93%
of organizations that experience major data loss without a working DR plan go out of business within one year
3-2-1-1
current backup best practice: 3 copies, 2 media types, 1 offsite, 1 immutable; the fourth copy is the ransomware-proof requirement
76%
of organizations that paid a ransomware ransom could not recover all their data; tested backups are the alternative that actually works
4-10x
how much longer actual recovery takes versus documented RTO targets in untested DR plans; testing before an incident reveals the gap

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

A disaster recovery plan that has not been tested against realistic scenarios is not a recovery capability — it is a document. The gap between documented recovery time objectives and actual recovery time is consistently exposed only during real incidents, when the gap matters most.

Ransomware has redefined disaster recovery requirements. Attackers now specifically target backup infrastructure before deploying ransomware — they know that accessible backups are the organization's alternative to paying ransom. They delete backup catalogs, encrypt backup storage connected to the production network, and disable backup agents on compromised hosts. An organization that discovers their backups are encrypted or deleted during a ransomware incident has no recovery path without paying.

This guide covers the DR architecture, testing methodology, and resilience design that makes recovery achievable after a ransomware incident.

Defining RTO and RPO correctly

Recovery Time Objective and Recovery Point Objective are the foundational metrics of any DR program, but they are routinely defined in ways that create false confidence. RTO is frequently defined as the time to restore data from backup, which omits OS rebuild, application configuration, validation, DNS cutover, and user notification steps that can multiply the actual time by 4 to 10. RPO is frequently set to match backup frequency without verifying that the most recent backup is actually restorable. The goal of correct RTO and RPO definition is to produce targets that the team can actually meet under incident conditions, not aspirational figures that look good in a plan that has never been tested.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Ransomware-resilient backup architecture

Ransomware specifically targets backup infrastructure before deploying its payload. Attackers understand that accessible backups are the organization's exit ramp from ransom payment, so they systematically delete backup catalogs, encrypt backup repositories reachable from the production network, and disable backup agents on compromised hosts. Architecture decisions that make backups reachable from any compromised production system make those backups ransomware targets. The 3-2-1-1 rule and immutable storage are not optional additions to a modern backup architecture; they are the minimum viable design for any organization that faces ransomware risk.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

DR testing: validating recovery before you need it

The only way to know your DR capability is real is to test it under realistic conditions. Annual DR tests that succeed under controlled conditions with full team availability and no time pressure are necessary but not sufficient. Regular testing at different levels of depth, including unannounced restore checks, tabletop exercises that simulate backup compromise, and full operational simulations with measured recovery times, produces an accurate picture of actual capability versus documented capability. Organizations that test monthly catch backup corruption while there is still time to rebuild valid copies. Organizations that test annually often discover corruption and missing procedures during the ransomware incident that depends on those backups.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Recovery decision framework for ransomware incidents

Ransomware incidents compress complex, high-stakes decisions into hours. Leaders who have never discussed the ransom payment criteria, recovery sequencing priorities, or regulatory notification triggers are forced to make those decisions under maximum pressure with incomplete information. A pre-defined decision framework documented in the incident response plan eliminates the analysis paralysis that costs hours during active recovery. The two decisions most organizations fail to pre-define are whether and under what conditions to consider ransom payment, and what order to restore systems when multiple critical systems are simultaneously down.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Cyber resilience is not about preventing every incident — it is about surviving the incidents that prevention fails to stop. The architecture that makes survival possible: immutable backups in isolated storage that ransomware cannot reach, tested recovery procedures with measured RTOs that match reality (not aspiration), and pre-defined decision frameworks that prevent analysis paralysis during the recovery period. The investment in DR testing is consistently smaller than the cost of discovering DR gaps during an actual incident — a failed restore test that takes 8 hours to diagnose costs engineer time; a failed restore during a ransomware incident costs revenue, reputation, and potentially ransom payment.

Frequently asked questions

How do we protect backups from being encrypted by ransomware?

Ransomware encrypts backups by using the same network access that the backup system uses to connect to production. The defense is making at least one copy of backups unreachable from any compromised production system: immutable object storage with object lock (attackers cannot delete or overwrite locked objects even with storage admin credentials), dedicated backup repositories on isolated networks with no routing to the production domain, tape backup with physical offsite storage (no network connection = no ransomware path), and backup service accounts isolated from production directory (separate credentials prevent using compromised production accounts to access backup systems). The 3-2-1-1 rule ensures that even if ransomware reaches one backup copy, an immutable copy remains.

What is the difference between RTO and RPO?

RTO (Recovery Time Objective) is the maximum acceptable time from when a disruption begins to when the system is restored to operational status — it is a time duration. RPO (Recovery Point Objective) is the maximum acceptable data loss measured in time — it defines how recent the most recent recoverable backup must be. Example: a payment processing system with RTO 4 hours and RPO 15 minutes must be restored within 4 hours of disruption AND must be restored from a backup no more than 15 minutes old. Meeting the RTO but not the RPO means systems are back up but with stale data — missing recent transactions. Both objectives must be met independently.

How often should we test disaster recovery procedures?

Minimum viable testing cadence: monthly backup restoration tests (5-10 random jobs verified to restore successfully), quarterly tabletop exercises walking through incident scenarios, and annual full recovery simulation for Tier 1 systems measured against documented RTOs. After any significant infrastructure change (major application migration, cloud adoption, merger integration), run a targeted DR test for affected systems — infrastructure changes frequently invalidate existing recovery procedures. After any ransomware incident in your industry (even at a peer organization), validate that your backup architecture would have survived the same attack technique the attacker used.

Sources & references

  1. CISA Ransomware Guide - Backup and Recovery
  2. NIST SP 800-34 Contingency Planning Guide
  3. Veeam Ransomware Protection Trends Report 2025

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.