What Happens When They Encrypted Your Backups?

Written by

nDataStor Security Team

For years, the standard advice for protecting a business against ransomware was simple: keep good backups. If attackers encrypt your files and demand a ransom, restore from backup, refuse to pay, and get back to work. It was clean, logical, and for a long time, it worked.

Ransomware groups noticed.

Today's ransomware operators specifically target backup systems before they detonate their payload on live data. They spend days or weeks inside a network before anyone knows they're there, quietly identifying where backups are stored, how they're configured, and how to destroy or encrypt them. By the time the ransom note appears on screen, the backups are already gone.

This post explains exactly what happens when attackers encrypt your backups, what options remain when that happens, and, most importantly, what a backup strategy looks like that is designed to survive a modern ransomware attack.

How Ransomware Groups Target Backups

Understanding why this happens requires understanding how ransomware operations have evolved. The ransomware attacks of the mid-2010s were largely opportunistic and unsophisticated: a malicious attachment was opened, files were encrypted immediately, and a ransom was demanded. The entire attack played out in minutes.

Modern ransomware operations, particularly the ransomware-as-a-service groups responsible for most major incidents today, operate more like a deliberate intrusion than a smash-and-grab. After gaining initial access, typically through phishing, exposed Remote Desktop Protocol (RDP), or compromised credentials, attackers spend significant time inside the network before triggering encryption. This dwell period, often measured in days or weeks, serves a specific purpose: reconnaissance and preparation.

During this phase, attackers are mapping the network, identifying high-value systems, escalating privileges, establishing persistence, and, critically, locating and neutralizing backup infrastructure. They understand that backups are the primary recovery path, and eliminating them before launching the attack dramatically increases the likelihood of a ransom payment.

The methods vary. Attackers with sufficient access may directly delete or overwrite backup files, or shorten retention settings so that the backup system expires the copies on its own. They may encrypt backup storage using the same ransomware payload targeting live systems. They may stop, uninstall, or corrupt backup agents running on servers, and nearly all modern payloads delete volume shadow copies and disable Windows recovery on each host before encrypting. They may access cloud backup consoles using stolen administrator credentials and delete cloud snapshots. In environments using tape or external drives that remain connected to the network, those too become targets.

By the time encryption begins on live systems, the escape route has already been cut off.

What Actually Happens When Your Backups Are Encrypted

When both live data and backups have been encrypted, the practical reality of the situation becomes apparent quickly.

You cannot restore. The most immediate consequence is that the primary recovery path is unavailable. There are no clean copies to roll back to. Every file, database, and system image that was supposed to be your safety net is just as inaccessible as the live data the attackers encrypted.

Recovery timelines extend dramatically. Organizations with intact backups typically measure recovery time in hours to days, depending on the volume of data and the complexity of systems involved. Organizations without usable backups measure recovery time in weeks to months, if recovery is achievable at all. Rebuilding systems from scratch, without clean backup images to restore from, is an enormously labor-intensive process.

The ransom calculation changes. Attackers know that organizations without viable backups face a fundamentally different decision than those with intact recovery options. When the alternative to paying is weeks of downtime, potential permanent data loss, and a recovery effort that may cost more than the ransom demand, the economics shift in the attacker's favor. This is precisely why backup targeting has become standard practice for sophisticated ransomware groups.

Data loss may be permanent. Not all data can be reconstructed. Databases contain transaction records, customer histories, and operational data accumulated over years that exists nowhere else. If that data was not backed up outside the compromised environment and those backups have been destroyed, the data is simply gone. No amount of money, time, or technical expertise will recover it.

Regulatory and legal exposure increases. Many industries operate under rules that require organizations to retain records for specified periods and to notify regulators and affected individuals when protected data is compromised or lost. Under HIPAA, for example, HHS guidance treats ransomware encryption of electronic protected health information as a presumed breach unless the organization can demonstrate a low probability that the data was compromised; state breach-notification laws and frameworks such as the CCPA can impose their own obligations. Encrypted and unrecoverable backups therefore add regulatory complexity to an already severe operational crisis.

The Ransom Payment Decision

When backups are gone and recovery is not possible through other means, organizations face one of the most difficult decisions in a security incident: whether to pay the ransom.

It is worth being clear about what paying a ransom actually means in practice. Ransomware groups usually provide a decryption tool when payment is made, but that tool is not guaranteed to work correctly. Decryption is slow, sometimes taking days or weeks to run across a large environment, and the tool may be buggy, leaving some files permanently corrupted even after payment. Paying also funds criminal organizations, creates a documented willingness to pay that may make the organization a target for future attacks, and does nothing to address the underlying security gaps that allowed the attack to succeed.

Law enforcement guidance, including from the FBI and CISA, generally advises against paying ransoms, both because it funds criminal activity and because it does not guarantee recovery. However, that guidance acknowledges the reality that for organizations facing permanent data loss or extended operational shutdown, the calculus is not straightforward.

What is clear is that organizations with intact, offline, tested backups almost never face this decision. When it does arise, it is in nearly every case a consequence of an inadequate backup strategy rather than an unavoidable choice.

What Options Remain

When backups have been encrypted and live data is inaccessible, the options that remain depend on what survived the attack and how quickly the organization acts.

Offline and offsite backups are the most valuable asset in this scenario. If the organization maintained backups on media that was disconnected from the network, or in a cloud environment with access controls that prevented the attacker from reaching them, those backups become the recovery path. The critical word is disconnected. Backups that are connected to the network, even periodically for synchronization, are reachable by an attacker with sufficient access and time.

Immutable cloud backups configured with object lock or similar write-once protections cannot be deleted or overwritten before their retention period expires, provided the lock was set in a compliance-style mode that no credential, including the account root or a global administrator, can shorten. Governance-style modes that let a sufficiently privileged principal bypass retention do not give this guarantee. If immutable backups were in place and the retention window still covers a point before the attacker's entry, recovery from those copies is possible.

Volume shadow copies and system restore points on individual machines survive only if the ransomware did not target them, and most modern variants do: deleting shadow copies (for example with vssadmin delete shadows or wmic shadowcopy delete) and disabling Windows recovery is a near-universal step before encryption. Where they do survive, they provide partial recovery capability for individual systems.
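Catching the commands in the paragraph above, and more generally the backup-targeting steps listed under "How Ransomware Groups Target Backups", is the detection a defender wants running before the dwell period ends. What follows is an added example, not nDataStor's tooling or code from the original post: a small Python detector run over constructed process-creation records. The one-line record format is a simplified stand-in for Sysmon or EDR process telemetry and is an assumption of this example; the command patterns are indicative Inhibit System Recovery (MITRE ATT&CK T1490) behaviours, not a complete signature set.

```python
"""Flag backup-destruction commands in process-creation telemetry.

Hypothetical example (not nDataStor's tooling). The record format below is a
constructed, simplified rendering of Sysmon/EDR process-creation events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicative patterns for MITRE ATT&CK T1490 (Inhibit System Recovery) and
# backup-agent tampering; extend for your own backup products.
RULES = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"Get-WmiObject\s+Win32_ShadowCopy", re.I)),
    ("shadow_storage_shrink", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("backup_catalog_deleted", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I)),
    ("backup_service_stopped", re.compile(
        r"\b(net(\.exe)?\s+stop|sc(\.exe)?\s+(stop|config)|Stop-Service)\b.*\b(veeam|backup|vss|acronis|veritas)", re.I)),
]

# One record per line: ISO timestamp, host, user, pid, parent image, command line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"pid=(?P<pid>\d+)\s+parent=(?P<parent>\S+)\s+cmdline=(?P<cmdline>.*)$"
)


def parse_line(line):
    """Parse one record; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def match_rules(cmdline):
    """Names of every rule whose pattern matches the command line."""
    return {name for name, pat in RULES if pat.search(cmdline)}


def scan(lines, window=timedelta(minutes=15)):
    """Return one alert per matching record.

    A single technique is 'high'. Two or more *distinct* techniques on the
    same host inside `window` is the coordinated pre-encryption pattern and
    is escalated to 'critical'. Lines are assumed to be in time order.
    """
    alerts = []
    history = defaultdict(list)  # host -> [(timestamp, rule_name)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for rule in sorted(match_rules(rec["cmdline"])):
            history[rec["host"]].append((rec["ts"], rule))
            recent = {r for t, r in history[rec["host"]] if rec["ts"] - t <= window}
            alerts.append({
                "ts": rec["ts"].isoformat(),
                "host": rec["host"],
                "user": rec["user"],
                "rule": rule,
                "severity": "critical" if len(recent) >= 2 else "high",
                "cmdline": rec["cmdline"],
            })
    return alerts


# Constructed sample telemetry: a file server whose recovery is being
# dismantled, a backup server whose agent is stopped, and a benign lookup.
SAMPLE_LOG = """\
2025-03-14T02:11:09Z host=FS01 user=CORP\\jsmith pid=3120 parent=explorer.exe cmdline=notepad.exe C:\\Users\\jsmith\\notes.txt
2025-03-14T02:13:44Z host=FS01 user=CORP\\svc_backup pid=4412 parent=cmd.exe cmdline=vssadmin.exe delete shadows /all /quiet
2025-03-14T02:13:51Z host=FS01 user=CORP\\svc_backup pid=4418 parent=cmd.exe cmdline=bcdedit.exe /set {default} recoveryenabled No
2025-03-14T02:14:02Z host=FS01 user=CORP\\svc_backup pid=4425 parent=cmd.exe cmdline=wbadmin.exe delete catalog -quiet
2025-03-14T02:20:30Z host=BK01 user=CORP\\svc_backup pid=9001 parent=powershell.exe cmdline=net stop "Veeam Backup Service"
2025-03-14T03:05:00Z host=WS17 user=CORP\\helpdesk pid=2210 parent=cmd.exe cmdline=vssadmin.exe list shadows
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f'{a["severity"]:8} {a["host"]:5} {a["rule"]:24} {a["cmdline"]}')
```

The escalation is the useful part: a lone `vssadmin delete shadows` can be an administrator reclaiming disk, but shadow deletion, recovery disabling and catalog deletion on one host within minutes, run under the backup service account from a cmd.exe parent, is the pre-encryption sequence and should page someone. The benign `vssadmin list shadows` line produces no alert.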

Forensic recovery from encrypted media is generally not viable against modern ransomware using strong encryption. The encryption is real and the keys are held by the attacker. Claims of tools that can decrypt ransomware without the key apply only to specific older ransomware families with known weaknesses, not to current sophisticated variants.

Partial operational recovery may be possible by rebuilding critical systems from known-clean installation media and configuration documentation, even without data recovery. This restores operational capability while data recovery efforts continue, but requires that the organization has current documentation of its system configurations and application settings.

What a Ransomware-Resistant Backup Strategy Looks Like

The lesson of every ransomware incident involving encrypted backups is that the backup strategy that exists to protect against routine data loss is not the same as the backup strategy that protects against a determined attacker. Building the latter requires deliberate architecture decisions.

The 3-2-1-1 rule is the modern extension of the classic 3-2-1 backup principle. Maintain at least three copies of data, on at least two different types of media, with at least one copy offsite, and at least one copy offline or immutable. The offline or immutable copy is the element most traditional backup strategies are missing, and it is the element that matters most when an attacker has been inside your network.

Air-gapped backups are copies stored on media that is physically disconnected from any network. Tape backups stored offsite, external drives that are connected only during backup windows and then removed, and dedicated backup systems with no network connectivity are all forms of air gapping. An attacker who cannot reach the backup medium cannot encrypt it. The gap is only as good as the disconnection, though: a drive that is plugged in during the nightly backup window is reachable during that window, and an attacker who has been watching the environment for weeks knows the schedule. Rotate media so that at least one copy is always offline, and treat that copy as unproven until a restore from it has been tested.

Immutable backup storage uses write-once object storage with time-locked retention policies so that backup data cannot be modified or deleted, even by users with administrative access, until the retention period expires. Major cloud providers offer this capability through object lock or immutability features. Three details decide whether it actually holds up. The lock must be in the mode the provider itself cannot bypass (on AWS S3, compliance mode rather than governance mode, which a principal holding the bypass permission can override). The retention period must be longer than the time an attacker could plausibly dwell undetected plus the time it takes you to notice the incident, or the clean copies expire before you need them. And the account that owns the storage must itself be protected, since an attacker who can close the account or strip its billing can still make the data unreachable. Configured that way, immutable storage survives even an attacker with full cloud console access.

Backup isolation means that the credentials and access paths used to write to backup storage are not the same as the credentials used to manage other systems. A service account that can only write to backup storage, not delete or overwrite it, limits the damage an attacker can do even if they compromise that account. Backup management consoles should require multi-factor authentication and should not be accessible from general workstations. Where the backup target is a cloud bucket, put it in a separate account or tenant from production so that a compromised production administrator has no path to it.
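The two properties just described, a lock that no credential can shorten and a writer that cannot delete, are worth checking mechanically rather than trusting a console screenshot. The example below is added here and is not nDataStor's code: a stdlib-only Python audit of an S3-style Object Lock configuration and of a backup writer's IAM policy, showing a weak setup beside the corrected one. The two input documents are constructed literals shaped like the responses of boto3's `get_object_lock_configuration()` and `get_policy_version()`; feeding in the live API responses, the bucket name `example-backups`, and the 30-day retention floor are assumptions made for illustration.

```python
"""Audit backup-bucket immutability and a backup writer's IAM policy.

Illustrative, stdlib-only example (not nDataStor's code). The inputs are
constructed dicts shaped like the S3 GetObjectLockConfiguration response and
an IAM policy document; in production they would come from the API.
"""
import fnmatch

# Actions a backup *writer* must never hold: anything that deletes data,
# changes retention, rewrites the bucket policy, or disables the controls.
# With a bucket default retention in force the writer does not need
# s3:PutObjectRetention at all.
FORBIDDEN_ACTIONS = {
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
    "s3:PutBucketVersioning", "s3:PutBucketObjectLockConfiguration",
    "s3:PutBucketPolicy", "s3:PutObjectRetention", "s3:PutObjectLegalHold",
    "s3:BypassGovernanceRetention",
}


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """(sid, action) pairs where an Allow statement covers a forbidden action.

    Wildcards such as "s3:*", "s3:Delete*" or "*" are expanded with fnmatch;
    an Allow with NotAction is reported outright because it grants everything
    it does not name.
    """
    findings = []
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no sid>")
        if "NotAction" in st:
            findings.append((sid, "NotAction grants every action not listed"))
        for pattern in _as_list(st.get("Action", [])):
            for action in sorted(FORBIDDEN_ACTIONS):
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append((sid, action))
    return findings


def lock_findings(lock_cfg, min_days):
    """Problems with an Object Lock configuration, as human-readable strings."""
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on the bucket"]
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["no default retention: objects written without an explicit "
                "retention header are deletable"]
    problems = []
    mode = rule.get("Mode")
    if mode == "GOVERNANCE":
        problems.append("GOVERNANCE mode: a principal holding "
                        "s3:BypassGovernanceRetention can delete early; use COMPLIANCE")
    elif mode != "COMPLIANCE":
        problems.append(f"unrecognised retention mode {mode!r}")
    days = rule.get("Days", rule.get("Years", 0) * 365)
    if days < min_days:
        problems.append(f"retention {days}d is shorter than the {min_days}d floor "
                        "(must exceed plausible attacker dwell time plus detection lag)")
    return problems


def audit(lock_cfg, policy, min_days=30):
    """Combine both checks; 'ok' is True only when nothing was found."""
    lock = lock_findings(lock_cfg, min_days)
    pol = policy_findings(policy)
    return {"lock": lock, "policy": pol, "ok": not (lock or pol)}


# --- Constructed inputs: a weak setup next to the corrected one ---------------
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
STRONG_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 45}}}}

# "The backup agent needs full access to its bucket": the usual mistake.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupAgent", "Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]}]}

# Write-only: can add objects (new locked versions) and resume uploads, nothing
# else. Reads and restores are done by a separate, MFA-protected role.
WRITE_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "WriteBackups", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:AbortMultipartUpload"],
     "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "ListForResume", "Effect": "Allow",
     "Action": ["s3:ListBucket", "s3:ListBucketMultipartUploads"],
     "Resource": "arn:aws:s3:::example-backups"}]}

if __name__ == "__main__":
    for label, lock, pol in (("weak", WEAK_LOCK, WEAK_POLICY),
                             ("hardened", STRONG_LOCK, WRITE_ONLY_POLICY)):
        print(label, audit(lock, pol))
```

With versioning and Object Lock enabled, a `PutObject` to an existing key creates a new locked version rather than replacing the old one, which is why a writer holding only `PutObject` cannot "overwrite" a backup in any sense that matters for recovery. Run the audit from a pipeline that pulls the real configuration and policy, and fail the build on any finding.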

Regular tested restores are the element most backup programs lack. A backup that has never been successfully restored is not a backup, it is an untested assumption. Organizations should regularly test restoration from all backup types, including the offline and immutable copies, to confirm that recovery is actually possible before it is urgently needed. A backup strategy that has never been validated under realistic conditions will reveal its gaps at the worst possible time.

Backup monitoring and alerting ensures that failures in the backup process are detected and addressed before an incident occurs. Backups that silently fail over days or weeks leave an organization believing it has protection it does not have. Monitoring backup job completion, data volume trends, and backup integrity checks should be part of standard operations.
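The two paragraphs above describe checks rather than configuration, so here is what they look like as code. This is an added example, not nDataStor's tooling or code from the original post: a restore verification that compares a restored file tree against a SHA-256 manifest recorded at backup time, and a job monitor that flags backups that have gone silently stale or whose output size has collapsed. Every input is constructed inside a temporary directory or as inline records; the 26-hour staleness threshold, the 50 percent size-drop ratio and the job names are assumptions.

```python
"""Restore verification and backup-job monitoring.

Illustrative example (not nDataStor's tooling). Inputs are constructed in a
temporary directory and as inline job records so that it runs offline.
"""
import hashlib
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backup images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(root):
    """Relative path -> SHA-256 for every file under root (taken at backup time)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest):
    """Compare a restored tree with the backup-time manifest.

    'Job completed without error' is not a verified restore; this is. The
    manifest must live on the immutable/offline copy too, or an attacker who
    rewrites the data can rewrite the manifest to match.
    """
    actual = write_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupt = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {"missing": missing, "corrupt": corrupt, "extra": extra,
            "ok": not (missing or corrupt)}


def stale_jobs(jobs, now, max_age=timedelta(hours=26), min_ratio=0.5):
    """Flag jobs with no recent success or a suspicious drop in bytes written.

    `jobs` are run records {"job", "finished" (ISO 8601), "status", "bytes"}.
    Comparing the last two successful runs catches the quiet failure where
    the job reports success but wrote almost nothing.
    """
    findings = []
    by_job = {}
    for run in sorted(jobs, key=lambda r: r["finished"]):
        by_job.setdefault(run["job"], []).append(run)
    for job, runs in by_job.items():
        successes = [r for r in runs if r["status"] == "success"]
        if not successes:
            findings.append((job, "no successful run on record"))
            continue
        last = successes[-1]
        age = now - datetime.fromisoformat(last["finished"])
        if age > max_age:
            findings.append((job, f"last success {age.days}d {age.seconds // 3600}h ago"))
        if len(successes) >= 2 and last["bytes"] < min_ratio * successes[-2]["bytes"]:
            findings.append((job, f"bytes written fell from {successes[-2]['bytes']} "
                                  f"to {last['bytes']}"))
    return findings


def run_restore_demo():
    """Constructed scenario: three files backed up; the restore loses one and
    corrupts another. Returns the verify_restore() result."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for root in (live, restored):
            (root / "db").mkdir(parents=True)
            (root / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'acme');\n")
            (root / "config.yaml").write_text("retention_days: 45\n")
        (live / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 1);\n")
        manifest = write_manifest(live)                               # recorded at backup time
        (restored / "config.yaml").write_text("retention_days: 7\n")  # damaged in the restore
        # orders.sql was never restored at all.
        return verify_restore(restored, manifest)


# Constructed job history as of NOW.
NOW = datetime(2025, 3, 14, 9, 0, tzinfo=timezone.utc)
SAMPLE_JOBS = [
    {"job": "fileserver-nightly", "finished": "2025-03-13T02:10:00+00:00", "status": "success", "bytes": 812_000_000_000},
    {"job": "fileserver-nightly", "finished": "2025-03-14T02:05:00+00:00", "status": "success", "bytes": 3_100_000},
    {"job": "sql-hourly", "finished": "2025-03-11T23:00:00+00:00", "status": "success", "bytes": 40_000_000},
    {"job": "sql-hourly", "finished": "2025-03-12T00:00:00+00:00", "status": "failed", "bytes": 0},
    {"job": "exchange-nightly", "finished": "2025-03-13T01:30:00+00:00", "status": "success", "bytes": 94_000_000_000},
    {"job": "exchange-nightly", "finished": "2025-03-14T01:30:00+00:00", "status": "success", "bytes": 95_000_000_000},
]

if __name__ == "__main__":
    print(run_restore_demo())
    for job, why in stale_jobs(SAMPLE_JOBS, NOW):
        print(f"ALERT {job}: {why}")
```

Run the restore check against a copy restored into an isolated network from the offline or immutable tier, not from the primary backup server, since that is the copy you will actually be relying on. The size-drop rule is deliberately crude; a job that "succeeds" while writing three megabytes instead of 800 gigabytes is the kind of silent failure that a completion-status dashboard shows as green.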

How Long Businesses Take to Recover, and What It Costs

Recovery timelines from ransomware incidents involving encrypted backups are consistently longer than organizations anticipate, and the total cost is consistently higher than the ransom demand itself.

Research across major ransomware incidents shows that the average recovery time for organizations without usable backups extends well beyond a month in significant incidents. For small and mid-sized businesses, extended operational disruption of that duration is existentially threatening. Revenue stops while fixed costs continue. Customers find alternatives. Contracts lapse. Key employees begin to consider their options.

The costs extend well beyond the ransom payment, if one is made: forensic investigation to establish the scope of the incident and confirm that the attacker has been fully removed; legal fees related to breach notification obligations and potential regulatory inquiries; the labor cost of the recovery effort itself; temporary replacement of systems and services while recovery proceeds; and reputational damage, which is difficult to quantify but real, particularly for businesses in professional services where client trust is the foundation of the relationship.

For most small and mid-sized businesses, the question is not whether they can afford a robust backup strategy. It is whether they can afford to operate without one.

How nDataStor Helps Protect Your Backup Infrastructure

nDataStor works with businesses across the Bay Area, North Bay, and Sacramento to design, implement, and monitor backup strategies that are built to survive ransomware attacks, not just routine hardware failures.

That work begins with an honest assessment of what backup infrastructure currently exists and where the gaps are. Most organizations we work with have some form of backup in place. The gaps are typically in the areas that matter most against a sophisticated attacker: the absence of offline or immutable copies, backup credentials that share the attack surface of the rest of the environment, and restore processes that have never been tested under realistic conditions.

From there, we work with your team to implement the architecture changes that close those gaps without creating operational complexity your team can't maintain. Immutable cloud backup configuration, air-gapped backup processes, credential isolation, monitoring, and regular tested restores are all components we deploy and verify for clients across our managed services program.

We also address the detection side of the equation. Backup protection matters, but so does detecting the attacker's presence during the dwell period, before backup targeting begins. Continuous monitoring of your environment, with detection logic built around the reconnaissance and privilege escalation behaviors that precede a ransomware deployment, gives your team the opportunity to interrupt an attack before it reaches the stage where backups are at risk.

If you'd like to understand whether your current backup infrastructure would survive a ransomware attack targeting your backups specifically, we offer a complimentary security assessment for businesses in Northern California. It is a straightforward conversation that many organizations find clarifying, whatever the outcome.

The Bottom Line

The advice to keep good backups remains correct. It is simply no longer sufficient on its own.

Modern ransomware operations are deliberate, patient, and specifically designed to eliminate the recovery options that would make a ransom payment unnecessary. Organizations that rely on backup strategies designed for hardware failures, not adversarial attacks, are operating with a false sense of security that will only become apparent at the worst possible moment.

A ransomware-resistant backup strategy is not dramatically more expensive or complex than a standard one. It requires offline or immutable copies, isolated credentials, tested restore processes, and monitoring. Those elements, combined with detection capabilities that can identify an attacker during the dwell period before the payload deploys, are what separate organizations that recover quickly from those that face weeks of downtime, permanent data loss, or an impossible choice about whether to pay.

If you are not certain that your backups would survive a targeted attack, that uncertainty is worth resolving now, before it becomes urgent.
