Modern ransomware destroys backups as its opening move, not its closing act. This shift changes everything about how organizations should think about data protection. For decades, the backup-and-restore playbook felt bulletproof: if attackers encrypted your data, you simply restored from backup and moved on. That world no longer exists. Today’s ransomware operators spend days or weeks mapping your network, hunting your backup infrastructure, and disabling it before they trigger any encryption.
Key Takeaways
- 93% of ransomware attacks actively target and destroy backups before encryption
- Double and triple extortion tactics use data theft threats as primary leverage, making backups irrelevant to ransom pressure
- 68% of ransomware victims face a second attack within six months due to persistent access to backup systems
- The 3-2-1-1-0 rule—three copies, two local on different media, one offsite, one immutable, zero errors via testing—is now essential
- Organizations must test full recovery to a clean environment every 90 days; untested backups are “hope plans,” not recovery plans
How ransomware operators target and destroy backups
Ransomware operators follow a predictable sequence, and backups are always in the crosshairs. The attack typically begins with weak authentication—default credentials on backup repositories, missing multi-factor authentication, or unpatched systems. Attackers exploit these entry points, then spend days or weeks conducting reconnaissance: mapping backup servers, identifying storage locations, and locating admin accounts. Once inside, they abuse vulnerabilities in backup software itself, then systematically disable scheduled backup jobs, delete snapshots, and modify retention policies to erase recovery points.
The waiting period is deliberate. Attackers enter dormant mode for weeks, allowing backups to accumulate compromised data that looks clean to automated systems. Only then do they trigger encryption and data exfiltration simultaneously. By this point, your “clean” backups contain the malware. Restoring from them simply reinfects your environment. According to Veeam data, 93% of ransomware attacks target backups, yet many organizations discover this only after the attack succeeds.
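The reconnaissance-then-destroy sequence above (disable jobs, delete snapshots, shorten retention) leaves a trail in the backup server's own audit log, and that trail is what a defender can alert on. The following detection is an added example, not code from the article or any backup product; the log format, the action names and the scoring weights are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed backup-server audit log (assumed format, not any real product's):
#   "<ISO timestamp> user=<name> action=<verb> target=<object> [detail=<value>]"
SAMPLE_LOG = """\
2024-03-01T01:00:05 user=svc_backup action=job_completed target=nightly-full
2024-03-01T02:14:22 user=admin action=login target=backup-console
2024-03-01T02:15:40 user=admin action=job_disabled target=nightly-full
2024-03-01T02:16:03 user=admin action=snapshot_deleted target=snap-2024-02-28
2024-03-01T02:17:30 user=admin action=retention_changed target=policy-default detail=30d->1d
2024-03-02T01:00:07 user=svc_backup action=job_completed target=weekly-full
"""
# Destructive actions the article names: disabling jobs, deleting snapshots,
# cutting retention. Weights, window and threshold are assumed tuning values.
DESTRUCTIVE = {"job_disabled": 2, "snapshot_deleted": 1, "retention_changed": 3}
WINDOW = timedelta(minutes=30)
THRESHOLD = 4
LINE_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) target=(\S+)(?: detail=(\S+))?$")
def parse(log):
    # One (timestamp, user, action, target, detail) tuple per well-formed line
    return [(datetime.fromisoformat(m[1]), m[2], m[3], m[4], m[5])
            for m in map(LINE_RE.match, log.splitlines()) if m]

def retention_shortened(detail):
    # '30d->1d' shortens retention; a missing or lengthening change does not count
    if not detail or "->" not in detail:
        return False
    old, new = (int(x.rstrip("d")) for x in detail.split("->"))
    return new < old

def find_tampering(log, window=WINDOW, threshold=THRESHOLD):
    # Map user -> peak weighted score of destructive actions in any sliding window
    per_user = defaultdict(list)
    for ts, user, action, _target, detail in parse(log):
        weight = DESTRUCTIVE.get(action, 0)
        if action == "retention_changed" and not retention_shortened(detail):
            weight = 0
        if weight:
            per_user[user].append((ts, weight))
    alerts = {}
    for user, evs in per_user.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            score = sum(w for _, w in evs[start:end + 1])
            if score >= threshold:
                alerts[user] = max(alerts.get(user, 0), score)
    return alerts
```

A single retention change by a legitimate admin stays below the threshold; it is the clustering of several destructive actions in one short window that matches the pattern the article describes.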
Why backups alone no longer protect you
The rise of double and triple extortion has fundamentally broken the traditional backup defense. Double extortion means attackers encrypt your data and steal it for leak threats. Triple extortion adds pressure on customers, partners, or regulators. Even if you restore from backup successfully, the stolen data remains in attacker hands. They threaten to publish it, demand ransom anyway, and your backup recovery becomes irrelevant to the negotiation.
Cloud backups introduce an additional vulnerability: synchronized deletion. If attackers compromise your API credentials, they can overwrite good backup copies with encrypted versions across all synced services simultaneously. A backup strategy that relies on cloud sync without immutability protection becomes a liability. Additionally, incomplete backups—missing configurations, SaaS data, certificates, or DNS records—leave you unable to fully restore even if encryption is reversed. Many organizations discover mid-recovery that their backups never captured critical infrastructure components.
The most damning failure is untested recovery. 68% of ransomware victims face a second attack within six months, often because attackers maintain persistent access to backup systems throughout the first incident. Organizations with “hope plans” rather than tested recovery procedures cannot verify whether restoration actually works until disaster strikes. As one security firm notes, if your honest answer to “when was your last full restore test?” is “never” or “not in the last 90 days,” you don’t have a recovery plan.
What actually protects backups from ransomware
Effective backup defense requires multiple overlapping layers. Immutability is non-negotiable: attackers cannot delete faster than detection when backup copies are locked against modification. Air-gapped and offline copies create unreachable separation—if backups are stored offline and require manual intervention to restore, attackers cannot destroy them remotely. Geographic distribution ensures that a regional attack cannot compromise all copies simultaneously.
Access controls must assume compromise: if backups share credentials or network access with production systems, treat them as already breached. The traditional 3-2-1 backup rule—three copies, two local on different media, one offsite—is now insufficient. The enhanced 3-2-1-1-0 standard adds one immutable copy and zero errors via regular testing. CISA recommends offline, encrypted backups with regular restore testing as the baseline standard.
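The 3-2-1-1-0 rule and the "assume compromise" credential rule above, together with the audit described later in the article, can be turned into a mechanical check over an inventory of backup copies. This is an added example, not code from the article or from any backup vendor; the inventory, its field names and the 90-day test interval are assumptions, and the inventory data is constructed.

```python
from datetime import date, timedelta

# Constructed inventory of backup copies for one dataset (not a real environment).
# prod_creds marks a copy reachable with the same credentials as production.
INVENTORY = [
    {"name": "primary-nas", "media": "disk", "offsite": False, "immutable": False,
     "prod_creds": True, "last_test": date(2024, 2, 20), "test_errors": 0},
    {"name": "tape-weekly", "media": "tape", "offsite": False, "immutable": True,
     "prod_creds": False, "last_test": date(2023, 10, 1), "test_errors": 0},
    {"name": "cloud-objectlock", "media": "object", "offsite": True, "immutable": True,
     "prod_creds": False, "last_test": date(2024, 2, 25), "test_errors": 2},
]
TEST_MAX_AGE = timedelta(days=90)  # the article's 90-day restore-drill interval

def check_3_2_1_1_0(copies, today):
    # Returns a list of findings; an empty list means the inventory complies.
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; need 3")
    local = [c for c in copies if not c["offsite"]]
    if len({c["media"] for c in local}) < 2:
        findings.append("local copies do not span 2 different media types")
    if not any(c["offsite"] for c in copies):
        findings.append("no offsite copy")
    if not any(c["immutable"] for c in copies):
        findings.append("no immutable copy")
    for c in copies:  # the trailing 0: zero errors, proven by a recent restore test
        age = today - c["last_test"]
        if age > TEST_MAX_AGE:
            findings.append(f"{c['name']}: last restore test {age.days} days ago")
        if c["test_errors"]:
            findings.append(f"{c['name']}: last restore test had {c['test_errors']} errors")
        if c["prod_creds"]:  # access controls must assume compromise
            findings.append(f"{c['name']}: shares credentials with production")
    return findings
```

Run against the constructed inventory, the check reports the shared production credentials on the NAS, the stale tape test and the failed cloud test, which are exactly the gaps the article's audit step is meant to surface.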
Testing is not optional. A full restore drill to a clean environment should run monthly, following a strict sequence: identity systems first, then network, then application tiers, then endpoints, with validation at each step. This reveals whether your recovery actually works, whether the order matters, and whether you can execute under pressure. Many organizations skip this because it feels redundant until the moment they need it and discover critical gaps.
Is a tested recovery plan really necessary?
Yes. A tested recovery plan is the difference between a contained incident and a business-ending catastrophe. Many organizations maintain backups but have never actually restored from them to a clean environment. They assume restoration will work because the backup software shows “healthy” status. This assumption fails the moment attackers strike. A 90-day recovery drill—running a full restore from backup to an isolated test environment and validating every step—is the only way to know whether your backups will actually save you.
What should organizations do immediately?
Start with an audit: verify that backups are offline, immutable, and geographically separated from production systems. Confirm that access to backup infrastructure requires different credentials than production and includes multi-factor authentication. Then schedule a full restore test to a clean environment within the next 30 days. Document the sequence, timing, and any failures. This single action—actually testing recovery—reveals more vulnerabilities than any security assessment.
The harsh reality is that backups are ingredients, not insurance. Recovery is the recipe, the kitchen, and the rehearsal. Organizations that treat backups as a checkbox—“we have them, we’re protected”—are building on sand. Those that test recovery monthly, maintain immutable offline copies, and assume their backup systems are compromised the moment production systems are breached will survive ransomware attacks that would destroy competitors. The question is not whether your backups exist. It is whether you have actually proven they work.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar