One of the most persistent misconceptions in enterprise security is that a robust backup strategy provides reliable protection against ransomware. New research and incident data from Acronis challenges this assumption directly: in a significant proportion of ransomware incidents, organizations that had backups still paid ransoms or suffered severe data loss — because the attackers destroyed the backups first.
The finding reframes how organizations should think about ransomware resilience, shifting the focus from "do we have backups?" to "are our backups survivable against a determined adversary?"
The Backup Destruction Pattern
Modern ransomware operations follow a sophisticated multi-stage playbook that is far removed from the early "spray and pray" attacks of the 2010s. Contemporary ransomware groups invest significant reconnaissance time before triggering encryption, with backup destruction as a deliberate pre-encryption step.
How Attackers Approach Backups
After gaining initial access to a network, ransomware operators will typically spend days to weeks in the environment before deploying encryption. During this dwell time, they systematically:
- Map backup infrastructure — Identify backup servers, NAS devices, tape systems, and cloud backup destinations
- Gain backup system credentials — Harvest admin credentials for backup software (Veeam, Commvault, Acronis, Veritas, etc.)
- Destroy or corrupt backup data — Delete backup repositories, corrupt catalog files, or encrypt backup storage before triggering main encryption
- Disable backup agents — Stop or uninstall backup agents on endpoints and servers
- Target cloud backup targets — Use harvested cloud credentials (AWS, Azure, Google Cloud) to delete or corrupt cloud backup buckets
Only after backup destruction is confirmed do the attackers deploy the ransomware payload across the environment. At this point, the victim has no clean recovery path.
The Shadow Copy Problem
A common recovery shortcut for Windows environments is Volume Shadow Copy Service (VSS), which maintains point-in-time snapshots of files. Ransomware operators have known about this recovery path for years — virtually every modern ransomware strain includes automated commands to delete shadow copies before or during encryption:
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled noOrganizations relying on VSS as their primary recovery mechanism face near-certain recovery failure when hit by ransomware.
What "Backup Exists" Actually Means
The phrase "we have backups" obscures enormous variation in backup quality and survivability. Acronis identifies several categories of backup failure in ransomware incidents:
| Failure Mode | Description | Frequency |
|---|---|---|
| Backup system compromised | Attackers access and destroy backup data using harvested credentials | Very common |
| Network-attached backup accessible | Backups stored on SMB/NFS shares accessible from infected hosts | Common |
| Shadow copies deleted | VSS snapshots wiped by ransomware payload | Nearly universal |
| Backup agent on infected host | Local backup agent encrypted along with production data | Common |
| Backup untested | Backup exists but restore has never been validated | Widespread |
| RTO exceeded | Backup exists but recovery takes longer than business can tolerate | Common |
| Partial backup coverage | Critical systems not included in backup policy | Common |
In many incidents, organizations discover that their backup strategy had gaps they were unaware of until they needed to recover.
The Immutability Imperative
The security community has largely converged on immutable backups as the primary technical control against backup destruction. An immutable backup is one that cannot be modified or deleted — even by a user or system with administrative credentials — for a defined retention period.
Key immutable backup approaches:
Object Storage with Object Lock
Cloud storage services like AWS S3 with Object Lock, Azure Blob Storage with Immutability Policies, and Google Cloud Storage with Object Retention offer WORM (Write Once, Read Many) storage where objects cannot be deleted or overwritten during a retention period. Even a compromised cloud account cannot delete these objects if lock policies are applied correctly.
Air-Gapped Backups
Physical separation between backup media and the production network ensures attackers with network access cannot reach backup data. Tape-based backups with offline rotation, or backups to physically isolated systems with no permanent network connectivity, provide strong protection.
Immutable Backup Software Features
Modern backup platforms including Veeam, Acronis, Commvault, and Rubrik now offer immutability features that prevent backup data deletion even by backup administrators for a configured period. These features protect against both external attackers using harvested credentials and insider threats.
The 3-2-1-1-0 Rule
The traditional 3-2-1 backup rule (3 copies, 2 media types, 1 offsite) has been updated for the ransomware era:
- 3 copies of data
- 2 different storage media types
- 1 offsite copy
- 1 offline or air-gapped copy
- 0 errors verified through tested restores
The critical additions are the offline/air-gapped copy (survivable against network-based attackers) and the zero-error verified restores (backups that have never been tested are not backups).
Testing as a Control
Acronis's research highlights that untested backups fail at the worst possible moment. Organizations frequently discover that:
- Backup jobs have been silently failing for weeks or months
- Backup data is corrupt or incomplete
- Restore procedures are undocumented and take far longer than expected
- Recovery time objectives (RTOs) are unrealistic given actual backup infrastructure
A backup strategy without a regular, documented, tested restore process is not a backup strategy — it is a false sense of security.
Recommended testing cadence:
| Test Type | Recommended Frequency |
|---|---|
| Individual file restore | Monthly |
| Full system restore to test environment | Quarterly |
| Tabletop ransomware recovery exercise | Annually |
| Declared recovery time validation | Annually |
What Organizations Should Do
Technical controls:
- Implement immutable backup storage (object lock, air-gap, or immutability features)
- Store backup credentials separately from production credentials — never reuse admin passwords across backup and production systems
- Enable MFA on backup management consoles
- Network-segment backup infrastructure — backup servers should not be reachable from production endpoints
- Monitor backup systems with dedicated alerts for unexpected deletions or configuration changes
Operational controls:
- Test restores on a scheduled basis — document RTO and validate it
- Maintain an offline copy of backup media updated at least weekly
- Include backup system compromise in incident response playbooks
- Audit backup coverage regularly to ensure all critical systems are included