Back to Intelligence

Backup Sabotage Tactics: Countering Pre-Encryption Attacks on Recovery Infrastructure

SA
Security Arsenal Team
May 6, 2026
6 min read

The traditional narrative that "offline backups are your savior" is failing. Recent analysis from Acronis highlights a critical shift in adversarial playbooks: encryption-based attacks are succeeding not because backups are missing, but because backup infrastructure is actively compromised before the encryption payload executes.

If an attacker gains administrative access to your backup agents or management console, your Recovery Time Objective (RTO) instantly becomes irrelevant. This is no longer a theoretical risk; it is the standard operating procedure for modern ransomware crews. Defenders must shift focus from simply having backups to monitoring the integrity of the backup software itself.

Technical Analysis

Affected Products & Platforms: While the report references Acronis Cyber Infrastructure and Cyber Protect, this Tactic, Technique, and Procedure (TTP) impacts all major enterprise backup solutions including Veeam Backup & Replication, Commvault, Rubrik, and Druva. The affected platforms are typically Windows Server hosts running backup agents or Linux-based backup appliances (NFS/SMB targets).

The Attack Chain:

  1. Initial Access: Phishing, VPN exploit (e.g., Fortinet/GeoServer), or valid credential exposure.
  2. Privilege Escalation: Dumping LSASS or exploiting misconfigurations to obtain Domain Admin or backup-specific service account credentials.
  3. Discovery: Enumerating systems for backup agent software (Acronis Agent, Veeam Installer) and locating backup repositories ( NAS shares, object storage).
  4. Sabotage (The Critical Step): Instead of immediately encrypting, the attacker:
    • Stops backup services (AcronisManagedMachineService, VeeamBackupSvc).
    • Uses legitimate vendor CLIs or native OS tools (vssadmin, wbadmin) to delete existing shadow copies and backup chains.
    • Corrupts the backup database or modifies retention policies to force immediate deletion.
  5. Execution: Ransomware payload is deployed once recovery options are nullified.

Exploitation Status: This is Confirmed Active Exploitation. It is not a specific CVE, but a behavioral pattern widely observed in hands-on ransomware engagements (e.g., LockBit, BlackCat/ALPHV). The "vulnerability" is the implicit trust placed in backup service accounts and the lack of monitoring on their usage.

Detection & Response

The following detection logic focuses on the pre-encryption sabotage phase: the stopping of critical services and the deletion of volume shadow copies using both native tools and specific backup binaries.

Sigma Rules

YAML
---
title: Potential Backup Service Stop via SC.EXE
id: 4f8b3a2d-1c6e-4b7f-9a0d-3e5f6a7b8c9d
status: experimental
description: Detects attempts to stop backup-related services using sc.exe. Attackers often stop services to prevent backups or allow file deletion.
references:
  - https://attack.mitre.org/techniques/T1489/
author: Security Arsenal
date: 2024/10/28
tags:
  - attack.impact
  - attack.t1489
logsource:
  category: process_creation
  product: windows
detection:
  selection_sc:
    Image|endswith: '\sc.exe'
    CommandLine|contains: ' stop '
  selection_backup_services:
    CommandLine|contains:
      - 'VeeamBackupSvc'
      - 'AcronisManagedMachineService'
      - 'MMS'
      - 'CBT'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative maintenance
level: high
---
title: Deletion of Volume Shadow Copies
id: 5e9c4b3e-2d7f-5c8g-0b1e-4f6a7b8c9d0e
status: experimental
description: Detects commands used to delete Volume Shadow Copies (VSS), a common precursor to ransomware to prevent file recovery.
references:
  - https://attack.mitre.org/techniques/T1490/
author: Security Arsenal
date: 2024/10/28
tags:
  - attack.impact
  - attack.t1490
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\vssadmin.exe'
      - '\wmic.exe'
      - '\powershell.exe'
    CommandLine|contains:
      - 'delete shadows'
      - 'shadowstorage delete'
      - 'Remove-WmiObject -Class Win32_ShadowCopy'
  condition: selection
falsepositives:
  - System administration tasks (rare in production environments)
level: critical
---
title: Acronis CLI Backup Deletion or Stop
id: 6a0d5c4f-3e8g-6h9i-1c2d-5e7f8a9b0c1d
status: experimental
description: Detects usage of Acronis CLI tools (acrocmd) with arguments indicating backup stop, deletion, or unregistration.
references:
  - https://www.acronis.com
datauthor: Security Arsenal
date: 2024/10/28
tags:
  - attack.impact
  - attack.t1485
logsource:
  category: process_creation
  product: windows
detection:
  selection_tool:
    Image|endswith:
      - '\acrocmd.exe'
      - '\ManagedMachineService.exe'
  selection_params:
    CommandLine|contains:
      - ' --delete '
      - ' --unregister '
      - ' --stop '
  condition: all of selection_*
falsepositives:
  - Backup administrator operations
level: medium


**KQL (Microsoft Sentinel / Defender)**
KQL — Microsoft Sentinel / Defender
// Hunt for backup service stops and VSS deletion attempts
DeviceProcessEvents
| where Timestamp > ago(24h)
| where (ProcessCommandLine contains " stop " and FileName =~ "sc.exe") or
       (ProcessCommandLine contains "delete shadows" and FileName in~ ("vssadmin.exe", "wmic.exe")) or
       (FileName in~ ("acrocmd.exe", "veeam.cmd") and (ProcessCommandLine contains "delete" or ProcessCommandLine contains "stop"))
| extend Evidence = Pack(ProcessCommandLine, AccountName, DeviceName)
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, AccountName, Evidence


**Velociraptor VQL**
VQL — Velociraptor
-- Hunt for suspicious process execution related to backup sabotage
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "sc.exe" AND CommandLine =~ "\s+stop\s+(Veeam|Acronis|MMS)"
   OR Name =~ "vssadmin.exe" AND CommandLine =~ "delete"
   OR Name =~ "wmic.exe" AND CommandLine =~ "shadow"
   OR Name =~ "powershell.exe" AND CommandLine =~ "Remove-WmiObject.*ShadowCopy"


**Remediation Script (PowerShell)**
PowerShell
<#
.SYNOPSIS
    Backup Integrity Check & Verification Script
.DESCRIPTION
    Checks status of critical backup services and verifies connectivity to backup repositories.
    Run this as a scheduled task or during incident response triage.
#>

$CriticalServices = @(
    "VeeamBackupSvc",
    "AcronisManagedMachineService",
    "VeeamCatalogSvc",
    "MMS"
)

Write-Host "[+] Initiating Backup Infrastructure Health Check..." -ForegroundColor Cyan

$FailedServices = @()

foreach ($ServiceName in $CriticalServices) {
    $Service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($Service) {
        if ($Service.Status -ne "Running") {
            Write-Host "[!] CRITICAL: Service $ServiceName is currently stopped." -ForegroundColor Red
            $FailedServices += $ServiceName
        } else {
            Write-Host "[+] OK: Service $ServiceName is running." -ForegroundColor Green
        }
    } else {
        Write-Host "[-] INFO: Service $ServiceName not found on this host." -ForegroundColor Gray
    }
}

if ($FailedServices.Count -gt 0) {
    Write-Host "[!!!] ALERT: Backup services have been stopped. Investigate immediately." -ForegroundColor Red
    # Optional: Auto-restart could be enabled here, but manual review is recommended during IR.
    # Start-Service -Name $FailedServices -ErrorAction SilentlyContinue
} else {
    Write-Host "[+] No backup service anomalies detected." -ForegroundColor Green
}

# Check for recent VSS Deletion Events (Event ID 7036 for service stop, or look for process logs)
Write-Host "[+] Checking Event Logs for VSS Admin interaction..."
$VssEvents = Get-WinEvent -LogName "Security" -FilterXPath "*[System[(EventID=4688)]] and *[EventData[Data[@Name='NewProcessName']='C:\Windows\System32\vssadmin.exe']]" -MaxEvents 5 -ErrorAction SilentlyContinue
if ($VssEvents) {
    Write-Host "[!] WARNING: vssadmin.exe execution detected recently." -ForegroundColor Yellow
    $VssEvents | Select-Object TimeCreated, Message | Format-List
}

Remediation

To defend against pre-encryption backup sabotage, implement the following controls immediately:

  1. Implement MFA for Backup Consoles: Require phishing-resistant MFA (FIDO2/WebAuthn) for accessing the management interface of Veeam, Acronis, or Commvault. Do not rely solely on static credentials or AD groups.
  2. Segregate Backup Accounts: The service account used by the backup software must not be a Domain Admin. It should have delegated permissions only on specific machines and strict write-only access to the backup storage repository.
  3. Enforce Immutable Storage: Configure your backup storage (AWS S3 Object Lock, Azure Immutable Blob, or WORM-enabled on-prem storage) so that data cannot be deleted for a set retention period (e.g., 30 days), even by a malicious administrator.
  4. Monitor for "Stop" Events: Implement the Sigma rules above. Any stopping of a Veeam or Acronis service should trigger an immediate high-severity alert to the SOC.
  5. Offline Backups: Maintain at least one offline copy (tape or cloud storage with air-gapped access patterns) that is not connected to the network during standard operations.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwarebreach-responseforensicsdfirbackup-securitydefense-evasionacronis

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action