Break the Attack Loop: Why In-Line Scanning During Backup & Restore Is Now Non-Negotiable

When ransomware hits, the room splits in two.

One side is calm: they’ve backed up, tested their recovery, and know exactly what to do. The other side is staring at encrypted screens, weighing up whether to pay a criminal and hoping the decryption key actually works.

But here’s the uncomfortable truth that’s changed the game: having a backup is no longer enough. Cybercriminals have evolved. They now specifically target your backup infrastructure, and they’ve developed a particularly insidious tactic to neutralise your last line of defence before you even know an attack is coming.

The Attack Loop: How Ransomware Defeated Traditional Backup

The latest ransomware strains don’t announce their presence immediately. It may take days, weeks, sometimes months, before an attack is initiated. During that dormant period, malware is quietly embedded across your systems and, critically, backed up alongside your legitimate data.

When you finally trigger a restore to recover from the attack, you bring the malware back with you. The production environment is re-infected. The attackers win again. This is the Attack Loop, and it’s exactly why a backup alone is no longer a resilience strategy.

Cybercriminals understand the economics perfectly. A good backup means a bad payday for them. So they’ve adapted to poison the well.

Why Traditional Backup Software Falls Short

Most legacy backup tools were designed for a simpler threat landscape. They capture data, store it, and retrieve it. Security was an afterthought: an add-on, not a core function.

The problems are structural:

Backups scan at the point of backup only. If malware was dormant during the backup window, it gets archived cleanly. By the time it activates, it’s embedded in every recovery point you own.

Predictable file naming conventions. Experienced attackers know exactly what backup repositories look like on disk. Traditional tools use recognisable file structures, making it straightforward for an attacker who’s gained access to locate and delete or corrupt your backups directly.

Single-factor access to management consoles. If an attacker phishes an admin’s credentials, they can walk straight into your backup settings and quietly disable retention policies, delete repositories, or alter schedules, days or weeks before triggering the ransomware payload.

No protection against double and triple extortion. Attackers increasingly download a copy of your data before encrypting it. If your backup data isn’t encrypted at rest and in-flight, it becomes a secondary target and another lever for demanding payment.

The Modern Answer: Bidirectional In-Line Scanning

The solution isn’t just better antivirus. It’s fundamentally rethinking where and when scanning happens in the backup and recovery workflow.

Asigra Tigris is built on this principle. Rather than treating security as an external layer, it embeds protection directly into the backup and restore pipeline through what it calls a “Deep Six” security architecture.

Scan on Backup, and on Restore

Tigris performs two malware scans. The first happens during backup: every file is scanned, and any malware detected is quarantined rather than archived. But the critical innovation is the second scan, performed during the restore process.

This is what breaks the Attack Loop. When you restore data after an attack, Tigris scans again. Any ransomware that was dormant during the original backup, and therefore backed up cleanly, is caught at restore time, quarantined, and prevented from re-infecting your production environment. You restore clean data, not the infection.
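The loop and its break can be shown in a few lines. This is an added illustration, not Asigra code: the `Vault` class, the function names and the SHA-256 indicator set that grows between backup and restore are all assumptions, and the sample files are constructed.

```python
import hashlib
from dataclasses import dataclass, field

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Vault:
    """Toy backup repository: recovery points plus a quarantine log."""
    points: dict = field(default_factory=dict)      # point id -> {path: bytes}
    quarantine: list = field(default_factory=list)  # (stage, path, digest)

def scan(files, known_bad, vault, stage):
    """Split files into clean and quarantined using the indicators known right now."""
    clean = {}
    for path, data in files.items():
        digest = sha256(data)
        if digest in known_bad:
            vault.quarantine.append((stage, path, digest))
        else:
            clean[path] = data
    return clean

def backup(vault, point_id, files, known_bad):
    # First scan: only what the scanner can recognise at backup time is kept out.
    vault.points[point_id] = scan(files, known_bad, vault, "backup")

def restore(vault, point_id, known_bad):
    # Second scan: same recovery point, checked against today's indicator set.
    return scan(vault.points[point_id], known_bad, vault, "restore")

def demo():
    # Constructed sample data; the "payload" bytes are a harmless placeholder.
    payload = b"constructed-placeholder-for-dormant-payload"
    files = {"docs/report.txt": b"quarterly numbers", "tmp/svc_update.bin": payload}
    vault = Vault()
    backup(vault, "point-1", files, known_bad=set())      # payload not yet recognised
    archived = sorted(vault.points["point-1"])            # so it is archived with the data
    indicators_now = {sha256(payload)}                    # indicator learned after the backup
    restored = restore(vault, "point-1", indicators_now)
    return archived, sorted(restored), vault.quarantine

if __name__ == "__main__":
    print(demo())
```

A restore that skipped the second scan would hand `tmp/svc_update.bin` straight back to production.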

Content Disarm and Reconstruction (CDR)

Modern ransomware doesn’t always look like malware. It hides inside ordinary business documents: PDFs, Office files with macros, media files. Even advanced antimalware scanning can miss deeply embedded executable objects inside these file types.

Content Disarm and Reconstruction (CDR) addresses this by deconstructing files, stripping any potentially malicious code, and rebuilding a clean, functional version. Tigris applies CDR as part of both the backup and restore process, not just at the network gateway where it’s traditionally deployed. That matters, because it only takes one file getting past your front door to start an attack.

Multiperson Approval (MPA) and Multifactor Authentication (MFA)

Credential theft is one of the most common attack vectors. If a threat actor phishes an admin’s login, they can make destructive changes to backup settings without triggering any alarms.

Tigris counters this with two layers. MFA adds a second authentication step for login and for any potentially destructive action, such as deleting backup repositories. MPA goes further, requiring multiple people to approve such actions. An attacker with one set of stolen credentials simply cannot proceed unilaterally.
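A sketch of how the two layers combine on a destructive console action, added here as an example and not taken from Tigris. The class names, the quorum of two and the rule that a requester cannot approve their own request are assumptions.

```python
from dataclasses import dataclass, field

# Destructive console actions named in the article.
DESTRUCTIVE = {"delete_repository", "disable_retention", "alter_schedule"}

@dataclass
class ChangeRequest:
    action: str
    requester: str
    approvals: set = field(default_factory=set)

class ApprovalGate:
    def __init__(self, approvers, quorum=2):   # quorum of 2 is an assumption
        self.approvers = set(approvers)
        self.quorum = quorum

    def approve(self, req, user, mfa_passed):
        """Count an approval only from a distinct, authorised, MFA-verified person."""
        if user == req.requester or user not in self.approvers or not mfa_passed:
            return False
        req.approvals.add(user)   # a set, so repeat approvals are not double-counted
        return True

    def may_execute(self, req, requester_mfa_passed):
        if req.action not in DESTRUCTIVE:
            return True           # routine actions rely on the login-time checks only
        return requester_mfa_passed and len(req.approvals) >= self.quorum

def demo():
    gate = ApprovalGate(approvers={"alice", "bob", "carol"})
    # Constructed scenario 1: alice's password is phished; no second factor available.
    stolen = ChangeRequest("delete_repository", requester="alice")
    self_approved = gate.approve(stolen, "alice", mfa_passed=False)
    attacker_ok = gate.may_execute(stolen, requester_mfa_passed=False)
    # Constructed scenario 2: a genuine request, approved by two other admins.
    genuine = ChangeRequest("delete_repository", requester="alice")
    gate.approve(genuine, "bob", mfa_passed=True)
    gate.approve(genuine, "bob", mfa_passed=True)      # duplicate, still one approval
    one_approver_ok = gate.may_execute(genuine, requester_mfa_passed=True)
    gate.approve(genuine, "carol", mfa_passed=True)
    quorum_ok = gate.may_execute(genuine, requester_mfa_passed=True)
    return self_approved, attacker_ok, one_approver_ok, quorum_ok

if __name__ == "__main__":
    print(demo())
```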

Repository Obfuscation with Variable Naming

If an attacker gains access to your storage environment, knowing where your backups live is half the battle. Traditional tools use predictable, well-known file naming patterns.

Tigris uses variable repository naming, dynamically obscuring backup file identities so attackers cannot easily identify, locate, or target your recovery data, even with storage-level access.

Soft Delete: The Hidden Safety Net

Even if an attacker manages to access the backup management console and attempts to delete backup jobs, Tigris has one more layer of protection. Soft Delete gives the appearance of successful deletion; the admin console reports it’s done, but a hidden copy of the backup job is retained, recoverable only by those who know it exists.

True deletion requires a separate two-step process that isn’t visible to an attacker unfamiliar with the system.

AES-256 Encryption In-Flight and At-Rest

Double and triple extortion attacks, where attackers steal data before encrypting it and then threaten to publish it, are now standard practice. Backup data is increasingly the softer target.

Tigris protects against this with NIST FIPS 140-2, AES 256-bit encryption covering data both in transit and at rest, making backup repositories useless to attackers even if they succeed in exfiltrating them.

Agentless Architecture: Security Without the Overhead

One reason organisations sometimes underinvest in backup security is operational friction. Deploying and maintaining agents across every endpoint adds complexity, creates attack surface, and slows down updates.

Tigris deploys as a network-based, agentless architecture with no endpoint agents required. It can be deployed in Docker containers, managed through a single pane of glass, and covers operating systems, virtual machines, and databases comprehensively. Updates are smoother, administration is reduced, and the security footprint itself is minimised.

Recovery Confidence Matters as Much as Security

Security is only half the equation. When the worst happens, recovery needs to be fast and reliable.

Tigris pairs its security architecture with advanced recovery capabilities: autonomic healing that automatically repairs corrupted backups, in-memory restore validation that tests recovery before it goes live, VM replication for standby failover, and incremental-forever backup that lets you restore from any point in time. Granular recovery means you can restore an individual file or an entire data centre, on demand.


Business readiness for a ransomware attack

The growing threat

The threat from ransomware is growing with the sophistication of the attacks – and technical ability of the attackers – constantly challenging the security measures implemented by businesses striving to protect their systems and data in an increasingly hostile cyber environment.

It’s no longer a case of if a business is attacked, but when, and, at that point, how ready is the business to recover effectively and efficiently from such an attack? There are few second chances when the stakes are so high.

A recent Sophos survey indicated 59% of global businesses were hit by some form of ransomware. 94% of businesses indicated that the attackers had attempted to compromise their backup systems, with 57% being successful.

Assessing the ability of a business to fully recover has never been more urgent, and that preparation needs to be proactive. Identifying any flaws in the plan, or in the recovery technology deployed, is a crucial task in a business fitness test.

Fully testing the recoverability of an organisation requires frequent testing – and this can only be carried out effectively if the testing process is non-disruptive, quick, simple and encompasses the business’s entire system and data. Crucially, the skillset and prior experience of staff charged with conducting a successful recovery need to be factored in for a requirement so nuanced and potentially infrequent.

When the chaos and stress of a business-threatening ransomware attack is unfolding, discovering unnoticed or overlooked flaws in the recovery plan – alongside a lack of skills and experience in business recovery – is irresponsible business practice. Having the confidence to invoke an extremely well-tested and orchestrated business recovery process is critical. When security is compromised, this could be the only opportunity to thwart the attempts of cyber criminals to extort significant, often business-ending, sums from the business.

Cloud provider effectiveness

MSPs are ideally positioned to offer DRaaS and BaaS platforms that provide non-disruptive disaster recovery testing, enabling teams charged with business recovery to carry out full and frequent tests without impacting production environments. Additionally, the separation of cloud recovery systems from the production environments adds another layer of much-needed protection.

MSPs specialising in disaster recovery technologies can significantly improve the recovery of an organisation when struck by ransomware. MSPs will have the experience, exposure and expertise to advise on effective techniques and services to deploy, balancing business requirements with available budgets and keeping RTOs and RPOs realistic and achievable.

MSPs can remove many of the concerns for organisations when considering and budgeting for disaster recovery solutions, including: the capital cost of the hardware and software required; the ability to scale up or down as business needs change; the necessary skills required to maintain such a system and invoke a recovery when needed; and the ongoing maintenance costs and inevitable renewal costs.

An update to your approach

Now is the time to shift thinking within IT teams, but also the wider business, about the potential for risk and the collaborative efforts required to protect the business from what will become an undeniable set of threats.

The recommended rhythm and cadence of testing might seem unrealistic, or even unachievable with the current technology deployed within a business. That’s ok. What we strongly believe is that by setting in place a new standard – even if simply an improvement on the status quo at first – businesses can create a necessary shift in mindset towards recoverability and data usability. Setting this new operational standard will undoubtedly place the business in a better state of readiness to recover from a major issue, as and when it happens.