Ransomware files were found hiding just out of sight in the backups of a European insurance company. They had been there, undetected, for almost two years.
On a quiet Friday afternoon in November, a small team from a major European insurance company were reviewing the results of a routine recovery test. They had recently introduced Predatar as part of a broader effort to strengthen their cyber resilience. Until then, they had relied heavily on their annual disaster recovery exercise as evidence that their environment could be recovered if needed. It was a long-established practice, familiar and predictable, but it had not kept pace with the reality of modern cyber threats.
Traditional disaster recovery procedures are built for outages and physical disruption. They focus on restoring services by failing over from one site to another. This approach works when the threat is to the infrastructure rather than to the data itself. It does not work for ransomware. By the time an organisation triggers a failover from Site A to Site B, replication has usually already carried the encrypted data, and often the malware itself, to both sites. Cyberattacks require a completely different mindset. Recovery must prove that the data itself is clean, safe and fit to return to production.
This was the reason the company had failed its recent cyber resilience audit. They had no reliable way to perform regular recovery testing. The engineering effort required to stand up clean environments, restore data, analyse behaviour and run malware scans was far beyond what their teams could sustain manually. In practical terms, they had no means of validating the integrity of their backups.
When they evaluated their options, Predatar stood out. It worked across all major backup and storage technologies, including the Veeam and IBM FlashSystem platforms already in place. It provided automated cleanroom validation at a scale that would have been unrealistic to achieve manually. Most importantly, it allowed the company to begin performing daily recovery tests, something that had previously been impossible.
They began with a small but critical subset of their systems, referred to internally as their Minimum Viable Company. These were the essential servers they would need to restore first in the event of a cyberattack in order to re-establish a basic, functioning version of the business. The early results were consistent, reliable and easy to interpret. They quickly took the decision to expand the testing to all backups and all servers.
Only a week after the full rollout, an automated recovery test inside the isolated CleanRoom surfaced something unexpected. Within a restored workload, Predatar identified encrypted files and a ransom note. The files were not new; they were remnants of a previous incident.
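To make the kind of check described above concrete, here is an added example of a minimal post-restore scan: it walks a restored volume and flags ransom notes (by file name and body text), files carrying known ransomware extensions, and high-entropy files with an unrecognised extension. This is illustration code written for this article, not Predatar's detection logic; the indicator lists, the 7.5 bits-per-byte entropy threshold and the sample files it builds are all constructed assumptions.

```python
import math
import re
import random
import tempfile
from collections import Counter
from pathlib import Path

# Hypothetical indicators chosen for illustration; real tooling uses far larger lists.
NOTE_NAME_RE = re.compile(r"(readme|how_to|restore|decrypt|recover).*\.(txt|html|hta)$", re.I)
NOTE_BODY_RE = re.compile(r"\b(your files (have been|are) encrypted|bitcoin|decrypt(ion)? key)\b", re.I)
ENCRYPTED_EXTS = {".locked", ".crypt", ".enc", ".encrypted"}
# Legitimately compressed formats look random too; skip them to limit false positives.
KNOWN_COMPRESSED = {".zip", ".gz", ".7z", ".jpg", ".png", ".pdf", ".mp4"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; ciphertext and random data sit near 8.0
MIN_SIZE = 256            # tiny files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_restored_volume(root) -> list:
    """Return (finding_kind, relative_path) tuples for suspicious files under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        # Ransom notes are small text files, so check them before the size gate.
        if NOTE_NAME_RE.search(path.name):
            head = path.read_bytes()[:4096].decode("utf-8", "replace")
            if NOTE_BODY_RE.search(head):
                findings.append(("ransom_note", rel))
                continue
        data = path.read_bytes()
        if len(data) < MIN_SIZE:
            continue
        suffix = path.suffix.lower()
        if suffix in ENCRYPTED_EXTS:
            findings.append(("encrypted_file", rel))
        elif suffix not in KNOWN_COMPRESSED and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy", rel))
    return findings


def build_sample_volume(root) -> None:
    """Constructed stand-in for a restored server: one clean file, one archive,
    one encrypted document, one unknown high-entropy blob and one ransom note."""
    root = Path(root)
    rng = random.Random(7)  # deterministic "ciphertext" for the example
    noise = bytes(rng.getrandbits(8) for _ in range(4096))
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "data").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "notes.txt").write_text("Quarterly renewal figures, nothing unusual here.\n" * 20)
    (root / "data" / "backup.zip").write_bytes(noise)          # compressed: ignored
    (root / "docs" / "report.docx.locked").write_bytes(noise)  # known ransomware extension
    (root / "data" / "cache.dat").write_bytes(noise)           # random content, unknown type
    (root / "docs" / "HOW_TO_RESTORE_FILES.txt").write_text(
        "All your files have been encrypted!\nSend 2 bitcoin to the address below.\n")


def demo() -> list:
    """Build the sample volume in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp(prefix="cleanroom-"))
    build_sample_volume(root)
    return sorted(scan_restored_volume(root))


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:15s} {rel}")
```

The entropy test on its own is noisy: archives, images and already-encrypted databases all score close to 8.0, which is why the scan gates it on the extension and treats the ransom-note match and the known-extension match as the high-confidence signals. In a real cleanroom the same walk would run against a mounted restore point and feed a malware scanner rather than stop at these heuristics.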
The company investigated and confirmed that they had suffered a ransomware attack two years earlier. A specialist incident response provider had managed the remediation at the time. However, this particular server had not been included in the cleanup. As a result, the encrypted files and the ransom note had remained unnoticed in production for almost two years.
The location of the server was also significant. It hosted the organisation’s SIEM and wider SecOps platform. Despite being a central point for security monitoring, neither the platform nor the additional security tools running on it had detected the remnants of the old attack.
The finding prompted a broader realisation. If this evidence of ransomware had remained hidden on a highly visible system, similar issues could easily exist elsewhere without detection. The value of continuous recovery testing became immediately clear. It provided visibility not only into whether data could be restored, but whether that data was genuinely safe.
Predatar’s ongoing analysis has shown that hidden malware is present in the backup data of the vast majority of organisations, with discoveries in more than ninety per cent of customer environments worldwide. This does not reflect a failure of security teams. It reflects the sophistication of attackers, the complexity of modern infrastructure and the limitations of relying on a single set of tools to identify every threat.
For the insurance company, continuous recovery testing is now a fundamental part of their cyber strategy. They have moved from annual exercises to daily assurance. They can verify the integrity of their backups with confidence. And they have a far clearer understanding of what it takes to recover safely in a world where cyberattacks often unfold long before they are detected.
Hunt down and eliminate recovery threats in your backups and snapshots.
To discover how you can start pre-emptive recovery testing in an easy-to-deploy Recovery Assurance CleanRoom, watch this short explainer video or contact the Predatar team.