Ransomware Backup Deletion: Why Attackers Destroy Your Recovery Options Before You Notice Them

Ransomware backup deletion is not a secondary step in a modern attack — it is the opening move. Across post-incident disclosures published in 2024 and 2025, one pattern repeats: ransomware groups spend days or weeks inside a network hunting for backup systems, shadow copies, and cloud-connected recovery repositories before they ever trigger the encryption payload. For small and midsize businesses, this changes everything about how recovery needs to be planned, built, and tested. The “restore from backup” safety net that businesses have relied on for a decade is the first thing attackers cut.

Table of Contents

  1. The Threat Landscape: Backup Infrastructure Is Now the Primary Target
  2. What 2024 and 2025 Disclosures Actually Show
  3. Who This Affects: The SMB Exposure Problem
  4. Real-World Post-Mortems: What the Disclosures Reveal
  5. Defense Posture: Rebuilding the Recovery Calculus
  6. What to Ask Your IT Firm Right Now

The Threat Landscape: How Ransomware Backup Deletion Became the Primary Attack Vector

For most of the 2010s, ransomware was a blunt instrument. A payload arrived via a phishing email, encrypted files on a workstation, and demanded a few hundred dollars in cryptocurrency. Backups were the obvious fix. The security industry’s advice was consistent: maintain good backups and you recover without paying.

Ransomware groups noticed. They adapted.

The shift from automated, scattershot ransomware to deliberate, human-operated attacks changed the entire threat model. Groups like BlackCat (ALPHV), LockBit, Black Basta, and Akira do not behave like automated malware. They operate like adversarial IT teams working against you. Their first goal — documented repeatedly in post-incident analyses — is to understand and neutralize your ability to recover before you know an attack is underway.

The CISA StopRansomware portal has published over 60 ransomware advisories since its launch, and backup targeting appears in the overwhelming majority of those involving human-operated ransomware groups. This is not a niche concern. It is the dominant attack pattern of the current era.

Modern human-operated ransomware follows a consistent kill chain: establish access, map backup infrastructure, execute ransomware backup deletion, then trigger encryption.

What 2024 and 2025 Disclosures Actually Show

The picture from 2024 and early 2025 public disclosures is stark. Several specific findings are worth examining directly.

Dwell Time Is Being Used to Map and Destroy Recovery Infrastructure

The Veeam Backup and Replication vulnerabilities disclosed in 2024 (CVE-2024-40711 and related CVEs) were actively exploited within weeks of publication. CISA issued an advisory noting that ransomware groups — specifically Akira and Fog ransomware affiliates — were exploiting these flaws not to immediately encrypt data, but to gain administrative access to backup servers. Once inside a backup platform, attackers delete restore points, corrupt backup catalogs, and exfiltrate data before the encryption phase begins.

The FBI’s Internet Crime Complaint Center 2023 annual report, published in early 2024, recorded adjusted losses from ransomware attacks exceeding $59.6 million — and noted that the most costly incidents consistently involved prior destruction of backup infrastructure, stretching recovery timelines from days to weeks or months.

Shadow Copy Deletion Is Now Standard Operating Procedure

Windows Volume Shadow Copies — the built-in snapshot technology most small business environments rely on as a first line of recovery — are deleted in virtually every documented human-operated ransomware incident. The command vssadmin delete shadows /all /quiet and its PowerShell equivalents appear in post-mortem analysis after post-mortem analysis. This has been true since at least 2019; by 2024, it is nearly universal.

Black Basta, linked to former Conti operators after that group’s structural collapse, was documented in a May 2024 CISA advisory as routinely targeting backup agents, disabling Windows Volume Shadow Copy Service, and using compromised domain administrator credentials to reach network-attached storage volumes where backup files lived.

Cloud-Connected Backups Are Not Safe by Default

One of the most significant shifts in recent disclosures: cloud backup destinations are no longer an automatic safe harbor. When backup agents maintain persistent connections to cloud storage — common in many small business configurations — attackers with access to those agents can instruct them to delete cloud-stored restore points.

The Microsoft Incident Response team documented this in their 2024 threat intelligence reporting. Attackers specifically targeted backup application credentials stored in memory or configuration files to authenticate against cloud storage APIs and purge backups remotely. A business that believed its cloud backups were protected because they were “off-site” may discover, post-attack, that those backups were deleted hours before the encryption payload executed. Ransomware backup deletion, in this context, is a fully remote operation requiring no physical access.

Who This Affects: The SMB Exposure Problem

Enterprise organizations typically maintain air-gapped backups, immutable storage tiers, and dedicated teams focused on backup security. These controls are expensive and operationally complex. Most small and midsize businesses — particularly those in the 10-to-150-employee range — do not have them.

The typical small business backup architecture looks like this: a cloud-connected backup agent on each server, a local network-attached storage device for on-site copies, and Windows shadow copies as a last resort. Every layer of that architecture is specifically targeted by the ransomware backup deletion tactics documented above.

The exposure problem is made worse by credential hygiene. Backup agents frequently run under domain administrator accounts — or accounts with equivalent privileges — because it is the path of least resistance during setup. Once attackers establish a foothold and escalate privileges (a process CISA advisories consistently show taking anywhere from two hours to two days), they have everything they need to reach backup systems with legitimate credentials. Security tools do not flag this activity as suspicious because the credentials are valid.

Businesses handling sensitive data — healthcare practices, financial services firms, professional services companies, and any organization subject to client security requirements — face additional compounding risk. A ransomware attack that destroys backups is not just a recovery problem. It is a regulatory notification event, a client-disclosure event, and potentially a contract-termination event. The downstream cost of extended downtime typically far exceeds the ransom demand itself.

Our managed IT services team works specifically with small and midsize businesses to evaluate and redesign backup architectures against the current threat model — including explicit testing for ransomware backup deletion scenarios.

Real-World Post-Mortems: What the Disclosures Reveal

Public post-mortems are rare — organizations have strong incentives not to disclose exactly how they were compromised. But enough has entered the public record through CISA advisories, FBI flash alerts, and investigative journalism to draw clear conclusions.

The Akira Pattern

The CISA/FBI joint advisory on Akira ransomware, published April 2024, described a consistent operational playbook. Initial access came primarily through compromised VPN credentials, particularly on devices without multi-factor authentication. After establishing persistence, Akira operators used credential harvesting and lateral movement to locate backup servers.

They disabled or uninstalled backup agents, deleted local backup files, and only then deployed the encryption payload. The advisory noted Akira had compromised over 250 organizations and collected approximately $42 million in ransom payments by early 2024, with victims spanning healthcare, education, and financial services. Ransomware backup deletion was a consistent pre-encryption step in virtually every documented Akira incident.

The Black Basta Pattern

The May 2024 CISA advisory on Black Basta documented a group that had conducted over 500 attacks since April 2022. The advisory specifically called out backup infrastructure targeting: operators used domain administrator credentials to access backup servers, disabled Windows Defender and other security tools, ran vssadmin commands to remove shadow copies, and in several cases used the backup application’s own management console to delete stored recovery points before triggering encryption.

The sophistication of this approach — using legitimate administrative tools rather than custom malware — is precisely what makes it difficult to detect. Ransomware backup deletion carried out through native tools leaves minimal forensic signal until it is too late.

The Supply Chain Angle

The Change Healthcare incident, which began in February 2024 and became one of the most consequential healthcare-sector attacks on record, illustrated another dimension of the backup destruction problem. When a large upstream provider is compromised, downstream small businesses that depend on that provider’s systems find that their own backups only get them so far.

Change Healthcare’s extended outage affected thousands of medical practices, many of which had adequate local backups of their own systems but could not operate because the clearinghouse infrastructure they depended on was unavailable. This is not a backup problem in the traditional sense — but it confirms that recovery planning must account for external dependencies, not just internal backup integrity.

Defense Posture: Rebuilding the Recovery Calculus Against Ransomware Backup Deletion

The answer to ransomware backup deletion is not to abandon backup strategy. It is to build backups with the explicit assumption that an attacker will eventually have administrative access to your environment and will actively work to destroy your recovery options. That is a fundamentally different design constraint than traditional backup planning.

Immutable Backup Storage Is the Minimum Bar

Immutable storage — cloud or on-premises systems configured so that backup data cannot be deleted or overwritten for a defined retention period, even by an administrator — is no longer an enterprise luxury. It is the baseline. Major cloud storage providers offer object lock or immutability features at minimal additional cost.

The critical architectural point: the backup agent and the storage destination must have administrative access separated. The credentials used by the backup agent should not also carry delete rights on the stored data. This single configuration change directly breaks the most common ransomware backup deletion chain.
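One way to verify the separation this paragraph calls for, as an added example that is not from the article: it assumes an AWS S3 destination and a hypothetical bucket named example-backups, scans the backup agent's IAM policy for actions that could destroy or unlock stored data, and checks that the bucket's Object Lock is in COMPLIANCE mode rather than GOVERNANCE mode (which a sufficiently privileged principal can bypass).

```python
"""Check whether a backup agent's cloud-storage policy carries delete rights, and
whether the destination bucket's Object Lock actually prevents deletion.
Added example (not from the article); AWS S3 / IAM shapes are the concrete case.
Simplified on purpose: it matches Action wildcards and honours explicit Deny but
ignores Resource ARNs, Condition blocks and NotAction, so a clean result is a
first pass, not proof."""
from fnmatch import fnmatch

# S3 permissions that let a principal destroy backups or weaken their protection
# (constructed list for this example; extend it for your provider).
DESTRUCTIVE_ACTIONS = (
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
    "s3:PutLifecycleConfiguration",   # expiry rules can purge objects
    "s3:PutBucketVersioning",         # suspending versioning drops old versions
    "s3:PutObjectRetention",          # shortening or removing a lock
    "s3:BypassGovernanceRetention",
)

def _as_list(value):
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def destructive_rights(policy):
    """Return destructive actions the policy effectively allows (Deny wins over Allow)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.update(a for a in DESTRUCTIVE_ACTIONS
                      if any(fnmatch(a.lower(), p) for p in patterns))
    return sorted(allowed - denied)

def object_lock_ok(lock_config, min_days):
    """True only if Object Lock is enabled in COMPLIANCE mode for at least min_days.
    GOVERNANCE mode can be bypassed by a privileged principal, so it does not count."""
    rule = lock_config.get("Rule", {}).get("DefaultRetention", {})
    days = rule.get("Days", rule.get("Years", 0) * 365)
    return (lock_config.get("ObjectLockEnabled") == "Enabled"
            and rule.get("Mode") == "COMPLIANCE" and days >= min_days)

# Constructed policies for the same hypothetical bucket "example-backups".
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [          # path of least resistance
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-backups/*"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [      # write + read, no delete
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
    {"Effect": "Deny", "Action": ["s3:Delete*", "s3:BypassGovernanceRetention"],
     "Resource": "*"}]}
COMPLIANCE_LOCK = {"ObjectLockEnabled": "Enabled",
                   "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}

if __name__ == "__main__":
    print("weak policy allows:", destructive_rights(WEAK_POLICY))
    print("hardened policy allows:", destructive_rights(HARDENED_POLICY))
    print("lock acceptable for 30 days:", object_lock_ok(COMPLIANCE_LOCK, 30))
```

With versioning and a compliance-mode default retention in place, the hardened agent can still overwrite an object, but the prior version and every existing restore point remain undeletable until retention expires.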

The 3-2-1-1 Rule Replaces the 3-2-1 Rule

The traditional 3-2-1 backup rule (three copies, two different media types, one off-site) has been extended by security practitioners to 3-2-1-1: three copies, two media types, one off-site, and one air-gapped or offline copy with no persistent network connection. The offline copy is what attackers with network access cannot reach. It is slower to restore from and more operationally complex to maintain — but it is the only copy that is reliably safe from a network-connected attacker executing ransomware backup deletion.

Backup Systems Need Their Own Security Posture

Backup servers and backup applications should be treated as high-value targets with hardened configurations, not as commodity infrastructure. This means dedicated service accounts with minimal privileges (not domain admin), network segmentation that restricts which systems can reach the backup server, multi-factor authentication on backup management consoles, and alerting on unusual activity such as mass deletion jobs or configuration changes.

Backup integrity verification — confirming that backups are actually restorable — should happen on a scheduled, documented basis, not just when a crisis hits. Regular restore tests are the only way to know whether your defenses against ransomware backup deletion are actually working.

Dwell Time Detection Matters

Because human-operated ransomware groups spend time inside environments before encrypting, detection during the dwell period is a genuine opportunity. Behavioral monitoring for lateral movement, unusual administrative tool usage (especially vssadmin, wmic, and backup agent management), and anomalous credential activity can surface an active intrusion before backup destruction begins. This is not foolproof — sophisticated operators know common detection signatures — but it materially changes the odds of catching ransomware backup deletion activity in progress.
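An added example, not from the article, of the two signals this section and the earlier "alerting on mass deletion jobs" point describe: native-tool shadow copy deletion in process-creation events, and a burst of restore-point deletions in a backup console's audit log. The log field layout, host names and account names are constructed for the demo; the vssadmin command line is the one quoted earlier in the article.

```python
"""Two dwell-phase detections from the article: shadow-copy deletion through native
Windows tools, and a burst of restore-point deletions in a backup platform's audit
log. Added example; the log layouts are constructed for this demo and must be
adapted to your EDR and backup product's export format."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# vssadmin or wmic invoked with the tokens that remove shadow copies, any argument order.
SHADOW_DELETE = re.compile(
    r"vssadmin(?=.*\bdelete\b)(?=.*\bshadows\b)|wmic(?=.*\bshadowcopy\b)(?=.*\bdelete\b)",
    re.IGNORECASE)
PROC_RE = re.compile(r'^(\S+) host=(\S+) user=(\S+) cmd="(.*)"$')
AUDIT_RE = re.compile(r'^(\S+) user=(\S+) action=(\S+)')

def shadow_copy_deletions(process_lines):
    """Return (time, host, user, cmd) for process events that delete shadow copies.
    Listing or creating shadow copies is routine and is deliberately not flagged."""
    hits = []
    for line in process_lines:
        m = PROC_RE.match(line)
        if m and SHADOW_DELETE.search(m.group(4)):
            hits.append(m.groups())
    return hits

def mass_deletions(audit_lines, threshold=5, window=timedelta(minutes=10)):
    """Return {user: count} for accounts deleting >= threshold restore points within
    `window`. Every deletion used valid credentials, so the rate is the signal."""
    per_user = defaultdict(list)
    for line in audit_lines:
        m = AUDIT_RE.match(line)
        if m and m.group(3) == "DeleteRestorePoint":
            per_user[m.group(2)].append(
                datetime.fromisoformat(m.group(1).replace("Z", "+00:00")))
    flagged = {}
    for user, times in per_user.items():
        times.sort()
        for i, start in enumerate(times):         # sliding window over sorted times
            j = i
            while j < len(times) and times[j] - start <= window:
                j += 1
            if j - i >= threshold:
                flagged[user] = j - i
                break
    return flagged

# Constructed sample data: the article's vssadmin command plus benign noise, then a
# backup-console audit trail showing six restore points removed inside six minutes.
PROCESS_EVENTS = [
    '2024-05-14T02:13:07Z host=FS01 user=CORP\\svc_backup cmd="vssadmin delete shadows /all /quiet"',
    '2024-05-14T02:14:00Z host=FS01 user=CORP\\svc_backup cmd="vssadmin list shadows"',
    '2024-05-14T09:00:00Z host=WS07 user=CORP\\jsmith cmd="notepad.exe budget.xlsx"',
]
AUDIT_EVENTS = [
    f'2024-05-14T02:{15 + i:02d}:00Z user=CORP\\svc_backup action=DeleteRestorePoint job=FS01-{i}'
    for i in range(6)
] + [
    '2024-05-14T02:21:30Z user=CORP\\svc_backup action=DisableJob job=FS01-Daily',
    '2024-05-13T17:00:00Z user=CORP\\bkadmin action=DeleteRestorePoint job=OLD-Archive',
]
```

Both checks are behavioural rather than credential-based, which is the point the section makes: the account doing the deleting is usually a legitimate administrator, so the tool invoked and the tempo of deletions carry the signal.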

Recovery Time Objectives Must Be Tested Against a Backup-Destruction Scenario

Most small businesses have never tested their recovery plan under the assumption that all on-site and cloud-connected backups have been destroyed. That specific scenario — now the most common scenario in documented ransomware incidents — produces a very different recovery timeline than a standard restore test.

Running a tabletop exercise or actual test recovery against only the offline or air-gapped copy, including time to procure replacement hardware if systems are encrypted, gives you a realistic picture of actual recovery time under attack conditions. That number is almost always significantly higher than businesses expect — and closing that gap is the core objective of any credible ransomware backup deletion defense program.

What to Ask Your IT Firm Right Now

If you rely on a managed IT provider or an internal IT resource for your backup and recovery strategy, the 2024 and 2025 ransomware disclosure record gives you specific, informed questions to ask. The answers will tell you whether your current posture reflects the actual threat environment — including the ransomware backup deletion tactics now used by every major threat group.

  • Do any of our backup copies use immutable storage, and can you show me the configuration that prevents deletion even by an administrator?
  • Do we have at least one backup copy with no persistent network connection — meaning an attacker with domain administrator access could not reach it remotely?
  • What credentials does our backup agent run under, and do those credentials carry delete rights on the backup storage destination?
  • When did we last perform a full restore test from our most isolated backup copy, and what was the measured recovery time?
  • Is our backup management console protected by multi-factor authentication?
  • Do we have alerting in place for mass deletion events or configuration changes in our backup platform?
  • Has our recovery plan been tested against a scenario where all on-site and cloud-connected backups have been destroyed?
  • Are our backup systems on a separate network segment from production, with firewall rules controlling which systems can initiate connections to the backup server?

These are not theoretical questions. They map directly to the documented tactics of the groups that caused the most damage to small businesses in 2024. A provider who cannot answer them clearly and specifically — or who treats them as excessive — is operating with an outdated threat model that does not account for ransomware backup deletion as a systematic pre-encryption step.

For organizations that want to see how their current cybersecurity posture and backup architecture hold up against the actual 2024–2025 threat landscape, the starting point is an honest assessment of every layer in the recovery stack — conducted with an IT partner who has read the same advisories you now have, and who builds environments around the assumption that the attacker will eventually hold administrative credentials. The businesses that recover quickly from ransomware are not the ones that paid for the most storage. They are the ones whose recovery architecture was explicitly built to survive an attacker who was trying to destroy it.

Book a Free Cybersecurity Strategy Call to walk through your current backup architecture against the threat patterns documented above. Twenty minutes. No pressure. You will leave knowing exactly where you stand.
