Myth: We Have Backups and Can Just Pay the Ransom — So Ransomware Isn't a Big Threat
By Jean-Yves PASQUIER on October 2, 2025
Ransomware attacks have become a billion-dollar industry. It is an evolving, hyper-profitable business that hits companies of all sizes and activities. In this post, third in a series about common myths in cloud cybersecurity, we discuss the dangerous misconception that having backups and the willingness to pay ransom provides adequate protection against modern ransomware threats. You can read our previous post in which we explain why the cloud alone won’t save you: Myth: “The Cloud Has My Back”.
It’s a common belief in cybersecurity:
“We’re not too worried about ransomware. We have strong backups — and worst case, we could just pay the ransom.”
Unfortunately, that confidence is dangerously outdated.
Modern ransomware groups don’t just encrypt your data—they delete your backups, steal your files, threaten to leak them, and still may not restore your systems even if you pay. The ransomware landscape of 2025 has evolved far beyond simple file encryption schemes. Today’s cybercriminals operate sophisticated, multi-stage attacks that specifically target the very safeguards businesses think will protect them.
Let’s break down why backups + willingness to pay ≠ protection in 2025.
Attackers Target Your Backups First
Ransomware operators know backups are your last line of defense, so they destroy them before triggering encryption. This isn’t an accident or oversight; it’s a calculated strategy that has become standard operating procedure for virtually every major ransomware group.
The approach is methodical and devastating. Modern ransomware operators spend weeks or even months inside victim networks, carefully mapping out backup infrastructure, identifying storage locations, and understanding recovery procedures. They study your backup schedules, locate offline storage systems, and identify administrative credentials that could grant access to backup management systems.
The NSA and CISA repeatedly warn that attackers “deliberately search for and delete backups or shadow copies” before deploying ransomware. This warning isn’t theoretical; it’s based on thousands of real-world incidents where victims discovered their supposedly secure backup systems had been systematically compromised.
Many ransomware strains like Ryuk, LockBit, and Conti include automated scripts to wipe snapshot folders and disable backup agents. These scripts don’t just delete files; they corrupt backup databases, modify backup configurations to fail silently, and even manipulate backup verification processes to report success when backups are actually incomplete or corrupted.
The 2021 ransomware attack on Waikato District Health Board in New Zealand is a clear example of attackers deliberately targeting backup infrastructure. According to public reporting, the intruders not only encrypted core hospital systems but also deleted most of the existing backups, severely hindering recovery efforts. This demonstrates that having backups is not enough—if adversaries gain deep access before detection, they may actively destroy or tamper with recovery mechanisms to eliminate fallback options.
This patient, methodical approach has become the gold standard for professional ransomware operations. Groups like LockBit and BlackCat have developed sophisticated toolkits specifically designed to identify and neutralize backup systems. They target everything from traditional tape backups to modern cloud-based solutions, ensuring that when the encryption phase begins, victims have no alternative but to negotiate.
Understanding what makes backups truly ransomware-resistant requires examining three critical characteristics that work together to create an effective defense:
- Immutable backups cannot be modified or deleted once written. This isn’t just about setting file permissions—true immutability is enforced at the storage level using technologies like WORM (Write Once, Read Many) storage or blockchain-based verification. When attackers gain administrative access to your network, they can typically override standard file protections, but they cannot alter storage that is physically or cryptographically immutable. Modern cloud providers offer immutable storage options where even account administrators cannot delete data before a predetermined retention period expires.
- Segmented backups are isolated from production networks through air-gapped storage, network segmentation, or zero-trust access controls. The key principle is that backup systems should not be accessible from the same network paths that attackers use to move laterally through your infrastructure. This might involve offline tape storage rotated to secure locations, cloud storage accessed through dedicated network connections, or backup systems that only accept data during specific time windows and are otherwise completely disconnected from production networks.
- Access-controlled backups implement strict authentication and authorization that prevents unauthorized access even by compromised administrative accounts. This involves multi-factor authentication for backup administrators, role-based access that limits which personnel can access different backup sets, and privileged access management that requires explicit approval for backup restoration operations.
Only backups that combine immutability, segmentation, and access control survive determined ransomware attacks—and even these require careful implementation, regular testing, and continuous monitoring to remain effective against evolving criminal tactics.
Double Extortion: They Still Win Even If You Can Restore
Even if you could recover systems from backup, attackers now use data theft as leverage. The era of simple encryption-based ransomware ended years ago. Today’s attacks follow what cybersecurity experts call the “double extortion” model, where data theft occurs before encryption, creating multiple pressure points for victims.
This evolution fundamentally changes the ransomware equation. Even organizations with perfect backup systems and rapid recovery capabilities find themselves trapped by the threat of data exposure. The stolen data becomes a separate ransom demand, often exceeding the cost of the original encryption ransom.
66% of ransomware attacks now involve data exfiltration before encryption. This statistic represents a complete transformation of the threat landscape. Modern ransomware operations are intelligence-gathering missions first and encryption attacks second. Criminals spend substantial time identifying the most sensitive and valuable data within victim networks before beginning the encryption process.
The sophistication of these data theft operations is remarkable. Attackers don’t simply grab random files—they conduct targeted reconnaissance to identify intellectual property, customer databases, financial records, and other high-value information. They understand which data types will create the most pressure for payment and focus their exfiltration efforts accordingly.
If you refuse to pay, groups like LockBit, BlackCat, and Clop publish your data on leak portals or Telegram channels, or email your customers directly. These aren’t idle threats; they represent well-established business processes for criminal organizations. The leak sites operate like professional marketplaces, complete with search functionality, victim profiles, and countdown timers that create artificial urgency for payment.
The psychological warfare extends beyond simple publication. The Egregor group once hacked victims’ printers to spam ransom notes across offices. This wasn’t just about creating awareness—it was about demonstrating the depth of network penetration and creating panic among employees and customers.
REvil even launched public auctions of stolen corporate data, turning data breaches into public spectacles. These auctions attracted not just competitors looking for industrial espionage opportunities, but also other criminal groups seeking to weaponize the stolen information for additional attacks.
Restoring from backup doesn’t undo reputation damage, regulatory violations, or competitive intelligence losses.
“We’ll Just Pay the Ransom” — That Rarely Works Out
Paying the ransom sounds like a shortcut, especially when faced with mounting pressure from customers, regulators, and business continuity requirements. But the data tells a different story—one where payment rarely leads to full recovery and often creates additional problems.
The harsh reality is that ransomware groups are criminal organizations, not legitimate service providers. They have no customer service departments, no service level agreements, and no legal recourse if they fail to deliver on their promises. Even when groups have reputations for “reliable” decryption, technical failures, corrupted keys, and incomplete recoveries are common.
According to the Sophos 2024 report, 68% of victims used their own backups and 56% paid the ransom (47 did both!). Often the recovered data is corrupted or incomplete.
The technical challenges of ransomware decryption are substantial. Decryption keys may be corrupted, incomplete, or applied incorrectly. The decryption process itself can fail partway through, leaving systems in an unstable state that’s worse than the original encryption. Some ransomware variants have inherent flaws that make complete decryption impossible, even when attackers provide legitimate keys.
In one well-documented incident, a company paid ALPHV/BlackCat, and still had their data leaked publicly. This case illustrates how payment doesn’t guarantee compliance with criminal promises. The organization found itself paying twice—once for decryption that didn’t work properly, and again through the costs associated with data breach notification, legal liability, and reputation management.
The repeat victimization statistic is particularly concerning. Organizations that pay ransom essentially advertise their willingness to negotiate with criminals and their lack of adequate security controls. They become preferred targets for future attacks, creating a cycle of victimization that can persist for years.
Paying ransom is not recovery; it’s negotiating with someone holding your reputation hostage, with no guarantee of a successful outcome.
The Real Damage Isn’t the Ransom — It’s the Downtime
Even when backups do exist and decryption does work, business interruption is the real killer. The focus on ransom amounts obscures the much larger economic impact of extended downtime, customer loss, and recovery operations.
Modern businesses operate with just-in-time supply chains, real-time customer expectations, and interconnected systems that amplify the impact of any disruption. When ransomware strikes, the ripple effects extend far beyond the directly affected systems, creating cascading failures that can persist long after technical recovery is complete.
The hidden costs include forensic investigations to understand attack scope, legal fees for breach notification and regulatory compliance, customer service costs for managing angry clients, lost revenue from interrupted operations, and the long-term impact of reputation damage on customer acquisition and retention.
Recent high-profile attacks continue to illustrate these principles. The 2025 ransomware attack on Jaguar Land Rover disrupted production and supply chain operations across multiple facilities, demonstrating how modern attacks target operational technology alongside traditional IT systems. It forced Jaguar Group to ask the UK government for a 1.5 billion $ loan. Similarly, the attack on Marks & Spencer highlighted how retail organizations face unique challenges when customer-facing systems are compromised during peak business periods.
These cases show that successful ransomware attacks in 2025 target business continuity rather than just data availability. Modern attackers understand that causing maximum operational disruption creates the most pressure for payment, regardless of backup availability.
Final Word: Backups Are Essential — But Not Enough
“Having backups” is not the same as “being resilient.”
The myth that backups and ransom payment provide adequate ransomware protection reflects an outdated understanding of modern cyber threats. While backups remain a critical component of any security strategy, they must be part of a comprehensive approach that addresses the full scope of contemporary ransomware operations.
True ransomware resilience requires a defense-in-depth strategy that assumes backups will be targeted and that payment may not guarantee recovery. Organizations must invest in prevention, detection, and response capabilities that go far beyond traditional backup and recovery planning.
To truly neutralize ransomware risk, cybersecurity teams must implement comprehensive protection strategies that include protecting backups with immutability and segregation to ensure they survive targeted destruction attempts, monitoring for backup tampering and credential abuse to detect attacks before encryption begins, detecting data exfiltration early to prevent double extortion scenarios, and maintaining a tested incident response plan that addresses both technical recovery and business continuity challenges.
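The three backup characteristics above (immutability, segmentation, access control) and the call to monitor for backup tampering and credential abuse can be turned into concrete detection rules. The following is an added example, not PanIAM’s or AWS’s code: it scans CloudTrail-style records for actions that weaken or destroy an immutable backup bucket. The record layout mimics CloudTrail, but the parameter nesting, the bucket name, the role names and the sample events are all constructed for illustration.

```python
"""Flag backup-tampering in CloudTrail-style events (added example, not PanIAM code).
Layout mimics CloudTrail records; parameter nesting, names and sample events are constructed."""
from datetime import datetime, timedelta, timezone
BACKUP_BUCKETS = {"corp-backups-immutable"}   # assumed immutable backup store
BACKUP_ROLES = {"BackupWriterRole"}           # the only identity allowed to write it
MIN_RETENTION_DAYS = 30                       # policy floor for Object Lock retention
NOW = datetime(2025, 10, 2, tzinfo=timezone.utc)  # constructed evaluation time

def _role(ev):  # role name from arn:...:assumed-role/<Role>/<session>
    parts = ev.get("userIdentity", {}).get("arn", "").split("/")
    return parts[1] if len(parts) >= 3 else parts[-1]

def classify(ev, now=NOW):
    """Return finding strings for one event; an empty list means benign."""
    name, p = ev.get("eventName", ""), ev.get("requestParameters", {})
    if p.get("bucketName") not in BACKUP_BUCKETS:
        return []
    findings = []
    if _role(ev) not in BACKUP_ROLES:   # a compromised admin, not the backup role
        findings.append(f"credential-abuse: {_role(ev)} touched backup bucket")
    if name.startswith("Delete"):       # DeleteObjectVersion, DeleteBucketPolicy, ...
        findings.append(f"destruction: {name}")
    if name == "PutObjectRetention":    # GOVERNANCE can be bypassed; short dates give no lock
        ret = p.get("Retention", {})
        until = datetime.fromisoformat(ret.get("RetainUntilDate", "1970-01-01T00:00:00Z").replace("Z", "+00:00"))
        if ret.get("Mode") != "COMPLIANCE" or until < now + timedelta(days=MIN_RETENTION_DAYS):
            findings.append("immutability-weakened: retention not COMPLIANCE or below policy floor")
    if name == "PutBucketLifecycle":    # a short expiry rule silently empties the vault
        for rule in p.get("LifecycleConfiguration", {}).get("Rule", []):
            days = rule.get("Expiration", {}).get("Days")
            if days is not None and days < MIN_RETENTION_DAYS:
                findings.append(f"lifecycle-expiry: backups expire after {days} days")
    return findings

def scan(events, now=NOW):  # one alert per event that has at least one finding
    return [{"time": e["eventTime"], "findings": f} for e in events if (f := classify(e, now))]

def make_event(name, role, **params):  # constructed record, not captured CloudTrail output
    return {"eventTime": "2025-10-02T03:14:00Z", "eventName": name,
            "userIdentity": {"arn": f"arn:aws:sts::111122223333:assumed-role/{role}/s"},
            "requestParameters": params}

SAMPLE_EVENTS = [
    make_event("PutObject", "BackupWriterRole", bucketName="corp-backups-immutable", key="db/2025-10-02.tar"),
    make_event("DeleteObjectVersion", "AdminRole", bucketName="corp-backups-immutable", key="db/2025-10-01.tar"),
    make_event("PutBucketLifecycle", "AdminRole", bucketName="corp-backups-immutable",
               LifecycleConfiguration={"Rule": [{"Expiration": {"Days": 1}}]}),
    make_event("PutObjectRetention", "BackupWriterRole", bucketName="corp-backups-immutable",
               Retention={"Mode": "GOVERNANCE", "RetainUntilDate": "2025-10-03T00:00:00Z"}),
]
```

Running `scan(SAMPLE_EVENTS)` yields three alerts: the legitimate backup write is silent, while the admin-role deletion, the one-day lifecycle rule and the governance-mode retention each trigger a finding.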
The integration of these elements creates a security posture that makes ransomware attacks significantly less likely to succeed and dramatically reduces recovery time when attacks do occur. This approach transforms ransomware from an existential threat into a manageable business risk.
How PanIAM Helps You Build True Ransomware Resilience
At PanIAM, we don’t just help you recover; we help you prevent disaster before it happens. Our approach recognizes that modern ransomware attacks require modern defense strategies that go beyond traditional backup and recovery planning.
We provide visibility into data exfiltration behaviors, catching attackers before leaks occur. Our capabilities identify the subtle data-theft techniques used during attacks, giving you the opportunity to stop an attack before it succeeds.
Our blast radius analysis helps you understand how far an intruder could spread through your network, enabling you to implement targeted containment strategies that limit attack scope. This capability is crucial for preventing the lateral movement that allows attackers to find and destroy backup infrastructure.
Cloud providers protect infrastructure. We protect your responsibility—your data, your resilience, your reputation. While major cloud platforms provide excellent security for their infrastructure, the shared responsibility model means that data protection, access control, and threat detection remain your responsibility.
📩 Want to make ransomware irrelevant instead of inevitable? Let’s talk about building comprehensive resilience that goes beyond backups and ransom payments.