To protect backups from ransomware, you need to make your recovery copies unreachable, unchangeable, and trustworthy before an attack begins. That means using immutable backups, keeping at least one copy isolated from production, and testing restores on a regular schedule. It also means hardening the backup environment itself, not just the data inside it. None of these steps is especially complicated, but most organizations skip at least one of them, and that gap is exactly where ransomware actors do the most damage.
-
Why Ransomware Targets Backups First
Ransomware groups have figured out that the fastest path to a ransom payment is eliminating the recovery option. Once backups are gone, organizations feel like they have no choice. That is why modern ransomware attacks almost always go after backup repositories before or alongside production systems.
The numbers back this up. According to Veeam’s 2025 security materials, 89% of organizations had their backup repositories targeted, and more than one-third saw critical backup data modified or destroyed. That is not a fringe problem; it is standard operating procedure for ransomware actors.
Backup software itself is now a specific entry point. CISA’s Akira ransomware advisory documents how threat actors exploit unpatched vulnerabilities in backup platforms to gain elevated privileges.
CVE-2024-40711, a Veeam Backup & Replication vulnerability, is listed in CISA’s Known Exploited Vulnerabilities catalog as actively exploited. A more recent critical issue, CVE-2026-21666, carries a CVSS score of 9.9. Backup infrastructure is a Tier 0 target and needs to be treated accordingly.
-
Protection Principle 1: Use Immutable Backups
Immutability is the most direct technical answer to ransomware’s backup-destruction tactic. Immutable backups are copies that cannot be altered or deleted by anyone, including an attacker with elevated credentials.
When ransomware reaches a backup repository, it looks for something to encrypt or wipe. An immutable copy simply cannot be modified during its retention window. That one property breaks the attacker’s most reliable leverage point. CISA’s StopRansomware guide recommends that backup data be encrypted and immutable so it cannot be altered or deleted, and the FBI and ASD echo that same language.
Legacy backup jobs that write to reachable, mutable storage are not recovery assets in a ransomware scenario. They are staging grounds for data destruction. Immutability changes that entirely.
-
Protection Principle 2: Isolate Backups From Production
Immutability protects backup data from modification. Isolation protects it from being reached in the first place.
According to NIST’s 2025 ransomware risk management profile, organizations should secure and isolate backups of important data. That guidance matters because most ransomware spreads laterally through production networks before it deploys a payload. If backups live in the same trust zone as production, they are exposed to the same lateral movement.
Practical isolation options include offline storage such as tape or disconnected drives, logical air gaps using immutable cloud object lock, and segregated admin credentials with separate management planes. CISA’s ransomware guidance warns directly that most ransomware actors attempt to find and delete or encrypt any accessible backup. The fix is removing that accessibility entirely: if attackers can touch your backups from the same trust zone, those backups are not really protected.
-
Protection Principle 3: Test Restores Regularly and Validate Cleanliness
A backup you have never tested is not really a backup. It is an assumption, and in a ransomware event, assumptions fail at the worst possible moment.
CISA’s Cybersecurity Performance Goals set a clear baseline: Recovery should be tested regularly, no less than once per year. But testing frequency matters less than testing fidelity. You need to confirm that the restored data is accurate, complete, and free of malware.
NIST’s data integrity recovery framework frames restoration around returning to a last known good state, specifically identifying the correct backup version that is free of malicious code. That is a meaningful nuance. Ransomware can sit dormant inside a backup if the infection predates the copy. So, recovery is not just about speed. It is about knowing that what you are restoring is clean.
-
Protection Principle 4: Harden the Backup Infrastructure Itself
Protecting backup data and protecting the backup environment are two different problems. Both need attention.
Backup servers, consoles, repositories, service accounts, and admin credentials need the same protection level as any Tier 0 asset in your environment. CISA confirms that CVE-2024-40711 is actively exploited, meaning unpatched Veeam servers are a live entry point for ransomware groups right now.
Key hardening actions include prompt patching of backup software when CVEs are published, MFA enforcement for all backup console access, restricted administrative privileges, and segmentation of the backup management network from production. None of these is novel. They are, however, consistently skipped until an incident makes them unavoidable.
-
Protection Principle 5: Maintain Multiple Copies (3-2-1 Rule and Beyond)
Redundancy is the insurance policy that makes everything else recoverable. The 3-2-1 model of three copies, across two different media types, with one stored offsite, has been the baseline standard for years, and it still holds against ransomware. However, the model alone is not enough anymore. The copies themselves need to be protected, not just numerous.
Three copies mean one compromised copy does not end your recovery options. You still have somewhere to go. Two media types mean a single attack vector cannot destroy everything at once; tape and cloud object storage, for example, fail in completely different ways. One off-site copy means a local incident, whether ransomware or physical disaster, cannot take out your last resort.
That said, quantity without protection is still a vulnerability. Add immutability across each tier, and you have a recovery architecture that is genuinely resilient under pressure. Encrypting backup data at rest and in transit layers access protection on top of that, so even a stolen copy is not a usable one.
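The point that a copy set can satisfy 3-2-1 and still be exposed is easy to audit from an inventory. The following is an added example, not code from the original article: the `BackupCopy` fields, zone names and inventory are constructed, and it assumes the production data counts as one of the three copies while the protection checks apply only to backups.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                        # "disk", "tape", "object-storage", ...
    offsite: bool
    trust_zone: str                   # identity/network zone that can reach the copy
    immutable_until: Optional[date]   # end of retention lock; None means mutable
    encrypted: bool
    primary: bool = False             # True for the production data itself


def audit(copies, production_zone, today):
    """Return (subject, finding) pairs; an empty list means every check passed."""
    findings = []
    backups = [c for c in copies if not c.primary]
    if len(copies) < 3:
        findings.append(("set", "fewer than three copies"))
    if len({c.media for c in copies}) < 2:
        findings.append(("set", "fewer than two media types"))
    if not any(c.offsite for c in backups):
        findings.append(("set", "no off-site copy"))
    if all(c.trust_zone == production_zone for c in backups):
        findings.append(("set", "no copy isolated from production"))
    for c in backups:
        if c.immutable_until is None or c.immutable_until <= today:
            findings.append((c.name, "not immutable"))
        if not c.encrypted:
            findings.append((c.name, "not encrypted"))
        if c.trust_zone == production_zone:
            findings.append((c.name, "reachable from production zone"))
    return findings


# Constructed inventory: passes the 3-2-1 count, yet one backup is unprotected.
INVENTORY = [
    BackupCopy("prod-volume", "disk", False, "prod", None, True, primary=True),
    BackupCopy("local-repo", "disk", False, "prod", None, False),
    BackupCopy("cloud-vault", "object-storage", True, "backup-mgmt", date(2030, 1, 1), True),
]

if __name__ == "__main__":
    for subject, finding in audit(INVENTORY, "prod", date(2026, 1, 1)):
        print(f"{subject}: {finding}")
```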
-
The Business Case: Ransomware Recovery Is Expensive
Most organizations do not take backup protection seriously until recovery becomes urgent. By then, the cost is already high, and the options are already limited.
IBM’s Cost of a Data Breach Report 2025 puts the global average cost of a data breach at $4.4 million. That figure covers detection, containment, notification, and lost business, but it does not fully capture what a ransomware-specific event looks like when recovery infrastructure has also been destroyed.
When backups are gone, recovery takes longer, downtime extends, and the pressure to simply pay the ransom increases. Organizations that invested heavily in AI-assisted security operations saw $1.9 million in savings compared to those that did not, which suggests that proactive investment has a measurable financial return.
Ransomware proceeds tell the other side of the story. The FBI’s IC3 advisory reports that Akira ransomware alone collected approximately $244.17 million by late September 2025. That money came from somewhere, and in many cases, it came from organizations that had no clean path to recovery.
Resilient backup protection that is immutable, isolated, tested, and hardened shortens recovery time, reduces downtime costs, and removes the leverage ransomware actors need to make a ransom demand feel like the only option.
-
Build Ransomware-Resilient Backup Protection With OTAVA
Protecting backups from ransomware is not a one-time configuration. It requires immutable infrastructure, isolation from production, continuous restore validation, and active hardening of the backup stack on an ongoing basis.
At OTAVA, our business resilience solutions are built on these exact principles. We help organizations build backup architectures that attackers cannot reach, cannot alter, and cannot quietly poison before a ransom demand lands. Schedule a consultation with our data protection experts to design a backup strategy that turns your recovery copies into genuine assets.