Backups fail in ransomware attacks because attackers hunt them first
Ransomware operators no longer just encrypt production systems — they systematically destroy backups before triggering payloads. The standard kill chain runs from initial access through credential theft and lateral movement to backup discovery and destruction, then encryption. By the time the ransom note appears, recovery points are already gone. Acronis reports a 50% rise in attacks in the latest half-year period.
The recurring failure modes are architectural: backup systems share domains and credentials with production, sit reachable from compromised hosts, lack MFA on consoles, and run without immutability. Attackers wipe Volume Shadow Copies, abuse legitimate admin tooling (living-off-the-land), target hypervisor snapshots, and exploit cloud backup APIs. Siloed backup tooling that doesn’t feed security monitoring lets these actions proceed undetected.
The defensive shift is toward immutability enforced at the storage layer (WORM, time-locked retention) combined with identity separation, network isolation of backup infrastructure, behavioral monitoring of backup activity, and tested restore procedures. The piece is a sponsored argument for consolidating backup and security into a single platform — Acronis Cyber Platform — but the underlying technical point holds: a backup that an admin credential can delete is not a recovery mechanism, it’s a single point of failure.
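The closing point, that a backup an admin credential can delete is a single point of failure, is easy to turn into a check. The following Python model of time-locked retention is an added example, not code from the article or from Acronis; the class and function names are my own and the three recovery points are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class RecoveryPoint:
    name: str
    retain_until: datetime   # time lock: no deletion before this instant
    lock_mode: str           # "compliance": no override at all; "governance": privileged override

class ImmutableBackupStore:
    """Models WORM storage with time-locked retention: deletion is decided by the clock and lock mode, not the caller."""
    def __init__(self, now: datetime):
        self.now = now
        self.points: dict[str, RecoveryPoint] = {}
        self.audit: list[str] = []   # events to forward to security monitoring, not a local log
    def write(self, name: str, retention_days: int, lock_mode: str = "compliance") -> None:
        self.points[name] = RecoveryPoint(name, self.now + timedelta(days=retention_days), lock_mode)
    def delete(self, name: str, principal: str, privileged: bool = False) -> bool:
        rp = self.points.get(name)
        if rp is None:
            return False
        locked = self.now < rp.retain_until
        override = rp.lock_mode == "governance" and privileged
        if locked and not override:
            self.audit.append(f"DENY delete {name} by {principal}: locked until {rp.retain_until:%Y-%m-%d}")
            return False
        self.audit.append(f"ALLOW delete {name} by {principal}")
        del self.points[name]
        return True
    def extend_retention(self, name: str, extra_days: int) -> bool:
        # Retention may only move later; shortening it would let an attacker unlock a point early.
        if extra_days <= 0:
            self.audit.append(f"DENY shorten retention on {name}")
            return False
        self.points[name].retain_until += timedelta(days=extra_days)
        return True

def deletable_by_admin(store: ImmutableBackupStore) -> list[str]:
    """Recovery points a compromised admin credential could wipe right now."""
    return sorted(n for n, rp in store.points.items()
                  if store.now >= rp.retain_until or rp.lock_mode == "governance")

def demo_store() -> ImmutableBackupStore:
    """Constructed sample: a fixed clock and three recovery points (not real data)."""
    s = ImmutableBackupStore(datetime(2024, 6, 1, tzinfo=timezone.utc))
    s.write("nightly-0601", 30)                           # compliance lock, 30 days
    s.write("nightly-0531", 30, lock_mode="governance")   # an admin may override
    s.write("nightly-0401", -30)                          # lock already expired
    return s
```

Running `deletable_by_admin(demo_store())` lists the governance-locked and expired points as the ones a stolen admin credential could destroy; only the compliance-locked point survives a privileged delete.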
Read the full article at BleepingComputer. This is an AI-generated summary; read the original for the full story.