
Why ransomware crews steal your data before they lock it — and why 'we have backups' isn't enough


If your whole ransomware plan is "we have backups", a modern crew has already planned around it — here's what actually stops the bleeding.

Modern ransomware gangs assume you have backups — that's exactly why they steal a copy of your data first. The old picture of ransomware was simple: your files get scrambled, you restore from last night's backup, you're back in business by lunch. That picture is years out of date. Today's crews treat your backups as an obstacle to remove on the way in, and your data as a second hostage they can sell or leak whether or not you ever pay to unlock a single file.

The playbook changed: steal first, encrypt later

This is called double extortion, and it is now the default rather than the exception. The attacker copies your data out of the building — client records, financials, contracts, mailboxes — and only then triggers the encryption. Now they hold two threats instead of one: pay to get your files back, and pay again so they don't publish what they took. Restoring from backup answers the first threat. It does nothing about the second.

Take Qilin, one of the most active ransomware operations through 2025 and into 2026. Security researchers and reporting outlets attributed more than a thousand victims to the group over the past year, and noted it leaned heavily on small and medium businesses. The reason crews like this favour SMBs is uncomfortable but simple: smaller teams tend to have flatter networks, thinner monitoring, and backups sitting on the same domain as everything else — which is precisely what an affiliate wants.

Why "we have backups" is false comfort

Affiliates following this playbook do three things before you ever see a ransom note, and each one undercuts the "we're fine, we have backups" assumption:

1. They hunt your backups first. Once inside, attackers map the network looking for backup servers, cloud backup credentials and snapshot tools, then delete or encrypt them so you can't restore. Backups reachable with a normal admin login are the first thing to go.

2. They harvest credentials and move laterally. Stolen passwords let them spread quietly from one machine to the whole estate, often over days or weeks. Traditional antivirus usually sees nothing during this phase.

3. They exfiltrate your data. Gigabytes leave the building before encryption starts. Even a flawless restore can't un-leak data that's already on a criminal's server.

So the honest version of the question isn't "do we have backups?" It's "are our backups out of reach of an attacker who already has domain admin — and would we even notice the theft and the deletion before the encryption?"

What "out of reach" actually means: immutable and offsite

A backup only counts if the attacker can't tamper with it. That means immutable copies — backups written so they cannot be altered or deleted for a set retention period, even by someone holding your administrator credentials — and at least one copy held offsite or in a separate security boundary from your production environment. If your backup can be wiped with the same login that runs your file server, it's a convenience feature, not a safety net.

This is the difference between a bad week and a closed business, and it's the backbone of a proper disaster recovery and business continuity setup. The same logic applies to your Microsoft 365 tenant: mailboxes, SharePoint and OneDrive need their own immutable backups, because Microsoft's retention defaults are not a recovery plan.

Catching the dwell time before encryption ever happens

Here's the encouraging part: the steal-first approach takes time. The window between initial access and encryption — the dwell time — is where attacks are won or lost. If you can spot the credential theft, the unusual lateral movement, or the large outbound data transfer while it's happening, you can contain the intruder before they detonate anything or finish stealing your files.

That's the job of endpoint detection and response (EDR) feeding a human team that's actually watching. EDR sees process behaviour, not just known virus signatures, so it catches novel ransomware and "living off the land" tactics. Behind it, our in-house 24/7 Security Operations Centre investigates the alerts around the clock — because attackers deliberately strike overnight and on long weekends, when an unmonitored network has nobody home.
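A minimal version of the dwell-time detection logic described above, as an added example rather than the SOC's own tooling: it baselines each host's daily outbound volume and set of destinations over a week of constructed flow records, then flags any host that suddenly sends several times its normal volume or talks to a destination it has never used. Host names, addresses, byte counts and the 5x threshold are all constructed for the illustration.

```python
from collections import defaultdict

# Constructed flow records: (host, dest_ip, bytes_out, day). Days 1-7 form
# the baseline week; day 8 is the day under review. FS01 normally syncs
# ~40 MB/day to one partner address, then pushes 30 GB to an unknown host.
FLOWS = [
    *[("FS01", "203.0.113.10", 40_000_000, d) for d in range(1, 8)],
    *[("WS12", "203.0.113.10", 2_000_000, d) for d in range(1, 8)],
    ("FS01", "203.0.113.10", 45_000_000, 8),
    ("FS01", "198.51.100.7", 30_000_000_000, 8),  # never-seen destination
    ("WS12", "203.0.113.10", 2_500_000, 8),
]

def baseline(flows, up_to_day):
    """Per-host mean daily outbound bytes and known destinations."""
    daily = defaultdict(lambda: defaultdict(int))
    dests = defaultdict(set)
    for host, dst, nbytes, day in flows:
        if day <= up_to_day:
            daily[host][day] += nbytes
            dests[host].add(dst)
    mean = {h: sum(v.values()) / len(v) for h, v in daily.items()}
    return mean, dests

def review_day(flows, day, multiplier=5.0):
    """Alert on hosts sending > multiplier x their baseline mean, or any
    bytes to a destination absent from the baseline window."""
    mean, known = baseline(flows, day - 1)
    total = defaultdict(int)
    new_dest = defaultdict(set)
    for host, dst, nbytes, d in flows:
        if d != day:
            continue
        total[host] += nbytes
        if dst not in known.get(host, set()):
            new_dest[host].add(dst)
    alerts = []
    for host, sent in total.items():
        reasons = []
        if host in mean and sent > multiplier * mean[host]:
            reasons.append(f"volume {sent / mean[host]:.0f}x baseline")
        if new_dest[host]:
            reasons.append("new destinations " + ", ".join(sorted(new_dest[host])))
        if reasons:
            alerts.append((host, reasons))
    return alerts
```

Running `review_day(FLOWS, 8)` flags only FS01, for both reasons; the workstation's 25% bump stays under the threshold and raises nothing.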

Make it hard to get in, and contain it fast when they do

Detection works best when there's less to detect. Hardening the basics shrinks the number of open doors and slows anyone who gets through one:

1. Patch and harden relentlessly. Internet-facing systems and unpatched software are common entry points. Mapping your controls to the ACSC Essential Eight (patching, application control, restricted admin rights) closes the doors crews rely on.

2. Lock down identity. Multi-factor authentication and conditional access stop most stolen-password attacks cold and make lateral movement far harder.

3. Have a plan you've actually rehearsed. A tested incident response plan means that when an alert fires, containment starts in minutes (isolate the host, cut the attacker's access, restore from clean immutable backups) rather than starting a frantic search for who to call.

And critically: test your restores. A backup you've never recovered from is a hope, not a capability. Tested disaster recovery tells you exactly how long you'd be down in a worst case, before the worst case arrives.

Frequently asked questions

What is double extortion ransomware?

It's an attack where criminals steal a copy of your data before encrypting your systems. That gives them two demands: pay to unlock your files, and pay again to stop them publishing or selling the stolen data. Because the data theft happens first, good backups let you recover your files but don't undo the leak.

If we have backups, do we still need to worry about ransomware?

Yes. Attackers actively hunt for and delete backups before encrypting, so a backup reachable with normal admin access may already be gone when you need it. And because they exfiltrate data first, restoring files doesn't stop a leak. You need immutable, offsite backups plus detection that catches the attack early.

What makes a backup "immutable"?

An immutable backup is written so it cannot be changed or deleted for a set retention period — even by someone holding your administrator credentials. Combined with an offsite or isolated copy, it means an attacker who's deep inside your network still can't destroy your ability to recover.

How does a SOC help against data theft?

A 24/7 SOC watches for the warning signs that come before encryption: stolen credentials being used, unusual lateral movement, and large outbound data transfers. Spotting these during the dwell-time window lets the team contain the attacker before they finish stealing your data or lock your systems.
