Backup Destruction or Tampering

Backup Destruction or Tampering is a malicious activity within the Impact tactic's Data Destruction technique where adversaries specifically target backup systems and files to prevent recovery operations after an attack. By compromising or destroying application backups, threat actors eliminate an organization's ability to restore systems to pre-attack states, maximizing the impact of their destructive actions. This subtechnique often occurs as a preparatory step before ransomware deployment or data wiping, where attackers first identify backup repositories via enumeration techniques, then proceed to delete backup files, corrupt backup indices, modify retention policies, tamper with backup verification systems, or directly compromise backup management applications. Sophisticated actors may maintain persistence in backup systems for extended periods, gradually corrupting incremental backups to ensure even historical recovery points are compromised. The ultimate goal is to force organizations into a position where paying a ransom or accepting data loss becomes the only viable option, as proper backup restoration has been deliberately rendered impossible.
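
The behaviours listed above (shortened retention, disabled verification, bursts of backup deletions) can be watched for in backup audit logs. The following detection sketch is an added example, not part of the original page; the event schema, field names, account names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; the schema and field names are hypothetical.
EVENTS = [
    {"ts": "2024-05-01T02:00:00", "actor": "svc-backup", "action": "backup.create"},
    {"ts": "2024-05-01T03:10:00", "actor": "admin-jdoe", "action": "retention.update", "old_days": 30, "new_days": 1},
    {"ts": "2024-05-01T03:12:00", "actor": "admin-jdoe", "action": "verification.update", "enabled": False},
    {"ts": "2024-05-01T03:15:00", "actor": "admin-jdoe", "action": "backup.delete"},
    {"ts": "2024-05-01T03:15:20", "actor": "admin-jdoe", "action": "backup.delete"},
    {"ts": "2024-05-01T03:15:40", "actor": "admin-jdoe", "action": "backup.delete"},
    {"ts": "2024-05-01T04:00:00", "actor": "svc-backup", "action": "backup.delete"},
    {"ts": "2024-05-01T04:05:00", "actor": "svc-backup", "action": "retention.update", "old_days": 30, "new_days": 60},
]

BULK_DELETE_THRESHOLD = 3        # assumed tuning value
WINDOW = timedelta(minutes=10)   # assumed tuning value


def detect(events):
    """Return (rule, actor, timestamp) findings for backup-tampering indicators."""
    findings = []
    deletes = defaultdict(list)  # actor -> delete times still inside WINDOW
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        action = e["action"]
        if action == "retention.update" and e["new_days"] < e["old_days"]:
            # Shortened retention silently ages out older recovery points.
            findings.append(("retention_reduced", e["actor"], e["ts"]))
        elif action == "verification.update" and e["enabled"] is False:
            # With verification off, corrupted backups go unnoticed.
            findings.append(("verification_disabled", e["actor"], e["ts"]))
        elif action == "backup.delete":
            recent = [t for t in deletes[e["actor"]] if ts - t <= WINDOW] + [ts]
            deletes[e["actor"]] = recent
            # Alert once, at the moment the burst reaches the threshold.
            if len(recent) == BULK_DELETE_THRESHOLD:
                findings.append(("bulk_delete", e["actor"], e["ts"]))
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

A single scheduled prune and a retention increase by the service account produce no finding, while the three changes made by the interactive account within minutes of each other are all reported.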