Happy World Backup Day 2026. Let's talk about why your backup strategy from 2024 might not save you anymore.
The Evolution of Ransomware
Old ransomware: Encrypt everything. Demand payment. Hope victim doesn't have backups.
New ransomware: Spend weeks in your network. Find the backups. Encrypt or delete them. Then encrypt everything else. Demand payment.
The attackers learned. If victims can restore from backup, they don't pay. So now, compromising backups is step one.
How They Target Backups
Backup software credentials
Your backup solution has admin credentials. Attackers harvest them along with everything else. Then they log in and delete your backup history.
Network-accessible backup storage
If your backup drive is on the same network as your servers, and the attacker has admin rights, they can reach it.
Cloud backup with stolen credentials
Cloud backups are great until an attacker has your login. Then they're just another thing to delete.
Long dwell time
Attackers often wait weeks or months before triggering ransomware. During that time, your backups are capturing infected systems. When you restore, you restore the infection.
What Protects You Now
1. Immutable backups
Backups that literally cannot be deleted or modified once written. Not 'protected by permissions' - actually immutable at the storage level.
Many backup solutions now offer WORM (Write Once Read Many) storage. If you're not using it, ask why.
2. Air-gapped copies
A backup that's physically or logically disconnected from your network. Attackers can't delete what they can't reach.
This might be offline tape. Cloud storage with separate, unconnected credentials. A physically isolated backup server.
3. Backup credentials separate from AD
If your backup system uses the same Active Directory that attackers compromised, your backups are compromised too. Separate credentials. Different password. Different MFA.
4. Regular restore testing
Not 'backup verification' - actual restores. To different hardware. Timed. Can you recover your whole environment? How long does it take? Do you know?
5. Retention beyond dwell time
If attackers are in your network for 90 days before triggering ransomware, your 30-day backup retention means every backup is infected. Keep older copies.
The Test
This World Backup Day, answer honestly:
- Are your backups immutable or just 'protected'?
- Could an attacker with admin rights delete your backups?
- Do your backup credentials match your main domain?
- How far back can you restore?
- When did you last test a full recovery?
If the answers make you uncomfortable, fix them.

