Sponsored Content

Sponsored content is a special advertising section provided by IT vendors. It features educational content and interactive media aligned to the topics of this web site.

Your backups are now the target, and most recovery plans aren't ready for it

In 2025, ESG (part of Omdia) found that 92% of organizations experienced a ransomware attack in the previous twelve months, and close to half discovered the malware had been lurking in their environment for eight days or longer before anyone noticed.[3] That dwell time matters far more than most security teams appreciate. Modern ransomware operators don't detonate on arrival. They move laterally, escalate privileges, and steal whatever they can reach. They only start encrypting after they've taken everything worth stealing. The encryption is a parting shot.

Backups have become the primary target

When cybercriminals deliver the coup de grace, they want to ensure it sticks. That's why ransomware thieves target more than just your operational data when the encryption happens; they go after your backups, too. ESG found more than four in 10 (41%) of impacted organizations identified backup infrastructure as a target. That's the single most common response.

That shift is strategic, not accidental. Attackers figured out that if you destroy an organization's ability to restore, the ransom question answers itself.

Despite years of investment in ransomware protection, ESG found 69% of attacked organizations paid up when hit. After spending billions collectively on backup modernization, endpoint detection, and incident response retainers, more than two-thirds end up sending the bitcoin or monero (XMR) that the thieves ask for. Among those suffering a successful attack, 53% reported a financial impact totaling a million dollars or more.

Even if backups aren't hit, that doesn't get companies out of the woods. The Colonial Pipeline case of 2021 illustrates why. The company paid the ransomware gang that hit them not because they couldn't restore, but because when the CEO asked the IT team how long restoration would take, nobody had an answer. If you can't credibly say how long it will take to recover, you're still paying.

The case for minimal viable business recovery

So where does that leave the enterprise that wants to be prepared? The instinct is to protect everything equally and assume that you can restore it all at once. In practice, most organizations doing that end up testing and timing none of it.

A better starting point is minimal viable business recovery. The question becomes: What do I, as a company, truly need to continue operations? Can I still sell, take payment from customers, and pay my people?

Organizations that can prioritize the subset of things they need to operate, while scheduling the rest for later recovery, tend to have a better protection strategy. They've narrowed the scope enough to actually verify the restoration process.

Layered defenses around the core

Once you've identified what must survive, protect it as though your organization's existence depends upon it, because it does. There are some key principles to cyber resilience that support minimum viable business operations (MVBO):

Assume compromise: Zero-trust principles apply. Assume that attackers are already inside your infrastructure and that they're coming after your backups.

Use immutable data storage: These are backup copies that are protected at a firmware or hardware level, so that they cannot be altered by any credential in your production environment.

Add air-gapped isolation: Separate your critical copies with independent management paths, distinct credentials, and multi-factor authentication.

3-2-1 backups: Three copies of data including the production copy, two separate media (keep one immutable), and one offsite copy (perhaps in the cloud) provide excellent protection.

Consider backup anomaly detection: Detecting suspicious patterns in your backups alone won't prevent compromise. Once you've spotted ransomware in your backups, it's already too late, after all. But it accelerates forensics, helps isolate clean copies, and shortens recovery times.

County of Kaua’i Customer Story: Protecting paradise with smart solutions

The County of Kaua’i needed to safeguard the island’s critical infrastructure by implementing a robust, modern data center with advanced cyber resilience. Dell PowerProtect Data Manager and PowerProtect Cyber Recovery proactively protect the county’s systems and community from natural and man-made threats.

Testing, timing, and having the confidence to say no

All of the above is necessary, but none of it is sufficient without tested, timed and verified recovery. The real question every enterprise should answer is not just whether they can recover, but how fast they can restore critical business functions.

Your plan cannot be that everyone executes perfectly under pressure. Drill the recovery and time it. Identify what breaks, then refine and repeat. The organization that can give its CEO a credible restoration estimate is the one that gets to say no when the ransom demand arrives. As the numbers show, most can't do that today. That’s the gap that modern, cyber resilient backup and recovery architectures — anchored by immutable storage, isolated cyber vaults, intelligent anomaly detection, and proven rapid restore capabilities — are purpose-built to close.

Source: Complete Survey Results: The Ransomware Reality: Cyber Resilience, Data Resilience, and Data Protection, Dec 2025. All research data in this article is from this study.
