Ransomware and Backups: Don't Make This Costly Mistake
Most small businesses think their backups will save them from ransomware — but many won't. Here's what you need to know to make your backups ransomware-proof.
There is a dangerous assumption held by many small business owners: "We have backups, so ransomware is not really a threat to us." It is understandable — backups are supposed to be your safety net. But modern ransomware has specifically evolved to defeat standard backup strategies, and many businesses only discover this when it is far too late.
Ransomware attacks on Australian small businesses are rising. The ACSC's Annual Cyber Threat Report records ransomware as one of the most destructive threats facing Australian organisations of all sizes. The average downtime from a ransomware attack is measured in days or weeks — and that is before counting the financial cost, the reputational damage, and the potential regulatory consequences under the Privacy Act 1988.
This guide explains exactly how ransomware attacks backups — and what you need to do to make your backups genuinely ransomware-proof.
How Ransomware Targets Your Backups
Modern ransomware is not a blunt instrument. The people behind it are professional criminals running sophisticated operations. Before encrypting your data, they typically spend days or weeks quietly exploring your network, specifically looking for and neutralising your backups before triggering the attack. Here is how they do it:
Encrypting connected backup drives
If you have an external hard drive permanently plugged into your computer or server, ransomware will find it and encrypt it along with everything else. From the ransomware's perspective, it is just another storage device. The backup you thought was protecting you disappears at the moment of the attack.
Targeting backup software and network shares
Many ransomware variants are specifically programmed to look for common backup software installations (Veeam, Backup Exec, etc.), disable them, and delete backup files. If your backup data is stored on a network share that the infected machine can access, that data is also at risk.
Waiting until backups are also encrypted
Ransomware typically spends days to weeks on a network before triggering. During this time, your automated backups are running normally — but they are backing up increasingly compromised data. By the time the attack is visible, your recent backups may contain the ransomware or already-encrypted files. If your backup retention period is too short, all your available restore points may be compromised.
Deleting cloud backup snapshots
If criminals compromise your administrative credentials (email account, cloud console), they may be able to delete your cloud backup snapshots or reduce their retention to nothing before triggering the encryption. This is why protecting administrative accounts with MFA is so important.
What Makes a Backup Ransomware-Proof?
A ransomware-resilient backup strategy has three essential characteristics:
1. Immutability
Immutable backups are copies that cannot be modified, deleted, or overwritten — even by an administrator with full credentials. They are locked for a defined retention period. Even if ransomware, or a criminal holding your admin password, tries to delete them, the deletion is refused until the lock expires.
Most enterprise-grade cloud backup services now offer immutable storage as an option. Look for terms like "WORM storage" (Write Once, Read Many), "object lock," or "immutable backups" when evaluating solutions. Providers like Acronis Cyber Protect, Veeam with immutable repositories, and Backblaze B2 with Object Lock all support this.
2. Air-gapping
An air-gapped backup is one that is physically or logically disconnected from your network — and therefore completely inaccessible to ransomware running on that network.
Physical air-gapping means taking a backup drive offline and storing it at a separate location. Logical air-gapping means using a backup service that is completely separate from your main systems and cannot be accessed via the same credentials or network connection.
Some cloud backup services create a logical air gap by design — the backup credentials are entirely separate from your main cloud account, and the backup data cannot be accessed or deleted even if your main account is compromised.
3. Sufficient retention period
Because ransomware often lies dormant for weeks before triggering, you need backup retention long enough to have clean restore points that predate the compromise. A retention period of 30 days is a reasonable minimum; 90 days is better for higher-risk environments.
If your backup solution only keeps the last seven days of backups and ransomware has been lurking on your network for three weeks, all your restore points may be compromised.
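The retention and immutability points above, worked through as an added example (not code from the original article or from any backup product). It assumes a constructed catalog of daily restore points where each point carries an object-lock-style expiry, an attack that becomes visible on 2024-03-22, and a three-week dwell time; it shows that a seven-day retention leaves no clean restore point while a 30-day one does, and that a delete attempt inside the lock window fails.

```python
from datetime import date, timedelta

class ImmutableCatalog:
    """Restore points that carry a lock; deletion before lock expiry is refused."""

    def __init__(self, lock_days):
        self.lock_days = lock_days
        self.points = {}  # restore point date -> lock expiry date

    def add_restore_point(self, when):
        self.points[when] = when + timedelta(days=self.lock_days)

    def delete(self, when, today):
        # Models an administrator (or ransomware holding admin credentials)
        # trying to remove a restore point: refused while the lock is in force.
        if today < self.points[when]:
            raise PermissionError(f"{when} is locked until {self.points[when]}")
        del self.points[when]

    def clean_points(self, compromise_date):
        """Restore points taken before the estimated compromise date."""
        return sorted(d for d in self.points if d < compromise_date)

def daily_catalog(last_run_iso, retention_days, lock_days):
    """Constructed catalog: one restore point per day, newest on last_run_iso."""
    last_run = date.fromisoformat(last_run_iso)
    cat = ImmutableCatalog(lock_days)
    for i in range(retention_days):
        cat.add_restore_point(last_run - timedelta(days=i))
    return cat

def clean_restore_points(last_run_iso, retention_days, dwell_days):
    """ISO dates of restore points that predate the compromise (last run minus dwell)."""
    cat = daily_catalog(last_run_iso, retention_days, retention_days)
    compromise = date.fromisoformat(last_run_iso) - timedelta(days=dwell_days)
    return [d.isoformat() for d in cat.clean_points(compromise)]

def delete_is_refused(last_run_iso, retention_days, target_iso, today_iso):
    """True when the lock blocks deletion of the given restore point on today_iso."""
    cat = daily_catalog(last_run_iso, retention_days, retention_days)
    try:
        cat.delete(date.fromisoformat(target_iso), date.fromisoformat(today_iso))
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    print("7-day retention, 21-day dwell:", clean_restore_points("2024-03-22", 7, 21))
    print("30-day retention, 21-day dwell:", clean_restore_points("2024-03-22", 30, 21))
    print("delete refused inside lock:", delete_is_refused("2024-03-22", 30, "2024-02-22", "2024-03-22"))
```

The lock period here is set equal to the retention period; in a real object-lock setup the lock is what stops a compromised admin account from shortening retention to nothing.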
Practical Steps to Ransomware-Proof Your Backups
- Stop leaving backup drives permanently connected. If you use external drives, connect them only during the backup window, then disconnect and store them offline. For added protection, rotate between two drives stored at different locations.
- Enable immutable backup storage. Review your current backup solution and check whether immutable storage is available. If not, consider switching to one that offers it. This single change can be the difference between recovery and paying a ransom.
- Extend your backup retention period. Ensure you have restore points going back at least 30 days, preferably 90. Check your current backup software settings.
- Follow the 3-2-1 rule. Three copies, two media types, one offsite or offline. See our dedicated guide on the 3-2-1 backup rule for a full walkthrough.
- Separate your backup credentials from your main accounts. Use a dedicated, separate email address and password for your backup service console. Protect it with MFA. Never use your main admin credentials.
- Test your restores regularly. An untested backup is an untrusted backup. Run test restores every quarter — including testing that you can restore from your oldest available backup point.
- Monitor backup jobs actively. Set up alerts so you know immediately if a backup job fails. A silent backup failure means you may have no protection at all.
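The last step, active monitoring, as an added example that is not part of the original article. It runs over a constructed backup log (the line format and job names are assumptions, not any product's real output) and raises an alert for three distinct conditions: a job whose last run failed, a job whose last success is older than the expected window, and the silent case of an expected job with no log entry at all.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log; the format "job=<name> status=<state>" is an assumption.
SAMPLE_LOG = """\
2024-03-19 02:00:41 job=fileserver status=success
2024-03-19 02:30:12 job=mailbox status=success
2024-03-20 02:00:39 job=fileserver status=success
2024-03-20 02:30:07 job=mailbox status=failed reason=repository unreachable
2024-03-21 02:00:44 job=fileserver status=success
"""

# The jobs that should run every night; "accounting" never appears in the log.
EXPECTED_JOBS = ["fileserver", "mailbox", "accounting"]

LOG_RE = re.compile(r"^(\S+ \S+) job=(\S+) status=(\S+)")

def check_backup_jobs(log_text, expected_jobs, now_iso, max_age_hours=26):
    """Return (job, problem) tuples: 'failed', 'stale' or 'missing'."""
    now = datetime.fromisoformat(now_iso)
    last_status = {}  # job -> status of its most recent run
    last_ok = {}      # job -> timestamp of its most recent success
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        ts = datetime.fromisoformat(m.group(1))
        job, status = m.group(2), m.group(3)
        last_status[job] = status
        if status == "success":
            last_ok[job] = ts
    alerts = []
    for job in expected_jobs:
        if job not in last_status:
            alerts.append((job, "missing"))   # never ran: the silent failure
        elif last_status[job] != "success":
            alerts.append((job, "failed"))
        elif now - last_ok[job] > timedelta(hours=max_age_hours):
            alerts.append((job, "stale"))     # ran once, then quietly stopped
    return alerts

if __name__ == "__main__":
    for job, problem in check_backup_jobs(SAMPLE_LOG, EXPECTED_JOBS, "2024-03-21 12:00:00"):
        print(f"ALERT {job}: {problem}")
```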
What About Paying the Ransom?
The Australian Government's official guidance, reflected in advice from the ACSC, is to not pay ransoms. Payment does not guarantee recovery of your data, encourages further attacks, and may have legal implications depending on who is behind the attack.
The best protection against the ransom decision is never having to make it — which means having verified, ransomware-proof backups you can actually restore from.
The Cost of Getting This Wrong
The average cost of a ransomware incident for a small business — including downtime, recovery costs, and potential data breach notification — is substantial. According to figures cited by the ACSC, the average self-reported loss from ransomware for small businesses runs to tens of thousands of dollars per incident. For businesses without adequate backups, the figure is often much higher, or the business does not survive the incident at all.
The cost of implementing proper immutable backups is a fraction of this — often just a few hundred dollars per month for a comprehensive cloud backup solution with immutable storage.
Key Takeaways
- Modern ransomware specifically targets and destroys backups before triggering — a standard connected backup drive is not ransomware-proof
- Immutable backups cannot be deleted or modified even by administrators — this is the most important protection against ransomware targeting your backups
- Air-gapped backups (physically or logically disconnected from your network) are also highly effective
- Extend your backup retention to at least 30 days so you have clean restore points predating any ransomware dormancy period
- Use separate credentials for your backup service and protect them with MFA
- Test your restores regularly — a backup you have never tested may not work when you need it
- Do not pay the ransom — the best defence is never needing to
Is your backup strategy actually ransomware-proof? Find out with a free assessment at flagged.com.au — a cyber risk tool built specifically for Australian small businesses that helps you understand your real exposure and what to do about it.