Ransomware is the dominant cyber threat facing most organisations. It is the threat most likely to trigger a DR plan. And for most organisations, the DR plan they have was designed for a different kind of disaster — a hardware failure, a data centre outage, a natural disaster. These plans typically involve restoring from backup to a clean environment, which is straightforward when the disruption is environmental rather than adversarial.
Ransomware changes the recovery equation significantly. The adversary who encrypted your systems has almost certainly also accessed your backups. The recovery environment you are restoring to may be compromised. The malware that enabled the attack may still be present in systems that are not obviously affected. Traditional DR planning assumptions do not hold in a ransomware scenario.
Why Ransomware Attacks Specifically Target Backups
Modern ransomware operators understand that backup availability is what makes recovery possible without paying a ransom. Accordingly, backup systems are a primary target in ransomware campaigns. Attackers who have gained access to a network — often weeks or months before deploying ransomware — will identify and either encrypt, delete, or corrupt backup repositories before triggering the encryption. Shadow copy deletion is automated in most ransomware payloads. Backup system credentials, if stored in Active Directory or accessible from compromised accounts, give attackers access to backup management consoles.
An organisation that discovers its backup systems were compromised at the same time as its production systems has no clean recovery point. This is the scenario that produces multi-week outages and ultimately forces ransom payment decisions.
What Ransomware-Resilient Recovery Requires
Immutable backup storage. Backups stored in a way that cannot be modified or deleted by ransomware, even if the backup system is compromised. Cloud-based immutable storage (AWS S3 Object Lock, Azure Immutable Blob Storage) and hardware-based write-once storage both provide this property. The key requirement is that the immutability is enforced at the storage layer — not just a policy that a compromised account could change.
Network isolation for backup systems. Backup management systems should not be accessible from the same network segments as production systems. Credentials used for backup operations should not be shared with or derivable from production system credentials. The backup environment should be a genuine security boundary, not just a separate logical system on the same network.
Offline or air-gapped copies. At least one backup copy that is physically or logically disconnected from any network that a compromised account could reach. This may be tape-based offline storage, an isolated cloud account with no network connectivity to the production environment, or a physically separate backup environment with no permanent connectivity. This is the last line of recovery — the copy that survives even a highly sophisticated attacker.
Clean room recovery capability. A defined process for restoring to a clean environment — one that is known to be free of compromise — rather than restoring to the same environment that may still contain the initial access vector. Clean room recovery requires either a separate, isolated recovery environment or a documented process for building and validating a clean environment before restoration.
A tested cyber recovery runbook. Distinct from the standard DR runbook, a cyber recovery runbook addresses the specific decisions and steps required in a ransomware scenario: how to determine the scope of compromise, how to validate backup integrity, how to sequence recovery to avoid reintroducing the attacker, and how to manage the communications and regulatory notification obligations that a cyber incident triggers.
At Bitsecura, we help organisations review and strengthen their DR and BCM programmes for ransomware resilience — assessing backup architecture, testing recovery procedures, and designing cyber recovery runbooks that address adversarial scenarios rather than environmental failures. Talk to us here if you want to know whether your DR plan is adequate for the threat environment you actually face.
Bitsecura provides business continuity management and disaster recovery planning services. Learn more about our BCM and DR services.