Modern ransomware operators spend days or weeks inside your network before triggering encryption. During that time they find and compromise your backups. By the time files are encrypted, your most recent clean backup may be weeks old and your backup infrastructure may already be destroyed.
Analysis Briefing
- Topic: Ransomware backup bypass and dwell time strategy
- Analyst: Mike D (@MrComputerScience)
- Context: Originated from a live reader session
- Source: Pithy Cyborg
- Key Question: If attackers target backups first, what backup architecture actually survives?
How Ransomware Operators Find and Destroy Backups
Backup systems connected to the network are accessible to an attacker with sufficient network access. The same credentials that gave the attacker access to file servers may give them access to backup servers.
Once they have backup system access, they can delete backup sets, corrupt backup data, or encrypt the backup repository before triggering the main encryption event. Cloud backups connected through credentials stored on compromised endpoints are equally vulnerable. If an attacker finds AWS access keys on a compromised machine, they can delete cloud backups before you know there is an incident.
| Resilience Tier | Architecture Type | Ransomware Survival Logic | The 2026 Reality |
|---|---|---|---|
| Tier 1 (Legacy) | Local Network / NAS | None. If the attacker has admin rights, they can delete the backups. | Fatal: 76% of these are successfully compromised in 2026. |
| Tier 2 (Basic Cloud) | Integrated SaaS Backup | Partial. Depends on credential separation. | Risky: If your “Global Admin” is breached, your cloud backups go with it. |
| Tier 3 (Immutable) | WORM Cloud Storage | High. “Write Once, Read Many” prevents deletion even by the admin. | Standard: The minimum requirement for small business insurance today. |
| Tier 4 (Elite) | Physical Air Gap | Absolute. The attacker cannot cross a physical gap to reach the media. | Bulletproof: The final line of defense when the network is entirely lost. |
What the 3-2-1 Rule With an Air Gap Actually Requires
The gold standard is three copies of data, on two different media types, with one copy offline and disconnected from any network.
An offline backup that a network attacker cannot reach cannot be compromised by a network attacker. This seems obvious. Most organizations do not have it because it requires physical media and a process for regular updates. That operational inconvenience is the reason most backup strategies fail against ransomware.
When Immutable Cloud Backups Are the Practical Answer
Immutable backups are the cloud-era equivalent of the air gap. An immutable backup configuration prevents deletion or modification of backup data for a specified retention period, even by the account that created it.
AWS S3 Object Lock, Azure immutable blob storage, and equivalent features on other platforms implement this. An attacker with your cloud credentials cannot delete immutable backups before the retention period expires. This closes the most common attack path without requiring physical media management.
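As an added example (not code from the article, and not an AWS tool), the following Python audit checks an S3 Object Lock configuration against the retention requirement discussed here, and also catches the "silent delete" pattern from the takeaways, where retention is quietly lowered instead of backups being deleted. The input dicts mirror the `ObjectLockConfiguration` shape that boto3's `get_object_lock_configuration()` returns; the bucket settings and the 60-day window are constructed sample values.

```python
# Added example (not from the original article). Audits an S3 Object Lock
# configuration against a minimum retention derived from the dwell-time
# detection window, and flags a retention reduction since the last audit.
# Input dicts mirror the 'ObjectLockConfiguration' shape returned by boto3's
# s3.get_object_lock_configuration(); all sample values are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class LockAudit:
    ok: bool
    findings: List[str] = field(default_factory=list)

def retention_days(rule: dict) -> int:
    """Convert a DefaultRetention block to days (a Years value counts as 365 days)."""
    ret = rule.get("DefaultRetention", {})
    return ret.get("Days", 0) + 365 * ret.get("Years", 0)

def audit_object_lock(config: dict, min_days: int,
                      previous_days: Optional[int] = None) -> LockAudit:
    """Check whether a bucket's lock settings would survive a credentialed attacker.

    config        -> the 'ObjectLockConfiguration' dict from the API response
    min_days      -> retention must outlast the dwell time you expect to miss
    previous_days -> retention recorded at the last audit, to catch a quiet reduction
    """
    findings = []
    if config.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock disabled: anyone with admin rights can delete backups")
        return LockAudit(False, findings)
    rule = config.get("Rule", {})
    mode = rule.get("DefaultRetention", {}).get("Mode")
    days = retention_days(rule)
    if mode != "COMPLIANCE":
        # GOVERNANCE mode can be overridden by a principal holding
        # s3:BypassGovernanceRetention, so stolen admin credentials still win.
        findings.append(f"retention mode {mode!r} is not COMPLIANCE")
    if days < min_days:
        findings.append(f"default retention {days}d is shorter than the {min_days}d window")
    if previous_days is not None and days < previous_days:
        findings.append(f"retention dropped from {previous_days}d to {days}d (silent delete?)")
    return LockAudit(not findings, findings)

# Constructed samples: one hardened bucket and one that looks "backed up" but is not safe.
GOOD_CONFIG = {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}
WEAK_CONFIG = {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 1}}}
```

Run `audit_object_lock(cfg, min_days=60, previous_days=<last recorded value>)` on each backup bucket from a scheduled job and alert on any non-empty `findings`.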
The Backup Failures That Have Nothing to Do With Attackers
Most backup failures in the real world are not caused by ransomware operators. They are caused by silent misconfiguration, storage quotas that fill without alerting anyone, backup jobs that complete with errors that nobody reads, and retention policies that quietly delete old backups before an incident makes them necessary.
The backup dashboard that shows green does not mean your backups are restorable. It means the backup job ran. Those are different things.
A backup strategy that has never been tested under restore conditions is a liability dressed as a safety net. Schedule a quarterly restore test on a subset of critical data. Verify the restore completes, the data is intact, and the process works without the people who set it up. If you cannot restore without the original administrator, your backup strategy has a single point of failure.
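One way to make a restore test check integrity rather than job status, as an added example that is not part of the original article: a SHA-256 manifest is written from the source data at backup time and compared against the restored tree, so missing and partially restored files are reported separately. The file names and contents are constructed in a temporary directory; substitute your own critical-data subset.

```python
# Added example (not from the original article): a restore test that compares
# a SHA-256 manifest taken at backup time against the restored tree, so that
# "the job ran" and "the data came back intact" are checked separately.
# The demo() scenario and its file contents are constructed.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root (taken at backup time)."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored: Path) -> dict:
    """Classify each manifest entry as ok, missing or corrupted after a restore."""
    report = {"ok": [], "missing": [], "corrupted": []}
    for rel, digest in manifest.items():
        target = restored / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif sha256_file(target) != digest:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    return report

def demo() -> dict:
    """Constructed scenario: one file restored intact, one truncated, one never restored."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        src.mkdir()
        dst.mkdir()
        (src / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
        (src / "config.yml").write_bytes(b"retention_days: 90\n")
        (src / "keys.json").write_bytes(b"{}")
        manifest = build_manifest(src)          # recorded when the backup is taken
        (dst / "ledger.csv").write_bytes(b"id,amount\n1,100\n")  # restored intact
        (dst / "config.yml").write_bytes(b"retention_days")      # partial restore
        return verify_restore(manifest, dst)    # keys.json is absent from the restore
```

A restore test passes only when `missing` and `corrupted` are both empty; store the manifest somewhere the backup system itself cannot overwrite.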
What This Means For You
- Test your backups quarterly. A backup that has never been restored is a hypothesis, not a recovery plan.
- Implement immutable cloud backup storage with a retention period longer than your expected dwell time detection window.
- Maintain at least one offline backup on physical media updated on a regular schedule.
- Audit backup system access controls. Backup credentials should not be stored on endpoints that could be compromised.
- The 3-2-1-1 Rule: The old 3-2-1 rule is dead. The new standard is 3-2-1-1: 3 copies, 2 media types, 1 offsite, and 1 immutable or air-gapped.
- Identity is the New Air-Gap: Ensure your backup credentials are not managed through the same Active Directory or Single Sign-On (SSO) as your production network. If the “keys to the kingdom” are all on one keychain, the attacker only needs to pick one pocket.
- Beware the “Silent Delete”: Modern attackers don’t always delete backups immediately. They sometimes lower your retention period to 1 day and wait. By the time you notice, your weeks of history are gone. Audit your retention settings as often as your logs.
