Traditional backups were designed for accidental outages and hardware failures, not attackers who deliberately target backup systems, steal data before encryption, and use extortion that restoration cannot fix.
How Traditional Data Backup Strategies Fall Short Against Modern Attacks
Modern ransomware targets backups before encrypting data. See why traditional backup strategies fail and where email detection closes the gap.
May 22, 2026
Traditional data backup strategies no longer address the full scope of the ransomware problem. For years, backups served as the default insurance policy against encryption-based disruption. Modern ransomware changed that model.
Operators now target backup infrastructure early, exfiltrate sensitive data before encryption, and create extortion pressure that restoration does not resolve. This gap is real, and it's costing organizations millions. Traditional backups were built to recover lost data, but today's attacks are built to steal it, leak it, and extort you for it.
Key Takeaways
- Modern ransomware groups systematically destroy backup infrastructure as a documented, sequenced step before deploying encryption.
- Double extortion, in which attackers exfiltrate data before encrypting it, poses a threat that backup restoration cannot address.
- NIST SP 800-184 and the CISA StopRansomware Guide position backup as a single cybersecurity function within a broader recovery and response model. Detection is a formal prerequisite to safe restoration.
- The ransomware kill chain consists of sequential stages, starting with initial access via email or stolen credentials. Disrupting the chain early can prevent backup destruction from ever occurring.
- Legacy email security tools often struggle to detect the socially engineered, payload-free attacks that initiate modern ransomware campaigns.
Why Traditional Data Backup Strategies Were Built for a Different Threat
Traditional data backup strategies were built to recover from failure, not to withstand an active adversary. NIST's ISSA Special Interest Group on Cyber Resilience identifies this gap directly: Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are concepts that apply to non-adversarial disruptions.
Every common backup framework, from the 3-2-1 rule to scheduled snapshots to air-gapped repositories, was designed to solve a specific problem: restoring data availability after a hardware failure, a natural disaster, or an accidental deletion. The sections that follow examine three structural weaknesses in these legacy approaches:
1. The 3-2-1 Rule Assumes Credential Integrity
The 3-2-1 rule assumes administrative control remains intact. It specifies three copies across two media types, with one stored offsite. It contains no guidance on credential isolation, privileged access management, or separating administrative access between production and backup environments.
When an attacker obtains backup administrator credentials, the number of copies and their physical distribution become far less meaningful. NIST SP 800-209 documents this directly: compromise of administrative systems leads to "compromise of existing and future backups, ransomware attack, DoS attack, tamper storage-related log and audit data, unsafe storage configuration parameters."
2. RTO/RPO Calculations Ignore Forensic Reality
Standard RTO and RPO calculations understate recovery time during a ransomware incident. They assume the recovery environment is trustworthy and that restoration can begin immediately. In adversarial scenarios, both metrics require forensic validation steps that standard calculations exclude.
The same NIST ISSA Cyber Resilience publication referenced earlier defines Cyber RTO as the maximum tolerable time to restore critical functions "to a trusted operational state." Cyber-specific objectives "are expected to be longer than standard RTO/RPO due to additional integrity verification, forensic analysis, and validation steps required to ensure system trustworthiness before reactivation."
Organizations that have tested RTO/RPO against clean disaster scenarios will systematically underestimate actual recovery timelines during a ransomware incident.
3. Snapshots Create Exploitable Poisoning Windows
Snapshots can fail when attackers quietly poison future recovery points over time. Returning to NIST SP 800-209, which we linked to above, the attack pattern is described explicitly: when existing copies cannot be compromised, attackers interfere with the backup process itself to gradually poison future copies. After enough time passes, the attacker returns to compromising primary data, knowing that the only available copies for recovery fall outside the retention window. If an organization maintains a limited snapshot window and an attacker conducts silent data poisoning for longer than that period, no usable recovery point exists.
How Ransomware Operators Target and Destroy Backups
Backup destruction is a preparatory step before encryption, not an afterthought. Ransomware operators systematically neutralize recovery infrastructure to maximize extortion leverage, and CISA and FBI advisories document the playbook in detail. The four techniques below (shadow copy deletion, backup service termination, direct exploitation of backup software, and security tool disablement) typically execute in sequence during the pre-encryption phase.
Deleting Volume Shadow Copies
Deleting local recovery artifacts is a routine early move in ransomware operations. The CISA StopRansomware Guide (March 2025) documents canonical pre-encryption commands including vssadmin.exe Delete Shadows /all /quiet and bcdedit.exe /set {default} recoveryenabled no. MITRE ATT&CK T1490 catalogs VSS deletion across Ryuk, LockBit, REvil, RansomHub, Royal/BlackSuit, Medusa, and others.
The CISA advisory on Medusa ransomware (AA25-071A) documents its gaze.exe tool specifically targeting .bac, .bak, .wbcat, .bkf, and .VHD file extensions, wiping backup artifacts across the filesystem.
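As an added detection example (not from the CISA guide or this post's author), the following Python flags the two inhibit-recovery commands quoted above in constructed process-creation records and escalates when distinct rules fire on one host within a few minutes; the event field names and the five-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: process-creation events shaped loosely like Sysmon Event ID 1
# or Windows 4688 records after SIEM normalisation (not real logs).
SAMPLE_EVENTS = [
    {"ts": "2025-04-24T02:11:07Z", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe Delete Shadows /all /quiet"},
    {"ts": "2025-04-24T02:11:09Z", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "2025-04-24T02:11:10Z", "host": "FS01", "user": "CORP\\svc_backup",
     "cmdline": "vssadmin.exe list shadows"},
    {"ts": "2025-04-24T03:00:00Z", "host": "WS17", "user": "CORP\\alice",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]

# The two inhibit-recovery commands quoted from the CISA StopRansomware Guide above,
# matched on a lower-cased, whitespace-collapsed command line so that case changes
# or padded spaces do not slip past the rule.
RULES = [
    ("T1490 shadow copy deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("T1490 boot recovery disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
]

def detect(events):
    """One alert per event whose command line matches an inhibit-recovery rule."""
    alerts = []
    for ev in events:
        cmd = " ".join(ev["cmdline"].lower().split())
        for name, pattern in RULES:
            if pattern.search(cmd):
                alerts.append({"ts": ev["ts"], "host": ev["host"],
                               "user": ev["user"], "rule": name})
    return alerts

def sequence_alerts(alerts, window=timedelta(minutes=5)):
    """Escalate a host where distinct rules fire inside `window`: the sequenced
    pre-encryption pattern described above, rather than one stray admin command."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    escalations = []
    for host, hits in by_host.items():
        times = sorted(datetime.fromisoformat(a["ts"].replace("Z", "+00:00"))
                       for a in hits)
        rules = sorted({a["rule"] for a in hits})
        span = times[-1] - times[0]
        if len(rules) >= 2 and span <= window:
            escalations.append({"host": host, "rules": rules,
                                "span_seconds": int(span.total_seconds())})
    return escalations
```

The benign `vssadmin.exe list shadows` and the workstation event produce no alert, while FS01 is escalated because both rules fire two seconds apart.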
Killing Backup Services Before Encryption
Ransomware often terminates backup agent processes before deletion and encryption. That sequencing reduces the chance of emergency snapshots or administrative alerts. The CISA BlackSuit advisory (AA23-061A) documents a specific sequence: BlackSuit uses Windows Restart Manager to identify files held open by backup agents, then deletes shadow copies via vssadmin.exe before beginning the encryption pass.
Exploiting Backup Software Directly
Backup servers are high-value targets because they store credentials for protected systems and maintain broad network access by design.
The FBI/CISA/DC3/HHS joint advisory on Akira (AA24-109A) documents systematic exploitation of backup software vulnerabilities, specifically CVE-2023-27532 and CVE-2024-40711, the latter a critical unauthenticated remote code execution flaw. Once an ESXi host is compromised, the attacker can encrypt many VMs and their associated backup snapshots at once.
Disabling Security Tools to Protect the Destruction Phase
Attackers may disable security tooling before executing backup neutralization. Backup destruction generates behavioral signals that endpoint detection platforms can pick up, so operators increasingly try to reduce visibility first. Akira uses POORTRY malware via BYOVD techniques to terminate antivirus processes and explicitly uninstalls endpoint detection systems prior to backup destruction. Medusa disables Windows Defender before deploying its backup-targeting payload.
Double Extortion Makes Data Backup Strategies Irrelevant to the Core Threat
Double extortion shifts the main risk from availability to confidentiality. Backup restoration addresses data availability. It does not reverse the exposure created when attackers steal data before encryption.
CISA formally documents double extortion as standard operating procedure across multiple active threat groups. Play ransomware encrypts systems after exfiltrating data. Black Basta affiliates both encrypt systems and exfiltrate data. BianLian has shifted primarily to exfiltration-only operations, no encryption at all, making backup capability irrelevant to the extortion equation.
The Attack Chain Map Shows Where Backups Apply, and Where They Do Not
Backups apply at one late stage of the attack chain. By then, the main confidentiality event has already occurred. Consider the full sequence of a modern ransomware campaign:
- Credential Theft and Access Broker Sale: Backups provide no protection.
- Initial Access via Stolen Credentials: Backups provide no protection.
- Lateral Movement and Reconnaissance: Backups provide no protection.
- Data Exfiltration to Attacker Infrastructure: Backups provide no protection.
- Encryption Deployment: Backups address this stage only.
- Ransom Demand for Data Suppression: Backups provide no protection.
- Data Publication on a Leak Site: Irreversible. Backups are meaningless.
According to the IBM/Ponemon Institute Cost of a Data Breach Report 2025, the average cost of an extortion or ransomware incident is $5.08 million when the attacker discloses data, regardless of whether a ransom is paid.
Real-World Cases Where Backups Were Not Enough
Real incidents show that restoring operations does not resolve the full impact of extortion.
In February 2024, ALPHV/BlackCat attacked Change Healthcare, exfiltrating protected health information for an estimated 190 million individuals. Change Healthcare reportedly paid $22 million for a decryption key and a promise not to leak stolen data. Despite payment, the data appeared on the dark web. A second ransomware group, RansomHub, then claimed possession of stolen data and issued a separate demand. The organization both paid the ransom and restored operations, yet still faced multiple extortion demands, regulatory scrutiny, and class action litigation.
In June 2024, the Qilin ransomware group attacked Synnovis, a pathology services provider to NHS London hospitals. Synnovis did not pay and rebuilt its IT infrastructure from scratch, the textbook-recommended response. Despite executing the preferred playbook, stolen patient data was published, hospitals experienced prolonged operational disruption, and an NHS patient death was tied to the attack. The data exfiltration harm was irreversible regardless.
The Kill Chain Starts in the Inbox, Not at the Backup Server
Email remains one of the most common attack vectors in ransomware intrusions. MITRE ATT&CK T1566 documents phishing as an initial access technique used by INC Ransom, REvil, and Royal ransomware. CISA Advisory AA23-320A documents Scattered Spider intrusions beginning with organization-specific phishing and social engineering, targeting IT help desks and using SIM swapping, push bombing, and vishing.
The Verizon 2025 DBIR found ransomware in 44% of breaches and that 54% of ransomware victims had their domains appear in credential dumps, pointing to access broker involvement via email-based vectors as a dominant initial access source.
Dwell Time Creates the Window for Backup Destruction
Delay between initial compromise and encryption gives attackers time to move toward backup infrastructure and stage extortion. Analysis of the Marks & Spencer/Scattered Spider incident documents the theft of the Active Directory credential database as early as February 2025, with ransomware deployed on April 24, 2025 and a dwell period of approximately two months.
During that window, attackers harvested credentials, moved laterally to backup infrastructure, exfiltrated data, and positioned encryption payloads. The encryption event visible to defenders was the terminal stage of a campaign that began weeks or months earlier.
This sequential dependency explains why upstream detection at the email layer matters. Interrupting initial access can stop credential theft, lateral movement, backup destruction, and data exfiltration before the final payload ever runs.
What NIST and CISA Now Require Beyond Traditional Data Backup Strategies
Current guidance treats backup as one component of a broader cyber resilience strategy. NIST SP 800-184 situates recovery within the NIST Cybersecurity Framework's five functions:
- Identify: Understand the assets, data, systems, and risks that need protection across the organization.
- Protect: Implement safeguards such as access controls, encryption, and privileged access management to limit attacker reach.
- Detect: Continuously monitor for anomalous activity, intrusions, and indicators of compromise before they escalate.
- Respond: Contain incidents, coordinate communications, and execute the playbook actions that limit damage during an active event.
- Recover: Restore affected systems and data to a trusted operational state, including backup restoration and integrity validation.
These are described as "all critical for a complete defense and may be executed simultaneously instead of occurring sequentially." Recovery is one of five equal functions, not the primary strategy.
In practice, this reframing translates into two concrete shifts that move beyond legacy backup thinking: stricter requirements for the backups themselves, and a formal dependency on detection before any recovery action begins.
Mandatory Properties Beyond 3-2-1
Current backup guidance emphasizes properties that reduce attacker access and improve confidence in recovery. Across its StopRansomware advisories and the StopRansomware Guide, CISA specifies backup requirements that go well beyond copy count and placement:
- Encrypted: Backup data must be encrypted in transit and at rest.
- Offline/Air-Gapped: Must be stored separately from source files and the production network.
- Tested Regularly: Availability and integrity must be verified in disaster recovery exercises with recorded metrics.
- Organizationally Complete: Must cover the organization's data infrastructure.
- Immutable Where Feasible: NIST SP 800-209 formally defines immutability as "the ability to lock data after it has been created, thereby preventing it from alteration or deletion."
Detection Must Precede Recovery
Recovery depends first on understanding the scope and timing of the compromise. NIST SP 800-184 addresses the timing problem directly: the incident response team must work with the recovery team "to update the recovery playbook to include the time of infection, so that the corresponding backups can be identified and checked for data integrity."
Recovery cannot safely begin until the scope of compromise is understood. NIST IR 8374r1 (January 2025) elevates backup integrity verification to Priority 1 under outcome RC.RP-03, and maps equally weighted Priority 1 controls to Protect and Detect functions alongside Recover. Backup controls do not operate independently of detection capabilities.
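An added example, not from NIST or this post: the following Python applies the time-of-infection rule above, together with the snapshot poisoning scenario from the 3-2-1 section, to a constructed backup catalog, choosing the newest backup that both predates the infection window and still matches a signed manifest. The catalog fields, the HMAC-signed manifest and the twelve-hour safety margin are assumptions standing in for a real immutable backup record.

```python
import hashlib
import hmac
from datetime import datetime, timedelta

# Constructed backup catalog: creation time plus stand-in contents. In a real
# system the contents would be archive files; here they are short byte strings.
BACKUPS = [
    {"id": "fs01-0420", "created": "2025-04-20T01:00:00+00:00", "data": b"clean-archive-0420"},
    {"id": "fs01-0422", "created": "2025-04-22T01:00:00+00:00", "data": b"clean-archive-0422"},
    {"id": "fs01-0424", "created": "2025-04-24T01:00:00+00:00", "data": b"archive-0424-post-intrusion"},
]
# Hypothetical key kept outside the backup domain. A keyed digest over the catalog is
# the stand-in here for an immutable record that backup-admin credentials cannot rewrite.
MANIFEST_KEY = b"example-offline-manifest-key"

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def _manifest_body(entries):
    return "\n".join(f"{k}|{v['created']}|{v['sha256']}"
                     for k, v in sorted(entries.items())).encode()

def build_manifest(backups, key=MANIFEST_KEY):
    """Record id, creation time and digest of each backup at write time, then sign it."""
    entries = {b["id"]: {"created": b["created"], "sha256": sha256(b["data"])}
               for b in backups}
    mac = hmac.new(key, _manifest_body(entries), "sha256").hexdigest()
    return {"entries": entries, "mac": mac}

def manifest_is_authentic(manifest, key=MANIFEST_KEY):
    expected = hmac.new(key, _manifest_body(manifest["entries"]), "sha256").hexdigest()
    return hmac.compare_digest(manifest["mac"], expected)

def select_restore_point(manifest, backups, infection_time, margin=timedelta(hours=12)):
    """Return (backup_id, reason): the newest backup created before infection_time
    minus `margin` whose digest still matches the signed manifest, or None."""
    if not manifest_is_authentic(manifest):
        return None, "manifest signature invalid: treat the whole catalog as untrusted"
    cutoff = datetime.fromisoformat(infection_time) - margin
    for b in sorted(backups, key=lambda b: b["created"], reverse=True):
        if datetime.fromisoformat(b["created"]) >= cutoff:
            continue  # written during or after the intrusion: may carry poisoned data
        entry = manifest["entries"].get(b["id"])
        if entry is None or entry["sha256"] != sha256(b["data"]):
            continue  # altered since it was recorded: do not restore from it
        return b["id"], "verified backup from before the infection window"
    return None, "no verified backup predates the infection window"
```

Feeding in the visible encryption time instead of the forensically established time of infection selects the post-intrusion backup, which is the failure mode the NIST playbook step is meant to prevent; when every backup falls inside the infection window, no restore point is returned at all.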
Where Legacy Email Security Leaves the Door Open
Legacy email security tools often struggle with the socially engineered attacks that start modern ransomware campaigns. The detection gaps in traditional email security tools directly enable the ransomware kill chain documented above.
Secure email gateways (SEGs) inspect inbound email at the perimeter against known-bad indicators: signatures, URL reputations, and keyword patterns. This model has structural limitations that sophisticated attackers routinely exploit.
Signature-Based Detection Misses Novel Campaigns
Signature-based detection requires a previously cataloged fingerprint to trigger a match. It structurally cannot detect what it has never indexed. Attackers exploit the window between campaign launch and signature creation, meaning the earliest phase of any novel campaign passes through undetected.
Reputation Filtering Fails Against Trusted Infrastructure
Reputation filtering can struggle when attackers route phishing content through major cloud platforms that carry built-in domain trust. These emails pass DMARC and SPF validation because they technically originate from authorized infrastructure.
CISA's phishing guidance identifies this at the protocol level: email authentication mechanisms verify that an email was sent from authorized infrastructure for a given domain but "do not and cannot verify whether the person controlling that infrastructure has malicious intent."
Rule-Based Filters Cannot Read Intent
Rule-based filters often miss business email compromise (BEC) attacks because those messages frequently contain no malicious technical payload. They are plain-text social engineering. Rule-based filters are designed to match against malicious indicators; BEC attacks are specifically constructed to contain none.
The same CISA phishing guidance cited above explicitly recommends behavioral and anomaly-based detection capabilities because BEC-style attacks do not produce discrete indicators of compromise.
Closing the Gap Between Backup Recovery and Attack Prevention
Modern ransomware defense requires recoverability and earlier detection at the email layer. Data backup strategies remain necessary, but modern ransomware operators exfiltrate data and compromise backup infrastructure before recovery plans can be implemented. Organizations need to stop attacks before data leaves the network and before backup infrastructure is compromised.
Email remains a primary entry point for the credential theft and social engineering that initiate ransomware kill chains. Traditional email security tools often struggle to detect the socially engineered, payload-free attacks that begin these campaigns. Behavioral AI, which models normal communication patterns and identity signals to flag deviations, is designed to detect the contextual and identity-based attacks that rule-based systems miss.
Recognized as a Leader in the Gartner® Magic Quadrant™, Abnormal is designed to help surface these threats at the email layer, complementing existing infrastructure to help stop the attack chain before it reaches backup systems.