Ransomware Groups Now Targeting Cloud Backups: Inside Their Playbook and Real-World Cases
11 August 2025 • 3 min read

In 2024 and early 2025, multiple high-profile ransomware incidents revealed a quiet but dangerous evolution in attacker tactics:
Before encrypting production systems, threat actors are now going after cloud backups directly — deleting, corrupting, or exfiltrating them to destroy an organisation’s ability to recover without paying.
The New Ransomware Playbook
For years, security teams leaned on the mantra: “As long as backups are safe, we can recover.”
Attackers have caught on.
Recent threat intelligence shows several ransomware crews — including BlackCat/ALPHV, LockBit 3.0, and Play — deploying multi-step playbooks that specifically target backup infrastructure, both on-prem and in the cloud:
- Reconnaissance of Backup Systems
  - Using stolen credentials from phishing, infostealers, or credential stuffing attacks.
  - Mapping backup endpoints, admin portals, and associated storage buckets.
- Privilege Escalation
  - Exploiting weak IAM (Identity and Access Management) controls in cloud backup services.
  - Using default or shared admin accounts still present in some environments.
- Silent Tampering
  - Altering retention policies to shorten backup history.
  - Scheduling deletion commands to execute days later — blending into legitimate maintenance.
- Multi-Region & Multi-Cloud Attacks
  - Coordinated deletion across multiple geographic regions to eliminate redundancy.
  - Targeting both primary and DR (Disaster Recovery) replicas.
- Encryption & Ransom Note Drop
  - Only after backup destruction do attackers encrypt production workloads.
  - Victims are then faced with “No backups, no recovery” and heavy ransom pressure.
Real-World Cases
- Case 1: BlackCat/ALPHV in the Healthcare Sector (2024)
  In late 2024, a U.S. healthcare provider saw its Veeam backup repositories wiped two days before encryption began. Forensics revealed the attackers had stolen admin credentials from an IT contractor months earlier. Immutable backups had been disabled to “save storage costs” — a decision that proved costly.
- Case 2: LockBit’s Multi-Region Cloud Hit (2025)
  A manufacturing group in Europe reported that AWS S3 backup buckets in three regions were deleted within minutes, using an API key exposed in a misconfigured CI/CD pipeline. Once production was encrypted, the ransom demand tripled because the attackers knew recovery was impossible without those backups.
- Case 3: Play Ransomware vs. SaaS Backup (2025)
  In early 2025, Play ransomware targeted a global retailer using a SaaS-based backup service. Investigators found that attackers used OAuth token abuse to access the backup control panel and revoke restoration permissions for all users.
Why This Is So Effective
- Removes Negotiation Leverage – Without backups, downtime costs rise exponentially, making ransom payment more likely.
- Cloud Trust Gap – Many companies assume “cloud backups are automatically safe,” underestimating how accessible they can be if IAM is weak.
- Time Bombs – Delayed deletion tactics mean victims often don’t realize backups are gone until they need them most.
- Cross-Platform Reach – With many orgs using hybrid and multi-cloud environments, coordinated deletion can be executed in parallel.
What Organisations Should Do Now
Cyber Protocol’s Recommended Countermeasures:
- Enforce Immutable Backups
  - Use write-once, read-many (WORM) or immutable snapshots in backup solutions.
  - Ensure immutability settings cannot be altered without multi-party approval.
- Segment Backup Administration
  - No shared credentials across backup and production environments.
  - Mandatory MFA for all backup admin logins.
- Isolate Backup Networks
  - Logical or physical separation from production systems.
  - Limit backup system exposure to the internet.
- Test Restores Regularly
  - Monthly restore drills to validate backup integrity and team readiness.
- Audit API and OAuth Tokens
  - Remove unused keys, rotate regularly, and monitor for suspicious calls.
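Two steps of the playbook above (retention tampering and coordinated multi-region deletion) and the last countermeasure (monitor for suspicious API calls) can be turned into concrete detections. The following is an added example, not code from the original post or from Cyber Protocol: it runs over constructed CloudTrail-style records, and the backup bucket naming prefix, the ARNs, and the timestamps are assumptions.

```python
# Added example (not from the original post): detections for the "silent tampering"
# and multi-region deletion steps, over constructed CloudTrail-style records.
from collections import defaultdict
from datetime import datetime, timedelta

BACKUP_PREFIX = "corp-backup-"   # assumed naming convention for backup buckets
RETENTION_EVENTS = {"PutBucketLifecycleConfiguration", "DeleteBucketLifecycle",
                    "PutObjectRetention", "PutObjectLockConfiguration"}
DELETE_EVENTS = {"DeleteBucket", "DeleteObject", "DeleteObjects"}
WINDOW = timedelta(minutes=10)   # "deleted within minutes" across regions

def _ev(time, name, region, arn, bucket):
    """Minimal CloudTrail-shaped record (constructed test data, not a real log)."""
    return {"eventTime": time, "eventName": name, "awsRegion": region,
            "userIdentity": {"arn": arn}, "requestParameters": {"bucketName": bucket}}

CI_KEY = "arn:aws:iam::123456789012:user/ci-deploy"   # constructed: leaked pipeline key
SAMPLE_EVENTS = [
    _ev("2025-03-02T01:00:00Z", "PutBucketLifecycleConfiguration", "eu-west-1", CI_KEY, "corp-backup-eu"),
    _ev("2025-03-04T02:10:00Z", "DeleteBucket", "eu-west-1", CI_KEY, "corp-backup-eu"),
    _ev("2025-03-04T02:12:30Z", "DeleteBucket", "eu-central-1", CI_KEY, "corp-backup-eu-dr"),
    _ev("2025-03-04T02:14:00Z", "DeleteBucket", "us-east-1", CI_KEY, "corp-backup-us"),
    _ev("2025-03-04T09:00:00Z", "DeleteObject", "eu-west-1",
        "arn:aws:iam::123456789012:user/app", "app-assets"),   # benign, non-backup bucket
]

def _bucket(ev):
    return (ev.get("requestParameters") or {}).get("bucketName", "")

def flag_retention_changes(events):
    """Silent tampering: any lifecycle/retention change on a backup bucket is an alert."""
    return [(ev["userIdentity"]["arn"], ev["eventName"], _bucket(ev)) for ev in events
            if ev["eventName"] in RETENTION_EVENTS and _bucket(ev).startswith(BACKUP_PREFIX)]

def flag_multi_region_deletes(events, min_regions=2):
    """Coordinated deletion: one principal deleting backup data in >= min_regions regions inside WINDOW."""
    hits = defaultdict(list)
    for ev in events:
        if ev["eventName"] in DELETE_EVENTS and _bucket(ev).startswith(BACKUP_PREFIX):
            ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
            hits[ev["userIdentity"]["arn"]].append((ts, ev["awsRegion"]))
    alerts = []
    for actor, seq in hits.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):   # slide a WINDOW starting at each event
            regions = {r for t, r in seq[i:] if t - t0 <= WINDOW}
            if len(regions) >= min_regions:
                alerts.append((actor, sorted(regions)))
                break
    return alerts
```

Both functions return tuples that can be fed straight into a ticketing or alerting pipeline; the retention check deliberately alerts on every change, because on a backup bucket such changes should only ever arrive through the multi-party approval path described above.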
Conclusion
The reality is simple: ransomware is no longer just about encrypting files — it’s about dismantling your safety net before you even know you’re under attack.
Organisations that treat backups as core security assets — hardening them like crown jewels — will have the upper hand when attackers come calling.
Don’t just back up. Back up securely.