A ransomware attack doesn’t start with encryption. It starts with wiping backups.

Data encryption is the final step. 2025 data shows why the traditional “we have backups, we’re safe” mindset isn’t enough and what a real compromise looks like from the inside. 

The numbers that change the perspective

Last year, 69% of organizations experienced a ransomware attack. That number alone may not be surprising anymore. What is more alarming is what happened next: 89% of those organizations confirmed that attackers specifically targeted their backups — not just production data. The number of attacks increased by 45% year over year. There are now 134 active ransomware groups, with as many as 85 operating at the same time. 

And the median size of the affected company? 228 employees. In other words, ransomware is not just a problem for large corporations with complex IT environments. It is a problem for almost everyone.

How an attack really unfolds

The idea of an attacker breaking into a network and immediately starting to encrypt data is outdated. Modern ransomware operations are methodical, patient and targeted.

Phase 1: Initial access

The most common entry points are surprisingly balanced. Phishing, compromised VPN credentials and unpatched vulnerabilities each account for roughly 25–30% of initial access scenarios. No single vector clearly dominates. The attacker enters quietly. No visible alarm.

Phase 2: Silent mapping

After gaining access, the attacker does not rush. They map the network, escalate privileges, identify critical systems and look for the backup infrastructure. 

Phase 3: Data exfiltration

Before any destructive action takes place, data is often exfiltrated. This is where another important number matters: 74% of ransomware attacks today do not encrypt data at all. The attacker steals the data and leaves. Encryption has become an optional extra step. Extortion works even without it.

Phase 4: Destroying backups

Only then does the destructive phase begin and it starts with backups. The attacker deletes snapshots, stops backup services, and overwrites the retention policy in the repository. The backups are gone before anyone realizes an attack is underway. 

Phase 5: Encryption — typically on a Friday evening

The final step arrives at the moment when recovery is least likely — typically before a long weekend. By this point, there is nothing left to restore. 
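The three Phase 4 actions above (stopping the backup service, bulk snapshot deletion, rewriting retention) are what a SOC should be alerting on long before Friday evening. The following is an added example, not code from the article: a small detector over constructed backup-server log lines in a hypothetical `ts k=v k=v` format, which raises an alert per action and escalates a principal who performs two or more distinct destructive actions inside one time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the article): one routine job event,
# the three Phase 4 actions by a single user, then routine housekeeping.
SAMPLE_LOGS = [
    "2025-03-14T17:02:11Z host=bkp01 user=svc_backup event=job_finished job=Daily-SQL status=success",
    "2025-03-14T17:05:43Z host=bkp01 user=jdoe event=service_stop service=BackupService",
    "2025-03-14T17:06:02Z host=bkp01 user=jdoe event=snapshot_delete repo=Repo-Main count=42",
    "2025-03-14T17:06:30Z host=bkp01 user=jdoe event=retention_change repo=Repo-Main old_days=30 new_days=1",
    "2025-03-14T17:09:00Z host=bkp01 user=svc_backup event=snapshot_delete repo=Repo-Main count=1",
]

def parse_line(line: str) -> dict:
    """Split '<ts> k=v k=v ...' into a dict; the timestamp is parsed under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields

def score_event(ev: dict):
    """Reason string if the event is one of the Phase 4 actions, else None.
    One deleted snapshot is housekeeping; bulk deletion and any retention cut are not."""
    kind = ev.get("event")
    if kind == "service_stop":
        return f"backup service {ev.get('service')} stopped"
    if kind == "snapshot_delete" and int(ev.get("count", 0)) >= 10:
        return f"bulk snapshot deletion ({ev['count']}) in {ev.get('repo')}"
    if kind == "retention_change" and int(ev["new_days"]) < int(ev["old_days"]):
        return f"retention on {ev.get('repo')} cut from {ev['old_days']} to {ev['new_days']} days"
    return None

def find_backup_tampering(lines, window_minutes: int = 15):
    """Return (alerts, critical_users): a user is critical after two or more
    distinct destructive actions inside the window, the Phase 4 pattern."""
    alerts, per_user = [], defaultdict(list)
    for ev in map(parse_line, lines):
        reason = score_event(ev)
        if reason is None:
            continue
        alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"], "reason": reason})
        per_user[ev["user"]].append((ev["ts"], ev["event"]))
    critical, window = [], timedelta(minutes=window_minutes)
    for user, acts in per_user.items():
        acts.sort()
        for i, (t0, _) in enumerate(acts):
            if len({k for t, k in acts[i:] if t - t0 <= window}) >= 2:
                critical.append(user)
                break
    return alerts, sorted(critical)
```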

Why backups fail

Most attacked companies did have backups. The problem wasn’t their absence, but the fact that they were compromisable, inaccessible, or non-functional in ways nobody had tested in advance. 

The four most common weaknesses:

  • Backup server joined to the domain. If an attacker takes control of Active Directory, the backups fall with it. No separation, no protection. 
  • No immutable storage. Without immutability, an attacker can overwrite the repository or delete the retention policy — while monitoring dashboards stay green.
  • Privileged accounts without MFA. Backup management credentials can be stolen with a single phishing attempt. A few commands are all it takes.
  • Backups were never tested in a real scenario. This is the most widespread problem. The backup job reports “done,” the dashboards look fine, but the first real restore test happens during the incident. By then, it’s too late. 

What comes after an attack

The average recovery time in 2025 was 24 days. For comparison, just a few years ago it was measured in single digits. The increase isn’t caused by worse technology. It’s caused by backups being compromised or unprepared for an actual recovery scenario. 

The financial reality is equally harsh. The average ransom exceeded one million dollars, with the median around $400,000. Only one in four companies pays — and even then, there’s no guarantee the data will come back in a usable state. 

Backups are a Tier 0 asset

Backup infrastructure needs the same level of protection as production systems — or higher. In practice, that means: 

The backup server must sit outside the domain or use strictly separated credentials. The repository must be protected by immutability — either as a Hardened Repository or S3 object storage with immutable retention configured. Access to backup management must require MFA, without exception. And recovery must be regularly tested in an isolated environment. 
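What immutability changes in practice, as an added example that is not the article's or any vendor's code: a model of two repositories, one where admin credentials can shorten retention and delete restore points, and one following compliance-mode object-lock rules (retention may only be extended, deletion fails until it expires, regardless of who asks). `simulate_phase4` replays the article's Phase 4 against a constructed week of restore points on each.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class BackupObject:
    name: str
    retain_until: datetime  # earliest moment at which deletion is possible

class Repository:
    """immutable=False: anyone holding admin credentials can delete objects or
    shorten retention. immutable=True: compliance-mode object-lock rules, as
    with the Hardened Repository or S3 immutable retention the article names:
    retention may only be extended and delete fails until it expires."""

    def __init__(self, immutable: bool):
        self.immutable = immutable
        self.objects = {}  # name -> BackupObject

    def put(self, name, retention_days, now):
        self.objects[name] = BackupObject(name, now + timedelta(days=retention_days))

    def set_retention(self, name, new_until) -> bool:
        obj = self.objects[name]
        if self.immutable and new_until < obj.retain_until:
            return False  # shortening the lock is refused
        obj.retain_until = new_until
        return True

    def delete(self, name, now) -> bool:
        obj = self.objects[name]
        if self.immutable and now < obj.retain_until:
            return False  # still inside the retention period
        del self.objects[name]
        return True

    def restorable(self) -> list:
        return sorted(self.objects)

def simulate_phase4(immutable: bool) -> dict:
    """Replay Phase 4 (rewrite retention to 'now', then delete everything)
    against a constructed week of daily restore points with 30-day retention."""
    now = datetime(2025, 3, 14, 17, 0, tzinfo=timezone.utc)  # constructed clock
    repo = Repository(immutable)
    for age in range(1, 8):
        repo.put(f"daily-{age}", 30, now - timedelta(days=age))
    rewritten = sum(repo.set_retention(n, now) for n in list(repo.objects))
    deleted = sum(repo.delete(n, now) for n in list(repo.objects))
    return {"retention_rewritten": rewritten, "deleted": deleted,
            "restorable": repo.restorable()}
```

The domain-joined, non-immutable case ends with nothing restorable while every operation reports success, which is exactly the "dashboards stay green" failure from the list above.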

Tools like Veeam SureBackup allow you to verify restorability in isolation without any impact on production. The difference between “we have a backup” and “we have a verified recovery” lies exactly here. 

Companies also need to know their RTO (how long a service can be offline) and RPO (how much data they can afford to lose). Without these parameters, you can’t decide what’s sufficient to back up and where a disaster recovery scenario with replication to a separate DR site starts to make sense. 

Conclusion

In 2025, attackers aren’t bypassing backups. They are deliberately removing them — and only then striking production. 89% of attacked organizations confirm this from firsthand experience. Backups remain the absolute foundation. Without them, there’s no point talking about resilience. But the mere existence of a backup isn’t enough. A backup that isn’t separated from the domain, protected by immutability, and regularly tested isn’t a backup. It’s a false sense of security.