For years, the standard ransomware advice was "make sure you have backups." That advice is now incomplete in a way that's costing manufacturers weeks of downtime and, in some cases, the ransom payment they were trying to avoid.
The reason: ransomware operators have updated their playbook. Before they encrypt anything in production, they find your backups, and they encrypt or destroy those first.
According to Veeam's 2025 Data Protection Trends Report, over 93% of ransomware attacks now specifically target backup repositories as part of the attack sequence. The logic is straightforward: if the victim can restore quickly, they don't pay. So the attackers remove that option before they reveal themselves.
The IBM X-Force Threat Intelligence Index 2026 documents this as a deliberate strategic shift, which the report calls "recovery denial." Attackers are systematically targeting backup infrastructure, identity services, and virtualization management layers specifically to eliminate the victim's ability to recover without paying.
What "recovery denial" looks like in practice
The attacker gains initial access, typically through a phishing email, a compromised VPN credential, or an unpatched network appliance. Then they spend days or weeks moving laterally and mapping the environment. They're not looking for the crown jewels yet. They're looking for the backup server.
If your backup server is on the same network as your production environment and uses the same or similar credentials, they find it. They encrypt it first, or they delete the backup catalog, or they compromise the backup software console with admin access. By the time the ransomware payload executes across your production systems, your recovery option is already gone.
The three questions that determine your exposure
Whether your backups survive a ransomware attack comes down to three things:
1. Are they reachable from the production environment?
Backups stored on a network-attached share accessible from the same domain, or a backup server that uses the same admin credentials as your production servers, sit inside the blast radius. An attacker who has compromised your production environment has a path to them.
The standard that carriers and auditors now require is immutable backups (data that cannot be modified or deleted for a defined retention period, enforced at the storage level) or air-gapped backups (physically or logically disconnected from the production network), and preferably both.
2. Do backup admin accounts share credentials with production accounts?
This is the most common gap. The backup software console is protected by a local admin account using the same password rotation schedule (or lack thereof) as everything else. An attacker with domain admin on your production environment has a short path to the backup console.
Backup infrastructure should be managed through dedicated accounts that exist nowhere else: separate credentials, separate MFA, separate access paths. If compromising your production admin account also means compromising your backup admin account, you have one layer where you need two.
3. Has a restore actually been tested?
This is distinct from the first two, but it matters for a different reason. Even backups that are properly isolated can fail to restore if the process has never been rehearsed. The most common scenario: backups have been running nightly for two years, nobody has performed an actual restore test, and when ransomware hits, the restore process fails or takes five times longer than expected because the team is running it for the first time under pressure.
Carriers now require documented restore tests: timestamped, with screenshots, and completed within the last 90 days. A backup job completion log does not count.
How to find out where you stand
We built a short self-assessment (eight questions, two minutes) that scores your backup architecture against the criteria that ransomware operators are specifically targeting and that cyber insurance carriers are specifically requiring.
It doesn't ask for any system access or sensitive information. It asks about your architecture decisions. At the end, you get a score (Protected, At Risk, or Exposed) with a breakdown of which specific gaps your setup has.
If you'd rather talk through it directly, we can do a free 20-minute backup architecture review for manufacturers in the area. No pitch. Just a clear picture of where you stand before it matters.



