Backups Were the Safety Net.
Now They Are the Target.
Attackers target backup infrastructure. That sentence would have seemed unnecessary five years ago. Today it describes standard ransomware practice.
For years, the logic of backup was straightforward. Keep a copy of your data somewhere safe, and if something goes wrong, restore from it. Backups were the fallback. The insurance policy. The thing that meant a ransomware attack was painful but survivable.
Attackers have read the same playbook. And they have responded accordingly.
Modern ransomware campaigns increasingly target backup infrastructure before triggering the main encryption event. Not as an afterthought – deliberately, as the first move. The reasoning is simple: an organisation that cannot recover has no options. Remove that capability before anyone knows an attack is underway, and the ransom conversation looks very different.
The safety net is now the primary target.
Why Backup Infrastructure Is an Attractive Entry Point
Backup environments carry characteristics that make them easier to compromise than production systems.
They are typically connected to the same network as the systems they protect. Access controls are often less rigorous, because backup management has historically been treated as an operational function rather than a security-critical one. Credentials may be shared, undocumented, or unchanged for years. The backup console itself frequently provides a single point of access to the entire data estate.
An attacker who gains access to the backup environment does not need to work through the environment system by system. They can go directly for the recovery copies – and in many environments, they can delete or encrypt those copies without triggering a single alert.
The Architectural Gap Most Organisations Have Not Closed
The controls designed to address this – immutability, logical isolation, separately managed credentials — are not new. They are well understood. But they require the backup environment to have been deliberately designed with an adversary in mind, not just with operational reliability as the goal.
Many environments were not built that way. Backup infrastructure was built to support recovery from hardware failure or accidental deletion. It was not built to survive a targeted attack by someone who knows exactly where to look.
That gap is what modern ransomware campaigns are exploiting. The consequences are measurable. Sophos’s State of Ransomware in Enterprise 2025 found that the use of backups to recover from attacks dropped to a four-year low – down from 73% of organisations the prior year to 53%. When backup environments are compromised before the encryption event, the recovery capability organisations were counting on simply is not there.
Immutable storage ensures that backup copies cannot be deleted or encrypted, even by someone with administrative access to the backup platform.Â
Logical isolation ensures that a compromise of the production environment does not automatically extend to the recovery environment.
Separately managed credentials ensure that an attacker who obtains production access cannot use those credentials to access backup systems.
Without all three, the backup environment is part of the attack surface.
The Question Worth Asking Before It Becomes Urgent
If your backup environment were compromised today – before the main encryption event – would you know?
And if you did know, what would your recovery path actually look like?
Most organisations have not fully tested what happens to their recovery capability when the backup environment itself is the target. The assumption is that backups exist and therefore recovery is possible. But existence and survivability are not the same thing.
The organisations that recover quickly from ransomware attacks are not the ones that had the most backups. They are the ones whose backup environments were designed to survive the attack alongside their production systems.Â
If you are not sure whether yours qualifies, that is the right question to be asking – and it is worth having that conversation before an incident makes it urgent.
