Attackers attempt to compromise backups in 94% of ransomware incidents. Here is what that means for recovery.
For years, the standard advice after a ransomware attack was simple: restore files from backups and move on. That advice was never complete, but it was at least directionally correct. Today, it can get you into serious trouble.
Ransomware attackers have spent the past several years doing exactly what you’d expect a sophisticated adversary to do: they studied the defenses, found the weak point, and went straight for it. Increasingly, the weak point is the backup repository itself.
Attackers Go for the Backups First
According to a survey of 1,200 organizations that experienced a ransomware attack, bad actors targeted backup repositories in 96% of attacks. This isn’t opportunistic. It’s strategic. Attackers understand that if they can compromise your backups before triggering encryption, they remove your primary path to recovery and dramatically increase the pressure to pay.
This same pattern was confirmed in additional research with 2,974 ransomware victims conducted by independent research agency Vanson Bourne. They found that attackers attempted to compromise backups in 94% of ransomware incidents. Across all sectors, those attempts succeeded 57% of the time.
The success rate varied significantly by industry. IT, technology, and telecoms organizations fended off backup compromise attempts most effectively, with attackers succeeding only 30% of the time. Energy, oil and gas, and utilities fared far worse, with a 79% success rate for attackers. The difference likely reflects both the strength of backup protection in place and the sophistication of the attacks those sectors attract.
The Cost Difference Is Staggering
The research makes the financial stakes concrete. When attackers successfully compromised backups, the median total recovery cost came in at $3 million. When backups remained intact, the median recovery cost was $375,000. That is an eight-fold difference in recovery costs, driven almost entirely by whether your backups were usable when you needed them.
None of this is surprising. Backups are leverage. An attacker who has neutralized your backups has also neutralized your negotiating position. You are no longer choosing between paying or restoring. You are choosing between paying and losing data.
“We Have Backups” Is Not a Recovery Strategy
The problem most organizations face is not that they lack backups. It is that they do not have continuous, verified visibility into whether those backups are intact, current, and recoverable.
In large enterprise environments or heterogeneous MSP deployments, backup jobs run across dozens or hundreds of systems, spanning multiple backup platforms, on-premises and cloud. Failures are common. Gaps in coverage accumulate quietly. And when attackers dwell inside an environment for days or weeks before triggering encryption, they have time to find and corrupt repositories that no one has recently verified.
What Visibility Actually Means
The shift in attacker behavior means the question is no longer just “did the backup job run?” It is:
- Are all assets covered? Are there gaps in protection that have gone undetected?
- Are backups anomaly-free? Have any jobs shown unusual patterns in bytes backed up, frequency, or failure rates that might indicate tampering or silent corruption?
- Can you prove it? When a compliance audit or insurance carrier asks for evidence of backup health across your environment, can you produce it without a manual reporting exercise?
These are operational questions, not just security questions. And they require continuous monitoring, not a weekly manual review of backup logs.
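The coverage, frequency, failure-rate and bytes-backed-up questions above can be expressed as checks over job records. The following is an added example, not code from this article or from any backup product; the asset names, job fields, thresholds and sample records are all constructed assumptions.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data (hypothetical asset names and job fields, not from a real product).
NOW = datetime(2024, 6, 10, 6, 0)
INVENTORY = {"db01", "fs01", "web01", "hr-share"}

def job(asset, days_ago, status, gb):
    return {"asset": asset, "end": NOW - timedelta(days=days_ago), "status": status, "gb": gb}

JOBS = (
    [job("db01", d, "ok", 200 + d) for d in range(7, 0, -1)]
    + [job("db01", 0, "ok", 12)]                                  # bytes backed up collapse
    + [job("fs01", d, "ok", 500) for d in range(9, 3, -1)]        # jobs silently stopped
    + [job("web01", d, "failed" if d < 3 else "ok", 40) for d in range(7, -1, -1)]
)  # "hr-share" has no jobs at all: a coverage gap

def assess(inventory, jobs, now, max_age=timedelta(hours=36), size_dev=0.5, max_fail=0.25):
    """Return {asset: [issues]}; thresholds are illustrative assumptions."""
    findings = {}
    for asset in sorted(inventory):
        history = sorted((j for j in jobs if j["asset"] == asset), key=lambda j: j["end"])
        if not history:
            findings[asset] = ["coverage gap: no backup jobs recorded"]
            continue
        issues = []
        good = [j for j in history if j["status"] == "ok"]
        # Frequency: the newest successful job must be recent enough.
        if not good or now - good[-1]["end"] > max_age:
            issues.append("stale: no successful backup within max_age")
        # Failure rate over the most recent jobs.
        recent = history[-7:]
        fail_rate = sum(j["status"] != "ok" for j in recent) / len(recent)
        if fail_rate > max_fail:
            issues.append(f"failure rate {fail_rate:.0%} over last {len(recent)} jobs")
        # Bytes backed up: compare the latest good job with the median of earlier ones.
        if len(good) >= 4:
            baseline = median(j["gb"] for j in good[:-1])
            if baseline and abs(good[-1]["gb"] - baseline) / baseline > size_dev:
                issues.append(f"size anomaly: {good[-1]['gb']} GB vs median {baseline} GB")
        findings[asset] = issues
    return findings

if __name__ == "__main__":
    for asset, issues in assess(INVENTORY, JOBS, NOW).items():
        print(asset, "->", issues or "healthy")
```

Driving the loop from the asset inventory rather than from the job log is what surfaces `hr-share`: an asset with no jobs never appears in a report built only from job history.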
The Takeaway
Ransomware defense has a backup problem, and it is not what most people think. The problem is not that organizations skip backups. The problem is that they treat backup existence as backup assurance.
Attackers are counting on that gap. Closing it means knowing, in real time, that your backups are complete, clean, and recoverable. Not assuming. Knowing.
For more on how Bocada helps enterprise IT teams and MSPs maintain continuous visibility into backup health and coverage, visit bocada.com.