where about one in five victims settled. These weren’t small scores — the group likely cleared tens of millions of dollars without ever deploying a single encryption payload. Other groups took notice. Why bother with the complexity of encryption, the risk of detection during file-locking operations, and the messy negotiation over decryption keys? Just steal the data and threaten to publish it. “The bullet points on the ‘pro’ side of the white board are getting increasingly scarce, while the cons side is getting crowded.”— Coveware, Q4 2025 Ransomware Trends Report When the Money Dried Up The MOVEit campaign — Cl0p’s largest and most audacious operation — was also the beginning of the end for the extortion-only model. The attack hit hundreds of organizations across government, finance, and healthcare. But when the ransom demands came, victims largely refused to pay. Less than 2.5% complied. In the subsequent Cleo and Oracle E-Business Suite campaigns, the rate collapsed further — approaching zero. The reason isn’t hard to understand. Enterprises have grown more sophisticated in assessing what a ransom payment actually buys. When encryption is involved, paying at least restores access to locked systems. But paying to suppress leaked data offers no such guarantee. The attackers retain the data regardless. They might sell it, recycle it in future attacks, or simply fail to honor any agreement — and there’s no enforcement mechanism for victims to lean on. The Shiny Hunters extortion group experienced the same rude awakening, according to Coveware, after attempting to replicate Cl0p’s approach. The math simply stopped working. Most Active Groups in Q4 2025 Akira~14% of activityQilin~13% of activityLone Wolf~12% of activity Who’s Getting Hit Ransomware attacks in Q4 2025 were not evenly distributed. Professional services firms bore the heaviest load at nearly 19% of all attacks. Healthcare came in second at over 15%, a perennial target due to its operational urgency and often strained security budgets. Technology, software, and consumer services rounded out the most targeted sectors. SECTORSHARE OF ATTACKS%Professional Services■■■■■■■■■18.92%Healthcare■■■■■■■■15.32%Consumer Services■■■■■9.01%Technology Hardware■■■■■9.91%Software Services■■■■7.21% What the Pivot Back Means for Defenders The return to encryption-plus-exfiltration attacks is, in a sense, good news: organizations now have more warning indicators to look for. Encrypting files across a network is a noisy operation. Good endpoint detection and response (EDR) solutions, behavioral analytics, and network monitoring give defenders a fighting chance to catch attackers mid-operation. But the combined threat model is also more consequential when it succeeds. Organizations must now contend simultaneously with system outages — creating immediate pressure to pay — and with the ongoing risk that stolen data surfaces on dark web leak sites regardless of whether a ransom is paid. That dual leverage was always ransomware’s most potent weapon, and it’s back. Coveware’s analysis offers a pointed observation: every refused ransom payment chips away at the economics that sustain these operations. Improved prevention, tighter incident response, and the maturity to resist extortion collectively make ransomware less profitable — and less frequent. KEY TAKEAWAYS FOR SECURITY TEAMS Extortion-only attacks are yielding diminishing returns — expect more groups to reintroduce encryption for additional leverage.Paying ransom to suppress data release offers no reliable guarantee; enterprises are right to weigh this carefully.Professional services and healthcare remain the top ransomware targets by volume in Q4 2025.Behavioral detection and EDR are more critical than ever as encryption-based attacks return to prominence.Disciplined incident response — including the decision whether to pay — directly erodes attacker economics across the ecosystem. The takeaway isn’t that ransomware is getting easier to deal with. It’s that the cat-and-mouse dynamic is accelerating. Defenders adapted to double extortion; attackers countered with data-only theft; now they’re reverting as that tactic loses teeth. Understanding this cycle — and staying a step ahead — is the work of modern security operations. Adapted from SecurityWeek / Coveware Q4 2025 Ransomware Trends Report — March 2026

Why Cyber Risk Spikes During Disasters and How to Build Resilience by Design Disaster recovery planning has traditionally focused on infrastructure. Systems fail, environments go offline, and IT teams restore operations as quickly as possible. But that model no longer reflects the reality organizations face today. In a recent webinar with NetApp and Elastio, Brittney Bell (NetApp), Mike Fiorella (NetApp), and Eswar Nalamuru (Elastio) explored an increasingly common pattern. When organizations experience a disruption, whether it is a natural disaster, infrastructure outage, or operational crisis, cyber risk often increases at the exact same time. Attackers understand that recovery periods create vulnerability. Systems are under pressure, teams are focused on restoration, and normal controls may be temporarily bypassed. The result is that disaster scenarios frequently become cyber incidents as well. This shift is forcing organizations to rethink how resilience is designed. Instead of treating disaster recovery and cybersecurity as separate functions, organizations are beginning to design recovery strategies that assume both types of events may occur simultaneously. When crises collide Brittney Bell described this challenge using the concept of a “polycrisis,” where multiple forms of disruption occur together rather than in isolation. Natural disasters alone can cause widespread operational impact. Infrastructure damage, power outages, and supply chain disruptions can force organizations into emergency recovery mode. But during those same moments, cyber attackers may also exploit the chaos. In fact, research shows that a large percentage of organizations affected by natural disasters also experience cyber attacks at the same time. Examples from recent history illustrate the scale of impact that disasters can have on infrastructure and digital operations: Major hurricanes that disrupted utilities and transportation infrastructure for weeksFlooding events that took critical systems offlineStorms that impacted data centers and shut down major digital services These events demonstrate why resilience cannot be limited to infrastructure recovery. Organizations must also assume that security threats will emerge when systems are already under stress. As Bell emphasized, resilience today is not just an IT concern. It is a business survival strategy. Disaster recovery and cyber recovery are not the same A key theme of the discussion was the difference between traditional disaster recovery and cyber recovery. Eswar Nalamuru explained that many organizations still approach both scenarios using the same framework. In practice, the two require very different assumptions. In a traditional disaster recovery scenario, the failure is usually clear. Systems may be offline or infrastructure may be unavailable, but organizations generally trust their backup data and recovery points. Cyber recovery introduces uncertainty. Security teams may not know whether attackers still have access to the environment, whether backups have been compromised, or which recovery point is actually safe to restore. This changes how recovery must be executed. Traditional disaster recovery prioritizes speed and service restoration. Cyber recovery requires precision. Teams must identify a clean recovery point and ensure that restoring data will not reintroduce the threat. That investigation step is what often slows recovery efforts during ransomware incidents. Without confidence in backup integrity, organizations may spend days or weeks determining which recovery point can be trusted. The three pillars of modern resilience The speakers outlined a simple framework that organizations can use to bridge the gap between disaster recovery and cyber recovery. Effective resilience strategies now require three capabilities working together. Availability Systems and data must remain accessible even during disruption. High availability architectures and geographic redundancy ensure that applications can continue operating if a primary location fails. Isolation and immutability Backup data must be protected from tampering or deletion. Features such as immutable storage and write-once policies help ensure attackers cannot alter or destroy recovery data. Integrity Organizations must be able to verify that their backups are clean and recoverable. Without validation, backups may contain encrypted or corrupted data that will fail during recovery. While many organizations already invest heavily in availability and immutability, integrity validation is often the missing layer. The storage foundation for resilient recovery Mike Fiorella discussed how many organizations are using Amazon FSx for NetApp ONTAP as a foundation for modern recovery strategies. FSx for NetApp ONTAP, often referred to as FSxN, is a managed storage service in AWS that incorporates NetApp’s ONTAP data management platform. Several capabilities make it well suited for resilient architectures. High availability deployments allow data to remain accessible even if a failure occurs within a single availability zone. Snapshot technology enables fast, space efficient point-in-time recovery of data. SnapMirror replication allows organizations to maintain synchronized copies of data in secondary AWS regions, enabling rapid failover if a primary region becomes unavailable. SnapLock adds immutability by allowing organizations to enforce write-once retention policies that prevent modification or deletion of protected data. Together, these capabilities allow organizations to create layered recovery strategies that include local snapshots, cross-region replication, and long-term protected backups. The integrity challenge in ransomware recovery Even with strong storage and backup protections in place, a critical question often remains unanswered during ransomware incidents. Is the data clean? Eswar Nalamuru explained that modern ransomware campaigns increasingly target backup infrastructure. If attackers can encrypt both production systems and backups, they remove the organization’s ability to recover independently. Attack techniques have also become far more sophisticated. Many modern ransomware variants use approaches designed to evade traditional detection tools. Examples include: Fileless attacks that operate entirely in memoryEncryption techniques that modify only portions of filesObfuscation techniques that preserve file metadataPolymorphic malware variants that continuously change signatures These techniques make it difficult for traditional security tools to detect encryption activity before damage occurs. To address this challenge, Elastio focuses on validating the integrity of backup data. Its platform scans stored data to detect ransomware encryption patterns and identify clean recovery points that organizations can safely restore. The goal is simple but critical. When a crisis occurs, recovery teams should know exactly where to recover from. Designing resilience for the real world The central lesson from the webinar is that recovery planning must evolve. Organizations can no longer assume that disasters and cyber attacks occur independently. Real world disruptions often combine both. Building resilient architectures requires integrating infrastructure availability, immutable data protection, and backup integrity validation into a single strategy. When these elements work together, organizations can recover faster and with greater confidence, even under the most challenging conditions. Join us for the “Building for the Breach” workshops To continue the conversation, Elastio, NetApp, and AWS are hosting a series of in-person workshops focused on ransomware resilience and recovery readiness. The Building for the Breach workshops explore how organizations can prepare for ransomware attacks before they occur. Each session includes: An executive discussion on modern cyber resilience strategiesA technical walkthrough of ransomware attack and recovery scenariosHands-on demonstrations of technologies that help validate recovery points and accelerate recovery Upcoming workshops are scheduled in cities including New York, Boston, Chicago, and Toronto. If you are responsible for disaster recovery, cybersecurity, or infrastructure resilience, these sessions provide an opportunity to see how modern recovery strategies work in practice and how organizations can strengthen their readiness for future disruptions. You can learn more about the workshops and upcoming dates through the Elastio events page.

The Rise of Off-Platform Encryption Modern ransomware attacks no longer follow a predictable script. Today’s adversaries are methodical and adaptive. They move laterally, identify valuable data, and increasingly attempt techniques designed to evade traditional detection controls. One scenario highlighted in recent threat reporting involves attackers transferring data from a storage array to an unmanaged host, encrypting it outside the production platform, and then writing the encrypted data back. The Illusion of Evasion On the surface, this appears clever. If encryption happens “off platform,” perhaps it avoids detection mechanisms tied to the storage system itself. Security teams may assume that because the encryption process did not execute within the storage environment, it leaves fewer indicators behind. That assumption does not hold up. Why Location Doesn’t Matter The critical point is that ransomware is not dangerous because of where encryption executes. It is dangerous because of what encryption does to data. When attackers copy files to an unmanaged system, encrypt them externally, and then reintroduce them into the environment, the storage platform may simply register file modifications. Blocks are written, files are updated, and nothing may appear operationally unusual at first glance. Encryption Leaves a Mark But the data itself has fundamentally changed. Elastio does not depend on observing the act of encryption. It does not require visibility into the unmanaged host. It does not rely on detecting specific attacker tools or processes. Instead, Elastio evaluates the integrity and structure of the data itself. When encrypted data is written back into a protected environment, it exhibits clear mathematical characteristics. There is high entropy, loss of expected file structure, destruction of known signatures, and transformation from meaningful structured content into statistically random output. Those changes are measurable and immediately identifiable. In an enterprise cloud environment, when encrypted files are reintroduced after off-platform manipulation, Elastio detects the anomaly as soon as the altered data is analyzed. The system recognizes that the file state no longer matches expected structural norms. Compromised data is flagged right away. Clean recovery points are preserved and confidence in restoration remains intact. Protecting Recovery Before It’s Too Late This matters because backup compromise is now a primary objective of modern ransomware groups. Attackers understand that if they can corrupt recovery data, they dramatically increase pressure to pay. Off-platform encryption is one way they attempt to quietly poison what organizations believe are safe restore points. Elastio prevents that silent corruption from spreading undetected. The architectural advantage is straightforward. Elastio focuses on validating the recoverability and integrity of backup data continuously. It does not chase attacker techniques, which evolve constantly. It analyzes outcomes, which cannot hide. Even if encryption occurs halfway around the world on infrastructure the organization never sees, the reintroduced data cannot disguise its cryptographic fingerprint. The mathematical properties of encryption are universal. They do not depend on vendor, platform, or geography. As soon as that altered data touches protected storage, the signal is present. Attackers may change tools, infrastructure, and tradecraft. They may leverage unmanaged hosts, cloud workloads, or insider access. They may try to fragment, stagger, or throttle their activity to avoid behavioral alarms. None of that changes what encrypted data looks like when examined structurally. Verification Is the Advantage That is why outcome-based detection matters. By analyzing the data itself rather than the surrounding activity, Elastio removes the blind spots attackers attempt to exploit. Off-platform encryption is simply another variation of the same fundamental tactic: render data unusable while attempting to evade detection. When encrypted content re-enters the environment, it is seen immediately for what it is. In cybersecurity, assumptions create risk. Verification creates resilience.

The False Security of Checked BoxesIn the high-stakes world of cyber-recovery, there is a dangerous assumption that "detection" is a binary state, either you have it or you don’t. Most backup vendors have checked the box by offering anomaly and entropy-based monitoring. But as a CISO who has spent over a decade in regulated industries, I’ve learned that a check-box control is often worse than no control at all. It creates a false sense of security while delivering a signal so noisy and inaccurate that it’s practically unusable. The Inaccuracy Problem: Inference Is Not Evidence The core issue with the ransomware detection provided by backup vendors isn’t just where it happens; it’s how it happens. These tools rely on statistical inference rather than data evidence: Anomaly Detection: Monitors for “unusual” behavior, like a sudden spike in changed blocks or a deviation in backup window duration.Entropy Detection: Measures data randomness to infer encryption. In a modern enterprise, data is naturally “noisy.” Compressed database logs, encrypted video files, and standard application updates all register as anomalies or high-entropy events. Because these tools cannot distinguish between a legitimate .zip file and a ransomware-encrypted .docx, they produce a constant stream of false positives. Figure 1: Modern ransomware (red) operates below the statistical noise floor while legitimate enterprise data generates constant false-positive noise. Elastio detects threats through structural content inspection, independent of entropy. For a SOC team, this noise is toxic. When a tool is consistently inaccurate, the human response is predictable: the alerts are muted, tuned down, or ignored. If your “last line of defense” relies on a signal that your team doesn’t trust, you don’t actually have a defense. Beyond the “Big Bang”: The Rise of Evasive Encryption Current anomaly and entropy tools were designed for the "Big Bang" encryption events of years past. As of 2026, threat actors have evolved well beyond this model, with variants including LockFile specifically engineered to stay below the statistical noise floor using intermittent encryption. Intermittent Encryption: Encrypting every other 4KB block so the overall entropy change remains negligible.Low-Entropy Encryption: Using specialized schemes that mimic the statistical signature of benign, compressed data.Selective Corruption: Attacking only file headers or metadata while leaving the bulk of the file statistically “normal.” Against these techniques, a statistical guess is useless. You need a Data Integrity Control that performs deep content inspection to validate the actual structure of the data, not just its randomness. Mapping Integrity to the Resilience Lifecycle A high-fidelity integrity engine, like Elastio, provides the same level of accuracy regardless of where it is deployed. However, for a CISO, the location of that check is a strategic decision based on the Resilience Lifecycle: The Backup Layer: Validating integrity here is non-negotiable. It ensures that when you hit “restore,” you aren’t re-injecting corrupted data into your environment and extending downtime.The Production Layer (VMs, Buckets, Filers): For mission-critical data, waiting for the backup cycle to run is a luxury we can’t afford. Detecting corruption at the source, in your production VMs, S3 buckets, or filers, is about minimizing the blast radius. Data integrity validation serves different purposes depending on where it is applied in the resilience lifecycle. Scanning production data across VMs, filers, and object stores is the most effective way to minimize blast radius and prevent spread, because it detects corruption before it propagates downstream. When production data cannot be scanned due to security boundaries, operational constraints, or tenancy limitations, snapshots and replicas become the practical control point for achieving the same outcome. In this model, snapshot integrity analysis is not additive to production scanning; it is a substitute. Both serve the same objective: early detection and containment before corruption reaches backups or immutable storage. The CISO’s Bottom Line: Proving vs. Guessing Resilience is measured by the speed and certainty of recovery. Anomaly and entropy-based detection fail on both counts: they are too inaccurate to provide certainty and too late to provide speed. True resilience requires moving from statistical inference to data integrity validation. Whether validating backups to prove recoverability or monitoring production data to prevent spread, the objective is the same: replace guessing with proof. In regulated environments, “recovery is safe” is the only defensible statement a CISO can make to the board. The ability to detect these advanced threats early is the difference between being able to ensure fast recovery versus a ransomware event that results in devastating downtime, data loss, and financial impact.

Cloud ransomware incidents rarely begin with visible disruption. More often, they unfold quietly, long before an alert is triggered or a system fails. By the time incident response teams are engaged, organizations have usually already taken decisive action. Workloads are isolated. Instances are terminated. Cloud dashboards show unusual activity. Executives, legal counsel, and communications teams are already involved. And very quickly, one question dominates every discussion. What can we restore that we actually trust? That question exposes a critical gap in many cloud-native resilience strategies. Most organizations have backups. Many have immutable storage, cross-region replication, and locked vaults. These controls are aligned with cloud provider best practices and availability frameworks. Yet during ransomware recovery, those same organizations often cannot confidently determine which recovery point is clean. Cloud doesn’t remove ransomware risk — it relocates it This is not a failure of effort. It is a consequence of how cloud architectures shift risk. Cloud-native environments have dramatically improved the security posture of compute. Infrastructure is ephemeral. Servers are no longer repaired; they are replaced. Containers and instances are designed to be disposable. From a defensive standpoint, this reduces persistence at the infrastructure layer and limits traditional malware dwell time. However, cloud migration does not remove ransomware risk. It relocates it. Persistent storage remains long-lived, highly automated, and deeply trusted. Object stores, block snapshots, backups, and replicas are designed to survive everything else. Modern ransomware campaigns increasingly target this persistence layer, not the compute that accesses it. Attackers don’t need malware — they need credentials Industry investigations consistently support this pattern. Mandiant, Verizon DBIR, and other threat intelligence sources report that credential compromise and identity abuse are now among the most common initial access vectors in cloud incidents. Once attackers obtain valid credentials, they can operate entirely through native cloud APIs, often without deploying custom malware or triggering endpoint-based detections. From an operational standpoint, these actions appear legitimate. Data is written, versions are created, snapshots are taken, and replication occurs as designed. The cloud platform faithfully records and preserves state, regardless of whether that state is healthy or compromised. This is where many organizations encounter an uncomfortable reality during incident response. Immutability is not integrity Immutability ensures that data cannot be deleted or altered after it is written. It does not validate whether the data was already encrypted, corrupted, or poisoned at the time it was captured. Cloud-native durability and availability controls were never designed to answer the question incident responders care about most: whether stored data can be trusted for recovery. In ransomware cases, incident response teams repeatedly observe the same failure mode. Attackers encrypt or corrupt production data, often gradually, using authorized access. Automated backup systems snapshot that corrupted state. Replication propagates it to secondary regions. Vault locks seal it permanently. The organization has not lost its backups. It has preserved the compromised data exactly as designed. Backup isolation alone is not enough This dynamic is particularly dangerous in cloud environments because it can occur without malware, without infrastructure compromise, and without violating immutability controls. CISA and NIST have both explicitly warned that backup isolation and retention alone are insufficient if integrity is not verified. Availability testing does not guarantee recoverability. Replication can accelerate the blast radius Replication further amplifies the impact. Cross-region architectures prioritize recovery point objectives and automation speed. When data changes in a primary region, those changes are immediately propagated to disaster recovery environments. If the change is ransomware-induced corruption, replication accelerates the blast radius rather than containing it. From the incident response perspective, this creates a critical bottleneck that is often misunderstood. The hardest part of recovery is deciding what to restore The hardest part of recovery is not rebuilding infrastructure. Cloud platforms make redeployment fast and repeatable. Entire environments can be recreated in hours. The hardest part is deciding what to restore. Without integrity validation, teams are forced into manual forensic processes under extreme pressure. Snapshots are mounted one by one. Logs are reviewed. Timelines are debated. Restore attempts become experiments. Every decision carries risk, and every delay compounds business impact. This is why ransomware recovery frequently takes days or weeks even when backups exist. Boards don’t ask “Do we have backups?” Boards do not ask whether backups are available. They ask which recovery point is the last known clean state. Without objective integrity assurance, that question cannot be answered deterministically. This uncertainty is not incidental. It is central to how modern ransomware creates leverage. Attackers understand that corrupting trust in recovery systems can be as effective as destroying systems outright. What incident response teams wish you had is certainty What incident response teams consistently wish organizations had before an incident is not more backups, but more certainty. The ability to prove, not assume, that recovery data is clean. Evidence that restoration decisions are based on validated integrity rather than best guesses made under pressure. Integrity assurance is the missing control This is where integrity assurance becomes the missing control in many cloud strategies. NIST CSF explicitly calls for verification of backup integrity as part of the Recover function. Yet most cloud-native architectures stop at durability and immutability. When integrity validation is in place, recovery changes fundamentally. Organizations can identify the last known clean recovery point ahead of time. Recovery decisions become faster, safer, and defensible. Executive and regulatory confidence improves because actions are supported by evidence. From an incident response standpoint, the difference is stark. One scenario is prolonged uncertainty and escalating risk. The other is controlled, confident recovery. Resilience is proving trust, not storing data Cloud-native architecture is powerful, but ransomware has adapted to it. In today’s threat landscape, resilience is no longer defined by whether data exists somewhere in the cloud. It is defined by whether an organization can prove that the data it restores is trustworthy. That is what incident response teams see after cloud ransomware. Not missing backups, but missing certainty. Certainty is the foundation of recovery And in modern cloud environments, certainty is the foundation of recovery.

CMORG’s Data Vaulting Guidance: Integrity Validation Is Now a Core Requirement In January 2025, the Cross Market Operational Resilience Group (CMORG) published Cloud-Hosted Data Vaulting: Good Practice Guidance. It is a timely and important contribution to the operational resilience of the UK financial sector. CMORG deserves recognition for treating recovery architecture as a priority, not a future initiative. In financial services, the consequences of a cyber event extend well beyond a single institution. When critical systems are disrupted and recovery fails, the impact can cascade across customers, counterparties, and markets. The broader issue is confidence. A high-profile failure to recover can create damage that reaches far beyond the affected firm. This is why CMORG’s cross-industry collaboration matters. It reflects an understanding that resilience is a shared responsibility. Important Theme: Integrity Validation The guidance does a strong job outlining the principles of cloud-hosted vaulting, including isolation, immutability, access control, and key management. These are necessary design elements for protecting recovery data against compromise. But a highly significant element of the document is its emphasis on integrity validation as a core requirement. CMORG Foundation Principle #11 states: “The data vault solution must have the ability to run analytics against its objects to check integrity and for any anomalies without executing the object. Integrity checks must be done prior to securing the data, doing it post will not ensure recovery of the original data or the service that the data supported.” This is a critical point. Immutability can prevent changes after data is stored, but it cannot ensure that the data was clean and recoverable at the time it was vaulted. If compromised data is written into an immutable environment, it becomes a permanently protected failure point. Integrity validation must occur before data becomes the organization’s final recovery source of truth. CMORG Directly Addresses the Risk of Vaulting Corrupted Data CMORG reinforces this reality in Annex A, Use Case #2, which addresses data corruption events: “For this use case when data is ‘damaged’ or has been manipulated having the data vaulted would not help, since the vaulted data would have backed up the ‘damaged’ data. This is where one would need error detection and data integrity checks either via the application or via the backup product.” This is one of the most important observations in the document. Vaulting can provide secure retention and isolation, but it cannot determine whether the data entering the vault is trustworthy. Without integrity controls, vaulting can unintentionally preserve compromised recovery points. The Threat Model Has Changed The guidance aligns with what many organizations are experiencing in practice. Cyber-attacks are no longer limited to fast encryption events. Attackers increasingly focus on compromising recovery, degrading integrity over time, and targeting backups and recovery infrastructure. These attacks may involve selective encryption, gradual corruption, manipulation of critical datasets, or compromise of backup management systems prior to detonation. In many cases, the goal is to eliminate confidence in restoration and increase leverage during extortion. The longer these attacks go undetected, the more likely compromised data is replicated across snapshots, backups, vaults, and long-term retention copies. At that point, recovery becomes uncertain and time-consuming, even if recovery infrastructure remains available. Why Integrity Scanning Must Happen Before Data Is Secured CMORG’s point about validating integrity before data is secured is particularly important. Detection timing directly affects recovery outcomes. Early detection preserves clean recovery points and reduces the scope of failed recovery points. Late detection increases the likelihood that all available recovery copies contain the same corruption or compromise. This is why Elastio’s approach is focused on integrity validation of data before it becomes the foundation of recovery. Organizations need a way to identify ransomware encryption patterns and corruption within data early for recovery to be predictable and defensible. A Meaningful Step Forward for the Industry CMORG’s cloud-hosted data vaulting guidance represents an important milestone. It reflects a mature view of resilience that recognizes vaulting and immutability as foundational, but incomplete without integrity validation. The integrity of data must be treated as a primary control. CMORG is correct to call this out. It is one of the clearest statements published by an industry body on what effective cyber vaulting must include to support real recovery.

Closing the Data Integrity Control Gap In 2025, the cybersecurity narrative shifted from protection to provable resilience. The reason? A staggering 333% surge in "Hunter-Killer" malware threats designed not just to evade your security stack, but to systematically dismantle it. For CISOs and CTOs in regulated industries, this isn't just a technical hurdle; it is a Material Risk that traditional recovery frameworks are failing to address. The Hunter-Killer Era: Blinding the Frontline The Picus Red Report 2024 identified that one out of every four malware samples now includes "Hunter-Killer" functionality. These tools, like EDRKillShifter, target the kernel-level "callbacks" that EDR and Antivirus rely on to monitor your environment. The Result: Your dashboard shows a "Green" status, while the adversary is silently corrupting your production data. This creates a Recovery Blind Spot that traditional, agent-based controls cannot see. The Material Impact: Unquantifiable Downtime When your primary defense is blinded, the "dwell time", the period an attacker sits in your network, balloons to a median of 11–26 days. In a regulated environment, this dwell time is a liability engine: The Poisoned Backup: Ransomware dwells long enough to be replicated into your "immutable" vaults.The Forensic Gridlock: Organizations spend an average of 24 days in downtime manually hunting for a "clean" recovery point.The Disclosure Clock: Under current SEC mandates, you have four days to determine the materiality of an incident. If you can’t prove your data integrity, you can’t accurately disclose your risk. Agentless Sovereignty: The Missing Control Elastio addresses the Data Integrity Gap by sitting outside the line of fire. By moving the validation layer from the compromised OS to the storage layer, we provide the only independent source of truth. The Control GapThe Elastio OutcomeAgent FragilityAgentless Sovereignty: Sitting out-of-band, Elastio is invisible to kernel-level "Hunter-Killer" malware.Trust BlindnessIndependent Truth: We validate data integrity directly from storage, ensuring recovery points are clean before you restore.Forensic LagMean Time to Clean Recovery (MTCR): Pinpoint the exact second of integrity loss to slash downtime from weeks to minutes. References & Sources GuidePoint Security GRIT 2026 Report: 58% year-over-year increase in ransomware victims.Picus Security Red Report 2024: 333% surge in Hunter-Killer malware targeting defensive systems.ESET Research - EDRKillShifter Analysis: Technical deep-dive into RansomHub’s custom EDR killer and BYOVD tactics.Mandiant M-Trends 2025: Median dwell time increases to 11 days; 57% of breaches notified by external sources.Pure Storage/Halcyon/RansomwareHelp: Average ransomware downtime recorded at 24 days across multiple industries in 2025.Cybereason True Cost to Business: 80% of organizations who pay a ransom are hit a second time.

Cloud-Native Architectures Shift Ransomware Risk to Data Integrity While cloud platforms improve availability and durability through replication, immutability, and automated recovery, they do not ensure data integrity. In cloud-native environments, compute is ephemeral and identity-driven, but persistent storage is long-lived and highly automated. This shifts ransomware risk away from servers and toward data itself. Modern ransomware increasingly exploits compromised cloud credentials and native APIs to encrypt or corrupt data gradually, often without triggering traditional malware detection. As a result, immutable backups and replicas can faithfully preserve corrupted data, leaving organizations unable to confidently restore clean systems. Ransomware resilience in cloud-native architectures therefore requires data integrity validation: continuous verification that backups, snapshots, and storage objects are clean, recoverable, and provably safe to restore. Without integrity assurance, recovery decisions depend on manual forensics, increasing downtime, operational risk, and regulatory exposure. Executive Strategic Assessment We have successfully re-architected our enterprise for the cloud, adopting a model where compute is ephemeral and infrastructure is code. In this environment, we no longer repair compromised servers; we terminate them. This success has created a dangerous blind spot. By making compute disposable, we have migrated our risk entirely to the persistent storage layer (S3, EBS, FSx, RDS). Our current architectural controls—S3 Versioning, Cross-Region Replication, and Backup Vault Locks—are designed for Durability and Availability. They guarantee that data exists and cannot be deleted. They do not guarantee that the data is clean. In cloud-native security, data integrity means the ability to cryptographically and behaviorally verify that stored data has not been silently encrypted, corrupted, or altered before it is used for recovery. In a modern ransomware attack, the threat is rarely that you "lose" your backups; it is that your automated, immutable systems perfectly preserve the corrupted state. If we replicate an encrypted database to a compliance-mode vault, we have not preserved the business—we have simply "vaulted the virus."Under the shared responsibility model, cloud providers protect the availability of the platform, while customers retain responsibility for ensuring the correctness and integrity of the data they store and recover. This brief analyzes the Integrity Gap in cloud-native resilience. It details the architectural controls required to transition from assuming a clean recovery to algorithmically proving it, ensuring that when the Board asks, The New Risk Reality: Ephemeral Compute, Permanent Risk Our migration to cloud-native architectures on AWS has fundamentally shifted our risk profile. We have moved from "repairing servers" to "replacing them." Compute is now disposable (containers, serverless functions, auto-scaling groups) and identity is dynamic (short-lived IAM credentials). This is a security win for the compute layer because the "crime scene" effectively evaporates during an incident. Cloud changes where risk concentrates, not whether risk exists. Recent incident analysis shows stolen credentials as a leading initial access vector, with median attacker dwell time measured in days rather than months. This compression of time is what enables low-and-slow data corruption to outrun human-driven validation. Multiple industry investigations support this pattern, including Mandiant and Verizon DBIR reporting that credential abuse and identity compromise are now among the most common initial access vectors in cloud environments, with attackers often persisting long enough to corrupt data before detection. However, this architecture forces a massive migration of risk into the persistent storage layer. Modern ransomware attacks exploit this shift by targeting the integrity of the state itself. Attackers encrypt object stores, poison transaction logs, or utilize automation roles to mass-modify snapshots.Why aren’t cloud-native architectures inherently ransomware-safe? Because cloud controls prioritize availability and automation, not verification of data correctness at restore time. The Strategic Blind Spot: Immutability is Not Integrity Our current resilience strategy aligns with AWS Well-Architected frameworks. We rely heavily on Availability and Durability. We use S3 Versioning, AWS Backup Vault Locks, and Cross-Region Replication. These controls are excellent at ensuring data exists and cannot be deleted. However, they fail to ensure the data is clean. Integrity controls verify recoverability and correctness of restoration assets, not just retention. Operationally, this means validating data for encryption or corruption, proving restore usability, and recording a deterministic “last known clean” recovery point so restoration decisions do not depend on manual forensics. In a "Low and Slow" corruption attack, a threat actor uses valid, compromised credentials to overwrite data or generate new encrypted versions over weeks. In cloud environments, attackers increasingly encrypt or replace data using native storage APIs rather than custom malware. Once access is obtained, legitimate encryption and snapshot mechanisms can be abused to corrupt data while appearing operationally normal.This creates a failure mode unique to cloud-native architectures: attacks can succeed without malware, without infrastructure compromise, and without violating immutability controls. The "Immutable Poison" Problem: If an attacker encrypts a production database, Backups will dutifully snapshot that corruption. If Vault Lock is enabled, we effectively seal the corrupted state in a compliance-mode vault. We have preserved the attack rather than the business. Vault Locking prevents deletion and lifecycle modification of recovery points, including by privileged users. It does not validate the integrity or cleanliness of the data being ingested and retained.Replication Accelerates Blast Radius: Because replication is designed for speed (RPO), it immediately propagates the corrupted state to the DR region. The Missing Control: Recovery Assurance During a ransomware event, the most expensive resource is decision time. The Board will not ask "Do we have backups?" They will ask "Which recovery point is the last known good state?" Without a dedicated integrity control, answering this requires manual forensics. Teams must mount snapshots one by one, scan logs, and attempt trial-and-error restores. This process turns a 4-hour RTO into a multi-day forensic ordeal. Industry data shows that organizations take months to fully identify and contain breaches, and multi-environment incidents extend that timeline further. This gap is why recovery cannot depend on snapshot-by-snapshot investigation during an active crisis. Critically, integrity validation produces durable evidence, timestamps, scan results, and clean-point attestations that can be reviewed by executives, auditors, and regulators as part of post-incident assurance. Where Elastio Fits: The Integrity Assurance Layer Elastio fits into our architecture not as a backup tool, but as an Integrity Assurance Control (NIST CSF "Recover") that audits the quality of our persistence layer. Detection in Depth: Unlike EDR which monitors processes, Elastio watches the entropy and structure of the data itself. It scans S3 buckets and EBS snapshots for the mathematical signatures of encryption and corruption.Provable Recovery: Elastio indexes recovery points to algorithmically identify the "Last Known Clean" timestamp. This allows us to automate the selection of a clean restore point and decouple recovery time from forensic complexity. Platform Engineering Guide Architecture Context Elastio operates as an agentless sidecar. It utilizes scale-out worker fleets to mount and inspect storage via standard Cloud APIs (EBS Direct APIs, S3 GetObject, Azure APIs). It does not require modifying production workloads or installing agents on production nodes. Protection Capabilities by Asset Class 1. AWS S3 & Azure Blob Data Lakes Real-Time Inspection: The system scans objects in real-time as they are created. This ensures immediate detection of "infection by addition."Threat Hunting: If threats are found, automated threat hunts are performed on the existing objects/versions to identify the extent of the compromise.Recovery: The system identifies the last known clean version, allowing restores to be automated and precise. 2. Block Storage (EBS, EC2, Azure Disks, Azure VMs) Scale-Out Scanning: Automated scans of persistent storage are performed using ephemeral, scale-out clusters. This ensures that inspection does not impact the performance of the production workload.Policy Control: For long-lived workloads (e.g., self-hosted databases), policies control how frequently to scan (e.g., daily, hourly, or on snapshot creation) to balance assurance with cost. Integrity validation frequency must be faster than plausible time-to-impact. With ransomware dwell time measured in days, weekly validation leaves material integrity gaps. For critical, high-risk workloads, production data validation can be configured to run as frequently as hourly, based on policy and business criticality, while lower-risk assets can operate at longer intervals to balance assurance, cost, and operational impact. 3. AWS Backup Scan-on-Create: Automated scanning of backups occurs immediately as they are created.Asset Support: Supports EC2, EBS, AMI, EFS, FSx, and S3 backup types.Vault Integration: Fully integrated with AWS Backup Restore Testing and Logically Air-Gapped (LAG) Vaults, ensuring that data moving into high-security vaults is verified clean before locking. 4. Azure Backup Scan-on-Create: Automated scanning of backups occurs immediately as they are created.Asset Support: Supports Azure VM, Azure Managed Disks, and Azure Blobs. 5. Managed Databases (RDS / Azure Managed SQL) Status: Not Supported.Note: Direct integrity scanning inside managed database PaaS services is not currently supported. Table 1: Threat Manifestation & Control Fit Architecture ComponentThe "Native" Failure ModeProtection Available (Elastio)AWS S3 / Azure Blob"Infection by Addition"Ransomware writes new encrypted versions of objects. The bucket grows, and "current" versions are unusable.Real-Time Detection & HuntingScans real-time as objects are created. Automates threat hunts for last known clean versions. Automates restores.EC2 / Azure VMs(Self-Hosted DBs)The "Live Database" AttackAttackers encrypt database files (.mdf, .dbf) while the OS remains up. Standard snapshots capture the encrypted state.Automated Integrity ScansAutomated scans of persistent storage in scale-out clusters. Policies control scan frequency for long-lived workloads.AWS BackupVault PoisoningWe lock a backup that was already compromised (Time-to-detect > Backup Frequency).Scan-on-Create (Vault Gate)Automated scanning of backups (EC2, EBS, AMI, EFS, FSx, S3) as they are created. Integrated with AWS Restore Test and LAG Vaults.Azure BackupReplica CorruptionBackup vaults replicate corrupted recovery points to paired regions.Scan-on-CreateAutomated scanning of Azure VM, Managed Disk, and Blob backups as they are created.Managed DBs(RDS / Azure Managed SQL)Logical CorruptionValid SQL commands drop tables or scramble columns.Not SupportedIn these environments, integrity assurance must be addressed through complementary controls such as transaction log analysis, application-layer validation, and point-in-time recovery testing. Conclusion Adopting this control moves us from a posture of "We assume our immutable backups are valid" to "We have algorithmic proof of which recovery points are clean." In an era of compromised identities, this verification is the requisite check-and-balance for cloud storage. This control removes uncertainty from recovery decisions when time, trust, and data integrity matter most.In cloud-native environments, ransomware resilience is no longer defined by whether data exists, but by whether its integrity can be continuously proven before recovery.In practical terms, any cloud-native ransomware recovery strategy that cannot deterministically identify a last known clean recovery point before restoration should be considered operationally incomplete. This perspective reflects patterns we consistently see in enterprise incident response, including insights shared by Elastio advisors with deep experience leading ransomware investigations and cloud recovery efforts.

Elastio and AWS recently hosted a joint webinar, “Modern Ransomware Targets Recovery: Here’s What You Can Do to Stay Safe.” The session brought together experts to unpack how ransomware tactics are evolving and what organizations need to do differently to stay resilient. A clear theme emerged. Attackers are no longer focused on disruption alone. They are deliberately sabotaging recovery. Ransomware Has Shifted From Disruption to Recovery Sabotage Modern ransomware no longer relies on fast, obvious encryption of production systems. Instead, attackers often gain access months in advance. They quietly study the environment, including backup architectures, replication paths, and retention windows. Encryption happens slowly and deliberately, staying below detection thresholds while corrupted data propagates into snapshots, replicas, and backups. By the time the attack is triggered and ransom is demanded, recovery options are already compromised. This represents a fundamental shift in risk. Backups are no longer just a safety net. They are a primary target. Ransomware Risk Is Unquantifiable Without Proven Clean Recovery Points Ransomware risk becomes impossible to quantify when organizations cannot prove their recovery data is clean. Boards, regulators, and insurers are no longer reassured by the mere existence of backups. They want to know how quickly recovery can happen, which recovery point will be used, and how its integrity is verified. Most organizations cannot answer these questions with confidence because backup validation is not continuous. The consequences are real. Extended downtime, board-level exposure, insurance gaps, and growing regulatory pressure under frameworks such as DORA, NYDFS, and PRA. Without proven clean recovery points, ransomware becomes an unbounded business risk rather than a technical one. The Three Pillars of Ransomware Recovery Assurance The webinar emphasized that real ransomware resilience depends on three pillars working together. Immutability and isolation ensure backups are tamper-proof and stored separately, protected by independent encryption keys. AWS capabilities such as logically air-gapped vaults support this foundation.Availability focuses on whether recovery can happen fast enough to meet business expectations, particularly when identity systems are compromised. Clean-account restores and multi-party approval become critical.Integrity, the most overlooked pillar, ensures backups are continuously validated to detect encryption, corruption, malware, and fileless attacks, and to clearly identify the last known clean recovery point. If any pillar fails, recovery fails. For more information: Resilience by design: Building an effective ransomware recovery strategy | AWS Storage Blog Malware Scanning Is Not Ransomware Detection The speakers drew a clear distinction between traditional malware scanning and what is required to defend against modern ransomware. Signature-based tools look for known binaries, but today’s attacks often run in memory, use polymorphic techniques, and encrypt data without leaving a detectable payload. In these cases, the absence of malware does not mean the absence of damage. Effective ransomware defense requires detecting the impact on data itself, including encryption, corruption, and abnormal change patterns, not just the presence of malicious code. Validation Enables Faster, Safer Recovery Without Paying Ransom A real-world case study illustrated the value of recovery validation. Attackers encrypted data gradually over several days, allowing compromised data to flow into backups that appeared intact but were unsafe to restore. Through targeted threat hunting, Elastio identified a clean recovery point from roughly six days earlier, enabling the company to restore operations without paying the ransom. With downtime costs often reaching millions per day, even small reductions in recovery time have outsized financial impact. The takeaway was simple. Knowing where to recover from matters more than recovering quickly from the wrong place. Key Takeaways Ransomware now targets recovery, not just production.Attackers gain access early, encrypt data slowly, and ensure corruption spreads into replicas and backups before triggering an attack. By the time ransom is demanded, recovery paths are often already compromised.Backups alone are not proof of recoverability.Without continuous validation, organizations cannot confidently identify a clean recovery point, making ransomware risk impossible to quantify.True ransomware resilience depends on three pillars.Immutability and isolation protect backups from tampering, availability ensures recovery meets business expectations, and integrity validation confirms recovery data is usable. If integrity fails, recovery fails.Malware detection is not ransomware detection.Fileless and polymorphic attacks often evade signature-based tools. Detecting the impact on data, such as encryption and corruption, is critical.Provable recovery changes the economics of ransomware.Validated recovery points reduce downtime, avoid reinfection, and can eliminate the need to pay ransom, delivering measurable operational and financial impact. Additional Resources AWS ReInvent: How Motability Operations built a ransomware-ready backup strategy with AWS Backup & Elastio AWS re:Invent 2025 - Motability Operations' unified backup strategy: From fragmented to fortified

In early 2026, U.S. authorities issued a cyber threat alert warning organizations about evolving tactics used by North Korean state-sponsored cyber actors. The advisory highlights how the Democratic People’s Republic of Korea (DPRK) continues to refine its cyber operations to conduct espionage, gain persistent access to networks, and generate revenue to support state objectives. This activity underscores a broader reality: DPRK cyber operations are no longer niche or experimental. They are mature, adaptive, and increasingly effective against both public- and private-sector targets. Evolving Tradecraft: From Phishing to QR Code Attacks A key focus of the alert is the growing use of malicious QR codes embedded in phishing emails, a technique often referred to as “quishing.” Instead of directing victims to malicious links, attackers embed QR codes that prompt users to scan them with mobile devices. This approach allows attackers to bypass traditional email security controls and exploit weaker defenses on mobile platforms. Once scanned, these QR codes redirect victims to attacker-controlled pages that closely mimic legitimate login portals, such as enterprise email or remote access services. Victims who enter their credentials unknowingly hand over access to their accounts, enabling attackers to move laterally, conduct follow-on phishing campaigns, or establish long-term persistence. Kimsuky and Targeted Espionage The activity described in the alert is attributed to a DPRK-linked cyber group commonly referred to as Kimsuky. This group has a long history of targeting policy experts, think tanks, academic institutions, and government entities, particularly those involved in foreign policy and national security issues related to the Korean Peninsula. What distinguishes recent campaigns is the subtlety of the lures and the deliberate exploitation of user trust. Emails are crafted to appear routine or administrative, and QR codes are presented as harmless conveniences. This increases the likelihood of successful compromise, even in security-aware environments. Cybercrime as Statecraft DPRK cyber operations should not be viewed solely through the lens of traditional espionage. North Korea has repeatedly demonstrated its willingness to use cybercrime as a strategic tool. In parallel with intelligence collection, DPRK-linked actors have conducted financially motivated attacks, including cryptocurrency theft, financial fraud, and illicit remote employment schemes. These activities serve a dual purpose: generating revenue to circumvent international sanctions and providing operational cover for broader intelligence objectives. In many cases, what appears to be simple fraud is ultimately tied to state-directed priorities. Why This Matters Now The techniques outlined in the 2026 alert highlight how DPRK cyber actors are adapting faster than many defensive programs. By shifting attacks to mobile devices, exploiting human behavior, and blending espionage with financial crime, they reduce the effectiveness of traditional security controls. For organizations, this means that technical defenses alone are no longer sufficient. User awareness, mobile security posture, identity protection, and anomaly detection all play a critical role in mitigating risk. Key Takeaways for Organizations Organizations should assume that DPRK cyber activity will continue to evolve and expand in scope. Practical steps include updating security awareness training to address QR code–based attacks, monitoring for anomalous authentication behavior, limiting credential reuse, and treating identity compromise as a high-impact security incident. Most importantly, leaders should recognize that DPRK cyber operations are persistent, well-resourced, and strategically motivated. Understanding this threat is essential not only for government and policy organizations, but for any enterprise operating in an increasingly interconnected and geopolitically influenced digital environment.

Detonation Point is where cyber risk stops being an abstract headline and becomes an operational reality. In a recent episode presented by Elastio, host Matt O’Neill sat down with cloud security expert Costas Kourmpoglou at Spike Reply UK to unpack a hard truth many organizations only learn after an incident: Ransomware doesn’t succeed because attackers are smarter; it succeeds because recovery fails. Ransomware Is an Industry Early ransomware operations were vertically integrated. The same group wrote the malware, gained access, deployed it, negotiated payment, and laundered funds. That model is gone. Today’s ransomware ecosystem resembles a supply chain: Developers build ransomware toolingInitial access brokers sell credentialsAffiliates deploy attacksNegotiators manage extortionSeparate actors handle payments and laundering This “Ransomware-as-a-Service” model lowers the barrier to entry and scales attacks globally. No one really needs expert technical skills. They just need access and opportunity. How Daily Mistakes Set Ransomware in Motion Ransomware became dominant for a straightforward reason: it pays. Despite headlines about zero-day exploits, most ransomware campaigns still begin with mundane failures: Reused credentialsPhishing emailsThird-party access The uncomfortable reality is that most organizations already assume breaches, yet design security as if prevention is enough. In this Detonation Point podcast, Costas noted, “Many teams over-invest in stopping the first mistake and under-invest in what happens after that mistake inevitably occurs.” Attackers don’t rush. Once inside, they: Observe quietly and use native tools to blend in (“living off the land”)Map systems and privilegesIdentify backups and recovery paths Ransomware often detonates months after initial access and long after backups have quietly captured infected data. But Why Paying the Ransom Rarely Works Ransomware payments are often justified as the “cheapest option.” But data tells a different story: Recovery success after payment is worse than a coin flipPayments may violate sanctions lawsData is often not fully restored or released anyway As Costas put it, “If you’re willing to gamble on paying the ransom, you might as well invest that money in resilience, where the odds are actually in your favor.” One of the most critical insights from the conversation was this: If your business cannot operate, that is not just a cybersecurity failure, it’s a business failure. If your plan assumes everything else still works, it’s not a plan. And, if ransomware detonated tonight, do you know which recovery path would save you, and which ones would make things worse? Because when ransomware stops being theoretical, only validated recovery determines the outcome. This blog is adapted from the Detonation Point podcast presented by Elastio.

GuardDuty’s release of malware scanning on AWS Backup is an important enhancement to the AWS ecosystem, reflecting growing industry recognition that inspecting backup data has become a core pillar of cyber resilience. But real-world incidents show that ransomware often leaves no malware behind, making broader detection capabilities for encryption and zero-day attacks increasingly essential. Across industries, there are countless examples of enterprises with premium security stacks in place - EDR/XDR, antivirus scanners, IAM controls - still suffering extended downtime after an attack because teams couldn’t reliably identify an uncompromised recovery point when it mattered most. That’s because ransomware increasingly employs fileless techniques, polymorphic behavior, living-off-the-land tactics, and slow, stealthy encryption. These campaigns often reach backup andreplicated copies unnoticed, putting recovery at risk at the very moment organizations dependon it. As Gartner puts it: Modern ransomware tactics bypass traditional malware scanners, meaning backups may appear ‘clean’ during scans but prove unusable when restored. Equip your recovery environment with advanced capabilities that analyze backup data using content-level analytics and data integrity validation.”— Gartner, Enhance Ransomware Cyber Resilience With A Secure Recovery Environment, 2025 This is the visibility gap Elastio was designed to close. In this post, we walk through how Elastio’s data integrity validation works alongside AWS GuardDuty to support security and infrastructure teams through threat detection all the way to recovery confidence and why integrity validation has become essential in the age of identity-based and fileless attacks. What is AWS GuardDuty? AWS GuardDuty is a managed threat detection service that continuously monitors AWS environments for malicious or suspicious activity. It analyzes signals across AWS services, including CloudTrail, VPC Flow Logs, DNS logs, and malware protection scans, and produces structured security findings. GuardDuty integrates natively with Amazon EventBridge, which means every finding can be consumed programmatically and routed to downstream systems for automated response. For this integration, we focus on GuardDuty malware findings, including: Malicious file findings in S3Malware detections in EC2 environments These findings are high-confidence triggers that indicate potential compromise and warrant immediate validation of recovery data. Learn more about GuardDuty. Why a GuardDuty Finding Should Trigger Recovery Validation Malware detection is important, but it is no longer sufficient to validate data recoverability. Identity-based attacks dominate cloud breaches Today’s attackers increasingly rely on stolen credentials rather than exploits. With valid identities, they can: Use legitimate AWS APIsAccess data without dropping malwareBlend into normal operational behavior In these scenarios, there may be nothing malicious to scan, yet encryption or tampering can still occur. Fileless and polymorphic ransomware evade signatures Many ransomware families: Run entirely in memoryContinuously mutate their payloadsAvoid writing recognizable artifacts to disk Signature-based scanners may report “clean,” even as encryption spreads. Zero-day ransomware has no signatures By definition, zero-day ransomware cannot be detected by known signatures until after it has already caused damage - often widespread damage. The result is a dangerous failure mode: backups that scan clean but restore encrypted or corrupted data. Why Integrity Validation Changes the Outcome Elastio approaches ransomware from the impact side. Instead of asking only “is malware present?”, Elastio validates: Whether encryption has occurredWhat data was impactedWhen encryption startedWhich recovery points are still safe to restore The timeline above reflects a common real-world pattern: Initial access occurs quietlyEncryption begins days or weeks laterBackups continue, unknowingly capturing encrypted dataThe attack is only discovered at ransom time Without integrity validation, teams cannot know with confidence that their backups will work when they need them. This intelligence transforms a GuardDuty finding from an alert into an actionable recovery decision. Using GuardDuty as the Trigger for Recovery Validation Elastio’s new GuardDuty integration automatically initiates data integrity scans when GuardDuty detects suspicious or malicious activity. Instead of stopping at alerts, the integration immediately answers the implied next question: Did this incident affect our data, and can we recover safely? By validating backups and recovery assets in response to GuardDuty findings, Elastio reduces response time, limits attacker leverage, and enables faster, more confident recovery decisions. Architecture Overview At a high level: GuardDuty generates a malware findingThe finding is delivered to EventBridgeEventBridge routes the event into a trusted sender EventBusElastio’s receiver EventBus accepts events only from that senderElastio processes the finding and starts a targeted scanTeams receive recovery-grade intelligenceIncluding:Ransomware detection resultsFile- and asset-level impactLast known clean recovery pointOptional forwarding to SIEM or Security Hub The critical design constraint: trusted senders Each Elastio customer has a dedicated Receiver EventBus. For security reasons, that receiver only accepts events from a single allowlisted Sender EventBus ARN. This design ensures: Strong tenant isolationNo event spoofingClear security boundaries To support scale, customers can route many GuardDuty sources (multiple accounts, regions, or security setups) into that single sender bus. Elastio enforces trust at the receiver boundary. End-to-End Flow Step 1: GuardDuty detects malware GuardDuty identifies a malicious file or suspicious activity in S3 or EC2 and emits a finding. Step 2: EventBridge routes the finding Native EventBridge integration allows customers to filter and forward only relevant findings. Step 3: Sender EventBus enforces trust All GuardDuty findings flow through the designated sender EventBus, which represents the customer’s trusted identity. Step 4: Elastio receives and buffers events The Elastio Receiver EventBus routes events into an internal queue for resilience and burst handling. Step 5: Elastio validates recovery data Elastio maps the finding to impacted assets and initiates scans that analyze both malware indicators and ransomware encryption signals. Step 6: Recovery-grade results Teams receive actionable results: Ransomware detectionFile-level impactLast known clean recovery pointOptional forwarding to SIEM or Security Hub What This Enables for Security and Recovery Teams By combining GuardDuty and Elastio, organizations gain: Faster response triggered by high-signal findingsEarly detection of ransomware encryption inside backupsReduced downtime and data lossConfidence that restores will actually workAudit-ready evidence for regulators, insurers, and leadership Supported Today S3 malware findingsEC2 malware findings EBS-specific handling is in progress and will be added as it becomes available. Why This Matters in Practice In most ransomware incidents, the challenge isn’t identifying a security signal - it’s understanding whether that signal corresponds to meaningful data impact, and what it implies for recovery. Security and infrastructure teams often find themselves piecing together information across multiple tools to assess whether encryption or corruption has reached backups or replicated data. That assessment takes time, and during that window, recovery decisions are delayed or made conservatively. By using GuardDuty findings as a trigger for integrity validation, customers introduce earlier visibility into potential data impact. When suspicious activity is detected, Elastio provides additional context around whether recovery assets show signs of encryption or corruption, and which recovery points appear viable. This doesn’t replace incident response processes or recovery testing, but it helps teams make better-informed decisions sooner, particularly in environments where fileless techniques and identity-based attacks limit the effectiveness of traditional malware scanning. Extending GuardDuty From Detection Toward Recovery Readiness GuardDuty plays a critical role in surfacing high-confidence security findings. Elastio extends that signal into the recovery domain by validating the integrity of data organizations may ultimately depend on to restore operations. Together, they help teams bridge the gap between knowing an incident may have occurred and assessing recovery readiness, with supporting evidence that can be shared across security, infrastructure, and leadership teams. For organizations already using GuardDuty, this integration provides a practical way to connect detection workflows with recovery validation without changing existing security controls or response ownership. Watch our discussion: Understanding Elastio & AWS GuardDuty Malware Scanning for AWS Backup An open conversation designed to answer customer questions directly and help teams understand how these technologies work together to strengthen recovery posture. How signature-based malware detection compares to data integrity validationReal-world scenarios where behavioral and encryption-based detection mattersHow Elastio extends visibility, detection, and recovery assurance across AWS, Azure, and on-prem environmentsAn early look at Elastio’s new integration launching at AWS re:Invent