Your Backups Were Gone Before You Saw the Ransom Note

May 05, 2026 · 3 min read

A business owner arrives at work, turns on their computer, and sees the ransom demand filling the screen. Their first instinct is relief: they have backups. Then the call comes back from IT, and the news is not what they expected: the backups are gone, too.

This is not a rare or unlucky outcome but the intended result of how modern ransomware attacks are designed.

The attack already happened weeks ago

Ransomware groups changed their approach years ago, once they noticed that businesses with good backups simply were not paying ransoms. If a company could restore its data in a day or two, the leverage disappeared, so attackers adapted by making backup destruction their first priority, not an afterthought.

Before any file gets locked, a modern ransomware attack spends days or weeks inside a network quietly removing the recovery options. The moment files get locked is not the start of the attack but the end of it, and by the time that ransom note is visible, the work that actually mattered is already done.

What the attacker does before you know they are there

The sequence follows a consistent pattern: gain access through a phishing email or a stolen password; quietly escalate to the administrator accounts that control everything on the network; disable the security tooling and alerts that would otherwise give them away; find and destroy the backup system, including any copies it keeps online; then lock the files and finally make their presence known.

Steps one through four can take weeks, and most businesses have no indication anything is happening during that time.

Why your backup system is easy to reach

This is the part that surprises most business owners. The backup system in a typical business shares the same logins as the rest of the network: the backup server is joined to the same domain, the backup software runs under a network administrator account, and the backup console is reachable from ordinary workstations. Whoever controls one controls the other. Once an attacker gets hold of an administrator account, which is where a single successful phishing email frequently ends up after a few days of privilege escalation, the backup system is just as accessible as any other part of the network. There is no extra wall to climb, and the same login that unlocks everything else also unlocks the backups.

Some attackers go further by quietly corrupting restore points over several weeks, so that by the time a recovery is attempted, the backups themselves are already damaged. Others simply wait inside the network until the full backup-retention window has cycled through, so that every restore point still available was taken after they arrived and carries their changes, before the file-locking begins.

What genuinely protected backups look like

A backup strategy that holds up against a modern ransomware attack has a few specific characteristics: the backup data is stored somewhere not accessible using the same logins as the rest of your systems (a separate account or provider with its own credentials and multi-factor authentication, not another server on the same domain); some or all copies are stored in a way that prevents them from being changed or deleted, even by someone with full access to the network, which means the protection cannot be enforced by the same accounts that run the network, and those unchangeable copies must be kept for longer than the weeks an attacker may spend inside before locking files, or they too will have cycled out; and the backups are tested regularly, not just created, by actually restoring and checking them, so that silent damage is caught before it matters.
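The "tested regularly" point above, and the slow corruption of restore points described earlier, are the ones most often skipped. The script below is an added illustration, not code from the original post or from any backup product: it records a SHA-256 manifest of each restore point in a separate location that stands in for storage the network's administrator credentials cannot reach, then verifies every restore point against its manifest. Everything in it is constructed for the example (the directory layout, the date-named restore points, the sample files); a real deployment would back the manifest store with a separate account, object-lock bucket or offline media.

```python
"""Added example: verify restore points against out-of-band manifests.

Assumptions (hypothetical, for illustration only):
- each restore point is a directory of files under a backup root
- at backup time a SHA-256 manifest of the point is written to a separate
  manifest root, representing storage that the ordinary network admin
  accounts cannot modify; if an attacker can edit the manifests too, the
  comparison below proves nothing
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(point_dir: Path) -> dict:
    """Map every file in a restore point (relative POSIX path) to its digest."""
    return {
        p.relative_to(point_dir).as_posix(): sha256_file(p)
        for p in sorted(point_dir.rglob("*"))
        if p.is_file()
    }


def record_point(point_dir: Path, manifest_root: Path) -> Path:
    """Write the manifest for one restore point into the out-of-band store."""
    manifest_root.mkdir(parents=True, exist_ok=True)
    out = manifest_root / f"{point_dir.name}.json"
    out.write_text(json.dumps(build_manifest(point_dir), indent=1))
    return out


def verify_point(point_dir: Path, manifest_root: Path) -> list:
    """Return the problems found; an empty list means the point is intact."""
    manifest_file = manifest_root / f"{point_dir.name}.json"
    if not manifest_file.exists():
        return ["no manifest recorded for this restore point"]
    expected = json.loads(manifest_file.read_text())
    actual = build_manifest(point_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"digest mismatch: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected file: {rel}")
    return problems


def verify_all(backup_root: Path, manifest_root: Path) -> dict:
    """Check every restore point; run this on a schedule, not just after an incident."""
    return {
        p.name: verify_point(p, manifest_root)
        for p in sorted(backup_root.iterdir())
        if p.is_dir()
    }


def demo() -> dict:
    """Constructed scenario: three weekly restore points, then quiet tampering."""
    base = Path(tempfile.mkdtemp())
    backups = base / "backups"
    manifests = base / "manifests_out_of_band"
    for name in ("2026-04-13", "2026-04-20", "2026-04-27"):
        point = backups / name
        (point / "finance").mkdir(parents=True)
        (point / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (point / "notes.txt").write_text(f"backup taken {name}\n")
        record_point(point, manifests)
    # An attacker holding network admin credentials alters one restore point
    # and deletes a file from another; the manifests are out of reach, so the
    # scheduled check still reports the truth before the good point ages out.
    (backups / "2026-04-20" / "finance" / "ledger.csv").write_text("acct,amount\n1001,0.00\n")
    (backups / "2026-04-27" / "notes.txt").unlink()
    return verify_all(backups, manifests)


if __name__ == "__main__":
    for point, problems in demo().items():
        print(point, "OK" if not problems else problems)
```

Running this reports the 2026-04-13 point as intact, a digest mismatch in 2026-04-20 and a missing file in 2026-04-27. The design choice that matters is where the manifests live: the check is only as trustworthy as the separation between the backup store, the manifest store and the credentials an attacker is likely to hold.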

Most small businesses do not have this level of separation in place. This is not a criticism, as it’s simply not something the average business owner would know to ask for.

Let's talk about your backup setup

If you are not certain whether your backups could survive a targeted attack, that conversation is worth having. The question is not whether you have backups but whether those backups are out of reach of anyone who might break into your systems. Get in touch, and we can take a look at what you have.
