Ransomware preparedness: Why backups alone are not enough
Key Takeaways
- Modern ransomware groups exfiltrate data before encryption (double extortion) — restoring from backup does not resolve the extortion threat when data is already stolen
- Professional attackers specifically target backup servers and compromise them before triggering encryption — backups on the same network as production systems are not reliable protection
- Immutable backups (write-once storage, air-gapped systems, or cloud immutability features) are the standard for ransomware-resistant recovery
- Network segmentation, identity hardening, and EDR are the three core measures that slow an attacker before they can cause widespread damage
- Without prior practice, organisations make mistakes under the stress of a real attack — regular tabletop exercises significantly improve response capability
When we ask organisations about their ransomware strategy, the most common answer is: "we have backups". That is a good start. But it is not enough.
Ransomware attacks have evolved. Modern attackers do not simply encrypt data and demand ransom. They exfiltrate sensitive information before encryption (double extortion), compromise backup systems before triggering encryption, and use stolen data as additional leverage.
Why backups alone fail
Backup systems are targeted deliberately
Professional ransomware groups know that backups are the primary recovery method. They therefore specifically search for backup servers, delete or encrypt backup data, and compromise backup accounts. If your backups reside in the same network and are accessible with the same credentials as your production systems, they are not reliable protection.
Recovery takes longer than expected
Even with intact backups, fully restoring a corporate environment typically takes days to weeks — not hours. During this time, business operations are halted. Many organisations have never fully tested their recovery process and only discover during an actual incident that their recovery time objectives are unachievable.
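A recovery test is only meaningful if it checks that what came back is complete and intact, not just that the restore job finished. The following is an added example, not code from the original article: it records a manifest of file hashes at backup time and compares a restored tree against it, reporting missing, corrupted and unexpected files. The manifest format, function names and the sample files (built in a temporary directory) are this example's own constructions.

```python
"""Recovery drill: verify a restored tree against a manifest taken at backup time.

Added example, not from the original article. The JSON manifest layout and the
helper names are this example's own; the sample files are constructed in a
temporary directory so the drill runs offline.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream the file so large database dumps do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, dict]:
    """Relative path -> {'sha256', 'size'} for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": file_sha256(p), "size": p.stat().st_size}
    return manifest


def verify_restore(manifest: dict[str, dict], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree to the manifest and return the discrepancies found."""
    report: dict[str, list[str]] = {"missing": [], "corrupt": [], "unexpected": []}
    seen = {p.relative_to(restored).as_posix() for p in restored.rglob("*") if p.is_file()}
    for rel, meta in manifest.items():
        path = restored / rel
        if rel not in seen:
            report["missing"].append(rel)
        elif path.stat().st_size != meta["size"] or file_sha256(path) != meta["sha256"]:
            report["corrupt"].append(rel)   # size is cheap; the hash catches silent corruption
    report["unexpected"] = sorted(seen - manifest.keys())
    return report


def run_recovery_drill() -> dict[str, list[str]]:
    """Constructed drill: back up three files, restore imperfectly, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp, "prod")
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "customers.sqlite").write_bytes(b"sqlite-like-bytes" * 100)
        (prod / "config.yaml").write_text("listen: 0.0.0.0:8443\n")
        (prod / "README.txt").write_text("runbook\n")

        # Manifest is written at backup time and stored with the backup set.
        manifest_file = Path(tmp, "manifest.json")
        manifest_file.write_text(json.dumps(build_manifest(prod), indent=2))

        # Simulated restore with three typical failures: a truncated file,
        # a missing file and a leftover that was never part of the backup.
        restored = Path(tmp, "restored")
        shutil.copytree(prod, restored)
        (restored / "db" / "customers.sqlite").write_bytes(b"sqlite-like-bytes" * 50)
        (restored / "README.txt").unlink()
        (restored / "stale.tmp").write_text("not in the manifest\n")

        return verify_restore(json.loads(manifest_file.read_text()), restored)


if __name__ == "__main__":
    for kind, files in run_recovery_drill().items():
        print(f"{kind}: {files}")
```

Any non-empty list in the report means the recovery time objective has not actually been met, even though the restore job reported success; in a real drill the manifest would be stored alongside the backup set, ideally on the same immutable storage, so it survives the incident that the restore is recovering from.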
Data exfiltration makes backups irrelevant
If sensitive data has already been stolen, restoring from backup does not solve the problem. The data is out. The threat of publication remains.
What else is necessary
Network segmentation
A flat network allows an attacker to move laterally quickly after gaining initial access. Meaningful segmentation — particularly the separation of production systems, backup infrastructure, and management systems — substantially limits the damage.
Identity hardening
Most ransomware attacks begin with compromised credentials. Multi-factor authentication, restricted administrator rights, and monitoring of privileged accounts are fundamental protective measures.
Endpoint detection and response
Modern EDR solutions detect ransomware-typical behaviour — such as mass file encryption or unusual process activity — and can respond automatically before damage escalates.
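To make "ransomware-typical behaviour" concrete, here is an added example (not code from the original article, and not any vendor's detection logic) of one behavioural rule an EDR might apply: a single process rewriting many distinct files with high-entropy content, or renaming them to unknown extensions, within a short sliding window. The file events, process names, paths and thresholds are constructed sample data; the example also shows why a plain entropy check alone is not enough, since an archiver legitimately writes high-entropy data and must not trip the rule.

```python
"""Heuristic for mass file encryption, run over constructed file-activity events.

Added example, not code from the original article. It models one behavioural
rule an EDR might apply: one process producing high-entropy writes (or renames
to unknown extensions) across many distinct files in a short window. Events,
process names, paths and thresholds are constructed sample data.
"""
import math
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Iterable

KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".7z", ".zip", ".db", ".log"}


@dataclass
class FileEvent:
    ts: float            # seconds since sensor start
    pid: int
    process: str
    action: str          # "write" or "rename"
    path: str
    new_path: str = ""   # only for "rename"
    data: bytes = b""    # first bytes written, only for "write"


@dataclass
class Alert:
    pid: int
    process: str
    file_count: int
    window_start: float
    window_end: float


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed content sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _extension(path: str) -> str:
    dot = path.rfind(".")
    return path[dot:].lower() if dot != -1 else ""


def detect_mass_encryption(events: Iterable[FileEvent], window: float = 10.0,
                           min_files: int = 10, entropy_threshold: float = 7.0) -> list[Alert]:
    """One alert per process that touches >= min_files distinct files suspiciously
    within any sliding window of `window` seconds."""
    recent: dict[int, deque] = defaultdict(deque)   # pid -> (ts, path) of suspicious ops
    alerted: set[int] = set()
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):   # sensors may deliver out of order
        if ev.action == "write":
            suspicious = shannon_entropy(ev.data) >= entropy_threshold
        elif ev.action == "rename":
            suspicious = _extension(ev.new_path) not in KNOWN_EXTENSIONS
        else:
            suspicious = False
        if not suspicious:
            continue
        q = recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window:      # drop operations outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_files and ev.pid not in alerted:
            alerted.add(ev.pid)
            alerts.append(Alert(ev.pid, ev.process, len(distinct), q[0][0], ev.ts))
    return alerts


def sample_events() -> list[FileEvent]:
    """Constructed sample data: two benign processes and one encrypting process."""
    text = b"Quarterly revenue summary, prepared for the board. " * 5
    random_like = bytes(range(256))     # entropy exactly 8.0, stands in for ciphertext
    events = [
        FileEvent(10.0, 100, "winword.exe", "write", "/share/finance/plan.docx", data=text),
        FileEvent(12.0, 100, "winword.exe", "write", "/share/finance/notes.docx", data=text),
    ]
    # An archiver legitimately writes high-entropy data, but only to a few files.
    for i in range(3):
        events.append(FileEvent(50.0 + i, 200, "7z.exe", "write",
                                f"/share/archive/batch{i}.7z", data=random_like))
    # The encrypting process: 12 files rewritten with ciphertext and renamed in about 4 s.
    for i in range(12):
        base = f"/share/finance/q{i}.xlsx"
        events.append(FileEvent(100.0 + 0.3 * i, 4242, "updater.exe", "write", base,
                                data=random_like))
        events.append(FileEvent(100.1 + 0.3 * i, 4242, "updater.exe", "rename", base,
                                new_path=base + ".locked"))
    return events


if __name__ == "__main__":
    for a in detect_mass_encryption(sample_events()):
        print(f"ALERT pid={a.pid} {a.process}: {a.file_count} files in "
              f"{a.window_end - a.window_start:.1f}s")
```

The rule fires on the tenth distinct file, roughly 2.7 seconds into the burst, which is the point of behavioural detection: the response (process kill, host isolation) can happen while most files are still untouched. Backup agents, compression tools and disk encryption all produce high-entropy writes at volume, so a production rule combines this signal with process reputation, allowlists and other indicators rather than relying on entropy and rate alone.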
Immutable backups
Backups that cannot be subsequently modified or deleted are considerably more resistant to ransomware. This can be achieved through write-once storage, air-gapped systems, or cloud-based immutability features.
Practice and preparation
A ransomware attack is a stress test for the entire organisation. Those who have never practised will make mistakes under pressure. Regular tabletop exercises that simulate various scenarios significantly improve response capability.
The pragmatic approach
Nobody can guarantee that no ransomware attack will occur. But the impact can be drastically reduced: through a hardened environment that slows the attacker, through detection that raises early alarms, and through recovery capabilities that actually work.
If you would like to assess or improve your ransomware resilience, we are happy to assist.
Frequently Asked Questions
Should an organisation pay the ransom during a ransomware attack?
Law enforcement agencies generally advise against payment. It does not guarantee data recovery, funds criminal operations, and marks the organisation as a known paying target for follow-on attacks. With a robust backup strategy and a tested recovery process, the dependence on this decision can be substantially reduced.
What is double extortion and how does it differ from classic ransomware?
Classic ransomware encrypts data and demands payment for the decryption key. With double extortion, data is also stolen before encryption. Attackers then threaten to publish the stolen data even if the organisation restores from backup. This means the reputational damage and regulatory consequences of a data breach exist regardless of technical recovery success.
How do immutable backups protect against ransomware?
Immutable backups cannot be modified or deleted after creation — not by operating system commands, not by compromised accounts. Write-once storage, air-gapped media, and cloud services with immutability features such as Azure Blob Storage with WORM policies achieve this. A ransomware attacker who has compromised the production environment cannot reach these backups to destroy them.
How long does a full ransomware recovery realistically take?
This depends on environment size and preparation level, but most organisations significantly underestimate it. In practice, full recovery typically takes days to weeks — not hours. The critical factor is whether Recovery Time Objectives were defined in advance and tested in exercises. Without testing, the RTO is only an assumption — one that often proves wrong under real conditions.