Why total loss has decoupled from the ransom, and what an organization needs to prove it can restore. Evidence from 28 public and methodology-disclosed sources.
Key Findings
Four numbers that frame the report. Each is tied to a named public source.
Executive Findings
Criminal revenue, public victim counts, and enterprise damage now move on different curves. Each finding is corroborated across multiple sources.
Lower aggregate criminal revenue does not imply lower enterprise damage. Single incidents now produce billions in operational loss where no public ransom demand emerged, or where a paid ransom did not restore service.
Backup use as the actual recovery method fell to a six-year low of 54%, down from 73%. Among organizations that paid more than the initial demand, 38% reported their backups had failed or malfunctioned.
Mandiant, Verizon, and Sophos all observed attackers moving against backup and recovery infrastructure before encryption. MITRE catalogs this as T1490 Inhibit System Recovery, paired with T1486 Data Encrypted for Impact.
Verizon reported software vulnerability exploitation as the top initial entry route at 31% of breaches. Mandiant observed voice phishing at 11% of initial vectors enterprise-wide and 23% in cloud environments.
UnitedHealth disclosed $2.2B in direct response costs plus $867M in Optum Insight disruption. CDK Global produced $1.02B in dealer losses over three weeks. Jaguar Land Rover carried an estimated £1.9B total impact.
NIST CSF 2.0 elevated Recover and added Govern. DORA Article 12 requires documented restoration procedures and periodic testing. NIS2 imposes a 24/72/30 reporting cadence. SEC Item 1.05 makes material incidents disclosable within four business days.
Cyber claims notifications fell 29% in 2025 and ransomware-specific claims fell 33%, while NAIC reported the first-ever year-over-year decline in US direct written premium. Underwriting diligence now orients toward evidence that recovery controls work.
The Attack Path
The technical center of gravity has shifted from delivering a payload to dismantling the ability to restore. Recovery suppression is now standard tradecraft, which is why detection has to reach inside backup data.
Share of observed initial-access vectors. Source: Mandiant M-Trends 2026.
Business Impact
Four named incidents. Where a ransom was disclosed, it was a small fraction of total loss. In the rest, operational loss reached hundreds of millions to billions with no public ransom at all.
Per-incident, USD millions (GBP converted at ~1.33). Sources: UnitedHealth 10-K; Anderson Economic Group; Marks & Spencer annual reports; JLR disclosures and UK Cyber Monitoring Centre.
Board Oversight
The most useful question is no longer ‘do we have backups.’ These are the questions board reporting should answer, and each expects an evidence-backed answer, not an assurance.
For each tier-zero service, how old is our most recent recovery point that has been independently verified clean and restorable, and who confirmed it?
If an attacker moved against our backup and recovery infrastructure before encryption, would we detect it, and what evidence shows the recovery plane survived?
What is our exposure to a multi-week outage of a critical service, measured as total loss across operations, suppliers, and disclosure, not the size of a ransom?
Can we produce restore-test results, recovery-point integrity logs, and identity-recovery readiness on demand for a regulator or insurer, within hours rather than weeks?
Who holds the authority to declare a recovery point unsafe or to override a restore gate, and is that decision recorded?
Recovery Assurance
Recovery assurance is continuous, evidence-producing verification that a clean, complete, restorable recovery point exists for each in-scope service, and that the restore can be performed under realistic conditions.
Time since the most recent recovery point independently verified clean, complete, restorable, and within business-policy retention.
Share of tier-zero and tier-one services with at least one recovery point verified clean within their R-RPO policy window.
A composite of data-integrity verification, identity-recovery readiness, dependency status, and runbook completion for a service.
Time since the most recent successful documented restoration test for a given service.
Time between the earliest detected malicious indicator and the last contaminated recovery point. Defines how far back an analyst must search for a safe restore point.
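As an added example, not code from the report or from Elastio, the following computes the metrics defined above (age of the last known clean point, tier-zero/one coverage within an R-RPO window, and the contamination window back to the earliest indicator) over constructed recovery-point records, and implements the kind of restore gate with a recorded override decision that the board questions above ask about. The RecoveryPoint record, the tiering scheme, the policy values and all sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class RecoveryPoint:
    service: str
    tier: int              # 0 = tier-zero, 1 = tier-one (hypothetical tiering scheme)
    taken: datetime        # when the recovery point was captured
    verdict: str           # scan result: "clean", "infected" or "unscanned"
    verified_by: str = ""  # who confirmed a "clean" verdict
def clean_age_hours(points, service, now, retention):
    """Hours since the last known clean point inside retention; None means no safe point exists."""
    clean = [p.taken for p in points
             if p.service == service and p.verdict == "clean" and now - p.taken <= retention]
    return (now - max(clean)).total_seconds() / 3600 if clean else None

def coverage(points, now, r_rpo_hours, retention, tiers=(0, 1)):
    """Share of tier-zero/one services whose last known clean point is within the R-RPO window."""
    services = {p.service for p in points if p.tier in tiers}
    met = [s for s in services
           if (age := clean_age_hours(points, s, now, retention)) is not None and age <= r_rpo_hours]
    return len(met) / len(services)

def contamination_window_hours(points, service, first_indicator):
    """Hours from the earliest detected malicious indicator to the last contaminated point."""
    infected = [p.taken for p in points if p.service == service and p.verdict == "infected"]
    return (max(infected) - first_indicator).total_seconds() / 3600 if infected else 0.0

def restore_gate(point, override_by=None, audit=None):
    """Allow only verified-clean points; an override must name its approver and is recorded."""
    if point.verdict == "clean":
        decision, reason = "allow", "verified clean by " + point.verified_by
    elif override_by:
        decision, reason = "allow-override", "override by " + override_by
    else:
        decision, reason = "block", "verdict " + point.verdict
    if audit is not None:  # the decision log answers "is that decision recorded?"
        audit.append((point.service, point.taken.isoformat(), decision, reason))
    return decision
# Constructed sample data (not from the report): three services and policy values.
NOW = datetime(2026, 3, 10, 9, 0)
RETENTION, R_RPO_HOURS = timedelta(days=30), 48.0
FIRST_INDICATOR = NOW - timedelta(hours=60)  # earliest malicious indicator the SOC found
POINTS = [
    RecoveryPoint("idp", 0, NOW - timedelta(days=3), "clean", "soc-analyst-1"),
    RecoveryPoint("idp", 0, NOW - timedelta(days=1), "infected"),
    RecoveryPoint("erp", 0, NOW - timedelta(days=1), "clean", "soc-analyst-2"),
    RecoveryPoint("crm", 1, NOW - timedelta(days=5), "clean", "soc-analyst-2"),
    RecoveryPoint("crm", 1, NOW - timedelta(days=1), "unscanned"),
]
```

With this sample the identity provider's last clean point is 72 hours old, only one of three tier-zero/one services meets a 48-hour R-RPO window, and the latest idp point is blocked by the gate unless a named approver overrides it.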
New to these terms? The glossary defines R-RPO, Last Known Clean, Provable Recovery, and more.
| Domain | Level 1: ad hoc | Level 3: managed | Level 5: assured |
|---|---|---|---|
| Asset coverage | Backups tracked by job or storage target. | Critical services mapped to workloads and dependencies. | Service-tier coverage reconciled with policy and evidence. |
| Backup integrity | Backup success assumed to imply recoverability. | Scheduled integrity tests and periodic restore drills. | Continuous recovery-point inspection and known-clean classification. |
| Ransomware detection in backups | Limited to endpoint or production detection. | Selected backup sets scanned during incident response. | All critical recovery points scanned; results integrated with SIEM and restore gates. |
| Restore orchestration | Manual restore tasks and tribal knowledge. | Documented runbooks for critical services. | Isolated, tested, dependency-aware recovery with approval workflows and health validation. |
| Governance evidence | Screenshots and ad-hoc records. | Quarterly test reports and exception registers. | Board-level metrics and control evidence mapped to NIST, CISA, and sector regulators. |
| Continuous improvement | Lessons after major events only. | Annual tabletop and disaster-recovery exercises. | Threat-informed exercises, red-team backup-targeting scenarios, metric-driven remediation. |
Governance & Insurance
Regulators and insurers no longer accept the mere existence of backup and recovery controls as sufficient. They expect proof that the controls produce the outcomes they are supposed to. Each framework implies a specific evidence artifact.
Recovery-point scan results, malware / IoC coverage, clean-point decisions, exception approvals.
Control map, backup-policy evidence, segregation evidence, periodic restore-test records, data-integrity checks.
Incident chronology, severity assessment, IoC packet, and root-cause analysis at 24h / 72h / 30 days.
Materiality decision log, impact assessment, service-restoration evidence, board reporting within four business days.
Plan approvals, test results, incident communications, recovery-dependency evidence.
Backup-test calendar, restore evidence, integrity-test results, tabletop records.
Sources
The report synthesizes 28 sources, reconciles where they disagree, and cites each figure with the population it describes. Full numbered citations appear in the downloadable report.
Elastio
The Recovery Posture Assessment scores your estate against the evidence regulators and insurers now ask for.