SE Security

April 16, 2026
BY PHILIP ROBB

The Ransomware Math: Why Backups Alone Won't Save You Anymore

Modern ransomware actively hunts for and encrypts your backup repositories. Here's what immutable, air-gapped, and tested actually mean — and what most small business backups still get wrong.

For about a decade, the standard small-business cybersecurity advice ended with “and have a good backup.” It worked, mostly, because ransomware attackers were lazy: they encrypted what was easy and moved on. If your backup was a different filesystem or another machine, you restored from it and went back to work.

That advice is now incomplete. Modern ransomware operators specifically hunt for backup repositories before they detonate the main encryption. The reasoning is mercenary and obvious: a victim with no backup pays. A victim with a working backup doesn’t.

This post walks the math on what it takes to have a backup that actually survives a modern attack.

What ransomware actually does in 2026

A typical ransomware playbook now looks like:

  1. Initial access. Phishing email, exposed RDP, supply chain compromise, or stolen credentials from a prior breach. Patient zero is usually a workstation.
  2. Reconnaissance. Several days of quiet exploration. The attacker maps your network, finds the file servers, finds the domain controllers, finds the backup server, finds the cloud storage credentials.
  3. Privilege escalation. Steal domain admin credentials. Often through cached tokens on compromised endpoints, or by exploiting a misconfigured service account.
  4. Data exfiltration. Copy interesting files out before encryption. This is for the second phase of the extortion (pay or we publish your client list).
  5. Backup destruction. Delete or encrypt the backup repository. Specifically. This is now a standard step.
  6. Encryption detonation. All endpoints, file shares, and servers. Often timed for Friday evening or holidays.
  7. Ransom note. Pay or stay encrypted. Pay extra or we publish what we exfiltrated.

The modern playbook treats your backup as the primary obstacle, not an afterthought.

What “immutable” and “air-gapped” actually mean

Two words get used interchangeably and shouldn’t be.

Air-gapped means the backup is physically or logically disconnected from the production network. Tape rotated to a vault is air-gapped. A USB drive carried home each Friday is air-gapped (though impractical at any scale).

Immutable means the backup, once written, cannot be modified or deleted for a defined retention period — even by an admin with valid credentials. Object lock on Amazon S3, Wasabi, or Backblaze B2 is immutable. Veeam’s hardened repository feature is immutable. A Synology with snapshot retention enforced at the volume level is partially immutable (admin can still wipe it).

For a backup to survive modern ransomware, it needs to be one or the other. Air-gapped is hard to scale. Immutable is the modern standard.
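The "immutable" property above is only as strong as the lock configuration behind it, and it is easy to end up with a bucket that has Object Lock turned on but no enforced default retention, or a retention mode a privileged account can bypass. The script below is an added example written for this post (it is not the author's tooling or any vendor's code): it audits an S3-compatible bucket's Object Lock configuration against a minimum retention and then proves immutability the way an attacker with admin credentials would test it, by trying to delete the specific locked object version. The bucket name is a placeholder, boto3 and credentials for Amazon S3, Wasabi or Backblaze B2 are assumed, and the "AccessDenied" error code is what Amazon S3 returns; other endpoints may phrase the refusal differently.

```python
"""Audit an S3-compatible bucket's Object Lock posture for ransomware resilience.

Added example, not the post's or any vendor's code. Assumes boto3 and an
S3-compatible endpoint whose bucket was created with Object Lock enabled.
Bucket and endpoint names are placeholders.
"""
from __future__ import annotations

from typing import Any, Optional

# Compliance mode is the one that resists an attacker holding the account's
# admin credentials; governance mode can be bypassed by anyone granted the
# s3:BypassGovernanceRetention permission.
STRONG_MODE = "COMPLIANCE"


def audit_object_lock(config: dict[str, Any], min_days: int) -> list[str]:
    """Return a list of findings (empty list == passes) for the dict that
    get_object_lock_configuration returns."""
    findings: list[str] = []
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["object lock is not enabled on the bucket"]
    rule = lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["no default retention rule: new backups are only locked if "
                "the client sets retention per object, which an attacker "
                "controlling the backup server can simply stop doing"]
    mode = rule.get("Mode")
    if mode != STRONG_MODE:
        findings.append(f"retention mode is {mode}, not {STRONG_MODE}: "
                        "a privileged account can bypass it")
    # Retention is expressed in Days or Years; normalise to days.
    days = rule.get("Days", rule.get("Years", 0) * 365)
    if days < min_days:
        findings.append(f"default retention is {days} days, below the "
                        f"required {min_days}")
    return findings


def attempt_version_delete(s3, bucket: str, key: str, version_id: str) -> Optional[str]:
    """Try to delete a specific object *version*; returns the error code the
    service refused with (Amazon S3 answers 'AccessDenied' for a locked
    version) or None if the delete succeeded, meaning the data was NOT locked.

    Caveat: delete_object without a VersionId only writes a delete marker on a
    versioned bucket and succeeds even for locked data, so that call proves
    nothing about immutability."""
    from botocore.exceptions import ClientError
    try:
        s3.delete_object(Bucket=bucket, Key=key, VersionId=version_id)
    except ClientError as exc:
        return exc.response["Error"]["Code"]
    return None


if __name__ == "__main__":
    import boto3  # only needed for the live check

    BUCKET = "example-backup-bucket"  # placeholder
    s3 = boto3.client("s3")  # add endpoint_url=... for Wasabi / Backblaze B2
    cfg = s3.get_object_lock_configuration(Bucket=BUCKET)
    # 35 days: a 30+ day attacker dwell time plus slack for the backup interval
    # and the restore itself.
    for line in audit_object_lock(cfg, min_days=35) or ["object lock configuration passes"]:
        print(line)
    # Write a canary object and confirm its locked version cannot be removed.
    put = s3.put_object(Bucket=BUCKET, Key="canary/lock-test", Body=b"canary")
    print("version delete refused with:",
          attempt_version_delete(s3, BUCKET, "canary/lock-test", put["VersionId"]))
```

Run the audit from a machine outside the backup server's own identity boundary, and treat a successful canary delete as a failed control rather than a passed test.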

Three backup mistakes we still see weekly

1. Backup server on the same domain

The backup server is joined to the company Active Directory domain, with domain admin credentials accessible. When the attacker becomes domain admin, the backup server is theirs.

Fix: backup infrastructure on a separate identity/auth boundary. Local accounts only, MFA enforced, isolated from the production domain.

2. Backups stored on the same network with no immutability

Network-attached storage (NAS) sitting next to the file server it backs up. Same VLAN. Same credentials work. Same encryption fate.

Fix: off-network destination (cloud immutable storage), or a NAS with strict snapshot retention policies that the storage itself enforces independent of the user’s permissions.

3. No test restores

The single most common backup failure we encounter: a backup that runs nightly, reports success, and is corrupt. The first restore attempt is during the actual disaster.

Fix: quarterly test restores at minimum. Restore a representative sample (a server VM, a file share, a mailbox) to a test environment. Verify the data. Document the result. File the report.
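"Verify the data" needs something stronger than opening a few files and eyeballing them. The script below is an added example for this post, not the author's own restore tooling: it records a SHA-256 manifest of the source tree when the backup runs, and after a restore into a test environment compares the restored tree against that manifest, producing a report whose `errors` count is the "0 errors" evidence to file. The sample source tree and the two restores (one faithful, one with a truncated file and a missing file) are constructed in a temporary directory so it runs offline; paths and file contents are made up.

```python
"""Verify a test restore against a content manifest taken at backup time.

Added example, not the post's own tooling. Sample trees are constructed in a
temp directory so the script runs offline.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    manifest: dict[str, str] = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict:
    """Compare a restored tree with the manifest. 'errors' must be 0 for the
    quarterly test to pass; the full dict is the record to file."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    unexpected = sorted(set(restored) - set(manifest))  # informational only
    return {
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "files_expected": len(manifest),
        "files_restored": len(restored),
        "missing": missing,
        "corrupt": corrupt,
        "unexpected": unexpected,
        "errors": len(missing) + len(corrupt),
    }


def demo() -> tuple[dict, dict]:
    """Constructed scenario: a source tree, a faithful restore, a broken one."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (src / "clients.txt").write_text("Acme\nGlobex\n")
        manifest = build_manifest(src)  # recorded at backup time

        # Good restore: byte-for-byte copy of every file.
        good = Path(tmp, "restore_good")
        for rel in manifest:
            dst = good / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            dst.write_bytes((src / rel).read_bytes())

        # Bad restore: ledger silently truncated, client list never restored.
        # This is the "backup reports success but is corrupt" case.
        bad = Path(tmp, "restore_bad")
        (bad / "finance").mkdir(parents=True)
        (bad / "finance" / "ledger.csv").write_text("acct,amount\n")

        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good_report, bad_report = demo()
    print(json.dumps(good_report, indent=2))
    print(json.dumps(bad_report, indent=2))
```

Store the manifest with the backup job's own records, not only on the server being backed up, or the manifest is lost in the same event as the data it describes.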

The 3-2-1-1-0 rule

The modern restatement of the old 3-2-1 rule:

  • 3 copies of the data
  • 2 different storage media
  • 1 off-site
  • 1 immutable or air-gapped
  • 0 errors on a verified test restore

If you cannot say yes to all five for the data your business genuinely cannot lose, you have a backup gap.

A real-world cost comparison

For a 10-person office with one server (~500 GB of business data):

Bad backup that won’t survive ransomware:

  • NAS in the same closet, same network, no immutability: $1,200 hardware, $0/month. Good for accidental file deletion. Useless for ransomware.

Good backup that survives ransomware:

  • Local backup target (Synology with snapshot retention or dedicated backup server): $1,500-$3,000 hardware
  • Cloud immutable replica (Wasabi or Backblaze B2 with object lock): $5-15/month per 100 GB
  • Backup software (Veeam Community + paid for cloud, or Comet, or N-able Cove): $30-80/month for the office
  • Quarterly verified restore labor: 4-8 hours/year of engineering

Total: roughly $200-300/month all-in for a real, modern, tested backup posture for a 10-person office.

That number lands inside the bundled price of any Managed plan at the Steel tier and up. It is a meaningful separate line item if you’re trying to do this without a plan.

What we deploy

For our Managed plan customers, the backup architecture is:

  • Local backup target (varies by site)
  • Cloud replica with object lock retention
  • Quarterly verified restore (we do it, you sign off)
  • Backup repository on isolated identity/auth, MFA on the backup admin account
  • Documented restore runbook per customer

All of that is bundled into Steel, Titanium, and Carbon.

A two-minute self-check

For your current backup, can you answer yes to all of these?

  1. Is there a copy stored somewhere that the production domain admin credentials cannot reach?
  2. Is at least one copy in immutable / object-lock storage with a retention longer than your worst-case attacker dwell time (30+ days)?
  3. Has a real restore test happened in the last quarter, with documentation?
  4. Is the backup server on a different identity boundary from your production domain?
  5. Can you produce a written incident response plan that includes the restore procedure?

A “no” to any of those is a real risk.
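Question 2 is where the "ransomware math" actually lives: the clean copy you will restore from is the last backup taken before the attacker got in, and its lock has to outlast the attacker's whole dwell time plus however long you need to restore, because an attacker still holding admin credentials will delete every copy whose lock has lapsed. The simulation below is an added example written for this post (not the author's model): it runs a day-by-day timeline with daily or weekly backups under a given object-lock retention, an attacker who gains access on a chosen day and detonates after a chosen dwell, and reports which pre-compromise copies are still locked on detonation day. It also derives the minimum retention for the worst case, which generalizes the post's "30+ days" guidance to any backup interval and restore window. Scenario values are constructed.

```python
"""Ransomware retention math: does a locked backup survive to detonation day?

Added example, not from the post. Models daily or weekly backups protected by
object-lock retention, an attacker with admin credentials who gains access on
`access_day`, waits `dwell_days`, and deletes every copy whose lock has
expired before encrypting. Day 0 is the first backup.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    retention_days: int        # object-lock retention applied to each copy
    backup_interval_days: int  # 1 = nightly, 7 = weekly
    access_day: int            # day the attacker first got in
    dwell_days: int            # days between initial access and detonation
    horizon_days: int = 120    # length of the simulated timeline


def surviving_clean_backups(s: Scenario) -> list[int]:
    """Days of the backups that (a) predate the attacker's access, so they
    carry no attacker persistence, and (b) are still locked on detonation
    day, so an admin-level attacker cannot delete them first.
    A copy taken on day d is locked on days d .. d+retention-1."""
    detonation_day = s.access_day + s.dwell_days
    survivors: list[int] = []
    for day in range(0, min(s.horizon_days, detonation_day + 1), s.backup_interval_days):
        taken_before_compromise = day < s.access_day
        locked_on_detonation_day = detonation_day < day + s.retention_days
        if taken_before_compromise and locked_on_detonation_day:
            survivors.append(day)
    return survivors


def required_retention_days(dwell_days: int, backup_interval_days: int,
                            restore_window_days: int) -> int:
    """Minimum retention so the last pre-compromise copy is still locked on
    detonation day and for `restore_window_days` after it.
    Worst case: access happens on a backup day, so the newest clean copy is a
    full interval old; the +1 keeps the lock in force through the last day."""
    return dwell_days + backup_interval_days + restore_window_days + 1


if __name__ == "__main__":
    # Nightly backups, 30-day dwell: compare a 14-day and a 45-day lock.
    for retention in (14, 45):
        s = Scenario(retention_days=retention, backup_interval_days=1,
                     access_day=20, dwell_days=30)
        print(f"retention {retention:>3}d -> clean survivors: "
              f"{surviving_clean_backups(s) or 'NONE'}")
    print("weekly backups, 30-day dwell, 7-day restore window ->",
          required_retention_days(30, 7, 7), "days of retention")
```

The table this prints is the argument for 30+ days in question 2: with a 14-day lock and nightly backups, a 30-day dwell leaves no clean copy at all, and weekly backups or a slow restore push the requirement well past 30.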

If you want a real audit, the Cyber Score covers backup posture among the questions. The deeper read happens in a free IT Blueprint Assessment, where we walk the actual backup setup and verify what it would do under attack.

#ransomware #backup #immutable storage #disaster recovery
