21 November 2025

A Ghost in the Machine

Ransomware files were found hiding just out of sight in the backups of a European insurance company. They had been there, undetected, for almost 2 years.

On a quiet Friday afternoon in November, a small team from a major European insurance company were reviewing the results of a routine recovery test. They had recently introduced Predatar as part of a broader effort to strengthen their cyber resilience. Until then, they had relied heavily on their annual disaster recovery exercise as evidence that their environment could be recovered if needed. It was a long-established practice, familiar and predictable, but it had not kept pace with the reality of modern cyber threats.

Traditional disaster recovery procedures are built for outages and physical disruption. They focus on restoring services by failing over from one site to another. This approach works when the threat is external to the data. It does not work for ransomware. By the time an organisation triggers a failover from Site A to Site B, the ransomware has usually already replicated itself across both. Cyberattacks require a completely different mindset. Recovery must prove that the data itself is clean, safe and fit to return to production.

This was the reason the company had failed its recent cyber resilience audit. They had no reliable way to perform regular recovery testing. The engineering effort required to stand up clean environments, restore data, analyse behaviour and run malware scans was far beyond what their teams could sustain manually. In practical terms, they had no means of validating the integrity of their backups.

When they evaluated their options, Predatar stood out. It worked across all major backup and storage technologies, including the Veeam and IBM FlashSystem platforms already in place. It provided automated cleanroom validation at a scale that would have been unrealistic to achieve manually. Most importantly, it allowed the company to begin performing daily recovery tests, something that had previously been impossible.

They began with a small but critical subset of their systems, referred to internally as their Minimum Viable Company. These were the essential servers they would need to restore first in the event of a cyberattack in order to re-establish a basic, functioning version of the business. The early results were consistent, reliable and easy to interpret. They quickly took the decision to expand the testing to all backups and all servers.

Only a week after the full rollout, an automated recovery test inside the isolated CleanRoom surfaced something unexpected. Within a restored workload, Predatar identified encrypted files and a ransomware note. The files were not new; they were remnants of a previous incident.

The company investigated and confirmed that they had suffered a ransomware attack two years earlier. A specialist incident response provider had managed the remediation at the time. However, this particular server had not been included in the cleanup. As a result, the encrypted files and the ransom note had remained unnoticed in production for almost two years.

The location of the server was also significant. It hosted the organisation’s SIEM and wider SecOps platform. Despite being a central point for security monitoring, neither the platform nor the additional security tools running on it had detected the remnants of the old attack.

The finding prompted a broader realisation. If this evidence of ransomware had remained hidden on a highly visible system, similar issues could easily exist elsewhere without detection. The value of continuous recovery testing became immediately clear. It provided visibility not only into whether data could be restored, but whether that data was genuinely safe.

Predatar’s ongoing analysis has shown that hidden malware is present in the backup data of the vast majority of organisations, with discoveries in more than ninety per cent of customer environments worldwide. This does not reflect a failure of security teams. It reflects the sophistication of attackers, the complexity of modern infrastructure and the limitations of relying on a single set of tools to identify every threat.

For the insurance company, continuous recovery testing is now a fundamental part of their cyber strategy. They have moved from annual exercises to daily assurance. They can verify the integrity of their backups with confidence. And they have a far clearer understanding of what it takes to recover safely in a world where cyberattacks often unfold long before they are detected.

Hunt down and eliminate recovery threats in your backups and snapshots.

To discover how you can start pre-emptive recovery testing in an easy-to-deploy Recovery Assurance CleanRoom, watch this short explainer video or contact the Predatar team.

Learn more about
Predatar recovery assurance

05 November 2025

Reunification, Reinvention and Resilience.

Author: Alistair Mackenzie.

Within a year of the Berlin Wall coming down, two former East German soldiers set about building a new business. Fuelled by the optimism of the era and a passion for technology, ADICOM© was born. 35 years later, it’s one of the most innovative storage and backup businesses in Germany, leading the way with ground-breaking recovery assurance services.

This week I took some time out to reconnect with two people that continue to drive the ADICOM© business forward every day. Chris Hogrefe [IT System Specialist] and Ralf Brummack [Chief Marketing Officer] told me the story behind ADICOM© and explained how they have embraced the bold optimism of the founders.

The Story Begins

Frank Lasinski and Peter Schulz met during their time in the military. They shared an interest in technology and studied computer science during this time. By the time Germany was reunified in 1990, the pair had become firm friends. Within a year of the Berlin Wall coming down, they had left the army to set up their own technology business in the south of Berlin.

In the early years, ADICOM© was a technology broker, specialising in reconditioning and selling the big IBM enterprise systems of the day – like Mainframe and AS/400.

More skills. More recognition. More customers

As the team grew, so did its expertise. The company’s ambitions grew too. By 1995, ADICOM© was recognised as a leading expert in IBM technology and became an authorised IBM Business Partner in Germany, authorised for AS/400, IBM Storage, IBM Intel-based servers and IBM Printing systems.

The team began reselling new IBM systems to medium and large enterprises in Berlin and beyond, expanding their capabilities to incorporate IBM AIX and Power systems.

Ralf Brummack explained: “Frank and Peter have always been quick to recognise new opportunities and move fast. They encourage us to do the same. We’re proud to be early adopters of innovative technologies that we know will make a difference to our customers.” 

When IBM moved into the backup software space with the acquisition of Tivoli, including TSM (Tivoli Storage Manager), ADICOM© was right there.

As well as reselling TSM (later renamed IBM Storage Protect), ADICOM© launched managed backup and recovery services with TSM under the hood. Led by Chris Hogrefe, ADICOM©’s backup service offerings have proven to be popular with existing ADICOM© customers and have helped the business attract new clients too.

Evolution with Predatar

Backup sales and services were a great driver for growth at ADICOM© for more than a decade, but times have changed. “You can no longer grow a business selling backup products and services,” Chris explains. “Today everyone has a backup solution in place, and for big businesses, moving to a different one is really hard and, in most cases, too expensive.”

Always looking for the next evolution, Chris was actively searching for ways to move ADICOM©’s backup services forward – to add more value for customers, and more differentiation in the marketplace. When he discovered Predatar at an IBM Storage Expert event in Augsburg (Germany) in 2022, he knew it would be the beginning of something exciting.

Following an intensive hands-on technical bootcamp with the Predatar Team in the UK, Chris and his team wasted no time in building the ADICOM© Data Resiliency Service (ADRS).

Data Resiliency with ADICOM©

ADRS, powered by Predatar, is available to businesses that use IBM Storage Protect or IBM Defender Data Protect backup software. ADICOM© can also deliver this unique service for Veeam users.

With ADRS, ADICOM© will take care of the day-to-day maintenance of your backup environment, ensure that all of your backup runs are successful, and fix any problems. But the real differentiation comes in ADICOM©’s ability to run continual recovery tests and malware interrogation. This capability is achieved with the Predatar Recovery Assurance platform and gives ADICOM© customers complete confidence in their ability to recover quickly, cleanly and completely in the event of a cyber incident.

What’s next for ADICOM©?

35 years on, the original founders of ADICOM©, Frank Lasinski and Peter Schulz, remain active in their leadership of the business, and it’s clear from my conversations with Ralf and Chris that their bold approach to innovation, their passion for technology and their optimism for the future have become infused into the culture at ADICOM©.

When I asked, “what’s next for ADICOM©?” the answer was simple. Chris explained, “We’ll keep on innovating with a very clear focus. We want to be the best at what we do. We want to offer the very best storage and recovery solutions to tackle the challenges facing businesses in Germany today.”

Boost your data resiliency with ADICOM© 

If boosting resiliency in your business is a priority, you can find out more about ADICOM© at www.adicom.group or email the team at consulting@adicom-group.de 

Find an APEX partner near you.

The Predatar APEX program is a global network of service providers with elite data resiliency capabilities. Find an APEX partner in your region here.  


30 October 2025

How To Avoid a Digital Bloodbath

At Predatar, we’re getting into the spooky season by watching some of our favourite scary movies. Here are five lessons from the original 1996 Scream movie to help you avoid a digital bloodbath.

⚠️ Warning! This blog contains spoilers. But seriously, if you haven’t seen Scream, where have you been for the last 29 years?

Locking the door isn’t enough

Countless times in this classic slasher movie, a door is locked to keep the killer out – but moments later, he’s inside, knife in hand, ready to strike. If you’ve seen Scream, you’ll know how he does it, but that’s not really important here. The point is this:

If someone really wants to get inside, they will.

Cybercriminals are just as determined, creative, and motivated. You might think your IT perimeter is locked down with leading enterprise cybersecurity tools, but the evidence tells us these defences are far from infallible – especially when you consider that over half of ransomware attackers use compromised login credentials to gain access to critical systems.

Hackers don’t hack anymore. They log in.

Lesson #1: Prepare for the breach. You need to know exactly how you’ll respond when the bad guys get in – because we all know that running up the stairs in a panic never ends well.

Anyone can be next

Just as certain industry sectors are at high risk from ransomware attacks, the Ghostface slasher in Scream has a “type”. Most of his victims are teenage girls (and their boyfriends), but there are a few exceptions. Principal Himbry of Woodsboro High School, for example, meets a particularly messy end when he’s stabbed in his office and left hanging from the football goalposts.

Does his murder drive the plot? Not really. But it adds tension, and reminds us that the attacker is calling the shots. He’s unpredictable. Anyone could be next.

When it comes to ransomware, the same is true. While industries such as manufacturing, financial services, healthcare, and utilities are at highest risk, the reality is that any organisation can be hit.

Lesson #2: Don’t be complacent. Face up to the fact that your organisation could be a target.

Attackers do their homework

In the opening (and, in our opinion, the most intense) scene, the phone rings. The sinister voice on the other end walks Casey through a sequence of ‘games’, culminating in the gruesome deaths of her and her boyfriend, Steve. The double murder takes just minutes to play out – but it’s been planned impeccably.

The attacker knows everything about the victim and her home. He knows the floor plan. He knows where the exits and light switches are. He even knows how she’ll react to certain triggers.

Just eleven minutes after Casey first picks up the phone, her disembowelled body is hanging from a tree while her boyfriend sits duct-taped to a deckchair, his vital organs exposed. But here’s the thing: for that attack to run like clockwork, there had to be weeks of surveillance and planning.

That’s the modus operandi for ransomware attackers, too. They conduct detailed reconnaissance before executing a clinical and devastating attack.

In more than 90% of ransomware incidents, surveillance tools such as keyloggers and infostealers have been found inside victims’ systems. If you can catch attackers in this reconnaissance phase, you can stop an attack before it begins.

Lesson #3: Assume you’re already under surveillance. Look for the digital clues of hacker reconnaissance in your IT environment – every day.

The odds are against you

For the masked slasher, each murder is a game – but it’s a game he’s designed himself, so the odds are stacked in his favour. This is best illustrated when he tells Sidney,

“I ask a question… Get it wrong, you die. Get it right, you die.”

All too often, ransomware attacks are lose–lose situations too. Paying the ransom doesn’t guarantee anything. Of the organisations that pay, only 8% get all of their data back.

Worse still, double extortion is now commonplace. Even if you’re “lucky” enough to have your data decrypted after paying a ransom (which typically costs more than $1 million USD), the attackers may deliver a second ransom demand – threatening to publish your sensitive data on the dark web.

But – big spoiler alert – Sidney doesn’t die. She outsmarts the attackers. She refuses to play their game. And you can too.

The best way to survive a ransomware attack is to stop the game before it begins. Thanks to Predatar’s recovery-driven threat detection, you can detect and prevent attacks before they start.

Lesson #4: Think differently. Outsmart the attackers with new and innovative solutions.

Timing is everything

The attacks in Sidney’s and Casey’s homes take place when their parents are out — they’re home alone. Of course, this isn’t a coincidence; it’s an integral part of the killer’s plan.

Ghostface strikes at carefully chosen moments to maximise his chances of success and minimise the risk of intervention.

Cybercriminals do the same. It’s no coincidence that there’s a spike in reported cyberattacks during public holidays, when most organisations are shut down or operating with skeleton staff (Halloween pun not intended).

A rapid response to an active cyberattack dramatically reduces its impact. In a cyber crisis, every minute counts. But when your staff – including IT and security teams – are offline, those response times are significantly extended.

Lesson #5: Act now. The biggest holiday season of the year is just weeks away, but it’s not too late to stop an attack with pre-emptive, recovery-driven threat detection.

Join the next Predatar Webcast – and avoid a digital bloodbath

Join the next Predatar webcast to:

  • Hear about a real-world use case where hackers’ surveillance tools were uncovered inside a customer’s storage environment thanks to pre-emptive data validation.
  • Discover how automated recovery testing and malware interrogation in a CleanRoom can stop cyberattacks, before damage is done.
  • Learn how you can deploy your own Recovery Assurance CleanRoom quickly and easily.

Predatar event promotion: Stop the Boom! Before It Happens with tech presenters on Nov 19.


15 October 2025

Say Yes to Hard Problems

Why STORServer and Predatar Are Building the Future of Resilience Together.

All too often, companies stick to what’s easy. They take the path of least resistance. But the history of STORServer is different. For more than 30 years, the company has built its reputation on saying “yes” to the hard problems – tackling the complex, stubborn challenges that other vendors would rather avoid. Why? To make life simpler for their customers.

That ethos has shaped STORServer into what it is today: a trusted partner to organizations that depend on backup and recovery not just as a compliance checkbox, but as the lifeline of their business. And it’s why the company’s partnership with Predatar feels less like a transaction and more like a shared mission.

Built on a Big Idea: Simplifying Backup

When STORServer was founded in Colorado in the mid-1990s, backup was overwhelming for most IT teams in small and mid-sized businesses. Dropping in massive, complex systems was a recipe for frustration.

STORServer’s solution was radical in its simplicity: deliver pre-configured appliances that worked out of the box, with built-in tools and responsive support. Customers could finally stop wrestling with backup and start trusting it.

That commitment to simplicity, backed by deep technical expertise, became STORServer’s DNA. It’s a mindset that Predatar shares, as both companies look to simplify one of today’s hardest challenges in IT: building cyber resilience.


Legacy Matters. But So Does Innovation

One of the most powerful examples of STORServer’s “yes” mindset is its ongoing support for legacy systems like VMS. While many backup vendors have walked away from supporting those environments, STORServer still invests in building and maintaining tools to protect them.

As Scott Jangro, STORServer’s Head of Operations, put it:

“Supporting those legacy systems is important for us. We’re still actively developing VMS backup clients so customers can work those systems into their overall strategy.”

At the same time, STORServer isn’t standing still. With Predatar, the company is now applying its proven appliance model to cyber resilience, creating clean room recovery appliances that make one of today’s most complex challenges—bouncing back after a cyberattack—far more manageable.

A Meeting of Minds: Fresh Perspectives and Deep Roots

STORServer’s story is not just about technology, but about people. After decades of leadership that began with six founders – three of whom continue to guide the company today – Jangro has stepped in to help take the business into its next era. His background – spanning SaaS, startups, and product marketing – brings a fresh perspective that complements the deep experience of the long-standing team.

He sees his role as asking the hard questions, just as Predatar’s leaders once did when they challenged traditional views of backup.

“There’s only upside in bringing in a fresh pair of eyes,” Jangro said. “Asking questions, identifying things that maybe haven’t been thought of—that’s how we move forward.”

It’s this balance of deep heritage and fresh energy that makes the Predatar and STORServer partnership so powerful.

Saying Yes Together

At its heart, the partnership between Predatar and STORServer is about giving customers confidence in a world that’s only getting more complex. STORServer’s legacy is built on decades of saying yes to tough backup problems. Predatar exists to tackle the hard new problem of cyber resilience.

Together, they’re offering businesses something unique. STORServer’s new Cleanroom Appliance ships with Predatar’s unique Recovery Assurance capabilities baked-in.

If you’re looking to remove the complexity of cyber resilient backup and recovery in your organisation, ask the team at STORServer if they can help.

I think we all know the answer is yes!


Learn more:
Discover STORServer’s cyber-resilient backup appliances, powered by Predatar here or contact the STORServer team today!


02 October 2025

Another Cyberattack Stopped with Predatar’s Secret Superpower.

Predatar is all about recovery readiness. Our unique Recovery Assurance Software and CleanRoom technology have been designed to validate the recoverability and cleanliness of your data before a crisis hits. But Predatar has an extra superpower. And it’s huge!

This week, Predatar uncovered a live and potentially very serious cyberattack in the early stages – inside a customer’s IT environment. By raising the alarm, the infrastructure and cyber security teams in the target organisation were able to take action – and stop the attack in its tracks.

The Target Organisation

The target of the cyberattack is a local government organisation in Austria. Predatar Recovery Assurance software and a Predatar CleanRoom were deployed around a year ago to continually validate immutable snapshots of their most important business systems – which are running on IBM FlashSystems. If these systems went offline, services that citizens rely on would be seriously disrupted, including public transport, law enforcement, emergency response and more.

What Happened?

During a routine scheduled scan, Predatar uncovered malware inside a snapshot that had not previously been detected anywhere else in the customer’s IT environment.

As usual, Predatar began to clean the malware from the snapshot and immediately raised an alert with both the infrastructure and cyber security teams within the customer organisation.

Further investigation quickly revealed that the malware posed a real and very imminent threat.

The Attack

Thanks to the built-in Trend Micro cyber security tools, Predatar had found hacking tools on a virtual machine within a snapshot. The VM didn’t contain business-critical data and was considered by the customer to be a low-priority workload. As a result, it didn’t have the same security protocols as other more critical workloads, and patching best practices hadn’t been maintained.

The malware that was uncovered included ‘tunnelling’ tools designed to help hackers achieve lateral movement within an IT environment. It quickly became evident to the team investigating the threat that hackers were actively using this unassuming Linux server as a ‘jump box’ to access more critical systems.

Thanks to Predatar, the customer was able to take the compromised system offline, execute forensic analysis of their networks to understand if the hackers had managed to gain access to other systems, and contain the threat.

Boom Avoided

The moment that attackers ‘activate’ a cyberattack is often referred to as ‘The Boom.’ That’s when data becomes encrypted, users are locked out, and systems go offline. But cyberattacks don’t happen instantly. Typically, attackers have access to IT systems for at least 14 days before they activate the attack. During this ‘Pre-Boom’ phase attackers deploy specialised tools to gain access to as many systems as possible, to elevate their privileges, and to lay the groundwork for maximum damage.

By identifying an attack in the ‘Pre-Boom’ phase, Predatar was able to avoid a ‘Boom’ event altogether.

The Predatar Superpower

First and foremost, Predatar is designed to give its users total confidence in their ability to execute a fast, clean and complete recovery. While threat detection is not the primary purpose of Predatar, it’s an extremely valuable superpower!

Is a ‘Boom’ coming in your organisation?

Join our next webcast, ‘Stop the Boom… Before it Happens’ to learn more about the timeline of cyberattacks, and how you can stop them before the critical ‘Boom’ moment.


26 September 2025

Ogres Are Like Onions

There’s a scene in the movie Shrek where he explains to Donkey that ogres are like onions. “They have layers,” Shrek says. But Donkey doesn’t get it.

He complains that onions smell, they make you cry, and if you leave them out in the sun, “they turn brown and sprout little white hairs.” 

It’s a funny moment, but it’s also a reminder that layers matter. Neglect them, and they go bad. When it comes to cyber resilience, the same is true. 

Cyber Security vs Cyber Resilience

Most businesses and most cybersecurity professionals already understand that Cyber Security needs layers. Nobody relies on just one product to keep attackers out. They invest in firewalls, XDR tools, SIEM platforms, SOAR automation, and more. It’s a defence-in-depth strategy designed to stop even the most persistent and aggressive intrusions. 

But when the conversation shifts to Cyber Resilience (the ability to recover when an attack does get through), that layered thinking often disappears. Responsibility usually falls to infrastructure or IT operations teams, and here the market is flooded with vendors promising “one solution to fix all your resilience problems.”

Sadly, much like Shrek, it’s total fantasy. Just as security needs multiple layers to stop people getting in, resilience needs multiple layers to get you back up and running when things go wrong. Recovering from ransomware isn’t the same as recovering from mass deletion, and neither is it the same as protecting against data theft. Each scenario requires different technologies, different approaches, and different ways of proving you can bounce back. 

Resilience is not a single product. It’s an onion. 

Why Layers Matter

Attackers don’t follow a script. They exploit whatever door is left open: 

  • Poorly patched systems 
  • Compromised credentials 
  • Misconfigured remote desktop (RDP) 
  • Zero-day vulnerabilities
  • Human error 

And once inside, their goals differ: 

  • Data theft (exfiltration): quietly stealing information. 
  • Data destruction: wiping files to cripple operations. 
  • Encryption and ransom: locking systems down for profit. 

Each of these requires a different kind of detection and a different kind of recovery. That’s why resilience must be layered with overlapping defences that detect, contain, and restore, no matter what form the attack takes. 

IBM Storage Defender: Layers That Flex With You 

This is where IBM Storage Defender stands apart. Rather than selling the fairy tale of one-size-fits-all, IBM builds resilience in modular, flexible layers that can adapt as your risks and priorities change. 

Here’s how those layers work together: 

  • File-level anomaly sensors flag unusual behaviour before it spreads. 
  • Real-time ransomware detection built into IBM FlashSystem stops encryption attempts mid-attack. 
  • Safeguarded immutable copies create untouchable restore points, immune to deletion or corruption. 
  • Air-gapped backups provide an offline safety net. 
  • Automated recovery workflows slash downtime from days to hours. 
  • Centralized dashboards and analytics help teams detect trends and spot vulnerabilities before attackers do. 

And because every business is different, IBM’s Resource Units licensing model makes it easy to pick the layers you need today and shift them as your environment evolves. It’s flexibility by design, not a locked-in bundle.

Predatar: Proving Recoverability

Of course, it’s not enough to have defences; you also need to prove recovery. That’s where Predatar adds another vital layer. 

Predatar goes beyond backup. It proactively hunts for malware hidden in recovery environments to find the kind of threats that may have slipped past your XDR tools. In fact, Predatar has found malware in 86% of customer environments. That’s proof that threats often linger undetected until they’re ready to strike. 

By validating backups, scanning for ransomware, and demonstrating recoverability, Predatar ensures that when you hit restore, you’re restoring safely – and not bringing back the problem that took you down. 

The Onion Lesson

Donkey was right: onions left unattended go bad. The same is true of cyber defences. Leave them neglected, untested, or oversimplified, and you’re handing attackers an opportunity. 

Build layers, and resilience becomes something attackers can’t easily peel away. IBM is one of the few vendors honest enough to say that resilience takes multiple layers, and with Storage Defender plus partners like Predatar, businesses can finally build security that doesn’t just defend, but recovers too. 

So yes, onions may make you cry. But with a multi-layered approach to resilience, it’s the attackers who will be in tears. 


Discover Predatar for IBM Storage in 90 Seconds.

It’s never been easier to add a Recovery Assurance CleanRoom to your existing IBM storage environment. Discover how Predatar works in this short video. To find out more, contact your IBM Storage Rep, your IBM Reseller, or contact us directly.


04 September 2025

7 Step Playbook for Proving You Can Recover

Practical steps you can start using today to build recovery confidence and get compliant.

In a recent blog, we looked at how regulations like NIS2, DORA and FISMA are changing the game for backup and recovery.

You can read it here:
Regulations Crash the Party

The response to the article has been huge. We’ve been receiving a lot of questions asking for more detail. Unsurprisingly, regulatory compliance seems to be high on the list of priorities when it comes to the challenges our readers are facing right now. 

At Predatar, we like to give the people what they want. So, in this blog we’re digging deeper into the topic. We’re moving from the ‘why’ to the ‘how,’ to give you practical advice that will help you prove you can recover effectively – giving you recovery confidence and helping you achieve compliance.

Here’s a practical playbook based on 7 steps you can start using right away. 


#1. Know your obligations 

Begin by understanding exactly which regulations apply to you. This might be direct (because you operate in a regulated sector) or indirect (because you are part of the supply chain for a regulated customer). Write the requirements down, highlight the parts that relate specifically to recovery, and make sure your leadership team and IT teams are looking at the same information. 

#2. Define what “acceptable” downtime looks like 

Your Recovery Time Objective (RTO) should never be a guess. It should reflect the real cost of downtime in your business. Calculate what an outage of critical IT systems will cost your business per hour and multiply this by how many hours a full recovery will take. Is the total acceptable? Can your business tolerate the impact? If not, you’ve got important work to do.

To give some context, The True Cost of Downtime in 2025 Report by Erwood Group has found that for 90% of medium-sized enterprises, the cost of IT downtime is greater than $300,000 (USD) per hour.

#3. Test your backups every single day 

It’s not enough to run a quick restore in a safe lab environment once a year or carry out the occasional data centre failover test. The threats you’re facing today don’t wait for annual tests. Modern ransomware and the reconnaissance tools attackers are using are designed to evade primary security tools without detection. By the time an attack is launched, the malware has probably burrowed deep inside your backups. 

We know this because Predatar has found hidden malware in the backups of 86% of our customers. If you’re only testing infrequently, you’re giving the attackers a head start. Testing daily means you can catch and remove malicious code before it has a chance to cause real damage, and you can be confident that your recovery point is both safe and ready to go when you need it. 

#4. Check the health of your backups 

Before you recover anything, be certain it’s clean. This means scanning for dormant malware and confirming the integrity of the data before it re-enters your production environment. 

#5. Automate the evidence 

Most regulations don’t just want you to be compliant, they want you to prove it. Automate the collection of logs, test results and recovery reports so that when the auditors ask for proof, you can provide it immediately. 

#6. Close the gaps quickly 

If a test shows you are not meeting your RTO, or if your backups fail a malware scan, treat it as an opportunity to improve. It is far better to find and fix weaknesses during a test than in a real crisis.

#7. Make it part of your routine 

Recovery testing should be part of your regular operational rhythm. Daily testing ensures your team is always ready, and your documentation is always accurate and up to date. Thanks to automation and AI, daily recovery testing and reporting is now easy to achieve.
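Steps #2, #5 and #6 can be combined in one small routine. The sketch below is an added example, not Predatar's code or output: it scores each daily recovery test against the RTO and the scan results, then appends the result to a hash-chained evidence log. The record fields, the 4-hour RTO and the SHA-256 chaining are assumptions; the $300,000 per hour figure is the Erwood Group number quoted above.

```python
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for the hash chain (assumption)

def evaluate(test, rto_hours, cost_per_hour):
    """Steps #2, #4, #6: score one recovery test against the RTO and scan results."""
    findings = []
    if test["recovery_hours"] > rto_hours:
        findings.append("RTO_MISSED")
    if not test["malware_scan_clean"]:
        findings.append("MALWARE_FOUND")
    if not test["integrity_ok"]:
        findings.append("INTEGRITY_FAILED")
    return {
        **test,
        "rto_hours": rto_hours,
        "downtime_cost": test["recovery_hours"] * cost_per_hour,
        "findings": findings,
        "passed": not findings,
    }

def _digest(prev_hash, record):
    # Canonical JSON (sorted keys) so the same record always hashes the same way.
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def build_evidence(tests, rto_hours, cost_per_hour):
    """Step #5: append each scored test to a hash-chained evidence log."""
    chain, prev = [], GENESIS
    for test in tests:
        record = evaluate(test, rto_hours, cost_per_hour)
        entry = {"prev": prev, "record": record, "hash": _digest(prev, record)}
        chain.append(entry)
        prev = entry["hash"]
    return chain

def verify_chain(chain):
    """Recompute every link; a record edited, reordered or dropped mid-chain breaks it."""
    prev = GENESIS
    for entry in chain:
        if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["record"]):
            return False
        prev = entry["hash"]
    return True

# Constructed sample results; workload names, dates and timings are invented.
SAMPLE_TESTS = [
    {"date": "2025-01-06", "workload": "vm-finance-01", "recovery_hours": 3,
     "malware_scan_clean": True, "integrity_ok": True},
    {"date": "2025-01-07", "workload": "vm-finance-01", "recovery_hours": 6,
     "malware_scan_clean": False, "integrity_ok": True},
]

if __name__ == "__main__":
    log = build_evidence(SAMPLE_TESTS, rto_hours=4, cost_per_hour=300_000)
    for e in log:
        print(e["record"]["date"], e["record"]["findings"] or "PASS", e["hash"][:12])
    print("chain intact:", verify_chain(log))
```

The chain is only tamper-evident if the latest hash is also recorded somewhere the log's writer cannot alter; without that anchor, the log can be truncated or rebuilt from scratch without detection.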

Why this matters now 

Whether it’s NIS2 in Europe, DORA in financial services, or FISMA in the US, the message is the same. You must be able to recover quickly, cleanly, and with proof. 

Following this playbook is not just about passing compliance checks. It is about building true resilience. It’s the confidence that when the worst happens, you can get back to business without the drama. 

What next?

The Predatar Recovery Assurance platform can do a lot of the heavy lifting. From fully automated recovery testing and malware scanning to automated evidence reporting, Predatar makes it simple to be ready and to prove it.

Watch this short explainer video [90 seconds] to learn more, or visit predatar.com to book a demo.  


13 August 2025

Hidden for a decade. Uncovered in 6 days.

Predatar and Adicom© find ransomware files that other security products had missed.

On 15th June 2025, the team at Adicom received a real-time alert from Predatar relating to one of their customers. It said:

Predatar has identified a suspicious file named Ransom.HTML.LOCKY.SM.note in *Customer X’s* backup environment during the current scan process.

This file is a known ransomware-related HTML document typically used by the Locky ransomware family to deliver ransom instructions after encrypting files. Although this file appears to be a ransom note rather than active malware, its presence indicates that malicious activity may have occurred or may still be occurring in the environment or backups.

We recommend checking the original source of this backup data immediately to understand why the environment contains this file.

Predatar had only been installed on this customer’s environment for 6 days, and with the help of the built-in automation and AI, it had been systematically working through all of the backups – hunting down potential recovery issues and hidden malware.

Adicom’s Chris Hogrefe explains: “When it comes to cyberattacks, every second can count. We received a notification from Predatar, highlighting a potential issue before the scan of the compromised workload had even been completed.”

The workload in question was a business-critical virtual machine based on VMware. The very first time it was restored and scanned for malware signatures with Predatar, a potential problem was uncovered.

What had happened?

Back in 2016, the customer fell victim to a ransomware attack that resulted in the complete encryption of all company data.

As part of an extensive response and recovery process the IT infrastructure was rebuilt, and all ransomware files were manually removed. Or that’s what the customer thought…

Almost 10 years later, during its first scan, Predatar found, in a folder, an HTML file that had been created during the attack. It included the original ransom demand message and payment information for decryption.

None of the antivirus programmes running on the customer’s IT networks had found these files or classified them as anomalies, yet thanks to the totally unique way that Predatar works, they were found and could be removed. The customer was able to breathe a sigh of relief and delete the last remnants of the ransomware attack.

Why does this matter?

In this instance, the malicious files were a legacy from a historic attack. They didn’t pose an active threat. But all too often, live malware does find its way into backup environments. In fact, Predatar has found malware in the backups of more than 80% of its customers. In many cases that malware did have the potential to cause serious damage.

Until now, Predatar had not uncovered malicious files that had been hidden for so long. This story goes to show that the cyber security practices that are typically used in businesses today are not as robust as they need to be.

Do you have malware in your backups?

The truth is, you simply don’t know if you have malware in your backups, but our stats suggest that you probably do. Not knowing is a big risk. Predatar uses some of the most sophisticated enterprise security tools and deploys them in a totally unique way to hunt down threats that other solutions simply can’t find. Visit predatar.com to learn more, or book a demo here.

Adicom and Predatar

Adicom is a leading Backup & Recovery services provider in Germany. Thanks to their extensive technical knowledge and their relentless focus on customer experience, they have been selected as one of Predatar’s elite APEX partners. Together, Adicom and Predatar are delivering unrivalled recovery confidence for medium and large enterprises in Germany.

“Predatar has already shown that even undetected malware anomalies can be found reliably and accurately. In addition, Predatar has once again shown that partnership, support and communication form the stable basis for a long-term relationship”
– Chris Hogrefe, Adicom

Learn more about Adicom’s services here.


31 July 2025

Regulations Crash the Party.

Backups used to be boring. Not anymore. Regulations like DORA, NIS2, and FISMA have arrived – and things have got a lot more interesting.

For a long time, backup and disaster recovery lived quietly in the background. You knew it was important. You had something in place. Maybe you even tested it… once a year. But now, governments and regulators are paying attention.

And they’re not just asking if you have backups. They want to know, in detail, how fast you can recover, how clean those backups are and what evidence you have to prove it.

Regulations like NIS2, DORA, and FISMA are leading the charge – and if your business touches critical infrastructure, finance, healthcare (or even just supplies companies that do) this matters to you.

Let’s take a look at what’s changing and how you can stay ahead.

So, what are these regulations actually saying?

NIS2 (The EU’s Network & Information Security Directive)
This one landed in October 2024 and has recently dramatically expanded who it applies to. Suddenly, mid-sized companies are on the hook for proving they can respond to and recover from a cyberattack. The key point is that regulators want evidence that your recovery plans work. Not assumptions. Not best efforts. Actual proof.

DORA (Digital Operational Resilience Act)
This one’s aimed at financial services, but if you sell into that world (or work with a firm that does), you’re likely affected too. DORA demands frequent, real-world testing of recovery systems, not just theoretical policies.

Think ransomware simulations, timed recoveries, and clean-room validations.

FISMA (US Federal Information Security Modernization Act)
Updated to reflect today’s threat landscape, FISMA now requires integrity checks on restored systems. In other words, can you prove your backup isn’t infected before putting it back into production?

Why this matters and what’s at risk?

Let’s cut to the chase. Failing to comply doesn’t just mean a slap on the wrist. It means you face:

  • Hefty fines
  • Lost business, especially if your customers need you to meet their own compliance needs
  • Reputational damage if recovery from an attack takes days (or worse, reintroduces malware)

We’ve seen this play out. More than once. And it’s no longer just a security issue, it’s a board-level conversation.

Recovery Assurance: Your compliance ace in the hole

At Predatar, we believe that the most overlooked part of cybersecurity is what happens after an attack.

That’s where Recovery Assurance comes in. It gives you the confidence—not just that you have backups, but that they actually work, are malware-free and can get you back up and running when it counts.

Even better, it gives you the audit-ready evidence regulators are asking for.

Let’s map that out:

| Regulation | What they want | What Predatar does |
| --- | --- | --- |
| NIS2 | Proof of working recovery strategy | Automated risk-based recovery testing |
| DORA | Simulated attack recoveries | CleanRoom testing + recovery scoring |
| FISMA | Clean, validated backups | Threat scanning + evidence trails |

No guesswork. No scrambling when an auditor shows up. Just scheduled, reliable, and reportable testing that proves you’re ready.

What should you do next?

If any of this has your attention, here are some practical steps:

  1. Find out which regulations apply to you (or your biggest customers).
  2. Review how often you test your backups and how real those tests are.
  3. Ask yourself: could we prove we’re compliant if asked tomorrow?
  4. Let’s talk. We make this process simple.

Wrapping it up

Regulators aren’t just looking for cybersecurity best practices anymore. They want real-world readiness. The ability to recover, quickly and cleanly, with proof to back it up.

That’s where Recovery Assurance fits in. And that’s where Predatar can help.

If you’d like to see how Predatar supports customers navigating these changes, get in touch today, and if you know someone who needs a nudge, don’t forget to share this post with them.


17 July 2025

Ransomware attacks have evolved. Have you?

Cybercriminals are innovative, agile, and tenacious. Most medium and large enterprises are not. Ransomware gangs have significantly changed the way they operate in the last 12 to 18 months. But, have you significantly changed your approach to detection and response for ransomware events in your organisation? No, didn’t think so.

How it begins

Some things haven’t changed. Most ransomware attacks still start the way they always have. Someone clicks a phishing link. A password gets reused. A system goes unpatched. In fact, the top three breach methods remain the same:

– 78% start with human error, including phishing, stolen credentials, compromised employees or social engineering
– 11% come from misconfigured or unpatched systems, including system integration points such as poorly developed APIs
– Only 3% involve zero-day exploits

Then:
Quiet, patient, and hidden in plain sight

Attackers haven’t changed the way they get in, but they have changed what they do once they’re inside. Two years ago, attackers took their time. Once they had access, they’d quietly explore. Their approach was known as ‘living off the land,’ using the tools and credentials already inside your environment to avoid detection. They would:

– Use PowerShell to run commands without downloading new tools
– Use Remote Desktop Protocols to move around your environment
– Set up scheduled tasks to ensure that access privileges remained in place
– Exploit default admin accounts to hide in plain sight

All the time, they would be quietly seeding their ransomware scripts across systems, often spreading them into backups unnoticed. The longer they stayed, the more control they gained, and the more chaos they would cause when they finally ‘pulled the trigger’ on the attack.

Two years ago, the average ‘dwell time’ was well over 100 days.

Now:
Fast, automated and clinical

This approach no longer works. Security technology has improved significantly. Businesses are investing more than ever in tools like:

– EDR (Endpoint Detection and Response)
– XDR (Extended Detection and Response)
– SIEM platforms with real-time alerting

These tools detect behaviour patterns, track lateral movement, and raise alerts much earlier than they did before. To stay ahead, attackers have flipped the playbook.

Now they use automated reconnaissance tools (used in 91% of modern breaches). These tools scan entire environments in hours, logging keystrokes, showing attackers where backups are stored, how security policies are configured, and which systems hold the keys.

From breach to boom can now take less than 14 days.

What attackers target first

Once they’re in, attackers don’t waste any time. Their priorities are usually the same:

– Active Directory: to escalate access and move freely
– Backup systems: to delete copies, corrupt data or block recovery
– Security tools: to modify policies, disable alerts and whitelist malware

They time the final attack – often referred to as the “boom moment” – for when your team is least ready. Think long weekends and public holidays.

Why your security tools aren’t catching everything

Here’s the part that often gets missed. Production security tools aren’t typically configured to scan every file on every system, every day. Doing this would kill the performance of production systems and seriously impact your business’s ability to operate.

Instead, they typically scan files when:
– They’re created
– They’re modified
– Occasionally, when they’re accessed

This means if malware slips past the perimeter defences, it can go completely undetected. So what’s the answer?

The answer (and probably some malware) is in your backups.

The team at Predatar has realised something very powerful. Your backups are much more than a last line of defence, they can be the frontline in threat detection. Your backups are a copy of all of your data, and while it’s not practical to continuously scan your production systems every day – you can scan your backups.

The Predatar Recovery Assurance platform continuously moves backups into an isolated CleanRoom, where it uses best-in-class integrated security tools from Trend Micro to interrogate every file for signs of malware, with no negative impact on production systems.

Today, businesses around the world are using Predatar to validate the recoverability and cleanliness of their data 24×7, and the findings are truly worrying.

In the last year alone, Predatar has discovered malware in more than 80% of its users’ backups. That includes:

– Active ransomware strains, complete with embedded ransom notes
– Encrypted data from attacks that customers did not realise were in progress
– And in over 50 percent of cases, reconnaissance tools that help attackers map environments and identify weak points

What does this mean for you? Let’s start with the good news. With Predatar, you can perform in-depth security scanning in your backup environment that simply isn’t possible on production systems. The bad news? Well, you probably already have malware hiding in your data.

Discover Predatar:

Discover how Predatar can help your organisation hunt down hidden malware before a crisis. Find out more at www.predatar.com, watch the short explainer video [90 seconds], or book a demo.
