Google security chief: ransomware now targets backups
- Google’s APAC OCISO head warns uneven security leaves the region exposed.
- Ransomware groups are corrupting backups to block recovery and raise pressure.
Cybercriminals are changing their playbook. Instead of just locking down live systems, financially motivated groups are now targeting backup infrastructure, aiming to cut off recovery and increase ransom pressure.
According to Google Cloud’s latest Cloud Threat Horizons Report, which highlights rising security risks in the region, groups such as UNC3944 (Scattered Spider), UNC2165, UNC4393, and UNC2465 have been caught accessing backup data, deleting backup routines, and changing permissions to stop businesses from restoring operations. In 2024, ransomware events made up more than one-fifth of all Mandiant incident response cases, showing just how central this problem has become.
Why backups are under attack, and what Google’s security experts say
“Threat actors are increasingly targeting backup infrastructure to prevent data restoration, thereby escalating pressure for extortion and ransom payments during a ransomware attack,” said Pereira, who heads Google’s Office of the CISO (OCISO) for Asia Pacific. “Instead of solely focusing on live production data, they now delete or corrupt backup routines and alter access permissions, effectively blocking recovery and increasing the likelihood of a ransom payout.”

He added that the risk is especially concerning in Asia Pacific, where economies are at different stages of digital maturity. Some organisations are highly cloud-native while others are still moving from on-premises systems, creating uneven levels of protection. Backups often contain sensitive data such as personal information, intellectual property, and financial records. Pereira warned that attackers can use this data as extra leverage or sell it on the dark web.
The shift in focus to backup systems underscores how ransomware has become less about disruption and more about business pressure. If an organisation cannot restore its systems independently, it has little choice but to consider paying a ransom.
Entry points: weak credentials and misconfigurations
The Threat Horizons Report highlights that compromised credentials and misconfigurations are still the main ways attackers gain access. In the first half of 2025, around 47% of cloud incidents involved stolen credentials, while misconfigurations made up 29%.
“Attackers compromise credentials for cloud access, then exploit misconfigurations to destroy or corrupt backup data. Securing credentials and configurations, not just backups, is crucial,” Pereira said.
He explained that attackers often take advantage of these openings to establish a foothold, using “living off the land” tactics that blend into normal activity. Once inside, they wait until they can target the most valuable assets, which now include backup systems. This patient, methodical approach shows how threat groups have matured and why defenders cannot rely on traditional security models alone.
Google’s security take on isolated recovery
To counter these threats, Google and Mandiant have put forward the idea of Cloud Isolated Recovery Environments (CIREs), a security framework designed to protect backups from being compromised. Pereira believes they are no longer optional.
“CIREs have become a practical and necessary solution for APAC organisations, especially as the region emerges as ‘ground zero’ for cybercrime,” he said.
These environments separate restored data from compromised systems, allowing businesses to test and clean backups without risking reinfection. They provide a safe space to validate data and maintain business continuity even if production systems are compromised.
The concept reflects a wider recognition that recovery is just as critical as prevention. Even the most secure system may eventually be breached, but if organisations can restore quickly and confidently, they can blunt the financial and reputational impact of an attack.
Cloud-native extortion and identity at the core
Another troubling trend is “cloud-native extortion,” where attackers abuse built-in cloud features, such as encryption or storage snapshots, to hold systems hostage. Pereira explained that many organisations in the region are adapting by shifting to identity-focused security models.
“Cloud environments have become the new perimeter, and attackers have been weaponising cloud-native tools,” he said. “We now need to enforce strict cloud security hygiene, such as robust MFA, least privilege access, proactive monitoring of role access changes or credential leaks, using automation to detect and remediate misconfigurations, and anomaly detection tools for cloud activities.”
He pointed to rising investments in identity and access management tools, with organisations recognising their role in cutting down the risk of identity-based attacks. For APAC businesses, this means moving away from legacy perimeter defences and embracing cloud-native safeguards that assume breaches are inevitable but limit the damage.
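The entry-point section above describes attackers using stolen credentials to delete or corrupt backup data, and Pereira’s hygiene list calls for monitoring role access changes and anomaly detection on cloud activity. The following is an added example (not code from the Threat Horizons Report or from Google’s tooling) of what that detection can look like when run over audit-log records: it flags destructive actions and permission changes against backup buckets, weights them by whether the principal is the expected backup identity, and catches the burst of deletions that a wipe produces. The log records are constructed; their shape is a simplified imitation of a cloud audit log (principalEmail, methodName, resourceName), and the bucket names, service-account name and method-name strings are assumptions for the illustration.

```python
"""Flag destructive or privilege-changing actions against backup storage.

Added example, not the report's or Google's code. The audit records below are
constructed and simplified; bucket names, the backup service account and the
method-name strings are assumptions for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime

# Buckets that hold recovery data, and the only identity expected to manage
# them (assumed names).
BACKUP_BUCKETS = {
    "projects/_/buckets/acme-db-backups",
    "projects/_/buckets/acme-vm-snapshots",
}
BACKUP_WRITERS = {"backup-svc@acme-prod.iam.gserviceaccount.com"}

# Actions that destroy recovery data, and actions that change who can
# (assumed method names; bucket "update" covers retention/lifecycle edits).
DESTRUCTIVE = {"storage.objects.delete", "storage.buckets.delete"}
PRIVILEGE = {"storage.setIamPermissions", "storage.buckets.update"}

# Constructed sample log: one JSON record per line. The backup job rotates an
# old copy, then a compromised user account edits permissions and wipes.
SAMPLE_LOG = """
{"timestamp":"2025-05-02T01:00:00Z","principalEmail":"backup-svc@acme-prod.iam.gserviceaccount.com","methodName":"storage.objects.create","resourceName":"projects/_/buckets/acme-db-backups/objects/db-2025-05-02.dump"}
{"timestamp":"2025-05-02T01:00:05Z","principalEmail":"backup-svc@acme-prod.iam.gserviceaccount.com","methodName":"storage.objects.delete","resourceName":"projects/_/buckets/acme-db-backups/objects/db-2025-03-01.dump"}
{"timestamp":"2025-05-02T03:12:00Z","principalEmail":"alice@acme.example","methodName":"storage.objects.get","resourceName":"projects/_/buckets/acme-web-assets/objects/logo.png"}
{"timestamp":"2025-05-02T03:14:10Z","principalEmail":"alice@acme.example","methodName":"storage.setIamPermissions","resourceName":"projects/_/buckets/acme-db-backups"}
{"timestamp":"2025-05-02T03:14:40Z","principalEmail":"alice@acme.example","methodName":"storage.objects.delete","resourceName":"projects/_/buckets/acme-db-backups/objects/db-2025-05-01.dump"}
{"timestamp":"2025-05-02T03:14:41Z","principalEmail":"alice@acme.example","methodName":"storage.objects.delete","resourceName":"projects/_/buckets/acme-db-backups/objects/db-2025-04-30.dump"}
{"timestamp":"2025-05-02T03:14:43Z","principalEmail":"alice@acme.example","methodName":"storage.objects.delete","resourceName":"projects/_/buckets/acme-vm-snapshots/objects/web01-2025-05-01.img"}
"""


def bucket_of(resource_name):
    """'projects/_/buckets/X/objects/Y' -> 'projects/_/buckets/X' (or None)."""
    parts = resource_name.split("/")
    if len(parts) >= 4 and parts[0] == "projects" and parts[2] == "buckets":
        return "/".join(parts[:4])
    return None


def classify(entry):
    """Return an alert dict if the record touches a backup bucket dangerously."""
    bucket = bucket_of(entry.get("resourceName", ""))
    if bucket not in BACKUP_BUCKETS:
        return None
    method = entry.get("methodName", "")
    principal = entry.get("principalEmail", "")
    if method in DESTRUCTIVE:
        # The backup job itself expires old copies; anyone else deleting is critical.
        severity = "high" if principal in BACKUP_WRITERS else "critical"
        reason = "destructive action on backup bucket"
    elif method in PRIVILEGE:
        severity = "critical"
        reason = "permission or bucket policy change on backup bucket"
    else:
        return None
    when = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
    return {"time": when, "principal": principal, "method": method,
            "bucket": bucket, "severity": severity, "reason": reason}


def scan(log_text):
    """Run classify() over newline-delimited JSON records; keep the alerts."""
    alerts = []
    for line in log_text.strip().splitlines():
        if line.strip():
            alert = classify(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


def mass_deletion(alerts, window_seconds=300, threshold=3):
    """Principals with >= threshold destructive alerts inside any window."""
    times_by_principal = defaultdict(list)
    for a in alerts:
        if a["method"] in DESTRUCTIVE:
            times_by_principal[a["principal"]].append(a["time"])
    flagged = set()
    for principal, times in times_by_principal.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(principal)
                break
    return flagged


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['severity']:8} {a['time']:%H:%M:%S} {a['principal']} {a['method']} {a['bucket']}")
    print("mass deletion by:", mass_deletion(found))
```

On the sample, the backup job’s own rotation is reported as a high-severity event worth reviewing, while the compromised user’s IAM change and three deletions are critical, and the three deletions within a few seconds trip the mass-deletion check. In production the allowlist and bucket set would come from inventory rather than constants, and the IAM-change alert should fire regardless of who made it, since a legitimately privileged account is exactly what the attacker is holding.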
The supply chain factor
Beyond ransomware, attackers are also exploiting supply chains and social engineering to breach cloud environments. Pereira cited campaigns such as ShinyHunters, where voice phishing was used to steal Salesforce access.
“With attackers employing social engineering such as voice phishing to bypass MFA and hijack trusted accounts, cyber resilience strategies must involve robust detection capability, continuous monitoring and review of access logs, enabling MFA for the deployment of IAM tools, and most importantly, reinforcing security awareness within your organisation,” he said.
He added that supply chain integrity now needs to be part of every organisation’s security plan. Many companies in APAC rely heavily on interconnected vendor ecosystems. If a third-party supplier suffers a breach, it can cascade into a much larger incident, spreading through trusted links and shared platforms.
Google’s security steps for APAC organisations
Asked what actions CISOs in the region should prioritise, Pereira stressed that backup security needs to go beyond copies of data.
“The most immediate and critical step is to implement a CIRE. This prevents attackers who have compromised an organisation’s main systems from also sabotaging their recovery data,” he said.
Alongside this, he urged companies to strengthen IAM with least privilege access, enforce MFA, secure encryption key management, and run regular recovery drills to test their readiness under real-world conditions. In his view, these are non-negotiable practices that make the difference between a prolonged outage and a manageable disruption.
Hybrid-cloud recovery as insurance
Hybrid-cloud strategies are also emerging as a strong security defence against ransomware, with Google highlighting immutable snapshots and automated versioning as essential for recovery.
“APAC CISOs are operating within a landscape that is not only experiencing a growing volume of ransomware attacks, but also with ransomware groups that are deploying more sophisticated techniques to target backup infrastructure. This makes the integration of hybrid-cloud backup strategies an urgent imperative,” he said.
Immutable snapshots, he explained, create air-gapped recovery points that cannot be changed or deleted for a set period, giving organisations a clean fallback. Automated versioning further reduces the risk of permanent data loss, while segmentation and encryption add extra layers of protection.
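To make the guarantee concrete, here is an added example (a small in-memory model, not Google’s API or any code from the report) of the immutable-snapshot and versioning semantics described above. It assumes the usual rule for a locked retention policy: it can be extended but never shortened or removed, and every stored version is protected until its own retention expires, while versioning turns an overwrite into a new version instead of destroying the old one. The scenario, dates and backup contents are constructed; it also shows the caveat that retention is time-bounded, so a version whose window has already lapsed can still be deleted by a patient attacker.

```python
"""Model of a retention-locked, versioned backup store.

Added example, not Google's API or the report's code. The locking rule
(extend only, never shorten) and the constructed attack timeline are
assumptions used to illustrate why immutable snapshots survive a wipe.
"""
from datetime import datetime, timedelta, timezone


class Denied(Exception):
    """Raised when the store refuses an operation because of retention."""


class ImmutableStore:
    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self.locked = False
        self.objects = {}  # name -> list of (created, data); newest last

    def put(self, name, data, now):
        """Versioned write: a new version is appended, nothing is replaced."""
        self.objects.setdefault(name, []).append((now, data))

    def version_count(self, name):
        return len(self.objects.get(name, []))

    def lock(self):
        """Irreversible: after this, retention can only grow."""
        self.locked = True

    def set_retention(self, days):
        new = timedelta(days=days)
        if self.locked and new < self.retention:
            raise Denied("locked retention policy cannot be shortened or removed")
        self.retention = new

    def delete_version(self, name, index, now):
        """Delete one version; refused until that version's retention lapses."""
        created, _ = self.objects[name][index]
        retain_until = created + self.retention
        if now < retain_until:
            raise Denied(f"{name}[{index}] retained until {retain_until.isoformat()}")
        self.objects[name].pop(index)

    def latest_clean(self, name, compromise_time):
        """Newest version written strictly before the compromise: the restore point."""
        for created, data in reversed(self.objects.get(name, [])):
            if created < compromise_time:
                return data
        return None


def simulate_attack():
    """Constructed scenario: 30-day locked retention, backups on 1, 15 and 30
    April, then on 1 May an attacker holding full delete rights tries to
    shorten retention, overwrite the live copy and delete every version."""
    utc = timezone.utc
    store = ImmutableStore(retention_days=30)
    store.lock()
    for day, blob in ((1, b"full-apr01"), (15, b"full-apr15"), (30, b"full-apr30")):
        store.put("db.dump", blob, datetime(2025, 4, day, tzinfo=utc))

    t_attack = datetime(2025, 5, 1, 10, 0, tzinfo=utc)
    outcome = {"retention_shortened": False, "deleted": 0, "denied": 0}

    try:
        store.set_retention(0)  # attempt to disable immutability
        outcome["retention_shortened"] = True
    except Denied:
        pass

    # The ransomware's encrypted write lands as a new version, not an overwrite.
    store.put("db.dump", b"ENCRYPTED-BY-RANSOMWARE", t_attack)

    # Attempt to wipe every version, newest first.
    for idx in reversed(range(store.version_count("db.dump"))):
        try:
            store.delete_version("db.dump", idx, t_attack)
            outcome["deleted"] += 1
        except Denied:
            outcome["denied"] += 1

    outcome["clean_restore"] = store.latest_clean("db.dump", t_attack)
    return outcome


if __name__ == "__main__":
    print(simulate_attack())
```

In the scenario the retention change is refused, the encrypted write does not destroy anything, and only the 1 April copy can be deleted because its 30-day window lapsed at midnight on 1 May; the 15 and 30 April copies survive and the 30 April one is the restore point. The practical reading of that edge is that the retention period has to exceed the time an attacker can sit inside the environment before being noticed, which the “patient, methodical” dwell times described earlier make a real planning input rather than a formality.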
A well-prepared hybrid-cloud strategy also allows organisations to shorten downtime dramatically. Instead of waiting days or weeks to rebuild, Pereira said recovery can now be measured in minutes. “A well-executed hybrid-cloud strategy can dramatically shorten downtime to mere minutes, boosting cyber resilience and business continuity.”
Rethinking resilience
The rise in backup-targeted ransomware is forcing organisations in APAC to rethink what resilience really means. It is no longer enough to protect production data and assume backups will remain safe. As Pereira pointed out, attackers now see backups as the key to control.
For CISOs and business leaders, the challenge is balancing prevention with recovery. That means closing gaps like weak credentials and misconfigurations, but also preparing for the day attackers break through. With cloud-native extortion growing and supply chains becoming frequent targets, the ability to restore clean data quickly is turning into a core business requirement.
As Pereira summed up, cyber resilience today demands layered defence, tested recovery, and a recognition that backups are now as critical a target as the systems they protect, and therefore deserve the same level of protection.
CloudTech News is powered by TechForge Media.