m@ksim.pro

An encrypted backup is not a backup: what ransomware changed

Ransomware made the standard backup scheme insufficient. Here is exactly what to check.

A few years ago the backup conversation was boring but clear: run a backup once a day, keep copies in two places, test recovery once a quarter. That was enough against most threats - accidental deletion, hardware failure, user error.

In 2016 it is not enough. Ransomware changed the threat model in such a way that many companies discover their "backups" encrypted alongside the primary data.

How the problem works

The classic backup scheme assumes the backup is connected to the infrastructure: either as a network drive, through an agent on the server, or via synchronisation. That is convenient for automation.

Ransomware exploits exactly this. When malware gains access to a system, it reaches everything reachable over the network and through mounted drives. If the backup is mounted as a drive or accessible through the same account, it will be encrypted together with the primary data.

The company pays a ransom or loses data not because it had no backup, but because the backup was part of the same attack surface.

What an "isolated copy" means

Real protection from ransomware requires copies that cannot be modified or destroyed by the same attack that hit the primary system. Professionals call this an air-gapped backup or immutable backup.

Several specific properties:

  • The backup is not reachable from the main network, neither while it is being written nor afterwards.
  • There is no account that simultaneously has rights to the primary data and rights to modify backups.
  • Some copies are kept offline - on disconnected media or in isolated cloud storage with deletion protection.
  • Versioning: not a single copy but a history across multiple points in time - ransomware can silently encrypt data for several days before it is detected.

Why a recovery test matters more than the backup itself

A backup that has never been tested for recovery is not a backup - it is a hypothesis that it works.

After a ransomware attack a company usually has no time for diagnosis. Systems need to be restored quickly while the business is stopped. That is exactly when it emerges that the last working recovery test was a year ago, the scheme has changed, and what was considered a backup does not mount on the new hardware.

Regular recovery testing is not an administrative formality. It is the only way to know the backup works.
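The two properties above that a script can actually demonstrate are versioning (a history of snapshots, so a copy taken before the silent encryption started still exists) and the recovery test (restore into a separate location and verify every file against a recorded checksum). The following Python script is an added example, not code from the original post; it assumes it runs on the backup host, pulling from a source directory it can only read, into a repository directory that is not exported to the main network. The sample files, the snapshot labels and the "ransomware" that overwrites the source with random bytes are all constructed for the demo.

```python
"""Versioned backup snapshots with manifest-based restore verification (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Checksum a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_snapshot(source: Path, repo: Path, label: str) -> dict:
    """Copy every file under source into repo/<label>/data/ and record its SHA-256.

    Each snapshot is its own directory and is write-once: a later run can add a
    new snapshot but never overwrites an earlier one, which is what gives us a
    history across points in time rather than a single copy.
    """
    snap = repo / label
    snap.mkdir(parents=True)  # raises FileExistsError if the label already exists
    manifest = {}
    for f in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = f.relative_to(source)
        target = snap / "data" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(f, target)
        manifest[str(rel)] = sha256_file(target)
    (snap / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def load_manifest(repo: Path, label: str) -> dict:
    return json.loads((repo / label / "manifest.json").read_text())


def list_snapshots(repo: Path) -> list:
    """Snapshot labels in order; labels are timestamps so lexical order is time order."""
    return sorted(p.name for p in repo.iterdir() if (p / "manifest.json").is_file())


def verify_snapshot(repo: Path, label: str) -> list:
    """Return the files whose stored content no longer matches the manifest (empty = intact)."""
    data = repo / label / "data"
    return [rel for rel, digest in load_manifest(repo, label).items()
            if not (data / rel).is_file() or sha256_file(data / rel) != digest]


def restore_snapshot(repo: Path, label: str, dest: Path) -> bool:
    """The recovery test: restore into dest (never the live source) and check every file."""
    manifest = load_manifest(repo, label)
    for rel in manifest:
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(repo / label / "data" / rel, target)
    return all(sha256_file(dest / rel) == digest for rel, digest in manifest.items())


def changed_fraction(repo: Path, older: str, newer: str) -> float:
    """Share of files whose content changed between two snapshots.

    A sudden jump close to 1.0 between consecutive daily snapshots is a simple
    signal that something rewrote the whole dataset, which is worth an alert.
    """
    ma, mb = load_manifest(repo, older), load_manifest(repo, newer)
    if not mb:
        return 0.0
    return sum(1 for rel, d in mb.items() if ma.get(rel) != d) / len(mb)


def prune_snapshots(repo: Path, keep: int) -> list:
    """Retention: drop the oldest snapshots beyond the newest `keep`."""
    labels = list_snapshots(repo)
    for old in labels[:-keep] if keep > 0 else labels:
        shutil.rmtree(repo / old)
    return list_snapshots(repo)


def demo() -> dict:
    """Constructed scenario: clean snapshot, then the source gets encrypted, then another snapshot."""
    work = Path(tempfile.mkdtemp())
    source, repo, restore_dir = work / "source", work / "repo", work / "restore"
    (source / "docs").mkdir(parents=True)
    (source / "docs" / "contract.txt").write_text("signed 2016-03-01\n")
    (source / "ledger.csv").write_text("id,amount\n1,100\n")
    first, second = "2016-03-01_0200", "2016-03-02_0200"
    take_snapshot(source, repo, first)
    for f in source.rglob("*"):  # simulated ransomware: every file overwritten with random bytes
        if f.is_file():
            f.write_bytes(os.urandom(64))
    take_snapshot(source, repo, second)  # the encrypted data is backed up too, as it would be in practice
    result = {
        "snapshots": list_snapshots(repo),
        "old_snapshot_intact": verify_snapshot(repo, first) == [],
        "restore_verified": restore_snapshot(repo, first, restore_dir),
        "restored_contract": (restore_dir / "docs" / "contract.txt").read_text(),
        "changed_fraction": changed_fraction(repo, first, second),
    }
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

What the script cannot give you is the isolation itself: whether the repository directory is write-once, offline, or protected against deletion is a property of the storage and of the account the backup host runs under, not something a copy routine can grant to itself. The script only shows why versioning and a verified restore are the parts worth checking once that isolation exists.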

Three questions to check readiness

If you want to quickly assess how well the current backup scheme protects against ransomware, ask your IT team three questions:

  1. Do we have backups that are physically or logically inaccessible from the main network?
  2. When did we last restore from backup under conditions resembling a real failure - not a single file, but a full system?
  3. If everything is encrypted today - how much data will we lose, and how long will recovery take?

If there are no clear answers to these questions, that itself is information. The backup strategy needs to be rethought in light of the new threat model.
