Backups are compromised early
Modern ransomware crews target backup systems, credentials, and immutability controls before detonation.
Research Note · Recovery & Resilience
The Backup Lie
Why “we have backups” isn’t a strategy
Backups are often cited as the final safety net against ransomware. In practice, they are frequently incomplete, inaccessible, untested, or operationally irrelevant when the business needs them most.
Recovery reality
Ransomware leverage
Business continuity
Backups protect data. Strategy protects the business.
Executive summary
Backups reduce loss — they don’t reduce pressure
In ransomware incidents, the decisive factor is not whether backups exist, but whether the organization can restore operations quickly, confidently, and without unacceptable business impact. Many cannot — and attackers know it.
Failure patterns
Why “we have backups” collapses under pressure
These failures are common, predictable, and routinely exploited.
Restores are slower than leadership expects
Multi-day or multi-week restoration timelines are common — especially for large datasets and legacy systems.
Backups don’t equal usable systems
Restoring data does not restore integrations, authentication, configurations, or business workflows.
Human capacity is ignored
Restore plans assume staff availability, clarity, and stamina during a high-stress crisis — often unrealistically.
Attacker view
How ransomware crews think about backups
Crews don’t need to destroy every backup — only enough to delay recovery.
Backups are leverage, not obstacles
Attackers assume backups exist. Their goal is to make restoring slower, riskier, and more expensive than paying.
Time pressure favors extortion
Every hour of downtime increases executive willingness to negotiate.
Partial recovery still hurts
Even if systems return, data loss, delays, and public fallout may already justify ransom demands.
Leadership impact
Why backup confidence misleads executives
Backup status is often reported as binary: present or absent. Recovery reality is not binary.
Backup success ≠ recovery success
Successful backups do not guarantee successful restoration under adversarial conditions.
Metrics hide fragility
“Backup job completed” metrics obscure restore times, data integrity, and operational dependencies.
Strategy is assumed, not tested
Many organizations have never attempted a full restore during a realistic incident scenario.
Program direction
From backups to recovery strategy
Real ransomware resilience treats backups as one component — not the plan itself.
Priority
Design for restore under attack
Assume identity compromise, degraded tooling, and limited staff availability during recovery.
Priority
Protect recovery infrastructure
Backup platforms, credentials, and immutability controls require the same protection as production systems.
Priority
Practice full-scale recovery
Tabletop and technical exercises should validate time-to-restore, not just documentation.
Priority
Align executive expectations
Leadership must understand realistic downtime, data loss, and recovery tradeoffs before an incident.