Why Backups Alone Are Not Enough
The conventional advice — "maintain good backups and you'll recover from ransomware" — was valid in 2015. It is dangerously incomplete in 2025. Modern ransomware operators have adapted: before triggering encryption, they spend weeks inside your network mapping your backup systems, identifying and corrupting backup targets, and exfiltrating sensitive data for double-extortion leverage.
By the time encryption starts, your backups may already be compromised. Recovery from backup does not address the data exfiltration. And in regulated industries, the breach disclosure obligation persists regardless of whether you pay the ransom or recover from backup.
The Attack Kill Chain
Understanding how modern ransomware operates determines where your defenses should focus:
- Initial access: Phishing email, exposed RDP, VPN vulnerability, or compromised credential (the vast majority of cases)
- Persistence: Attacker establishes multiple footholds — scheduled tasks, registry keys, new admin accounts
- Lateral movement: Using legitimate admin tools (PsExec, WMI, PowerShell remoting) to move across the network — this phase can last weeks
- Data exfiltration: Sensitive data copied to attacker-controlled infrastructure before encryption begins
- Backup destruction: Volume shadow copies deleted, backup agents disabled, network shares with backup targets encrypted
- Encryption trigger: Ransomware deployed simultaneously across all compromised hosts
The Defense Architecture
Effective ransomware defense is a layered architecture, not a product purchase:
Layer 1 — Network Segmentation
Flat networks are ransomware's best friend. If the attacker compromises one endpoint and can reach every server, backup system, and domain controller on the same layer-2 network, the attack radius is unlimited. Proper segmentation using VLANs, firewall policies, and micro-segmentation limits lateral movement.
Layer 2 — Privileged Access Management
Most lateral movement relies on stolen privileged credentials. Implementing a PAM solution with just-in-time access, MFA for all administrative actions, and session recording dramatically raises the cost of lateral movement for attackers.
Layer 3 — Endpoint Detection and Response
Signature-based antivirus is ineffective against modern ransomware that uses legitimate system tools. EDR solutions with behavioral detection, process tree analysis, and automated isolation capability are required.
Layer 4 — Immutable Backup Architecture
Your backup system must be architecturally isolated from your production network. This means: a separate backup network with strict firewall rules, immutable storage (Veeam with hardened repository, Wasabi Object Lock, or tape with air-gap rotation), and offline/off-site copies on a schedule that ensures you can recover to a clean point-in-time before attacker persistence was established.
Layer 5 — Detection and Response
Preparation for ransomware means having a tested incident response plan before you need it: defined decision trees for isolation vs. continuity, pre-negotiated cyber insurance coverage, legal counsel briefed on breach notification obligations, and documented recovery runbooks.
The 3-2-1-1-0 Backup Rule
The modern backup standard for ransomware resilience:
- 3 copies of your data
- 2 different storage media types
- 1 copy off-site
- 1 copy offline or immutable (air-gapped or object-locked)
- 0 errors verified on restore tests — untested backups are not backups
What This Costs
A properly architected ransomware defense for a 200-user enterprise costs approximately $40,000–$120,000 to implement (network segmentation, EDR deployment, PAM, immutable backup infrastructure) and $18,000–$60,000/year to operate (EDR licensing, SOC monitoring, backup storage, annual pen test). Compare this to the average ransomware recovery cost of $4.5M for enterprises (IBM Cost of a Data Breach Report 2024), and the ROI calculation is straightforward.