Ransomware Attacks Are Systematically Destroying Backups: Here’s Why Recovery Fails
Ransomware attacks increasingly target backup systems, rendering traditional recovery strategies ineffective. According to Acronis’ Cyberthreats Report H2 2025, ransomware incidents surged by 50% last year, with attackers deliberately dismantling backups before deploying encryption. Backup infrastructure, once considered a failsafe, has become a single point of failure in modern cyberattacks.
How Attackers Compromise Backups
Most ransomware attacks follow a predictable sequence:
- Initial access (phishing, exploits)
- Credential theft (harvesting admin privileges)
- Lateral movement (spreading across networks)
- Backup discovery (locating and mapping backup systems)
- Backup destruction (deleting or encrypting backups)
- Ransomware deployment (encrypting production data)
Once attackers gain administrative access, they exploit weak security controls to:
- Delete or encrypt backup files and snapshots (including Volume Shadow Copies on Windows).
- Disable backup agents and scheduled jobs (using legitimate admin tools).
- Modify retention policies (erasing recovery points).
- Exploit cloud backup APIs (targeting unprotected storage).
By the time ransomware executes, recovery options are often already eliminated.
Why Backups Fail in Ransomware Incidents
Acronis’ incident response investigations reveal recurring vulnerabilities:
- No isolation between production and backup – Backup systems often share the same domain, credentials, and network access as compromised hosts.
- Weak access controls – Lack of multifactor authentication (MFA) and overprivileged service accounts allow easy entry.
- No immutability – Traditional backups can be modified or deleted, offering little resistance.
- Untested recovery processes – Organizations frequently discover backups are incomplete, corrupted, or too slow to restore at scale.
- Siloed security and backup tools – Attacks on backup infrastructure go undetected due to fragmented monitoring.
The Critical Role of Immutability
Immutable backups, meaning storage that cannot be altered or deleted for a set period, are essential for ransomware resilience. Key features include:
- Write-once, read-many (WORM) storage (preventing modifications).
- Time-based retention locks (enforcing recovery point availability).
- Protection against API and credential misuse (securing access at the storage layer).
Even with full administrative access, attackers cannot alter or delete an immutable backup before its retention lock expires, so a clean recovery point remains available.
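To make the storage-layer semantics above concrete, here is an added Python model of a WORM store with time-based retention locks; it is illustrative code, not Acronis's or any product's implementation, and the class names, method names and recovery-point name are assumptions. Overwrite is refused, retention can only be extended, and delete is refused until the lock expires regardless of the caller's admin flag.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

class ImmutabilityViolation(PermissionError):
    "Raised when a request would alter or remove a locked recovery point."

@dataclass
class RecoveryPoint:
    payload: bytes
    retain_until: datetime   # time-based retention lock

@dataclass
class ImmutableStore:
    """Hypothetical WORM store: the lock is enforced at the storage layer and never
    consults the caller's role, so a stolen admin credential gains nothing."""
    points: dict = field(default_factory=dict)

    def write(self, name, payload, retain_days, now):
        if name in self.points:                      # write-once, read-many
            raise ImmutabilityViolation(f"{name}: exists, cannot overwrite")
        self.points[name] = RecoveryPoint(payload, now + timedelta(days=retain_days))

    def set_retention(self, name, new_until):
        if new_until < self.points[name].retain_until:   # extension only
            raise ImmutabilityViolation(f"{name}: retention can only be extended")
        self.points[name].retain_until = new_until

    def delete(self, name, now, caller_is_admin=False):  # admin flag deliberately ignored
        if now < self.points[name].retain_until:
            raise ImmutabilityViolation(f"{name}: locked until {self.points[name].retain_until}")
        del self.points[name]

def _attempt(fn):
    try:
        fn()
        return "succeeded"
    except ImmutabilityViolation:
        return "blocked"

def simulate(now=datetime(2025, 1, 1, tzinfo=timezone.utc)):
    "Try the article's three destruction actions on a locked point, then a lifecycle delete after expiry."
    store = ImmutableStore()
    store.write("db-full-2025-01-01", b"full backup", retain_days=30, now=now)
    return {   # evaluated in order; the point survives the first three attempts
        "overwrite": _attempt(lambda: store.write("db-full-2025-01-01", b"\x00" * 11, 30, now)),
        "shorten_retention": _attempt(lambda: store.set_retention("db-full-2025-01-01", now)),
        "early_delete_as_admin": _attempt(lambda: store.delete(
            "db-full-2025-01-01", now + timedelta(days=1), caller_is_admin=True)),
        "delete_after_expiry": _attempt(lambda: store.delete("db-full-2025-01-01", now + timedelta(days=31))),
    }
```

Calling `simulate()` returns the outcome of each action; only the deletion after the 30-day lock has expired succeeds.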
Building a Ransomware-Resilient Backup Strategy
To counter modern threats, organizations must adopt a resilience-first approach, integrating security and backup into a unified framework. Key measures include:
- Enforcing identity separation – Using dedicated credentials and MFA for backup systems.
- Isolating backup environments – Segmenting networks and restricting access.
- Implementing immutable backups – Preventing deletion or modification.
- Monitoring backup activity – Detecting abnormal behavior early.
- Testing recovery processes – Validating backups can be restored under attack conditions.
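As an added example of the monitoring measure above (not part of the original article or any Acronis product), the following Python runs simple detection rules over a constructed backup-server audit trail; the key=value log format, field names, thresholds and dedicated-account list are all assumptions. It flags the four behaviours the article describes: shortened retention, disabled agents or jobs, bulk snapshot deletion, and backup-console activity from a non-dedicated production identity.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Identity separation: only these dedicated accounts should ever touch the backup
# console. Constructed names, not real accounts.
DEDICATED_BACKUP_ADMINS = {"svc-backup@backup.local", "backup-operator@backup.local"}
BULK_DELETE_THRESHOLD = 3                   # snapshot deletions by one user ...
BULK_DELETE_WINDOW = timedelta(minutes=10)  # ... within this window

# Constructed backup-server audit trail in a hypothetical key=value format.
SAMPLE_LOG = """\
2025-03-04T01:58:10Z user=svc-backup@backup.local action=job.run target=nightly-full
2025-03-04T02:13:07Z user=jdoe@corp.local action=retention.update target=policy-default old_days=30 new_days=1
2025-03-04T02:13:41Z user=jdoe@corp.local action=agent.disable target=fileserver-03
2025-03-04T02:14:02Z user=jdoe@corp.local action=snapshot.delete target=fileserver-03
2025-03-04T02:14:05Z user=jdoe@corp.local action=snapshot.delete target=sql-01
2025-03-04T02:14:09Z user=jdoe@corp.local action=snapshot.delete target=dc-02
2025-03-04T03:00:00Z user=backup-operator@backup.local action=snapshot.delete target=test-vm-expired
"""

def parse(line):
    ts, rest = line.split(" ", 1)
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event

def detect(log_text):
    """Return (timestamp, rule, detail) alerts for the backup-destruction behaviours the
    article lists: retention shortened, agents or jobs disabled, bulk snapshot deletion,
    and any backup-console action from a non-dedicated (production) identity."""
    alerts = []
    recent_deletes = defaultdict(list)       # user -> timestamps of snapshot.delete
    for ev in map(parse, log_text.splitlines()):
        user, action, target = ev["user"], ev["action"], ev["target"]
        if user not in DEDICATED_BACKUP_ADMINS:
            alerts.append((ev["ts"], "non_dedicated_identity", f"{user} ran {action} on {target}"))
        if action == "retention.update" and int(ev["new_days"]) < int(ev["old_days"]):
            alerts.append((ev["ts"], "retention_shortened", f"{target}: {ev['old_days']} -> {ev['new_days']} days"))
        if action in ("agent.disable", "job.disable"):
            alerts.append((ev["ts"], "backup_disabled", f"{action} on {target}"))
        if action == "snapshot.delete":
            window = [t for t in recent_deletes[user] if ev["ts"] - t <= BULK_DELETE_WINDOW] + [ev["ts"]]
            recent_deletes[user] = window
            if len(window) == BULK_DELETE_THRESHOLD:     # fire once, when the threshold is crossed
                alerts.append((ev["ts"], "bulk_snapshot_delete", f"{user}: {len(window)} deletions in 10 min"))
    return alerts

def rules_fired(log_text=SAMPLE_LOG):
    return sorted({rule for _, rule, _ in detect(log_text)})
```

On the sample trail the routine backup-operator deletion raises nothing, while the production account's burst of retention changes, agent disabling and deletions triggers all four rules.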
The Shift to Integrated Cyber Protection
Traditional architectures, in which endpoint protection, backup, and monitoring operate in silos, create blind spots that attackers exploit. A more effective model consolidates these capabilities into a unified platform, enabling:
- Threat detection before backup compromise (identifying attacks early).
- Protection of backup infrastructure (applying the same security rigor as production systems).
- Verified recovery points (ensuring backups remain intact).
- Centralized visibility (monitoring anomalies across environments).
The Core Problem: Exposed Backups
Backups remain critical to ransomware defense, but only if they are designed to withstand active attacks. The fundamental problem is not the absence of backups but their lack of security. To ensure recovery in today's threat landscape, organizations must rethink backup architecture with immutability, isolation, monitoring, and integration at its core. Without these safeguards, backups become just another target.
Acronis TPRM report: https://www.rankiteo.com/company/acronis