2023 Guide to Enhancing AWS Backups with Threat Detection and Response

While backup is ingrained into the ethos of essential IT management, recovery, or, more specifically, the reliability, speed, and accessibility of recovered data, have yet to be the focus of AWS administrators. However, external factors such as malware, ransomware, regulatory requirements, and business needs are all changing the requirements of “is the data backed up” to “how quickly can it be proven that the data/apps can be recovered.” Many things can cause data loss, such as cloud failures, software bugs, human error, cyberattacks, and natural disasters. AWS Backups can help you recover from these types of events and prevent permanent data loss. Testing AWS Backups for high transaction applications with high data change rates is particularly important.

Overall, the importance of backups for data protection cannot be overstated. They are an essential part of any good data management strategy in AWS and can help to protect the organization from the consequences of data loss.

Differentiating between good and bad data

A backup system must be able to differentiate between good and bad data because if a backup system creates a copy of all data, including any infected or corrupted files, it can spread infection or corruption to the backup and make the recovery process more difficult or impossible. In the cloud, where multiple applications share data, detecting and containing threats can be more challenging.

Elastio is unique because it is designed to scan for and identify cyber threats in the data and provide response and recovery services to help get back up and running as quickly as possible. By detecting threats early and creating clean restores, Elastio can help to minimize the impact of a cyberattack and reduce the risk of data loss.

Differentiating between good and insufficient data is vital to any effective backup and recovery system. It is essential in the cloud, where data is more vulnerable to threats. In addition, Elastio integrates tightly with the AWS Backup service to scan for and identify cyber threats in the AWS backup recovery points.  By providing this capability, Elastio can help organizations to protect their data and recover from cyberattacks more efficiently.

How ransomware and malware can infiltrate backups

Ransomware and malware can infiltrate AWS Backups in much the same way as they can infiltrate on-premises backups. One standard method is phishing attacks, in which the attacker sends a malicious email or message that contains a link or attachment that, when clicked or opened, installs the ransomware or malware on the victim’s system. Once the ransomware or malware is installed, it can spread to other systems on the network, including any connected cloud backup systems.

Another way that ransomware and malware can infiltrate backups is through vulnerabilities in the cloud infrastructure itself. Suppose a workload has a known security vulnerability. In that case, an attacker may exploit that vulnerability to access the cloud environment and install ransomware or malware on the victim’s instances, containers, filesystem, databases, backups, etc.  Sometimes, cloud users may be unable to install agents on their Amazon EC2 instances, making protection against ransomware and malware more challenging.

Under the AWS shared responsibility model, it is the customer’s responsibility to be aware of the risks of ransomware and malware and to take steps to protect their cloud backups from these threats. This can include implementing strong passwords and access controls, educating users about phishing attacks and other threats, and using security measures such as agentless cyber recovery software to help detect, respond, and recover from infections.

The consequences of backing up ransomware and malware

Restoring from a backup that contains ransomware or malware can cause significant damage to an organization. Suppose the malware or ransomware is not detected when the backup is taken and removed before the restore process begins. In that case, it can be spread to the virtual machines and volumes that are being restored, potentially infecting them and causing further damage and spread.

One of the main ways that ransomware and malware can cause damage is by encrypting or otherwise damaging data, making it inaccessible to the application. This can cause significant disruption to the organization, as it may be unable to access essential data and applications and may need to spend considerable time and resources recovering or replacing the data. Sometimes, the data may be permanently lost, seriously affecting the organization.

Malware and ransomware can also cause damage by stealing data or using the infected system as a launchpad for further attacks. This can compromise the organization’s sensitive information, such as customer data or financial records, and can lead to legal and regulatory consequences if the data is not adequately protected.

Recovering from a ransomware attack can be a complex and time-consuming process that may involve several steps, depending on the attack’s specifics and the extent of the damage. Some of the challenges and costs associated with recovering from a ransomware attack include the following:

  1. Identifying and mitigating the source of the attack may require hiring a cybersecurity firm or bringing in outside experts to help identify the source of the attack and implement measures to prevent future attacks.
  2. Restoring systems and data: If the ransomware has encrypted or otherwise compromised critical systems or data, it may be necessary to restore these from backups or rebuild them from scratch resulting in a time-consuming and costly process.
  3. Updating and improving security measures: In the wake of a ransomware attack, it may be necessary to update and improve the organization’s security measures to prevent future attacks. This could involve investing in new software or hardware, training employees on cybersecurity best practices, or implementing additional security protocols.
  4. Managing the fallout: Depending on the extent of the attack, there may be additional costs associated with managing the aftermath, such as lost productivity, lost revenue, damage to the organization’s reputation, and legal or regulatory consequences.
  5. Lastly, should the organization not have a reliable restore point, it may be forced to pay the ransom. In most cases, organizations no longer have cyber insurance as the cost/benefit is no longer there for insurance companies to offer such products. Paying the ransom in no way guarantees that the data will be immediately recoverable and is usually a mix of restore from backup and decryption. This happens when those critical resources are unavailable to the company or its customers.

The costs associated with recovering from a ransomware attack can be significant. They may vary widely depending on the organization’s size and complexity, the damage’s extent, and the measures taken to prevent future attacks. It is essential to carefully evaluate any backup system to ensure it can detect and remove malware and ransomware before creating a restore to minimize the potential damage caused by these threats.

Strategies for protecting against corrupted AWS Backups

There are several strategies that organizations can use to protect against corrupted backups and ensure that they have a reliable and effective cyber recovery plan in place. Some of these strategies include:

  1. Continually scanning backups for cyber threats: It is important to have cyber backups that continually scan backups for ransomware and malware to identify and address these threats as early as possible. By regularly scanning backups, organizations can detect threats that may have infiltrated their cloud resources and take steps to remediate them before they can cause severe damage. This can help reduce the risk of data loss or disruption and minimize the costs and impact of a cyberattack.Additionally, by surfacing threats early, organizations can respond more quickly and effectively, which can help to minimize downtime and reduce the overall impact of the attack. Scanning the backups for ransomware and malware to surface threats early for faster response to eliminate the recovery risk is essential.
  2. Regularly testing and verifying backups: It is essential to regularly test and verify that data is application consistent and stored correctly and can be restored as needed. This will help ensure that the organization has a reliable data source to fall back upon during a disaster.
  3. Encrypting backups: Encrypting backups can help protect against unauthorized access or tampering and provide additional security for sensitive data.
  4. Immutable backups: Immutable backups are backups that cannot be modified or deleted in S3 and provide a permanent, unchangeable data record. They often protect against malicious actors and accidental/intentional deletions.
  5. Air-Gap backup across cloud accounts: Storing backups in different cloud accounts from the production accounts can help protect against attacks by malicious actors and insider threats risking backups corruption and deletion.


Recovering from a cyberattack can be a complex and time-consuming process involving several steps and high costs. Some challenges and costs associated with recovering from a cyberattack include identifying and mitigating the source, restoring workloads and data, updating and improving security measures, and managing the fallout.

To protect against corrupted AWS Backups and ensure a reliable cyber resilience plan, organizations can take several steps, such as regularly scanning backups for cyber threats, testing and verifying backups, storing backups across multiple accounts, encrypting backups, and implementing a cyber recovery plan. By taking these precautions, organizations can better protect against data loss or disruption and minimize the costs and impact of a cyberattack.

About Elastio

Elastio detects and precisely identifies ransomware in your data and assures rapid post-attack recovery. Our data resilience platform protects against cyber attacks when traditional cloud security measures fail.

Elastio’s agentless deep file inspection continuously monitors business-critical data to identify threats and enable quick response to compromises and infected files. Elastio provides best-in-class application protection and recovery and delivers immediate time-to-value.