1 in 3
SMBs discover their most recent backup is unusable during ransomware recovery — not because of backup configuration failures, but because ransomware reached and encrypted the backup destination
11 days
average ransomware dwell time before encryption — the window during which backup infrastructure is specifically targeted and eliminated
93%
of ransomware attacks specifically target backup repositories before deploying encryption, according to Sophos 2025 research
24 days
average downtime following a ransomware attack — reduced to 7 days in organizations with tested, isolated backup recovery

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Backup design and backup reliability are different things. You can have a documented backup strategy, configured backup jobs, and a green status light in your backup console — and still discover, at the moment you need recovery, that ransomware encrypted your backup repository three days before it deployed on your endpoints, or that your VSS snapshots were deleted by the ransomware payload in its first 60 seconds, or that a full system restore from your backup takes 8 days rather than the 4 hours your recovery plan assumed.

This guide focuses specifically on the failure modes that ransomware creates for backup systems — not the general backup hygiene issues that DR testing guides cover, but the targeted, intentional backup destruction that modern ransomware operators execute as a standard part of their playbook.

Why ransomware specifically targets your backups first

Ransomware operators understood early that backup infrastructure was their primary obstacle to extracting ransom payment. Organizations with clean, accessible backups could restore and decline to pay. The response was to incorporate backup destruction into the standard ransomware attack chain.

Modern ransomware operations — including the major RaaS groups — spend their first hours after initial access conducting reconnaissance specifically to locate backup infrastructure. They look for: Veeam, Acronis, Commvault, and similar backup agent processes; network shares with names containing 'backup,' 'archive,' or 'recovery'; shadow copy schedules in Windows registry; and cloud backup connector processes and credentials stored in browser history or credential managers.

Once backup infrastructure is identified, pre-encryption activity includes: deleting VSS shadow copies (vssadmin delete shadows /all /quiet is in virtually every ransomware script), stopping and disabling backup agent services, encrypting or deleting the backup repository if it is reachable from the compromised network, and exfiltrating backup catalog data to understand what recovery points exist.

The practical implication: if your backup destination is reachable from any endpoint in your network under any credential available to an attacker who has compromised a privileged account, it is at risk.

Test 1: Verify offline or immutable backup integrity

The first test is whether you actually have backups that ransomware cannot reach.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Test 2: VSS and shadow copy survival test

Volume Shadow Copy Service (VSS) snapshots are the fastest recovery mechanism for individual files and system states on Windows. They are also the first target of virtually every ransomware payload.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Test 3: Full recovery time measurement

Recovery time objective (RTO) figures in disaster recovery plans are often aspirational rather than measured. The gap between documented RTO and actual recovery time is the most common surprise in a real ransomware incident.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Test 4: Backup agent and credential exposure

Backup agents installed on production systems run under service accounts that typically have high privileges — they need access to everything they back up. These credentials are a specific target in advanced ransomware operations.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

The backup configuration that looks correct in your management console and the backup that will actually recover your environment after ransomware are frequently different things. The gap is revealed by these tests in a controlled environment — or by ransomware in a real incident. Organizations that run a complete backup reliability test quarterly — including offline backup reachability, immutability verification, VSS survival, and full recovery time measurement — have the data they need to make honest claims about their recovery capability. Those that rely on backup status indicators without testing discover the gap at the worst possible time.

Frequently asked questions

How often should ransomware backup recovery tests be conducted?

Full recovery tests (restoring a critical system end-to-end) should be conducted at minimum annually and ideally quarterly. Component tests (verifying immutability, checking VSS existence, testing backup agent stop attempts) should be part of a monthly operational checklist. After any significant infrastructure change — adding a new backup destination, changing service account credentials, or upgrading backup software — rerun the relevant component tests.

Does object lock (S3 WORM) actually prevent ransomware from deleting cloud backups?

Yes, when correctly configured. Object Lock with Compliance mode prevents deletion by any user including the root account during the retention period. Governance mode prevents deletion by most users but allows root account deletion — choose Compliance mode for ransomware protection. The critical verification: bucket versioning must be enabled before Object Lock can be activated. Buckets with Object Lock enabled but versioning not confirmed are a documented configuration failure.

What is the 3-2-1-1-0 backup rule?

The 3-2-1-1-0 rule is an extension of the classic 3-2-1 rule for ransomware resilience: maintain 3 copies of data, on 2 different media types, with 1 copy offsite, with 1 copy offline or immutable (air-gapped or WORM), and 0 unverified backups (every backup is tested). The additional 1 (offline/immutable) and 0 (tested) elements address the ransomware-specific failure modes that the original 3-2-1 rule predates.

Can ransomware delete backups in the cloud?

Yes, when it has access to the credentials or sessions used to connect to cloud backup services. Ransomware that has compromised a workstation where a backup portal is logged in through a browser, or that has found cloud backup API keys in configuration files, can delete cloud backup repositories. Defense: use dedicated workstations for backup administration, enforce MFA on backup portal access, rotate backup API keys regularly, and enable Object Lock with Compliance mode on backup storage.

Sources & references

  1. Infrascale 2026 Ransomware Recovery Playbook for SMBs
  2. Veeam Data Protection Trends Report 2025
  3. Sophos State of Ransomware 2025

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.