World Backup Day 2026: The Ransomware Gangs Have a New Trick
Backups used to be your ransomware insurance policy. Then attackers started targeting them too. Here's what changed and what you need to do about it.
Happy World Backup Day 2026. Let's talk about why your backup strategy from 2024 might not save you anymore.
The Evolution of Ransomware
Old ransomware: Encrypt everything. Demand payment. Hope victim doesn't have backups.
New ransomware: Spend weeks in your network. Find the backups. Encrypt or delete them. Then encrypt everything else. Demand payment.
The attackers learned. If victims can restore from backup, they don't pay. So now, compromising backups is step one.
How They Target Backups
Backup software credentials
Your backup solution has admin credentials. Attackers harvest them along with everything else. Then they log in and delete your backup history.
Network-accessible backup storage
If your backup drive is on the same network as your servers, and the attacker has admin rights, they can reach it.
Cloud backup with stolen credentials
Cloud backups are great until an attacker has your login. Then they're just another thing to delete.
Long dwell time
Attackers often wait weeks or months before triggering ransomware. During that time, your backups are capturing infected systems. When you restore, you restore the infection.
What Protects You Now
1. Immutable backups
Backups that literally cannot be deleted or modified once written. Not 'protected by permissions' - actually immutable at the storage level.
Many backup solutions now offer WORM (Write Once Read Many) storage. If you're not using it, ask why.
2. Air-gapped copies
A backup that's physically or logically disconnected from your network. Attackers can't delete what they can't reach.
This might be offline tape. Cloud storage with separate, unconnected credentials. A physically isolated backup server.
3. Backup credentials separate from AD
If your backup system uses the same Active Directory that attackers compromised, your backups are compromised too. Separate credentials. Different password. Different MFA.
4. Regular restore testing
Not 'backup verification' - actual restores. To different hardware. Timed. Can you recover your whole environment? How long does it take? Do you know?
5. Retention beyond dwell time
If attackers are in your network for 90 days before triggering ransomware, your 30-day backup retention means every backup is infected. Keep older copies.
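The five controls above can be checked against a backup inventory. The following is an added example, not part of the original article: it lists the restore points that an attacker with admin rights in a compromised directory could not delete and that also predate the intrusion. The inventory, realm names and dates are constructed for illustration, and the deletion rule is a simplifying assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class BackupCopy:
    name: str
    taken: date        # when this restore point was captured
    immutable: bool    # locked at the storage level (WORM), not just by permissions
    air_gapped: bool   # offline or logically disconnected from the network
    auth_realm: str    # identity system whose admins can manage this copy

def attacker_can_delete(copy, compromised_realm):
    # Simplified model (assumption): a copy is lost if the compromised identity
    # system administers it and nothing at the storage level blocks deletion.
    return (copy.auth_realm == compromised_realm
            and not copy.immutable and not copy.air_gapped)

def usable_restore_points(copies, trigger_day, dwell_days, compromised_realm):
    """Copies that survive the attacker AND predate the intrusion, newest first.
    An empty list means there is nothing safe to restore from."""
    intrusion_start = trigger_day - timedelta(days=dwell_days)
    usable = [c for c in copies
              if not attacker_can_delete(c, compromised_realm)
              and c.taken < intrusion_start]
    return sorted(usable, key=lambda c: c.taken, reverse=True)

# Constructed inventory for illustration; names, dates and realms are made up.
TRIGGER = date(2026, 3, 31)   # day the ransomware is triggered
INVENTORY = [
    BackupCopy("nas-nightly",    date(2026, 3, 30),  False, False, "corp-ad"),
    BackupCopy("nas-monthly",    date(2025, 12, 1),  False, False, "corp-ad"),
    BackupCopy("cloud-worm-30d", date(2026, 3, 1),   True,  False, "corp-ad"),
    BackupCopy("cloud-worm-q4",  date(2025, 12, 15), True,  False, "backup-only"),
    BackupCopy("offline-tape",   date(2025, 11, 30), False, True,  "none"),
]

if __name__ == "__main__":
    for dwell in (14, 90):
        names = [c.name for c in
                 usable_restore_points(INVENTORY, TRIGGER, dwell, "corp-ad")]
        print(f"dwell {dwell:>2} days -> usable: {names or 'NONE'}")
```

With a 90-day dwell assumption the 30-day immutable copy drops out even though it was never deleted, which is the retention point made in item 5.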
The Test
This World Backup Day, answer honestly:
- Are your backups immutable or just 'protected'?
- Could an attacker with admin rights delete your backups?
- Do your backup credentials match your main domain?
- How far back can you restore?
- When did you last test a full recovery?
If the answers make you uncomfortable, fix them.
