Techerino
Cybersecurity · May 10, 2026 · 8 min read

Backups Alone Won't Save You in 2026 — and Three Honest Questions to Ask Before You Need Them

Modern ransomware encrypts the backups too. If you can't say what would fail first under attack, the attacker already knows. A frank readiness check for 2026.

The Techerino Team

Cybersecurity Practice

[Figure: backup tiers under ransomware. Live; local on-prem (7 days); cloud off-site, replicated (30 days); immutable and isolated, object-lock (14 days).]

At least once a quarter, someone confidently tells us: “We’re fine on ransomware. We have backups.” The conversation that follows is one of the more uncomfortable parts of our job, because in 2026, “we have backups” is roughly the equivalent of “we have a fire extinguisher” — true, useful, and not a strategy.

This isn’t doom-mongering. It’s a calibration problem. Ransomware playbooks have outpaced the defensive playbooks at most mid-market firms, and the gap is widest in the parts of the program leadership feels confident about: the backup, the EDR, the “we ran a tabletop in 2023.”

The “we have backups” lullaby

Backups solve a specific problem: data loss. Modern ransomware creates a different problem: operational shutdown plus reputational leverage plus regulatory exposure. Backups address roughly one-third of that, and only if the rest of the program holds up.

Three uncomfortable realities about backups in 2026:

  • The backups are on the same domain as everything else. A domain-admin token — or a compromised backup-admin service account — can delete or encrypt them. Most ransomware kits do this before detonation.
  • The last full restore was theatrical. Restore drills are often performed on a clean tier-3 file server with the original team pre-warned. The 3 AM restore — without your senior engineer, with the pressure of an SLA timer, against an Active Directory that may also be encrypted — is a different exercise.
  • RTO and RPO targets are aspirations, not measurements. We’ve seen four-hour RTOs that quietly mean “four hours after we get DNS, AD, and the VPN back.” The real timer is closer to 36.

What modern ransomware actually does

Today’s ransomware is built to bypass the three things most teams rely on: backups, security tools, and incident response plans. The pattern is consistent across the families we see in client environments:

  1. Quiet entry. Phished credentials, an unpatched VPN, or a third-party SaaS token that turned out to have surprising blast radius.
  2. Patient enumeration. Days, sometimes weeks, of living-off-the-land reconnaissance before any tooling is dropped. EDR telemetry shows nothing because nothing “malicious” runs.
  3. Backup-system targeting. Disable or delete on-prem backup jobs. Where possible, log into the backup vendor’s cloud console with stolen MFA and remove the off-site copy too.
  4. Data exfiltration. Stage 100–500 GB of data to attacker infrastructure for double-extortion leverage.
  5. Detonation. Encrypt, drop ransom note, post a sample of the exfil to a leak site. The clock starts.

Notice that “encrypt” is the fifth step. The first four are designed to destroy your recovery options before you know you’re recovering.
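Step 3 above is the one a defender can still catch while there is something left to save, because disabling backup jobs and deleting repositories leaves an audit trail even when the intruder runs no malware. The following is an added example, not Techerino's tooling: a small detector over a constructed newline-delimited JSON audit feed from a backup server and its console. The field names (actor, src_ip, action, target, new_device) and the sample events are assumptions made for this illustration, not any vendor's real schema, and would be mapped onto whatever your backup product actually logs.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: newline-delimited JSON audit events from a backup server
# and its management console. Field names are assumptions for this example,
# not any vendor's real schema.
SAMPLE_EVENTS = """\
{"ts": "2026-05-09T01:02:11Z", "actor": "svc-backup", "src_ip": "10.0.5.20", "action": "job.run", "target": "nightly-fileserver"}
{"ts": "2026-05-09T02:40:03Z", "actor": "svc-backup", "src_ip": "203.0.113.45", "action": "console.login", "target": "backup-console", "new_device": true}
{"ts": "2026-05-09T02:41:30Z", "actor": "svc-backup", "src_ip": "203.0.113.45", "action": "job.disable", "target": "nightly-fileserver"}
{"ts": "2026-05-09T02:42:05Z", "actor": "svc-backup", "src_ip": "203.0.113.45", "action": "job.delete", "target": "weekly-full"}
{"ts": "2026-05-09T02:43:50Z", "actor": "svc-backup", "src_ip": "203.0.113.45", "action": "repo.delete", "target": "offsite-copy"}
{"ts": "2026-05-09T09:15:00Z", "actor": "jsmith", "src_ip": "10.0.5.31", "action": "job.delete", "target": "old-test-job"}
"""

# Actions that reduce recovery options. Shortening retention belongs here too.
DESTRUCTIVE = {"job.disable", "job.delete", "repo.delete", "retention.shorten"}
WINDOW = timedelta(minutes=15)  # how long after an interactive login we stay suspicious


def parse_events(text):
    """Parse NDJSON audit lines into dicts with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, min_destructive=2):
    """Two rules:
    1. A service account performing a destructive action. Service accounts run
       jobs; they never have a business reason to delete them, so this is
       high-signal on its own.
    2. An interactive console login from a new device followed, within WINDOW,
       by at least min_destructive destructive actions from the same actor and
       source. This catches a human driving a stolen admin session.
    Returns a list of alert dicts.
    """
    alerts = []
    last_new_device_login = {}   # (actor, src_ip) -> login timestamp
    burst = defaultdict(list)    # (actor, src_ip) -> destructive events since that login
    for e in events:
        key = (e["actor"], e["src_ip"])
        if e["action"] == "console.login" and e.get("new_device"):
            last_new_device_login[key] = e["ts"]
            burst[key] = []
        if e["action"] not in DESTRUCTIVE:
            continue
        if e["actor"].startswith("svc-"):
            alerts.append({"rule": "service-account-destructive",
                           "actor": e["actor"], "target": e["target"], "ts": e["ts"]})
        login_ts = last_new_device_login.get(key)
        if login_ts is not None and e["ts"] - login_ts <= WINDOW:
            burst[key].append(e)
            if len(burst[key]) == min_destructive:  # fire once per burst, not per event
                alerts.append({"rule": "new-device-login-then-destroy",
                               "actor": e["actor"], "src_ip": e["src_ip"],
                               "targets": [x["target"] for x in burst[key]], "ts": e["ts"]})
    return alerts


def run_sample():
    """Run both rules over the constructed feed."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample feed the routine admin deletion by jsmith at 09:15 produces nothing, while the service account's three destructive actions each raise the first rule and the second fires once, on the second deletion after the new-device login. The point of the second rule is timing: it alerts minutes into step 3, well before step 5.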

Identity is the new perimeter

Almost every successful ransomware incident we’ve cleaned up in the last two years has identity as the root cause: a credential that shouldn’t have existed, a permission that shouldn’t have been so wide, an MFA prompt that someone got tired of denying. The defensive priority shift is unambiguous:

  • Conditional access on every privileged sign-in, with a real risk policy — not just “require MFA” (everyone has that, and attackers have figured it out).
  • Just-in-time admin elevation. Standing domain-admin accounts are an artifact of the 2010s. Use PIM, Privileged Access Management, or hand-rolled JIT scripts — anything but always-on.
  • Service account hygiene. Inventory, justify, rotate, expire. The backup service account is usually the riskiest credential in the business.
  • Phish-resistant factors. FIDO2 / Passkeys for the dozen people who matter. Authenticator codes are still phishable.

Reality check: If your DR plan doesn’t name the human who reactivates Active Directory from a clean recovery domain, your DR plan is a wish.

Test the restore, not the backup

Your backup product’s success rate is irrelevant. What matters is the end-to-end restore success rate, with a stopwatch, on a day no one is expecting it. Three things separate teams that survive ransomware from teams that endure it:

  • Immutable, off-account storage. Object-lock or vendor-side immutability that your domain admin cannot defeat.
  • Identity-independent restore. A pre-staged clean Active Directory you can promote in under four hours without the production AD being available.
  • A real tabletop on a Tuesday. Pull a senior engineer’s laptop access, simulate AD encryption, and time the restore. Do it again next quarter with different people.
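The "four hours after we get DNS, AD, and the VPN back" problem from the backup section and the identity-independent restore above are the same arithmetic: a workload's real RTO is its own restore time plus the longest chain of restores it has to wait for. The following added example (not Techerino's assessment tooling) turns a stopwatch drill record into that number. The workloads, durations and dependency edges are constructed for illustration; the only thing to keep is the habit of recording each restore's prerequisites alongside its time.

```python
# Constructed drill record: hours each restore took with a stopwatch, and the
# services that had to be up before that restore could start. Numbers are
# illustrative, not measurements from any real environment.
DRILL = {
    "network-vpn":      {"hours": 3,  "needs": []},
    "dns":              {"hours": 3,  "needs": ["network-vpn"]},
    "active-directory": {"hours": 24, "needs": ["dns"]},
    "erp":              {"hours": 4,  "needs": ["active-directory"]},
    "file-server":      {"hours": 6,  "needs": ["active-directory", "dns"]},
}

# The RTOs the business believes it has for its tier-1 workloads.
TARGET_RTO_HOURS = {"erp": 4, "file-server": 4}


def measured_rto(drill, workload, _path=()):
    """Hours from 'go' until the workload is usable: the longest chain of
    prerequisite restores plus the workload's own restore time."""
    if workload in _path:
        raise ValueError(f"dependency cycle: {' -> '.join(_path + (workload,))}")
    entry = drill[workload]
    wait = max((measured_rto(drill, d, _path + (workload,)) for d in entry["needs"]), default=0)
    return wait + entry["hours"]


def critical_path(drill, workload):
    """The chain of restores that sets the measured RTO."""
    entry = drill[workload]
    if not entry["needs"]:
        return [workload]
    slowest = max(entry["needs"], key=lambda d: measured_rto(drill, d))
    return critical_path(drill, slowest) + [workload]


def rto_report(drill, targets):
    """Measured RTO, pass/fail and critical path for each workload with a target."""
    return {
        w: {"target": t,
            "measured": measured_rto(drill, w),
            "meets_target": measured_rto(drill, w) <= t,
            "critical_path": critical_path(drill, w)}
        for w, t in targets.items()
    }


def with_clean_recovery_domain(drill, ad_hours=4):
    """Model a pre-staged clean AD that can be promoted without production AD.
    Only the AD step changes; the rest of the dependency chain remains."""
    patched = {k: dict(v) for k, v in drill.items()}
    patched["active-directory"]["hours"] = ad_hours
    return patched


if __name__ == "__main__":
    scenarios = (("as measured", DRILL),
                 ("with clean recovery domain", with_clean_recovery_domain(DRILL)))
    for label, d in scenarios:
        print(label)
        for w, r in rto_report(d, TARGET_RTO_HOURS).items():
            print(f"  {w}: target {r['target']}h, measured {r['measured']}h, "
                  f"path {' > '.join(r['critical_path'])}")
```

With these constructed numbers the ERP system that "has a four-hour RTO" is usable 34 hours after go, and the file server after 36. Swapping the 24-hour AD rebuild for a pre-staged recovery domain brings them to 14 and 16: a large gain, and still nowhere near four, which is exactly the conversation the drill exists to force.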

Three honest questions to ask the room

We use these in nearly every executive briefing. They’re short, and the answers are revealing:

  1. If our domain-admin credential leaked tonight, what’s the first business process to fail tomorrow morning? If the team can’t answer in under a minute, the work to do is mostly clarity, not technology.
  2. When did we last restore a critical workload from backup, end to end, without notifying the owner of that workload in advance? “Never” is the most common honest answer.
  3. Who has the legal authority to decide whether we pay a ransom? The longer the discussion, the less ready you are.

A 10-line readiness check

If you can answer “yes” to all of these, you’re ahead of most:

  • Backups are immutable for at least 14 days, in a tenant your domain admin can’t reach.
  • You have an isolated, pre-staged recovery domain.
  • FIDO2 / Passkeys are enforced for executives, IT, and finance.
  • Privileged accounts are JIT and audited weekly.
  • EDR is on every endpoint, including contractors and break-glass laptops.
  • You’ve restored a tier-1 workload end-to-end in the last 90 days.
  • Your IR plan is one page and names humans, not roles.
  • Cyber insurance reviewed in the last 12 months.
  • A retainer with an IR firm signed before you need it.
  • The CEO can repeat the first three steps of the runbook from memory.
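The first checklist item, and the "immutable, off-account storage" point earlier, hide two details that decide whether the immutability is real: which retention mode is set, and whose account the bucket lives in. This added example (not Techerino's tooling) evaluates a bucket against that bar. The two configuration dicts are constructed in the shape of S3's GetObjectLockConfiguration response; the account identifiers are placeholders. The account check is a simplification: "off-account" in practice also means no trust path from the production tenant into the backup account.

```python
MIN_RETENTION_DAYS = 14

# Constructed responses in the shape of S3's GetObjectLockConfiguration output.
# WEAK_LOCK is what "we turned on object lock" often looks like; STRONG_LOCK
# is the bar the checklist sets.
WEAK_LOCK = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}},
    }
}
STRONG_LOCK = {
    "ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
    }
}

PROD_ACCOUNT = "111111111111"    # placeholder: the account your domain admins can reach
BACKUP_ACCOUNT = "222222222222"  # placeholder: a separate account for the immutable copy


def retention_days(rule):
    """Default retention can be expressed in Days or Years; normalise to days."""
    ret = rule.get("DefaultRetention", {})
    if "Days" in ret:
        return int(ret["Days"])
    if "Years" in ret:
        return int(ret["Years"]) * 365
    return 0


def assess_immutability(lock_response, bucket_account, prod_account, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings; an empty list means the copy meets the bar."""
    findings = []
    cfg = lock_response.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled: objects can be deleted at will")
        return findings
    rule = cfg.get("Rule")
    if not rule:
        findings.append("no default retention rule: new backups are written unlocked")
    else:
        mode = rule.get("DefaultRetention", {}).get("Mode")
        if mode != "COMPLIANCE":
            # GOVERNANCE retention can be overridden by any principal granted
            # s3:BypassGovernanceRetention, which an account admin can grant itself.
            findings.append(f"retention mode is {mode}: GOVERNANCE can be bypassed by a "
                            "principal holding s3:BypassGovernanceRetention")
        days = retention_days(rule)
        if days < min_days:
            findings.append(f"default retention {days}d is below the {min_days}d minimum")
    if bucket_account == prod_account:
        findings.append("bucket lives in the production account: a domain admin who reaches "
                        "the cloud admin role can still reach the backups")
    return findings


if __name__ == "__main__":
    for label, cfg, acct in (("weak", WEAK_LOCK, PROD_ACCOUNT), ("strong", STRONG_LOCK, BACKUP_ACCOUNT)):
        findings = assess_immutability(cfg, acct, PROD_ACCOUNT)
        print(label, "->", findings or "meets the bar")
```

The weak configuration fails three ways at once: governance mode, a retention window shorter than the checklist's 14 days, and a bucket in the same account the domain admin can reach. Each one alone is enough for the off-site copy to disappear during step 3 of the attack pattern.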

None of this is glamorous. It’s also nothing you have to build alone. We run this exact assessment for clients in a single 90-minute session and send back a one-page risk gap with priorities. Want one?
