8 Backup Realities Modern Ransomware Has Broken

The phrase “we have backups” used to end the recovery conversation. Today it opens one.

Backup teams built a decade of practice around assumptions that were true in 2018 and largely true in 2021: immutable storage was the hard part, the EDR stack would catch whatever got in, and a green job report meant a recoverable copy. The 2024 to 2026 incident record has cracked each of those assumptions in a specific, measurable way. Sophos research found that organizations whose backups were successfully impacted during a ransomware attack saw median recovery costs eight times higher than those whose backups remained intact. The economic gradient between “had backups” and “had recoverable backups” is no longer a footnote.

What follows are eight assumptions to stop relying on, what broke each one, and the control that closes each gap.

What Holds, What Broke

Immutability, air-gap, retention, EDR, and job-status reporting still hold. The assumption that those same controls also prove a recovery point is clean, current, and safe to restore does not. The missing control is a dated verdict on the contents of the protected data, tied to a specific recovery point and preserved as recovery evidence.

Reality 1: Immutability Is Not Recoverability

Immutable storage prevents a backup object from being changed for a defined retention period. It does not inspect the data inside the object. That distinction was an academic point ten years ago. It is a recovery-blocking issue now.

When attackers write encrypted, partially encrypted, or malware-laden data into a backup window before the lock takes effect, immutability becomes the guarantee that the bad copy will persist for the full retention period. NIST’s Security Guidelines for Storage Infrastructure (SP 800-209) lists data protection, isolation, and restoration assurance as distinct security domains for a reason. Storage that cannot be altered is one of those. Storage that can be safely restored is another.

Key Distinction

Treat immutability as a write-side control. Treat content inspection of the protected object as the read-side control that proves recoverability. Pair the two, or accept that retention alone is not enough.

Reality 2: EDR Sees Production, Not What Is Frozen In Snapshots

Endpoint detection and response works by watching processes, syscalls, memory, and behavior on a running host. A snapshot or block-level backup is none of those. It is a frozen file system at a point in time, sitting in storage that the EDR agent does not run on and cannot observe.

This gap is widening. Picus Security’s Red Report 2024 documented a 333% increase in “hunter-killer” malware that targets and disables the very EDR, AV, and logging tools defenders rely on. When the production agent is blinded, the snapshot taken under that agent’s watch inherits the silence. The 333% Surge in Hunter-Killer Malware walks through why that pattern moves the integrity check off the host and into the storage layer.

Key Distinction

A snapshot inherits the trust state of the system that produced it. If the agent could not see the compromise, the snapshot will not flag it. Inspect the data at rest with controls that do not depend on the production endpoint stack.

Reality 3: A “Successful Backup” Is A Job Status, Not A Data Verdict

The backup console says “Success.” That status confirms that the backup job ran, the files were transferred, the catalog updated, and the retention policy applied. It does not say anything about whether the data inside that backup is clean, recoverable, or already encrypted.

Modern ransomware groups have learned to write data that passes every job-level check. The joint Akira ransomware advisory (AA24-109A, updated November 2025) describes Akira’s use of intermittent encryption, where large files are encrypted in chunks with gaps in between, and Linux variants that scan for /dev/mapper backup paths and Veeam configurations. The backup job runs to completion. The verdict on the data inside it never gets rendered.

Ransomware isn’t a malware problem anymore. It’s a data integrity problem covers the operational shift this requires.

Key Distinction

The backup product reports job state. Recovery readiness requires a separate data-state verdict, produced by reading the contents of the protected object after it is written.

Reality 4: Air-Gap Does Not Help If The Ransomware Was Already In The Source

Air-gapped vaults solve the problem of an attacker reaching the backup over the network. They do not solve the problem of an attacker who was already in the source system when the backup was written. If the recovery point captured an encryptor, a dropper, a tampered application binary, or a compromised dependency, the gap protects that payload at the same fidelity as the rest of the data.

Mandiant’s M-Trends 2026 report, based on more than 500,000 hours of frontline investigations in 2025, found a global median dwell time of 14 days, with internally detected intrusions sitting at 9 days and externally notified ones at 25 days. In ransomware cases, Mandiant observed that internal teams identified the compromise only 41% of the time, with adversaries themselves revealing the intrusion in 44% and external entities notifying victims in 15%. The implication for backups is direct: a daily backup schedule with 14 days of retention can sweep right through the dwell window of a quietly running intrusion before anyone inside the organization sees it. By the time you see ransomware, your backups may already be compromised lays out that timeline failure in more detail.

Key Distinction

An air gap controls write access from outside. It does not validate the integrity of what got written from inside. Validate before the data enters the vault, not only after.

Reality 5: Entropy And Metadata Anomalies Miss Encryption-In-Place

Anomaly detection on backup data typically watches for entropy spikes, file-count deltas, mass renames, or change-rate jumps. That worked against early ransomware families that encrypted whole files at scale. It does not work against intermittent encryption, partial encryption, or encryption whose change rate stays inside the band the detector treats as normal.

CISA’s BlackSuit/Royal advisory describes a partial encryption capability that lets the operator choose the percentage of a file to encrypt, specifically to evade entropy-based detectors and improve speed. Academic measurement work, including recent research on intermittent file encryption, shows that the encrypted fraction can be tuned per family to stay below what histogram and entropy methods can reliably distinguish from unencrypted data. The Accuracy Gap covers the SOC-level consequence: a stream of false positives that gets muted, alongside the real signal that never fires.

Off-platform encryption compounds the problem. Some attackers copy files to an unmanaged host, encrypt them outside the storage platform, and write the result back. What happens when attackers encrypt your data off-platform explains why the location of the encryption event does not change the integrity outcome for the data.

Key Distinction

Statistical inference is one signal. Structural content inspection of the protected object is the signal that produces a verdict.
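The gap Realities 1, 3 and 5 describe can be shown on a constructed object. The Python below is an added example written for this page, not Elastio code or any backup product's own check. It builds a stored (uncompressed) ZIP holding a synthetic application log, applies BlackSuit-style partial encryption to one 4 KiB chunk in ten while leaving the file header intact so the object still opens, and then runs three checks side by side: the transfer-fidelity check a backup job performs, a whole-object entropy threshold, and a structural read of the container. The chunk size, stride, the 7.0 bits-per-byte detector threshold, and the choice of ZIP with per-member CRC-32 as the "structural" format are all assumptions made for the demonstration.

```python
"""Added example (not Elastio code): a job-level check and an entropy detector both
pass a backup object that intermittent encryption has made unrecoverable; a
structural read of the object does not. Format, chunking and thresholds are assumed."""
import hashlib
import io
import math
import random
import zipfile
from collections import Counter

ENTROPY_THRESHOLD = 7.0   # assumed detector setting: above this bits/byte => "encrypted"
CHUNK = 4096              # assumed: the encryptor works in 4 KiB chunks
STRIDE = 10               # assumed: one chunk in ten is encrypted (~10% of the file)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the whole object, what a coarse detector measures."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_backup_object() -> bytes:
    """Constructed sample: a ZIP archive storing (not compressing) a plausible app log."""
    lines = [
        f"2026-03-{d:02d}T{h:02d}:00:00Z host=app{d % 4} level=INFO "
        f"req_id={d * 1000 + h} status=200\n"
        for d in range(1, 31) for h in range(24)
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("app.log", "".join(lines) * 8)
    return buf.getvalue()


def intermittent_encrypt(data: bytes, seed: int = 1) -> bytes:
    """Simulate partial encryption: XOR every STRIDE-th chunk with a random keystream.
    Chunk 0 (the local file header) is left untouched so the object still 'opens'."""
    rng = random.Random(seed)
    out = bytearray(data)
    for start in range(CHUNK, len(data), CHUNK):
        if (start // CHUNK) % STRIDE == STRIDE - 1:
            keystream = rng.randbytes(min(CHUNK, len(data) - start))
            for i, k in enumerate(keystream):
                out[start + i] ^= k
    return bytes(out)


def job_status(source: bytes, written: bytes) -> str:
    """What the backup console verifies: the bytes read from the source were written
    faithfully. If the source was already encrypted, this still reports Success."""
    same = hashlib.sha256(source).digest() == hashlib.sha256(written).digest()
    return "Success" if same and len(written) > 0 else "Failed"


def entropy_verdict(data: bytes) -> str:
    """Whole-object entropy check; partial encryption keeps it under the threshold."""
    return "suspicious" if shannon_entropy(data) > ENTROPY_THRESHOLD else "normal"


def structural_verdict(data: bytes) -> str:
    """Read-side check: parse the container and verify every member's CRC-32."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            bad = zf.testzip()          # first member whose CRC fails, or None
    except zipfile.BadZipFile:
        return "unreadable"             # directory/header damaged: cannot even open
    return "clean" if bad is None else f"crc-mismatch:{bad}"


def assess(data: bytes) -> dict:
    """All three verdicts for one object (the object is both 'source' and 'written'
    because the encryption happened in the source before the job ran)."""
    return {
        "job": job_status(data, data),
        "entropy": f"{entropy_verdict(data)} ({shannon_entropy(data):.2f} bits/byte)",
        "structure": structural_verdict(data),
    }


if __name__ == "__main__":
    good = build_backup_object()
    bad = intermittent_encrypt(good)
    print("clean copy   :", assess(good))
    print("tampered copy:", assess(bad))
```

The tampered copy is the same length as the original, hashes consistently between source and vault, and sits well under the entropy threshold, so the write-side controls and the statistical detector both report it as fine. Only reading the object as the format it claims to be produces the negative verdict, which is the read-side control Reality 1 asks for.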

Reality 6: 30-Day Retention Is No Longer A Safety Margin

Retention math was once simple: more days back, more chances to find a clean point. The numbers cut differently now because attackers increasingly target the systems that make recovery possible, not only the systems that run production.

Verizon’s 2026 Data Breach Investigations Report reports that ransomware is now involved in 48% of breaches. Mandiant’s 2026 M-Trends report describes a related shift: ransomware operators are moving toward deliberate recovery denial by targeting backup infrastructure, identity services, and virtualization management planes. That is the point where a retention window becomes a search problem under pressure.

The operational consequence is that 30 days of backups is not a guarantee that the oldest copy predates the compromise. It is a guarantee that 30 days’ worth of backups exist to inspect. The metric that matters during an incident is the age of the newest backup with affirmative evidence of cleanliness, the clean recovery point. RPO is not enough for ransomware recovery explains why backup frequency and clean-point age are different measures, and what incident response teams see after cloud ransomware describes how that question dominates the first hours of every cloud-side investigation.

Key Distinction

Retention is the search space. Verified cleanliness is the answer key. Add days only when you can also add evidence per day.

Reality 7: Backup Credentials Are Tier 0 Assets, Whether Or Not You Treat Them That Way

The CISA, NSA, and ASD ACSC joint guidance on detecting and mitigating Active Directory compromises places backup servers for Tier 0 assets inside the Tier 0 perimeter, alongside domain controllers and identity infrastructure. Many backup environments are still administered as if they were Tier 1: shared service accounts, password vault entries reachable from production, MFA enforced unevenly across the backup admin console.

The 2025 update to the Akira advisory documents exactly what attackers do with that gap. Akira operators have been observed exploiting CVE-2024-40711, an unauthenticated remote code execution vulnerability in Veeam Backup and Replication, then running PowerShell scripts to dump credentials from backup servers and extract Kerberos tickets. The Linux encryptor enumerates /dev/mapper paths and backup configurations before encrypting; the Windows variant deletes volume shadow copies first.

The compromise of the backup admin path collapses both the production and recovery sides of the incident at once. The Blind Spot of Zero Trust covers the ephemeral and machine-identity angle that makes this harder in cloud environments.

Key Distinction

Backup administrative paths sit at Tier 0 in the modern threat model. Patch cadence, credential isolation, and access review for the backup stack belong on the same calendar as the domain controllers.

Reality 8: One-Time Scans Cannot Keep Up With Dormant Payloads And Late Detonation

A scan-at-ingest model produces a verdict at the moment the backup is written. That verdict reflects only the threats the scanner knew about that day. It does not catch payloads whose detection signatures emerge weeks later, dormant scripts that only execute under specific conditions, or attacker-introduced artifacts whose role only becomes clear once additional context arrives.

The FBI’s 2024 Internet Crime Report catalogs 67 new ransomware variants observed in a single year. A scan that ran in January against a backup written that day did not have signature coverage for variants that emerged in October. Dormant access tools embedded in office documents, container images, and source repositories compound the problem: the scanner sees the file, finds nothing actionable, and moves on. What Is Recovery Assurance frames the alternative as continuous validation rather than one-shot inspection.

Key Distinction

Scan-once is point-in-time. Recoverability is a continuous property of the protected estate. Re-inspect existing recovery points against current threat intelligence on a defined cadence, with the same artifact discipline as the original scan.
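Realities 6 and 8 share one piece of arithmetic, and it is easier to see in code than in prose. The Python below is an added example, not Elastio's product logic: it models a recovery point that carries a list of dated verdicts, each tagged with the intelligence version it was rendered against, and computes two ages over a constructed 30-day estate. The newest-copy age, which is what RPO reasoning measures, stays at one day throughout. The clean-point age is one day on ingest-time verdicts alone, then moves to seventeen days once a re-inspection against newer intelligence covers the dwell window. If the re-inspection window is shorter than the dwell, no point qualifies and the function returns None rather than a stale answer. The dwell start (16 days), the two window sizes, and the integer intelligence versions are assumptions chosen for the scenario.

```python
"""Added example (not Elastio code): clean-point age versus newest-copy age, with
verdicts that are dated, versioned and appended rather than overwritten.
Scenario values (dwell, windows, intel versions) are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

DAY = 86400.0


@dataclass(frozen=True)
class Verdict:
    rendered_at: datetime
    intel_version: int      # assumed: monotonically increasing id of the intel/signature set
    clean: bool
    artifact: str           # assumed: reference to the retained evidence (report id or hash)


@dataclass
class RecoveryPoint:
    rp_id: str
    taken_at: datetime
    verdicts: List[Verdict] = field(default_factory=list)

    def latest_verdict(self) -> Optional[Verdict]:
        return max(self.verdicts, key=lambda v: v.rendered_at, default=None)


def newest_point_age_days(points: List[RecoveryPoint], now: datetime) -> float:
    """The number RPO reasoning looks at: how old is the newest copy, clean or not."""
    return (now - max(p.taken_at for p in points)).total_seconds() / DAY


def clean_recovery_point(points, now, min_intel_version: int) -> Optional[RecoveryPoint]:
    """Newest point whose most recent verdict is clean AND was rendered against intel
    at least min_intel_version. A point never inspected, or inspected only against
    intel that predates the payload's signature, is not evidence of cleanliness."""
    candidates = [
        p for p in points
        if (v := p.latest_verdict()) is not None and v.clean and v.intel_version >= min_intel_version
    ]
    return max(candidates, key=lambda p: p.taken_at, default=None)


def clean_point_age_days(points, now, min_intel_version: int) -> Optional[float]:
    p = clean_recovery_point(points, now, min_intel_version)
    return None if p is None else (now - p.taken_at).total_seconds() / DAY


def build_estate():
    """Constructed estate: 30 daily points, each scanned at ingest against intel v1."""
    now = datetime(2026, 4, 1, tzinfo=timezone.utc)
    points = []
    for d in range(1, 31):
        taken = now - timedelta(days=d)
        p = RecoveryPoint(f"rp-{d:02d}", taken)
        p.verdicts.append(Verdict(taken + timedelta(hours=1), 1, True, f"ingest-scan-rp-{d:02d}"))
        points.append(p)
    return now, points


def reinspect(points, now, intel_version: int, compromised_since: datetime, window_days: int):
    """Re-run the content check against newer intel on points taken within window_days,
    appending a new dated verdict (the ingest-time verdict is kept as history)."""
    for p in points:
        if (now - p.taken_at).days <= window_days:
            dirty = p.taken_at >= compromised_since   # payload present in source since then
            p.verdicts.append(Verdict(now, intel_version, not dirty,
                                      f"rescan-v{intel_version}-{p.rp_id}"))


def run_scenario(window_days: int) -> dict:
    """Intel v2 ships on day 0 with coverage for a payload present since day -16."""
    now, points = build_estate()
    before = clean_point_age_days(points, now, min_intel_version=1)
    reinspect(points, now, 2, now - timedelta(days=16), window_days)
    cp = clean_recovery_point(points, now, min_intel_version=2)
    stale = clean_recovery_point(points, now, min_intel_version=1)
    return {
        "newest_copy_age": newest_point_age_days(points, now),
        "clean_age_on_ingest_verdicts": before,
        "clean_point_v2": cp.rp_id if cp else None,
        "clean_age_v2": clean_point_age_days(points, now, 2),
        "newest_clean_if_stale_intel_accepted": stale.rp_id if stale else None,
    }


if __name__ == "__main__":
    print("re-inspect 20 days:", run_scenario(20))
    print("re-inspect 14 days:", run_scenario(14))
```

With a 20-day re-inspection window the answer is rp-17 at seventeen days, against a newest copy one day old. With a 14-day window, which is shorter than the dwell, the v2 answer is None: the estate has no point with current evidence of cleanliness, and the only way to get one is to widen the re-inspection, which is the "add evidence per day" rule from Reality 6. The last field shows the trap of accepting stale intel: rp-15 looks clean on its v1 verdict but was taken after the compromise began.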

What The Pattern Shows

Read the eight realities side by side and one pattern dominates: the controls that protected the container of the backup are still working, while the controls that protect the content inside it either never existed or stopped scaling with the threat.

Immutability holds. Air-gap holds. Retention holds. Object integrity, encryption-state verdicts, and clean-point evidence are the parts that broke.

That break changes the first decision on the recovery bridge. If the team cannot prove a clean recovery point, it is no longer choosing a restore point. It is deciding whether to restore or rebuild after ransomware.

That is a fixable problem. Backup teams do not need to abandon the architecture they have. They need to add the verdict layer the architecture was never asked to deliver: deep file inspection and structural validation of the protected object, produced as a dated artifact, tied to a specific recovery point, retained alongside the data it describes.

Our platform builds that verdict layer on top of existing backup, snapshot, and vault infrastructure, agentless and independent of the production endpoint stack. For teams that want to see where the verdict layer would actually land in their environment, the Recovery Assessment runs against an existing backup estate and produces the artifact in the language a board, a regulator, and an incident commander all need to read.


Sources

[1] CISA, NSA, ASD ACSC, and partners, Detecting and Mitigating Active Directory Compromises, September 2024.

[2] FBI, CISA, DC3, HHS, EUROPOL, and partners, #StopRansomware: Akira Ransomware, Joint Cybersecurity Advisory AA24-109A, updated 13 November 2025.

[3] CISA and FBI, #StopRansomware: BlackSuit (Royal) Ransomware, Joint Cybersecurity Advisory AA23-061A, August 2024 update.

[4] FBI Internet Crime Complaint Center, 2024 IC3 Annual Report, 2025.

[5] Mandiant (Google Cloud), M-Trends 2026: Data, Insights, and Strategies From the Frontlines, March 2026.

[6] NIST, Special Publication 800-209: Security Guidelines for Storage Infrastructure, October 2020.

[7] NIST National Vulnerability Database, CVE-2024-40711: Veeam Backup and Replication Deserialization Vulnerability.

[8] Picus Security, Red Report 2024: The Rise of “Hunter-Killer” Malware, February 2024.

[9] Sophos, The Impact of Compromised Backups on Ransomware Outcomes, 2024 ransomware research.

[10] Verizon, 2026 Data Breach Investigations Report, May 2026.

[11] arXiv preprint, Intermittent File Encryption in Ransomware: Measurement, Modeling, and Detection, revised February 2026.

[12] Elastio, Ransomware Isn’t a Malware Problem Anymore. It’s a Data Integrity Problem.

[13] Elastio, The 333% Surge in Hunter-Killer Malware.

[14] Elastio, By the Time You See Ransomware, Your Backups May Already Be Compromised.

[15] Elastio, The Accuracy Gap: Why Anomaly and Entropy Detection Fail the Ransomware Resilience Lifecycle.

[16] Elastio, What Happens When Attackers Encrypt Your Data Off-Platform.

[17] Elastio, RPO Is Not Enough for Ransomware Recovery.

[18] Elastio, What Incident Response Teams See After Cloud Ransomware.

[19] Elastio, The Blind Spot of Zero Trust.

[20] Elastio, What Is Recovery Assurance?.

[21] Elastio, Restore or Rebuild After Ransomware? A Recovery Decision Framework.

[22] Elastio, Platform.

[23] Elastio, Recovery Assessment.


Elastio Team