
Backups Are Not Enough When Attackers Skip Encryption


For years, ransomware has meant one thing in most boardrooms: encrypted systems and a race to restore from backup. If you could recover quickly, you had a real chance to avoid paying and get back to business.

Attackers have adjusted.

More campaigns now focus on stealing sensitive data and threatening to leak it, sometimes without encrypting anything at all. Your applications stay online. Your backups are intact. Yet you still face the same pressure, because the leverage is no longer “we locked your files,” it is “we will expose your data.”

In that world, having backups is necessary, but not sufficient. Resilience now means planning for extortion, not just recovery.

From encryption to exposure

Traditional ransomware revolved around availability. Attackers wanted to make your systems unavailable until you paid for a decryption key. Backup and disaster recovery were the natural counter. If you could restore clean data quickly, you broke the attacker’s business model.

Data extortion flips the script. The attacker:

  • Gains access to your environment
  • Finds high-value data sets
  • Steals copies quietly, sometimes over days or weeks
  • Leaves systems running, or performs limited disruption
  • Demands payment in exchange for silence

Sometimes encryption still happens. Sometimes it does not. In both cases, the harm comes from exposure:

  • Customer data posted on leak sites
  • Confidential contracts and internal emails made public
  • Intellectual property offered to competitors
  • Regulatory scrutiny and legal action

You can restore from backup all day long and still have a serious incident on your hands if you have not prepared for this kind of pressure.

Why “we have backups” is no longer a complete answer

Backups solve a specific problem. They restore systems and data to a known-good state. They reduce downtime. They keep you in control when files are locked or destroyed.

They do not, by themselves:

  • Limit what an attacker can see and steal
  • Reduce the sensitivity of what leaves your network
  • Handle regulatory notifications and legal risk
  • Protect your reputation when stolen data appears online

That means a modern ransomware strategy has to cover three layers, not one:

  1. Prevent and detect intrusions as early as possible.
  2. Limit what can be stolen and how useful it is if it leaves.
  3. Recover and respond in a way that restores operations and trust.

Backup and disaster recovery sit squarely in the third layer. They are critical, but they need to be tied into the others if you want a complete defense against data extortion.

Treat backups and archives as sensitive targets

Data extortion also affects how you think about your own backup environment.

Attackers know that backup and archive systems hold some of the most complete, long-lived copies of your data. If they reach those systems, they can:

  • Access historical records that are no longer in production
  • Collect larger, richer data sets than they would find in one application
  • Destroy or tamper with restore points to add more pressure

So the first shift is cultural. Backup is no longer “just IT plumbing.” It is part of your sensitive surface.

Practical steps include:

  • Isolating backup networks from general user traffic
  • Using strong identity controls and multifactor authentication on backup consoles
  • Logging and reviewing backup configuration changes
  • Applying role-based access so only a small group can modify retention or delete backups

At CyberFortress, we design backup platforms under the assumption that attackers will go looking for them. That mindset drives everything from network layout, to identity design, to how and where data is written.
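One way to put the "logging and reviewing backup configuration changes" and role-based access steps into practice, as an added example that is not CyberFortress code: a review pass over backup-console audit events. The JSON-lines schema, account names and the approved admin group are assumptions constructed for illustration.

```python
import json

# Constructed audit events in a hypothetical JSON-lines schema (not any product's format).
SAMPLE_LOG = """\
{"ts":"2024-05-01T02:10:00Z","actor":"backup-admin1","action":"set_retention","job":"erp-db","old_days":30,"new_days":90,"mfa":true}
{"ts":"2024-05-01T03:42:00Z","actor":"svc-deploy","action":"set_retention","job":"crm","old_days":90,"new_days":7,"mfa":false}
{"ts":"2024-05-01T03:44:00Z","actor":"backup-admin2","action":"delete_restore_point","job":"crm","mfa":true}
{"ts":"2024-05-01T08:00:00Z","actor":"jsmith","action":"login","mfa":true}
{"ts":"2024-05-01T09:15:00Z","actor":"backup-admin1","action":"disable_job","job":"file-share","mfa":false}
"""

BACKUP_ADMINS = {"backup-admin1", "backup-admin2"}  # assumed small approved group
SENSITIVE_ACTIONS = {"set_retention", "delete_restore_point", "disable_job"}

def review_backup_changes(log_text, admins=BACKUP_ADMINS):
    """Return (ts, actor, action, reasons) for each change that needs human review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["action"] not in SENSITIVE_ACTIONS:
            continue
        reasons = []
        if ev["actor"] not in admins:
            reasons.append("actor outside backup-admin group")
        if not ev.get("mfa", False):
            reasons.append("session without MFA")
        # Raising retention is routine; shortening it removes restore points early.
        if ev["action"] == "set_retention" and ev["new_days"] < ev["old_days"]:
            reasons.append(f"retention cut {ev['old_days']}d -> {ev['new_days']}d")
        # Deletions are always surfaced, even when an approved admin performs them.
        if ev["action"] == "delete_restore_point":
            reasons.append("restore point deleted")
        if reasons:
            findings.append((ev["ts"], ev["actor"], ev["action"], reasons))
    return findings

if __name__ == "__main__":
    for ts, actor, action, reasons in review_backup_changes(SAMPLE_LOG):
        print(ts, actor, action, "; ".join(reasons))
```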

Know what you are backing up, and why

In an extortion scenario, over-retention can increase your risk. If you keep everything, forever, you are storing more information for attackers to misuse.

Work with data owners to:

  • Classify what data lives in which systems
  • Map those systems to backup policies
  • Match retention periods to real legal and business requirements
  • Reduce or tokenize sensitive data when possible

You still need to meet compliance obligations and litigation needs, but you should be intentional about the tradeoffs. CyberFortress teams often help customers tune retention so they protect what they must, without keeping unnecessary copies of high-risk data.
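The classify, map and match steps above can be checked mechanically once the three inventories exist. The following is an added example, not CyberFortress tooling; the system names, data classes and retention windows are constructed, and the (minimum, maximum) days per class stand in for whatever legal and data owners actually agree.

```python
# All names and numbers below are constructed for illustration.
REQUIREMENTS = {  # data class -> (min_days, max_days) agreed with legal and data owners
    "financial": (2555, 2555),
    "customer_pii": (30, 365),
    "public": (7, 90),
}
CLASSIFICATION = {  # system -> data class, from the classification exercise
    "erp-db": "financial",
    "crm": "customer_pii",
    "web-cms": "public",
    "hr-share": "customer_pii",
}
BACKUP_POLICIES = {  # system -> retention in days, exported from the backup platform
    "erp-db": 2555,
    "crm": 3650,
    "web-cms": 30,
    "legacy-ftp": 3650,
}

def audit_retention(classification, policies, requirements):
    """Join classification to backup policy and report every mismatch per system."""
    findings = {}
    for system in sorted(set(classification) | set(policies)):
        data_class = classification.get(system)
        days = policies.get(system)
        if data_class is None:
            # Backed up but never classified: unknown sensitivity kept for `days` days.
            findings[system] = "unclassified system is being backed up"
        elif days is None:
            findings[system] = "classified system has no backup policy"
        else:
            low, high = requirements[data_class]
            if days > high:
                findings[system] = f"over-retention by {days - high} days"
            elif days < low:
                findings[system] = f"under-retention by {low - days} days"
    return findings

if __name__ == "__main__":
    for system, issue in audit_retention(CLASSIFICATION, BACKUP_POLICIES, REQUIREMENTS).items():
        print(f"{system}: {issue}")
```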

Connect backup and DR to incident response

Data extortion incidents are not only technical events. They are business events.

Legal, compliance, communications, and leadership all need timely information. They need to know:

  • What categories of data were likely exposed
  • Which customers, partners, or employees might be affected
  • Which systems are safe to restore and which require further review

Backup and DR teams are central to those answers. They know where data lives and what restore points are available. Yet in many organizations, recovery plans and incident response plans sit in separate binders.

Bringing them together makes a big difference:

  • Include backup and DR stakeholders in incident response planning
  • Define how backup catalogs and recovery points will be used to support forensics and scoping
  • Document which environments can be used for clean, isolated restores during an investigation

CyberFortress aligns recovery runbooks with customer incident response processes. That way, when an event happens, operational recovery and business communication move together rather than in parallel.

Controls that reduce extortion leverage

If backups are your safety net, other controls help reduce how far you fall.

Key practices that complement backup include:

  • Segmentation and least privilege so that a single compromised account cannot see every data store in the organization.
  • Encryption of sensitive data at rest and in transit with proper key management, so stolen files are not immediately readable.
  • Monitoring for unusual data access and large transfers, especially from service accounts and administrative users.
  • Regular reviews of shadow IT and unsanctioned data stores, which often hold sensitive information outside of formal protection.
  • Tabletop exercises that simulate extortion scenarios, including ransom demands tied to leaks, public disclosure, and media interest.

These measures do not replace backup. They increase the likelihood that, if data is stolen, the amount and usefulness of that data is limited.
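A sketch of the "monitoring for unusual data access and large transfers" control, as an added example rather than anything from CyberFortress: each account's latest daily outbound volume is scored against its own history with a median/MAD baseline, and service and administrative accounts get a tighter threshold. Account names, volumes and both thresholds are constructed assumptions.

```python
from statistics import median

# Constructed daily outbound totals in MB per account; the last value is "today".
HISTORY = {
    "alice":      [120, 95, 130, 110, 105, 125, 140],
    "svc-backup": [900, 910, 905, 895, 900, 908, 1400],
    "svc-report": [40, 42, 38, 41, 39, 40, 43],
    "dba-admin":  [200, 210, 190, 205, 195, 200, 2600],
}
PRIVILEGED = {"svc-backup", "svc-report", "dba-admin"}  # assumed service/admin accounts

def robust_score(baseline, value):
    """Distance of value from the baseline median, in MAD-based standard deviations."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline) or 1.0  # flat baseline: avoid dividing by zero
    return (value - med) / (1.4826 * mad)

def flag_transfers(history, privileged, user_threshold=6.0, priv_threshold=3.5):
    """Return (account, today_mb, score) for accounts whose latest day is anomalous."""
    alerts = []
    for account, series in sorted(history.items()):
        if len(series) < 4:
            continue  # too little history to form a baseline
        *baseline, today = series
        score = robust_score(baseline, today)
        # Service and admin accounts are predictable, so smaller deviations matter.
        limit = priv_threshold if account in privileged else user_threshold
        if score > limit:
            alerts.append((account, today, round(score, 1)))
    return alerts

if __name__ == "__main__":
    for account, mb, score in flag_transfers(HISTORY, PRIVILEGED):
        print(f"{account}: {mb} MB today, robust score {score}")
```

Because the baseline uses the median rather than the mean, a single earlier spike does not raise the threshold for later days.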

How CyberFortress guides customers through this shift

CyberFortress was built on a simple promise: when something goes wrong, you are not on your own.

In a world of data extortion, that promise covers more than restoring a few servers. It includes:

  • Designing backup and DR architectures that assume attackers might bypass encryption and go straight to data theft.
  • Implementing immutable, isolated backup copies so you have reliable recovery options even if production environments are compromised.
  • Helping teams align retention, classification, and backup policies with both resilience and privacy in mind.
  • Working alongside your security and incident response teams during an event, so you can move from uncertainty to a clear, guided plan.

Backups remain the foundation of recovery. They keep your business running when systems fail or attackers encrypt your data. When attackers skip encryption and move straight to extortion, that foundation still matters, but it has to be part of a broader structure.

Education, preparation, and the right partners turn “we have backups” into “we have a plan.”

CyberFortress is here to help you build that plan before you need it.