The classic narrative that casts backup as the last line of defense against a ransomware attack is outdated: recent incidents show that attackers do not simply encrypt systems and then demand a ransom; first they locate, corrupt or delete the recovery points. A backup that cannot be reached, or that has been tampered with, is worthless, and that reality requires rethinking not only the technology but also the processes and the division of responsibility between IT and security teams.
In practice, attacks tend to follow a logical sequence: initial access, privilege escalation, lateral movement, discovery of the backup infrastructure and, only then, destruction of the recovery points before mass encryption. That chain shows that protecting endpoints without securing the back end is like locking the front door and leaving the safe open. Backup protection must be part of the cybersecurity strategy, not a separate procedure run by a different team.

The failures that recur in incident investigations point to specific weaknesses: backup environments not isolated from the production domain, shared credentials or credentials without MFA, retention policies that can be altered, and no immutability enforced at the storage layer. Add to this the absence of regular full-scale restoration tests and the fragmentation between security tooling and backup tooling, which lets malicious activity go unnoticed.
A critical technical dimension is immutability: mechanisms that prevent data from being modified or deleted for a defined period. It is not enough for the backup software to declare it; the protection has to be enforced in the storage or control layer, where it does not depend solely on administrative credentials, which limits the impact of account takeover or API abuse. Even so, immutability alone does not guarantee recovery if someone can alter the policies, or if the integrity of the recovery points is never validated.
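The difference between immutability that the software "declares" and immutability the storage enforces can be audited statically. The following is an added example, not code from the article: it inspects two constructed inputs shaped like the JSON returned by `aws s3api get-object-lock-configuration` and an IAM policy document, and reports where retention only holds as long as nobody with the right credentials decides otherwise. The 30-day floor, the bucket name and the role names are assumptions.

```python
"""Static audit of a backup bucket's immutability posture (added example)."""
from fnmatch import fnmatchcase
from typing import Any

MIN_RETENTION_DAYS = 30  # assumed organisational floor, not from the article

# Permissions that let a caller weaken or bypass retention. In GOVERNANCE mode a
# principal holding s3:BypassGovernanceRetention can delete locked versions; in
# COMPLIANCE mode the lock cannot be shortened even by the account root.
RISKY_ACTIONS = (
    "s3:BypassGovernanceRetention",
    "s3:PutBucketObjectLockConfiguration",
    "s3:PutBucketLifecycleConfiguration",
    "s3:DeleteObjectVersion",
)


def _actions(stmt: dict[str, Any]) -> list[str]:
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def audit_immutability(lock_cfg: dict[str, Any], policy: dict[str, Any]) -> list[str]:
    """Return findings; an empty list means retention is storage-enforced and
    the policy grants nobody a way around it."""
    findings: list[str] = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock disabled: only access control stands between an attacker and the copies")
        return findings
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"retention mode {mode}: lock can be lifted by any principal allowed s3:BypassGovernanceRetention")
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if days < MIN_RETENTION_DAYS:
        findings.append(f"default retention of {days} days is below the {MIN_RETENTION_DAYS}-day floor")
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        # IAM action patterns use '*' wildcards and match case-insensitively.
        granted = [a for a in RISKY_ACTIONS
                   if any(fnmatchcase(a.lower(), p.lower()) for p in _actions(stmt))]
        if granted:
            findings.append(f"statement {stmt.get('Sid', '?')} grants {', '.join(granted)}")
    return findings


# Constructed sample: a vault that has immutability only on paper.
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupAdmin", "Effect": "Allow", "Action": "s3:*",
     "Resource": "arn:aws:s3:::backup-vault/*"}]}

# Constructed sample: the corrected posture, with the writer role unable to
# delete versions or touch the lock configuration.
STRONG_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
STRONG_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupWriter", "Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::backup-vault", "arn:aws:s3:::backup-vault/*"]},
    {"Sid": "NoLockTampering", "Effect": "Deny",
     "Action": ["s3:BypassGovernanceRetention", "s3:PutBucketObjectLockConfiguration"],
     "Resource": "*"}]}

if __name__ == "__main__":
    for name, lock, pol in (("weak", WEAK_LOCK, WEAK_POLICY), ("strong", STRONG_LOCK, STRONG_POLICY)):
        print(name, audit_immutability(lock, pol) or ["OK"])
```

The weak sample yields three findings (bypassable mode, short retention, a wildcard grant that covers every risky action); the corrected sample yields none. The same check applies to any object store with a compliance-style lock: the question is always whether the retention decision lives in the storage layer or in a credential the attacker can steal.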
The organizational implications are profound. Trusting backups without auditing their isolation and without integrating them into detection and response creates a false sense of security that amplifies reputational and financial risk. The downtime incurred when no reliable copies exist can cost far more than investing in preventive controls and regular restoration exercises. Managed service providers, in addition, should standardize secure configurations across all their customers so that a single process failure does not become a chain incident.
Operationally, the priority is a clear separation of identities: dedicated accounts for backup administration under the principle of least privilege, multifactor authentication, and secrets management with logging and alerting. At the same time, network segmentation and isolated management zones stop a compromised host from reaching and damaging the recovery repositories. Access control, activity logging and anomaly alerting in the backup layer should be as mandatory as they are on endpoints.
Another pillar is automation and validation: automatic checks that confirm the consistency of the copies, periodic restores into test environments, and recovery orchestration that reduces human error during a crisis. These practices turn copies into trusted points and allow corruption or gaps to be detected before a real restoration depends on them.
If the integrity of some copies has already been lost, the options include locating older copies that were out of the attacker's reach, falling back on immutable storage in other locations, rebuilding from clean images or, where necessary, forensic analysis to identify the last trustworthy state. In any case, recovery usually requires a combination of forensic expertise, engineering resources and strategic decisions about what to restore and in what order.
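The identity and segmentation controls above are only useful if their violations are detected. The following is an added example, not code from the article: a small rule set run over a constructed audit log of a backup repository (JSON lines). The log schema, the service-account names, the management subnet and the burst threshold are assumptions; the rules are the ones the text implies: only dedicated identities touch the vault, only from the management zone, always with MFA, and destructive operations are always worth a look.

```python
"""Anomaly rules for a backup repository audit log (added example)."""
import ipaddress
import json
from collections import Counter

BACKUP_SERVICE_ACCOUNTS = {"svc-backup-writer", "svc-backup-restore"}  # assumed
MGMT_SUBNET = ipaddress.ip_network("10.50.0.0/24")                       # assumed
DESTRUCTIVE = {"delete_restore_point", "set_retention", "disable_immutability", "purge_repository"}
DELETE_BURST = 3  # restore-point deletions by one actor that count as a burst

# Constructed sample: two routine service-account events, then a human
# account outside the management zone and without MFA rewriting retention
# and deleting restore points, then a service account used from the wrong place.
SAMPLE_LOG = """\
{"ts":"2024-03-01T02:00:01Z","actor":"svc-backup-writer","action":"write_restore_point","target":"vault/db01","src_ip":"10.50.0.12","mfa":true}
{"ts":"2024-03-01T02:40:07Z","actor":"svc-backup-restore","action":"read_restore_point","target":"vault/db01","src_ip":"10.50.0.13","mfa":true}
{"ts":"2024-03-01T13:12:44Z","actor":"jsmith","action":"login","target":"vault","src_ip":"10.20.4.77","mfa":false}
{"ts":"2024-03-01T13:13:02Z","actor":"jsmith","action":"set_retention","target":"vault","src_ip":"10.20.4.77","mfa":false}
{"ts":"2024-03-01T13:13:30Z","actor":"jsmith","action":"delete_restore_point","target":"vault/db01","src_ip":"10.20.4.77","mfa":false}
{"ts":"2024-03-01T13:13:31Z","actor":"jsmith","action":"delete_restore_point","target":"vault/fs01","src_ip":"10.20.4.77","mfa":false}
{"ts":"2024-03-01T13:13:32Z","actor":"jsmith","action":"delete_restore_point","target":"vault/ad01","src_ip":"10.20.4.77","mfa":false}
{"ts":"2024-03-01T13:20:00Z","actor":"svc-backup-writer","action":"delete_restore_point","target":"vault/db02","src_ip":"10.20.4.77","mfa":true}
"""


def evaluate(log_text: str) -> list[dict]:
    """Return one alert per suspicious event, plus one burst alert per actor
    that deleted DELETE_BURST or more restore points in the window."""
    alerts: list[dict] = []
    deletes: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        reasons = []
        if e["actor"] not in BACKUP_SERVICE_ACCOUNTS:
            reasons.append("identity is not a dedicated backup account")
        if ipaddress.ip_address(e["src_ip"]) not in MGMT_SUBNET:
            reasons.append(f"source {e['src_ip']} is outside the management zone")
        if not e["mfa"]:
            reasons.append("session without MFA")
        if e["action"] in DESTRUCTIVE:
            reasons.append(f"destructive action {e['action']}")
            if e["action"] == "delete_restore_point":
                deletes[e["actor"]] += 1
        if reasons:
            alerts.append({"ts": e["ts"], "actor": e["actor"], "action": e["action"], "reasons": reasons})
    for actor, n in deletes.items():
        if n >= DELETE_BURST:
            alerts.append({"ts": None, "actor": actor, "action": "burst",
                           "reasons": [f"{n} restore points deleted in one window"]})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOG):
        print(a["ts"], a["actor"], a["action"], "; ".join(a["reasons"]))
```

The two routine events produce nothing; every event from the human account fires, the service account used from outside the management zone fires on location and action even though it has MFA, and the three deletions in quick succession add a burst alert. In production these rules belong in the same SIEM as endpoint telemetry, so that the "set_retention" event can be correlated with the lateral movement that preceded it.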
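What "automatic checks that confirm the consistency of the copies" and "periodic restores" look like in practice is shown by the following added example, which is not the article's code. It builds a throwaway backup set in a temporary directory (constructed data), records a digest manifest, verifies the set in place, performs a trial restore into scratch space and re-verifies there, detects a silently corrupted restore point, and finds missing days in a backup schedule; the daily schedule and file contents are assumptions.

```python
"""Backup validation: digest manifest, trial restore, corruption and
schedule-gap detection (added example)."""
import hashlib
import shutil
import tempfile
from datetime import date, timedelta
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict[str, str]:
    """Digest every file at backup time. Keep the manifest outside the
    repository (or signed), or an attacker who rewrites the copies rewrites it too."""
    return {str(p.relative_to(backup_dir)): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def verify_backup(backup_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Paths that are missing or whose digest no longer matches the manifest."""
    bad = []
    for rel, digest in manifest.items():
        p = backup_dir / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return bad


def trial_restore(backup_dir: Path, manifest: dict[str, str]) -> bool:
    """Restore into scratch space and verify there: a copy that only verifies
    in place has not yet proved that it can be restored."""
    scratch = Path(tempfile.mkdtemp(prefix="restore-"))
    try:
        shutil.copytree(backup_dir, scratch, dirs_exist_ok=True)
        return verify_backup(scratch, manifest) == []
    finally:
        shutil.rmtree(scratch)


def find_gaps(run_dates: list[date], every: timedelta = timedelta(days=1)) -> list[date]:
    """Scheduled dates between the first and last run for which no backup exists."""
    have = set(run_dates)
    gaps, d = [], min(run_dates)
    while d <= max(run_dates):
        if d not in have:
            gaps.append(d)
        d += every
    return gaps


def demo() -> dict:
    """Run the whole cycle on constructed data and return the results."""
    root = Path(tempfile.mkdtemp(prefix="vault-"))
    try:
        (root / "db").mkdir()
        (root / "db" / "app.sql").write_bytes(b"INSERT INTO users VALUES (1, 'a');\n" * 200)
        (root / "config.json").write_text('{"retention_days": 30}\n')
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        restorable = trial_restore(root, manifest)
        # Simulate silent damage to one restore point (partial encryption, bit rot).
        (root / "db" / "app.sql").write_bytes(b"\x00" * 16)
        corrupted = verify_backup(root, manifest)
        runs = [date(2024, 3, 1) + timedelta(days=i) for i in (0, 1, 2, 5, 6)]
        gaps = [g.isoformat() for g in find_gaps(runs)]
        return {"clean": clean, "restorable": restorable, "corrupted": corrupted, "gaps": gaps}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The verification passes on the fresh set and the trial restore succeeds; after the file is overwritten, `verify_backup` names `db/app.sql`, and the schedule check reports the two days on which no backup ran. A real job would restore to an isolated network, boot or query the restored data, and file an alert on any non-empty result rather than just print it.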

Adopting an integrated approach that combines endpoint protection, identity control, detection and recovery orchestration narrows the exposure window. Consolidating these capabilities can improve visibility and speed up coordination between teams, although it is not the only valid route: what matters is that the controls operate coherently and that backup policies are subject to the same governance as the rest of security.
For those who want to go deeper into specific measures and reference frameworks, the US Cybersecurity and Infrastructure Security Agency (CISA) offers practical guidance on ransomware and recovery on its portal at https://www.cisa.gov/stopransomware, and the European Union Agency for Cybersecurity (ENISA) publishes analyses and recommendations on the ransomware threat landscape at https://www.enisa.europa.eu/publications/enisa-amenat-landcape-2022-ransomware.
In summary: backups must be designed to survive a deliberate attack. That means isolation, strict identity and access control, verified immutability, integrated monitoring and regular restoration exercises. The alternative is to risk the copies becoming one more victim of the incident instead of the guarantee of continuity.