By widely cited industry estimates, a business is hit by ransomware roughly every 11 seconds, and the average ransom demand has climbed past $1 million. Here's the grim part: even if you pay, victim surveys put your odds of actually getting your data back at around 65%.
Ransomware isn't a hypothetical threat. It's a thriving criminal industry, estimated to have extracted on the order of $20 billion from victims in a single recent year. And it's getting worse.
But here's the thing that gets too little attention: ransomware is fundamentally a backup problem. If you have good backups, the encryption half of ransomware is an inconvenience (the steal-and-leak half is a separate fight, more on that below). If you don't, it's an extinction event.
How ransomware actually works
Let's demystify this. Ransomware is malware that encrypts your files, typically with a fresh symmetric key per victim or per file that is itself encrypted to the attackers' public key. Only their private key can unlock anything, and brute-forcing the ciphers involved would take longer than the remaining lifespan of the sun. The attackers hold that key and demand payment, usually in cryptocurrency, to release it. Realistically your ways out are their key, a flaw in their implementation (rare, and not something you can plan on), or your backups.
Modern ransomware is sophisticated, and usually hands-on. Operators break in, move laterally for days or weeks, map out where your data and your backups live, frequently steal data along the way, and only then detonate the encryptor on workstations, servers and network shares all at once.
The attackers know that if they only encrypt your main files, you'll just restore from backup and tell them to get lost. So they specifically target your backup infrastructure first. They delete Volume Shadow Copies and disable Windows recovery. They use the admin credentials they've harvested to purge backup repositories. They encrypt the backup files themselves. Anything reachable from a compromised machine with compromised credentials is fair game.
This is why "we have backups" isn't a ransomware strategy. You need ransomware-resistant backups.
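As an added example for this article (not code from the original post), here is a small detection that would catch the recovery-destruction step described above when run over process-creation logs. The record format (timestamp|host|user|commandline) and the log lines are constructed for the example; the command patterns themselves (vssadmin delete shadows, wmic shadowcopy delete, bcdedit recoveryenabled no, wbadmin delete catalog, and PowerShell removal of Win32_ShadowCopy) are the ones ransomware families are widely documented to run before encrypting.

```python
"""Flag command lines that destroy local recovery points (MITRE ATT&CK T1490,
Inhibit System Recovery). Example written for this article; the record format
and the log lines below are constructed, not captured from a real incident."""
import re
from typing import Iterable

# (rule name, case-insensitive regex applied to the full command line)
RULES = [
    ("vss_delete_shadows",
     r"vssadmin(\.exe)?\s+delete\s+shadows"),
    # Shrinking shadow storage evicts old snapshots without an explicit delete.
    ("vss_resize_storage",
     r"vssadmin(\.exe)?\s+resize\s+shadowstorage.*?/maxsize="),
    ("wmic_shadowcopy_delete",
     r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("powershell_shadowcopy_remove",
     r"win32_shadowcopy.*?remove-(wmi|cim)(object|instance)"),
    ("bcdedit_disable_recovery",
     r"bcdedit(\.exe)?.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("wbadmin_delete_catalog",
     r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]


def match_command(cmdline: str) -> list:
    """Names of every rule that fires on one command line (empty if benign)."""
    return [name for name, rx in COMPILED if rx.search(cmdline)]


def scan(lines: Iterable[str]) -> list:
    """Parse 'timestamp|host|user|command' records and return the suspicious
    ones as (timestamp, host, rules). Malformed records are skipped rather
    than raised: a log pipeline should not stop on one bad line."""
    hits = []
    for raw in lines:
        parts = raw.rstrip("\n").split("|", 3)
        if len(parts) != 4:
            continue
        ts, host, _user, cmd = parts
        rules = match_command(cmd)
        if rules:
            hits.append((ts, host, rules))
    return hits


# Constructed process-creation records; a benign 'list shadows' and a notepad
# launch are mixed in to show the rules do not fire on ordinary activity.
SAMPLE_LOG = [
    "2024-03-01T02:14:07Z|FS01|svc_backup|C:\\Windows\\System32\\vssadmin.exe list shadows",
    "2024-03-01T02:14:09Z|FS01|jdoe|cmd.exe /c vssadmin delete shadows /all /quiet",
    "2024-03-01T02:14:10Z|FS01|jdoe|wmic shadowcopy delete",
    "2024-03-01T02:14:11Z|FS01|jdoe|bcdedit /set {default} recoveryenabled No",
    "2024-03-01T02:14:12Z|FS01|jdoe|wbadmin delete catalog -quiet",
    "2024-03-01T02:15:00Z|WS22|asmith|notepad.exe report.docx",
    "2024-03-01T02:15:30Z|FS01|jdoe|powershell -c \"Get-WmiObject Win32_Shadowcopy | Remove-WmiObject\"",
]

if __name__ == "__main__":
    for ts, host, rules in scan(SAMPLE_LOG):
        print(ts, host, ", ".join(rules))
```

Five of the seven constructed records fire, all within a minute on the same host, which is the shape of alert worth paging on: a burst of recovery-destruction commands is the last quiet moment before the encryptor runs.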
The backup strategies that actually work
Let's be specific about what protects you:
Air-gapped backups. If your backup storage isn't connected to your network, ransomware can't reach it. Period. That means physically disconnected drives or offline tape. Cloud backups whose credentials never touch a machine attackers could compromise are the logical equivalent: not a physical gap, but the same principle. One caveat practitioners learn the hard way: the gap only protects what is on the far side of it when the encryptor runs. A drive that stays plugged in for convenient nightly backups is part of your network for as long as it's plugged in.
Immutable backups. Storage that cannot be modified or deleted for a set retention period, not even by the account that wrote it. Even if attackers get the credentials, they can't touch the data until the clock runs out. Most cloud object stores offer this (object lock, WORM, legal hold; the names vary). Pick the mode that a privileged administrator cannot shorten or lift, because the privileged administrator account is exactly what the attackers will be holding. It's worth every penny.
Versioned backups with retention. Keep multiple versions going back weeks or months, with retention longer than the longest time you're willing to bet an intruder could sit in your network unnoticed. Ransomware operators often have access for weeks before they encrypt, and last night's backup may already contain tampered or encrypted files. You need to be able to restore from before the intrusion started, not just from yesterday.
Separate authentication. Your backup system should have completely different credentials from your main infrastructure. Different passwords, different accounts, ideally a different identity provider entirely, with MFA on every backup login. In particular, no trust relationship back to the production domain: if the backup console accepts logins from your main directory, a domain admin compromise is a backup compromise.
Regular testing. A backup you've never tested is not a backup. It's a hope. Test your restores regularly. Time them. Know exactly how long recovery takes.
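The "versioned with retention" point above is where many backup schemes quietly fail: a rolling seven-day window means a two-week dwell time leaves you with nothing clean. Below is an added example (written for this article, not the page's own tooling) of grandfather-father-son retention in Python, with a check that the oldest retained restore point predates an assumed dormancy window. The snapshot history and the retention counts are constructed.

```python
"""Grandfather-father-son (GFS) retention for backup snapshots: keep the newest
N daily snapshots, the newest snapshot of each recent ISO week, and the newest
of each recent month, so restore points reach back past a dormant infection.
Example written for this article, not the page's own tooling; the snapshot
dates below are constructed."""
from datetime import date, timedelta


def _newest_per_bucket(newest_first, key, count):
    """First snapshot seen per bucket key is the newest in that bucket,
    because the input is sorted newest first."""
    seen, picked = set(), []
    for d in newest_first:
        k = key(d)
        if k in seen:
            continue
        seen.add(k)
        picked.append(d)
        if len(picked) == count:
            break
    return picked


def select_keep(snapshots, daily, weekly, monthly):
    """Return the set of snapshot dates to retain under a GFS policy.
    A snapshot can satisfy several buckets; it is stored once."""
    newest_first = sorted(set(snapshots), reverse=True)
    keep = set(newest_first[:daily])
    keep.update(_newest_per_bucket(newest_first, lambda d: d.isocalendar()[:2], weekly))
    keep.update(_newest_per_bucket(newest_first, lambda d: (d.year, d.month), monthly))
    return keep


def to_prune(snapshots, keep):
    """Snapshots the policy allows you to delete (never delete before you have
    confirmed the retained ones actually restore)."""
    return sorted(set(snapshots) - keep)


def oldest_restore_point(keep):
    return min(keep)


def covers_dormancy(keep, today, dormancy_days):
    """True if at least one retained restore point predates the assumed
    dormancy window, i.e. a clean copy from before the intrusion still exists."""
    return oldest_restore_point(keep) <= today - timedelta(days=dormancy_days)


# Constructed history: one snapshot per day for 120 days ending 2024-03-31.
TODAY = date(2024, 3, 31)
SNAPSHOTS = [TODAY - timedelta(days=i) for i in range(120)]
KEEP = select_keep(SNAPSHOTS, daily=7, weekly=4, monthly=12)

if __name__ == "__main__":
    print(f"retain {len(KEEP)} of {len(SNAPSHOTS)}, oldest {oldest_restore_point(KEEP)}")
    print("60-day dormancy covered:", covers_dormancy(KEEP, TODAY, 60))
    print("120-day dormancy covered:", covers_dormancy(KEEP, TODAY, 120))
```

With seven dailies, four weeklies and up to twelve monthlies, the 120-day history collapses to 13 retained snapshots, the oldest from 2023-12-31. That covers a 60-day dormancy window but not a 120-day one; the fix is more monthly history, not more dailies, and a pruning job that runs before the restore test rather than after it is the wrong way round.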
The 3-2-1 rule, modernized
The classic 3-2-1 backup rule says: 3 copies of your data, on 2 different media types, with 1 copy offsite. It's good advice that's been around for decades.
For ransomware protection, we need to extend it: 3-2-1-1-0.
3 copies. 2 different media. 1 offsite. 1 offline or immutable. 0 errors (verified backups).
That extra "1", a copy that is offline or immutable, is what saves you from ransomware. It's the backup that can't be touched, either because it isn't reachable from anything the attackers control, or because the storage itself refuses to delete or overwrite it until the retention period expires.
What happens when you don't have good backups
Let me paint a picture. A mid-size company gets hit on a Friday night. The ransomware spreads across 200 workstations and 50 servers before anyone notices. By Monday morning, everything is encrypted.
They check their backups. The backup server? Encrypted. The NAS? Encrypted. The cloud sync? It helpfully synced all the encrypted files over the originals, because sync is not backup. The USB drive in the IT closet? Three months old and also connected to the network.
Now they have a choice. Pay $2 million in Bitcoin to criminals who may or may not actually give them the decryption key. Or accept that everything—customer data, financial records, proprietary systems, years of work—is gone.
This isn't hypothetical. This happens every day. Companies that thought they were protected discover, in the worst possible moment, that their backup strategy had fatal flaws.
The encryption paradox
Here's an irony: encryption is both the weapon ransomware uses against you and the tool that protects your backups.
Your backups should be encrypted. If attackers can't read your backup data, they can't selectively target valuable files, can't verify they've corrupted everything, and can't use your backup repository as a convenient pre-packaged copy of your data to exfiltrate before encrypting it (the theft-and-leak threat is the second half of the double-extortion tactic). Be clear about what encryption buys you, though: confidentiality. It does nothing to stop attackers deleting or re-encrypting your encrypted backups; that's what the offline and immutable copies are for.
But the encryption key for your backups must be stored separately from the backups themselves. If it's on your main network, attackers can grab it. Store it offline. Print it on paper. Put it in a safe deposit box. Just don't keep it anywhere the ransomware can reach. And treat key loss as seriously as key theft: keep at least two copies in separate locations, and start your restore tests from the stored key, because a backup whose key is gone is exactly as useful as one whose key is held by criminals.
Prevention is not enough
Yes, you should have endpoint protection. Yes, you should train employees not to click suspicious links. Yes, you should patch your systems and segment your network and all the other security best practices.
But prevention-only strategies fail. They fail because humans make mistakes. They fail because zero-days exist. They fail because your security is only as strong as your weakest vendor or contractor or employee having a bad day.
The question isn't "how do we prevent ransomware?" The question is "when ransomware gets through—and it will—how do we recover?"
That's a backup question.
Building your ransomware recovery plan
Here's what you need:
Document everything. Your backup schedule. Your retention policy. Where the offline copies are stored. Who has access to restoration credentials. How long recovery takes. The order systems have to come back in (identity, DNS and the backup server itself before the applications that depend on them). All of it, written down, stored offline, because the copy on the file server will be encrypted along with everything else.
Test quarterly. Pick a critical system. Pretend it's encrypted. Time how long it takes to restore from your offline backups. Find the gaps before attackers do.
Assume breach. Design your backup architecture assuming attackers are already in your network. What can they reach? What can't they? The "can't reach" category better include at least one complete, recent backup.
Calculate your RTO and RPO. Recovery Time Objective: how long can you be down? Recovery Point Objective: how much data can you afford to lose? RPO is bounded by how often you back up; RTO is bounded by how fast you can actually restore, which you only know once you've measured it. Your backup strategy must meet both numbers, or you're gambling.
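Pulling the "regular testing", "0 errors" and RTO/RPO points together, here is an added example (written for this article, not the page's own procedure) of a restore drill in Python: back up a directory, restore it elsewhere, verify every file against a SHA-256 manifest kept separately from the archive, time the restore against the RTO, and check the snapshot's age against the RPO. It also tampers with one restored file to show the manifest catching it. The sample files, the RTO/RPO figures and the snapshot age are constructed; a real drill points these functions at a production-sized dataset and at the offline copy.

```python
"""Restore drill: back up a directory, restore it somewhere else, verify every
file against a SHA-256 manifest, and time the restore against the RTO.
Example written for this article, not the page's own procedure; the sample
files, the RTO/RPO figures and the snapshot age are constructed."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root.
    Store this with the OFFLINE copy, not inside the archive: a tampered
    archive must not be allowed to carry its own 'correct' hashes."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, archive: Path) -> dict:
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    return manifest


def restore(archive: Path, dest: Path) -> None:
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # The 'data' extraction filter (Python 3.12, backported to maintenance
        # releases) refuses path traversal and device nodes inside the archive.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)


def verify_tree(root: Path, manifest: dict) -> list:
    """Relative paths that are missing or whose content differs from the manifest."""
    actual = build_manifest(root)
    return sorted(p for p, digest in manifest.items() if actual.get(p) != digest)


def restore_drill(archive, manifest, dest, rto_seconds, snapshot_age_seconds, rpo_seconds) -> dict:
    """Time a full restore plus verification and compare with the objectives.
    RPO is judged from how old the snapshot being restored is."""
    start = time.monotonic()
    restore(archive, dest)
    mismatches = verify_tree(dest, manifest)
    elapsed = time.monotonic() - start
    return {
        "verified": not mismatches,
        "mismatches": mismatches,
        "restore_seconds": elapsed,
        "meets_rto": elapsed <= rto_seconds,
        "meets_rpo": snapshot_age_seconds <= rpo_seconds,
    }


def demo(rto_seconds=60.0, rpo_seconds=24 * 3600, snapshot_age_seconds=6 * 3600) -> dict:
    """Constructed end-to-end drill on a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, dest, archive = base / "live", base / "restored", base / "backup.tar.gz"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("2024-03-01,invoice,1200.00\n")  # constructed
        (src / "notes.txt").write_text("constructed sample data\n")
        manifest = make_backup(src, archive)
        result = restore_drill(archive, manifest, dest, rto_seconds, snapshot_age_seconds, rpo_seconds)
        # Simulate encryption of one restored file and confirm the manifest catches it.
        (dest / "notes.txt").write_bytes(b"\x00\x17encrypted\x9a")
        result["tamper_detected"] = verify_tree(dest, manifest) == ["notes.txt"]
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The numbers that matter are restore_seconds measured against your RTO and the snapshot age against your RPO; a drill that only checks the archive opens tells you nothing about either. Keeping the manifest apart from the archive is deliberate: if the attackers can rewrite both, "0 errors" is meaningless.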
The real cost of skipping this
Good backup infrastructure isn't free. Air-gapped storage costs money. Immutable cloud storage costs money. The time to test restores costs money.
But here's the math: industry surveys have put the average total cost of a ransomware incident for a mid-size company at around $1.85 million in ransom payments, downtime, recovery efforts and reputation damage. The companies that could restore from backups? Their reported average cost was under $100,000.
Proper backups aren't an expense. They're the cheapest insurance you'll ever buy.
Start today
If you're reading this and realizing your backup strategy has holes, fix them now. Not next quarter. Not after the next budget cycle. Now.
Get an external drive. Back up your critical data. Check that the copy actually opens. Disconnect it. Label it with the date. Put it somewhere safe. That's 30 minutes of work that could save your business.
Then build from there. Add cloud backups with separate credentials. Enable immutability. Set up automated testing. Each layer you add is another barrier between you and catastrophe.
Ransomware attackers are counting on you to procrastinate. They're betting that you'll put off your backup improvements until it's too late.
Prove them wrong.
—Your data, your responsibility