Your Backups Won't Survive Ransomware. Test It in 1h
Most companies have backups. Few can actually restore after ransomware. Run this one-hour test to find out, before an attacker does it for you.
WebDirect Team

"We have backups" is one of the most dangerous sentences in IT. It feels like an answer. It is usually a hope.

A backup you have never restored is not a backup. It is a hypothesis. And ransomware is built specifically to disprove that hypothesis: modern attackers go after your backups first, before they encrypt anything you would notice.

You do not need a consultant to find out where you stand. You need about an hour. Here is the test.
Key takeaways
- Backups are the primary target, not an afterthought. Around 96% of ransomware attacks go after backup repositories, and roughly 76% of those attempts succeed (Veeam 2024).
- Having backups and being able to recover are different things. The gap is testing, isolation, and immutability.
- Small and mid-sized companies are the main target. The median ransomware victim has about 228 employees (Coveware, Q1 2025), not thousands.
- When backups are compromised, recovery costs run far higher, by roughly 8x in some analyses.
- You can self-assess in about an hour with three concrete tests. If any answer is "no" or "we don't know," you have a finding.
Why "we have backups" is not the answer you think it is
Attackers learned years ago that backups are the one thing standing between them and a paid ransom. So they hunt them. Current data shows backup repositories are targeted in the vast majority of attacks, and most of those attempts succeed at degrading the victim's ability to recover.

It gets worse. Attackers now sit inside networks for several days before pulling the trigger, often four to five days, quietly finding and corrupting or deleting backup copies so that when encryption hits, there is nothing clean to restore from. If your backups are reachable from the same network and credentials the attacker already owns, they are not a safety net. They are just more files to encrypt.

This is why so many organizations that "had backups" still paid. In 2025, only about 54% of victims actually used backups to restore, a multi-year low, largely because those backups were compromised (Sophos 2025).

The one-hour test
Block one hour. Take one critical system. Do not theorize; actually try.

Test 1, the restore (about 20 min). Pick one important system or dataset. Restore it to an isolated, separate environment. Time it. The point is not perfection, it is reality: can you do it at all, does anyone know how, and how long does it take? If the honest answer is "we have never actually tried," that is finding number one, and it is the most common one.

Test 2, the isolation (about 15 min). Find one backup copy that is offline or immutable, meaning it cannot be changed or deleted from the production environment. If every copy you have is online and writable using production credentials, then ransomware that reaches production reaches your backups too. One protected copy is the difference between a bad week and a closed business.

Test 3, the clock (about 15 min). Check the last date a restore was actually tested, not the last date a backup job reported success; those are different things. A green backup job tells you data was copied, not that it can come back. Then ask: what is our recovery time objective, that is, how many hours until we are operational again? If nobody can answer, that is the finding.

Bonus (about 10 min). Confirm that restored data is scanned for malware before it goes back into production. Roughly 44% of organizations stage and re-scan data before reintroducing it (Veeam). Skipping this is how companies reinfect themselves during recovery.

Scoring is simple. Every "no," "never," or "we don't know" is a gap that an attacker will find for you.

What ransomware-resilient backups actually look like
The fix is not "more backups." It is backups built to survive an attacker who is already inside:
- The 3-2-1 baseline: three copies, two media types, one off-site, with at least one copy immutable or air-gapped.
- Backups isolated from production credentials, so a compromised admin account cannot reach them.
- Endpoint detection and response (EDR) to catch the intruder during those four to five quiet days, before they touch the backups.
- Encryption of data at rest and in transit.
- A documented, tested restore with a known recovery time objective, rehearsed at least once or twice a year.
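
To make Test 1 and the "documented, tested restore with a known recovery time objective" concrete, here is an added example (not part of the original article) that checks a restored tree against a SHA-256 manifest and compares the measured restore time with the RTO. It assumes you record such a manifest at backup time; the function names, sample files and timing figures are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(expected, restored_root, restore_seconds, rto_seconds):
    """Return a list of findings; an empty list means the restore test passed."""
    actual = build_manifest(restored_root)
    findings = [f"missing: {n}" for n in sorted(expected.keys() - actual.keys())]
    # Files that were never in the backup deserve the malware re-scan first.
    findings += [f"unexpected: {n}" for n in sorted(actual.keys() - expected.keys())]
    findings += [f"modified: {n}" for n in sorted(expected.keys() & actual.keys())
                 if expected[n] != actual[n]]
    if restore_seconds > rto_seconds:
        findings.append(f"rto exceeded: {restore_seconds:.0f}s > {rto_seconds:.0f}s")
    return findings


def demo():
    """Constructed sample: a tiny 'production' tree and a damaged restore of it."""
    with tempfile.TemporaryDirectory() as tmp:
        prod, restored = Path(tmp, "prod"), Path(tmp, "restored")
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "orders.csv").write_text("id,total\n1,40\n")
        (prod / "app.conf").write_text("mode=prod\n")
        manifest = build_manifest(prod)              # recorded at backup time
        shutil.copytree(prod, restored)              # stand-in for the real restore
        (restored / "app.conf").write_text("mode=??\n")      # corrupted file
        (restored / "db" / "orders.csv").unlink()            # file lost in restore
        (restored / "readme.txt").write_text("new file\n")   # not in the backup
        # Assumed figures: a 5400 s restore measured against a 4-hour RTO.
        return verify_restore(manifest, restored, 5400, 4 * 3600)


if __name__ == "__main__":
    print("\n".join(demo() or ["restore verified within RTO"]))
```

Replace the `copytree` stand-in with your real restore job and pass in its measured duration; any non-empty result is a finding for the scoring step.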
Find your gaps before an attacker does
Our 🛡️ Security and Backup package covers exactly this: a 3-2-1 strategy with immutable copies, EDR, encryption, and a tested restore with a defined recovery time. Fixed scope, fixed price from $1,860, with a written quote within 4 working hours. No retainer required, no surprise invoice.

If you only harden one thing this quarter, make it the thing an attacker is already planning to take from you.
