Why “We Have Backups” Is Not a Ransomware Strategy
Ask a business owner whether they are prepared for ransomware, and the answer is often the same.
We have backups.
Backups are an essential part of recovery, but on their own, they are not a strategy.
Modern ransomware is built specifically to defeat backups, and businesses that rely on them alone often discover the gap at the worst possible moment.
Attackers Target Backups First
Ransomware groups understand that backups are what stand between them and a payment.
Before encrypting production systems, attackers often spend days or weeks inside a network looking for:
- Backup servers
- Cloud sync accounts
- Network-attached storage
- Shadow copies and snapshots
Once located, these backups are commonly deleted, disabled, or encrypted along with the rest of the environment.
By the time the ransom note appears, the safety net may already be gone.
Immutable Backups Matter
An immutable backup is one that cannot be altered or deleted for a set period of time, even by an administrator.
This protection is critical because:
- Compromised admin accounts cannot remove the backup
- Ransomware cannot encrypt the backup
- Recovery options remain available even during an active attack
Without immutability, a backup is only as safe as the credentials protecting it.
Backups Are Not the Same as Recovery
Restoring data is only one part of returning to operations.
A full recovery typically requires:
- Clean hardware or a clean cloud environment to restore into
- Documentation of how systems connect and depend on each other
- A defined order for bringing systems back online
- Trained staff or partners who can execute the recovery
- Tested processes that are known to work
Many businesses discover during an incident that they have the data but not the plan.
Untested Backups Often Fail
Backups that have never been tested are one of the most common sources of recovery failure.
Issues often discovered during a real incident include:
- Backup jobs that quietly stopped working
- Incomplete data sets
- Corrupt or unreadable files
- Missing critical systems
- Outdated configurations
A backup that has not been tested is not a backup. It is an assumption.
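A restore test that checks for several of the failure modes listed above, as an added example that is not from the original article. It assumes a hypothetical manifest (backup timestamp plus a SHA-256 hash per file) written at backup time; the file names, contents and dates are constructed.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_restore(manifest: dict, restored: Path, now: datetime,
                   max_age: timedelta = timedelta(hours=24)) -> dict:
    """Compare a test restore against the manifest written at backup time."""
    created = datetime.fromisoformat(manifest["created"])
    # A job that quietly stopped shows up as an old newest-backup timestamp.
    findings = {"stale": now - created > max_age, "missing": [], "corrupt": []}
    for rel, expected in sorted(manifest["files"].items()):
        target = restored / rel
        if not target.is_file():
            findings["missing"].append(rel)   # incomplete data set
        elif sha256_file(target) != expected:
            findings["corrupt"].append(rel)   # content differs from what was backed up
    findings["ok"] = not (findings["stale"] or findings["missing"] or findings["corrupt"])
    return findings

def demo() -> dict:
    """Build a constructed manifest and a deliberately damaged test restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = {"db/customers.sql": b"INSERT ...", "files/contract.pdf": b"%PDF-1.7",
                  "config/app.ini": b"[app]\nmode=prod\n"}
        manifest = {"created": "2024-01-01T02:00:00+00:00",
                    "files": {k: hashlib.sha256(v).hexdigest() for k, v in source.items()}}
        # Simulated restore: one file truncated, one never restored.
        for rel, data in source.items():
            if rel == "config/app.ini":
                continue
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data[:4] if rel.startswith("files/") else data)
        now = datetime(2024, 1, 4, 2, 0, tzinfo=timezone.utc)
        return verify_restore(manifest, root, now)

if __name__ == "__main__":
    print(demo())
```

Run a check like this against a scratch restore target on a schedule, and treat any result where `ok` is false as a failed backup rather than a warning.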
Recovery Time Matters
Even when backups work as intended, recovery takes time.
A business that can be restored in three days, but cannot survive more than one day of downtime, still has a serious gap.
Key questions to evaluate include:
- How long can the business operate without core systems?
- How long would a full restore actually take?
- Which systems must be restored first?
- What is the cost of each additional day of downtime?
Recovery time is just as important as the backup itself.
Data Exfiltration Changes the Picture
Modern ransomware groups often steal data before encrypting systems.
This means that even a successful restore does not undo the fact that sensitive information may have been taken.
Common consequences include:
- Customer notifications
- Regulatory reporting
- Legal exposure
- Reputational impact
- Continued extortion attempts
Backups address availability. They do not address data theft.
A Real Ransomware Strategy
A complete approach to ransomware recovery includes more than backups.
It typically involves:
- Immutable and offsite backups
- Regular restore testing
- Documented recovery procedures
- Endpoint detection and response (EDR)
- Network segmentation
- Security awareness training
- A defined incident response plan
Backups are one layer of a much larger strategy.
Final Thoughts
Backups are essential, but they are not a complete answer to ransomware.
Businesses that recover well from an attack are those that treat backups as part of a broader strategy that includes prevention, detection, response, and recovery.
The time to evaluate that strategy is before an incident occurs, not during one.
