The Hidden Risk: Why Malware Scanning Fails Against Ransomware

CMORG’s Data Vaulting Guidance: Integrity Validation Is Now a Core Requirement In January 2025, the Cross Market Operational Resilience Group (CMORG) published Cloud-Hosted Data Vaulting: Good Practice Guidance. It is a timely and important contribution to the operational resilience of the UK financial sector. CMORG deserves recognition for treating recovery architecture as a priority, not a future initiative. In financial services, the consequences of a cyber event extend well beyond a single institution. When critical systems are disrupted and recovery fails, the impact can cascade across customers, counterparties, and markets. The broader issue is confidence. A high-profile failure to recover can create damage that reaches far beyond the affected firm. This is why CMORG’s cross-industry collaboration matters. It reflects an understanding that resilience is a shared responsibility. Important Theme: Integrity Validation The guidance does a strong job outlining the principles of cloud-hosted vaulting, including isolation, immutability, access control, and key management. These are necessary design elements for protecting recovery data against compromise. But a highly significant element of the document is its emphasis on integrity validation as a core requirement. CMORG Foundation Principle #11 states: “The data vault solution must have the ability to run analytics against its objects to check integrity and for any anomalies without executing the object. Integrity checks must be done prior to securing the data, doing it post will not ensure recovery of the original data or the service that the data supported.” This is a critical point. Immutability can prevent changes after data is stored, but it cannot ensure that the data was clean and recoverable at the time it was vaulted. If compromised data is written into an immutable environment, it becomes a permanently protected failure point. Integrity validation must occur before data becomes the organization’s final recovery source of truth. CMORG Directly Addresses the Risk of Vaulting Corrupted Data CMORG reinforces this reality in Annex A, Use Case #2, which addresses data corruption events: “For this use case when data is ‘damaged’ or has been manipulated having the data vaulted would not help, since the vaulted data would have backed up the ‘damaged’ data. This is where one would need error detection and data integrity checks either via the application or via the backup product.” This is one of the most important observations in the document. Vaulting can provide secure retention and isolation, but it cannot determine whether the data entering the vault is trustworthy. Without integrity controls, vaulting can unintentionally preserve compromised recovery points. The Threat Model Has Changed The guidance aligns with what many organizations are experiencing in practice. Cyber-attacks are no longer limited to fast encryption events. Attackers increasingly focus on compromising recovery, degrading integrity over time, and targeting backups and recovery infrastructure. These attacks may involve selective encryption, gradual corruption, manipulation of critical datasets, or compromise of backup management systems prior to detonation. In many cases, the goal is to eliminate confidence in restoration and increase leverage during extortion. The longer these attacks go undetected, the more likely compromised data is replicated across snapshots, backups, vaults, and long-term retention copies. At that point, recovery becomes uncertain and time-consuming, even if recovery infrastructure remains available. Why Integrity Scanning Must Happen Before Data Is Secured CMORG’s point about validating integrity before data is secured is particularly important. Detection timing directly affects recovery outcomes. Early detection preserves clean recovery points and reduces the scope of failed recovery points. Late detection increases the likelihood that all available recovery copies contain the same corruption or compromise. This is why Elastio’s approach is focused on integrity validation of data before it becomes the foundation of recovery. Organizations need a way to identify ransomware encryption patterns and corruption within data early for recovery to be predictable and defensible. A Meaningful Step Forward for the Industry CMORG’s cloud-hosted data vaulting guidance represents an important milestone. It reflects a mature view of resilience that recognizes vaulting and immutability as foundational, but incomplete without integrity validation. The integrity of data must be treated as a primary control. CMORG is correct to call this out. It is one of the clearest statements published by an industry body on what effective cyber vaulting must include to support real recovery.

Closing the Data Integrity Control Gap In 2025, the cybersecurity narrative shifted from protection to provable resilience. The reason? A staggering 333% surge in "Hunter-Killer" malware threats designed not just to evade your security stack, but to systematically dismantle it. For CISOs and CTOs in regulated industries, this isn't just a technical hurdle; it is a Material Risk that traditional recovery frameworks are failing to address. The Hunter-Killer Era: Blinding the Frontline The Picus Red Report 2024 identified that one out of every four malware samples now includes "Hunter-Killer" functionality. These tools, like EDRKillShifter, target the kernel-level "callbacks" that EDR and Antivirus rely on to monitor your environment. The Result: Your dashboard shows a "Green" status, while the adversary is silently corrupting your production data. This creates a Recovery Blind Spot that traditional, agent-based controls cannot see. The Material Impact: Unquantifiable Downtime When your primary defense is blinded, the "dwell time", the period an attacker sits in your network, balloons to a median of 11–26 days. In a regulated environment, this dwell time is a liability engine: The Poisoned Backup: Ransomware dwells long enough to be replicated into your "immutable" vaults.The Forensic Gridlock: Organizations spend an average of 24 days in downtime manually hunting for a "clean" recovery point.The Disclosure Clock: Under current SEC mandates, you have four days to determine the materiality of an incident. If you can’t prove your data integrity, you can’t accurately disclose your risk. Agentless Sovereignty: The Missing Control Elastio addresses the Data Integrity Gap by sitting outside the line of fire. By moving the validation layer from the compromised OS to the storage layer, we provide the only independent source of truth. The Control GapThe Elastio OutcomeAgent FragilityAgentless Sovereignty: Sitting out-of-band, Elastio is invisible to kernel-level "Hunter-Killer" malware.Trust BlindnessIndependent Truth: We validate data integrity directly from storage, ensuring recovery points are clean before you restore.Forensic LagMean Time to Clean Recovery (MTCR): Pinpoint the exact second of integrity loss to slash downtime from weeks to minutes. References & Sources GuidePoint Security GRIT 2026 Report: 58% year-over-year increase in ransomware victims.Picus Security Red Report 2024: 333% surge in Hunter-Killer malware targeting defensive systems.ESET Research - EDRKillShifter Analysis: Technical deep-dive into RansomHub’s custom EDR killer and BYOVD tactics.Mandiant M-Trends 2025: Median dwell time increases to 11 days; 57% of breaches notified by external sources.Pure Storage/Halcyon/RansomwareHelp: Average ransomware downtime recorded at 24 days across multiple industries in 2025.Cybereason True Cost to Business: 80% of organizations who pay a ransom are hit a second time.

Cloud-Native Architectures Shift Ransomware Risk to Data Integrity While cloud platforms improve availability and durability through replication, immutability, and automated recovery, they do not ensure data integrity. In cloud-native environments, compute is ephemeral and identity-driven, but persistent storage is long-lived and highly automated. This shifts ransomware risk away from servers and toward data itself. Modern ransomware increasingly exploits compromised cloud credentials and native APIs to encrypt or corrupt data gradually, often without triggering traditional malware detection. As a result, immutable backups and replicas can faithfully preserve corrupted data, leaving organizations unable to confidently restore clean systems. Ransomware resilience in cloud-native architectures therefore requires data integrity validation: continuous verification that backups, snapshots, and storage objects are clean, recoverable, and provably safe to restore. Without integrity assurance, recovery decisions depend on manual forensics, increasing downtime, operational risk, and regulatory exposure. Executive Strategic Assessment We have successfully re-architected our enterprise for the cloud, adopting a model where compute is ephemeral and infrastructure is code. In this environment, we no longer repair compromised servers; we terminate them. This success has created a dangerous blind spot. By making compute disposable, we have migrated our risk entirely to the persistent storage layer (S3, EBS, FSx, RDS). Our current architectural controls—S3 Versioning, Cross-Region Replication, and Backup Vault Locks—are designed for Durability and Availability. They guarantee that data exists and cannot be deleted. They do not guarantee that the data is clean. In cloud-native security, data integrity means the ability to cryptographically and behaviorally verify that stored data has not been silently encrypted, corrupted, or altered before it is used for recovery. In a modern ransomware attack, the threat is rarely that you "lose" your backups; it is that your automated, immutable systems perfectly preserve the corrupted state. If we replicate an encrypted database to a compliance-mode vault, we have not preserved the business—we have simply "vaulted the virus."Under the shared responsibility model, cloud providers protect the availability of the platform, while customers retain responsibility for ensuring the correctness and integrity of the data they store and recover. This brief analyzes the Integrity Gap in cloud-native resilience. It details the architectural controls required to transition from assuming a clean recovery to algorithmically proving it, ensuring that when the Board asks, The New Risk Reality: Ephemeral Compute, Permanent Risk Our migration to cloud-native architectures on AWS has fundamentally shifted our risk profile. We have moved from "repairing servers" to "replacing them." Compute is now disposable (containers, serverless functions, auto-scaling groups) and identity is dynamic (short-lived IAM credentials). This is a security win for the compute layer because the "crime scene" effectively evaporates during an incident. Cloud changes where risk concentrates, not whether risk exists. Recent incident analysis shows stolen credentials as a leading initial access vector, with median attacker dwell time measured in days rather than months. This compression of time is what enables low-and-slow data corruption to outrun human-driven validation. Multiple industry investigations support this pattern, including Mandiant and Verizon DBIR reporting that credential abuse and identity compromise are now among the most common initial access vectors in cloud environments, with attackers often persisting long enough to corrupt data before detection. However, this architecture forces a massive migration of risk into the persistent storage layer. Modern ransomware attacks exploit this shift by targeting the integrity of the state itself. Attackers encrypt object stores, poison transaction logs, or utilize automation roles to mass-modify snapshots.Why aren’t cloud-native architectures inherently ransomware-safe? Because cloud controls prioritize availability and automation, not verification of data correctness at restore time. The Strategic Blind Spot: Immutability is Not Integrity Our current resilience strategy aligns with AWS Well-Architected frameworks. We rely heavily on Availability and Durability. We use S3 Versioning, AWS Backup Vault Locks, and Cross-Region Replication. These controls are excellent at ensuring data exists and cannot be deleted. However, they fail to ensure the data is clean. Integrity controls verify recoverability and correctness of restoration assets, not just retention. Operationally, this means validating data for encryption or corruption, proving restore usability, and recording a deterministic “last known clean” recovery point so restoration decisions do not depend on manual forensics. In a "Low and Slow" corruption attack, a threat actor uses valid, compromised credentials to overwrite data or generate new encrypted versions over weeks. In cloud environments, attackers increasingly encrypt or replace data using native storage APIs rather than custom malware. Once access is obtained, legitimate encryption and snapshot mechanisms can be abused to corrupt data while appearing operationally normal.This creates a failure mode unique to cloud-native architectures: attacks can succeed without malware, without infrastructure compromise, and without violating immutability controls. The "Immutable Poison" Problem: If an attacker encrypts a production database, Backups will dutifully snapshot that corruption. If Vault Lock is enabled, we effectively seal the corrupted state in a compliance-mode vault. We have preserved the attack rather than the business. Vault Locking prevents deletion and lifecycle modification of recovery points, including by privileged users. It does not validate the integrity or cleanliness of the data being ingested and retained.Replication Accelerates Blast Radius: Because replication is designed for speed (RPO), it immediately propagates the corrupted state to the DR region. The Missing Control: Recovery Assurance During a ransomware event, the most expensive resource is decision time. The Board will not ask "Do we have backups?" They will ask "Which recovery point is the last known good state?" Without a dedicated integrity control, answering this requires manual forensics. Teams must mount snapshots one by one, scan logs, and attempt trial-and-error restores. This process turns a 4-hour RTO into a multi-day forensic ordeal. Industry data shows that organizations take months to fully identify and contain breaches, and multi-environment incidents extend that timeline further. This gap is why recovery cannot depend on snapshot-by-snapshot investigation during an active crisis. Critically, integrity validation produces durable evidence, timestamps, scan results, and clean-point attestations that can be reviewed by executives, auditors, and regulators as part of post-incident assurance. Where Elastio Fits: The Integrity Assurance Layer Elastio fits into our architecture not as a backup tool, but as an Integrity Assurance Control (NIST CSF "Recover") that audits the quality of our persistence layer. Detection in Depth: Unlike EDR which monitors processes, Elastio watches the entropy and structure of the data itself. It scans S3 buckets and EBS snapshots for the mathematical signatures of encryption and corruption.Provable Recovery: Elastio indexes recovery points to algorithmically identify the "Last Known Clean" timestamp. This allows us to automate the selection of a clean restore point and decouple recovery time from forensic complexity. Platform Engineering Guide Architecture Context Elastio operates as an agentless sidecar. It utilizes scale-out worker fleets to mount and inspect storage via standard Cloud APIs (EBS Direct APIs, S3 GetObject, Azure APIs). It does not require modifying production workloads or installing agents on production nodes. Protection Capabilities by Asset Class 1. AWS S3 & Azure Blob Data Lakes Real-Time Inspection: The system scans objects in real-time as they are created. This ensures immediate detection of "infection by addition."Threat Hunting: If threats are found, automated threat hunts are performed on the existing objects/versions to identify the extent of the compromise.Recovery: The system identifies the last known clean version, allowing restores to be automated and precise. 2. Block Storage (EBS, EC2, Azure Disks, Azure VMs) Scale-Out Scanning: Automated scans of persistent storage are performed using ephemeral, scale-out clusters. This ensures that inspection does not impact the performance of the production workload.Policy Control: For long-lived workloads (e.g., self-hosted databases), policies control how frequently to scan (e.g., daily, hourly, or on snapshot creation) to balance assurance with cost. Integrity validation frequency must be faster than plausible time-to-impact. With ransomware dwell time measured in days, weekly validation leaves material integrity gaps. For critical, high-risk workloads, production data validation can be configured to run as frequently as hourly, based on policy and business criticality, while lower-risk assets can operate at longer intervals to balance assurance, cost, and operational impact. 3. AWS Backup Scan-on-Create: Automated scanning of backups occurs immediately as they are created.Asset Support: Supports EC2, EBS, AMI, EFS, FSx, and S3 backup types.Vault Integration: Fully integrated with AWS Backup Restore Testing and Logically Air-Gapped (LAG) Vaults, ensuring that data moving into high-security vaults is verified clean before locking. 4. Azure Backup Scan-on-Create: Automated scanning of backups occurs immediately as they are created.Asset Support: Supports Azure VM, Azure Managed Disks, and Azure Blobs. 5. Managed Databases (RDS / Azure Managed SQL) Status: Not Supported.Note: Direct integrity scanning inside managed database PaaS services is not currently supported. Table 1: Threat Manifestation & Control Fit Architecture ComponentThe "Native" Failure ModeProtection Available (Elastio)AWS S3 / Azure Blob"Infection by Addition"Ransomware writes new encrypted versions of objects. The bucket grows, and "current" versions are unusable.Real-Time Detection & HuntingScans real-time as objects are created. Automates threat hunts for last known clean versions. Automates restores.EC2 / Azure VMs(Self-Hosted DBs)The "Live Database" AttackAttackers encrypt database files (.mdf, .dbf) while the OS remains up. Standard snapshots capture the encrypted state.Automated Integrity ScansAutomated scans of persistent storage in scale-out clusters. Policies control scan frequency for long-lived workloads.AWS BackupVault PoisoningWe lock a backup that was already compromised (Time-to-detect > Backup Frequency).Scan-on-Create (Vault Gate)Automated scanning of backups (EC2, EBS, AMI, EFS, FSx, S3) as they are created. Integrated with AWS Restore Test and LAG Vaults.Azure BackupReplica CorruptionBackup vaults replicate corrupted recovery points to paired regions.Scan-on-CreateAutomated scanning of Azure VM, Managed Disk, and Blob backups as they are created.Managed DBs(RDS / Azure Managed SQL)Logical CorruptionValid SQL commands drop tables or scramble columns.Not SupportedIn these environments, integrity assurance must be addressed through complementary controls such as transaction log analysis, application-layer validation, and point-in-time recovery testing. Conclusion Adopting this control moves us from a posture of "We assume our immutable backups are valid" to "We have algorithmic proof of which recovery points are clean." In an era of compromised identities, this verification is the requisite check-and-balance for cloud storage. This control removes uncertainty from recovery decisions when time, trust, and data integrity matter most.In cloud-native environments, ransomware resilience is no longer defined by whether data exists, but by whether its integrity can be continuously proven before recovery.In practical terms, any cloud-native ransomware recovery strategy that cannot deterministically identify a last known clean recovery point before restoration should be considered operationally incomplete. This perspective reflects patterns we consistently see in enterprise incident response, including insights shared by Elastio advisors with deep experience leading ransomware investigations and cloud recovery efforts.