Ransomware Payments Hit Record Highs — What NJ Businesses With Untested Backups Need to Know

Ransomware payments reached record highs in 2024, according to the FBI’s Internet Crime Complaint Center (IC3) annual report — and the businesses that paid were almost never the ones with a tested, reliable backup strategy. If your company has backups sitting somewhere but no one has verified they actually work, you are not protected. You are hoping. This post breaks down what the IC3 data shows, why untested backups are the silent risk inside most small and mid-sized businesses, and what a properly run IT environment looks like in response.

IC3 2024: What the Data Actually Shows About Ransomware Payments

The FBI IC3 2024 Internet Crime Report recorded over $16.6 billion in total reported cybercrime losses — the highest figure in the report’s history. Ransomware complaints rose 9% year over year, with critical infrastructure sectors reporting the highest volume. Healthcare, manufacturing, and financial services took the most hits, but small and mid-sized businesses across every industry were well represented.

What the headline number obscures is the breakdown behind it. Many organizations that paid a ransom did recover some data — but “some” is doing a lot of work in that sentence. Partial recovery, weeks of downtime, corrupted files, and residual malware left behind after payment are all documented outcomes. The IC3 data does not suggest that paying is a reliable path to recovery. It suggests it is an expensive coin flip.

For New Jersey businesses — particularly in professional services, healthcare, and light manufacturing concentrated across Burlington, Camden, and Gloucester counties — the implications are direct. You do not have to be a Fortune 500 target to get hit. Attackers increasingly use automated tools that probe millions of endpoints without human direction. Size is not protection.

Why Backups Fail When It Matters Most

Most business owners believe they have backups. Fewer can answer these three questions: When was the last time a full restore was tested? How long would a full restore actually take? Are the backups stored somewhere ransomware cannot reach and encrypt?

The gap between “we have backups” and “our backups will work under pressure” is where ransomware payments happen. Here is why backups fail in practice:

• Backups are stored on the same network they protect. Modern ransomware specifically hunts for backup repositories and encrypts them first. If your backup target is reachable from your primary environment, it is a target too.
• Backups run on a schedule but are never verified. A backup job that completes without errors is not the same as a backup that restores cleanly. Silent corruption, incomplete snapshots, and misconfigured agents are common — and invisible until recovery day.
• Recovery time has never been measured. Restoring 2TB of data from a cloud backup can take 18–72 hours depending on bandwidth and infrastructure. If your business cannot absorb three days of downtime, your backup strategy is incomplete even if the data itself is intact.
• The backup system is managed by the same vendor whose environment just got compromised. This is a conflict most businesses never consider until it matters.

None of these are exotic failure modes. They are routine. They appear in post-incident reviews after nearly every ransomware event that ends in a payment.

The Backup Testing Gap Most NJ Businesses Don’t Know They Have

Backup testing is not glamorous. It does not show up on a dashboard. It generates no alerts when it is not happening. That is exactly why it gets deprioritized — and why it is one of the clearest dividing lines between businesses that recover from ransomware in hours and businesses that write a check to an attacker.

A genuine backup testing program has a few non-negotiable components. Restores are tested on a defined schedule — not annually, not “when we get to it,” but on a calendar. Tests cover realistic scenarios: full system failure, not just single-file recovery. Recovery time is measured against the business’s actual tolerance for downtime. Results are documented and reviewed.

The IC3 2024 data reinforces what good IT teams have known for years: ransomware payments spike when backup confidence is low. Businesses pay not because the attacker’s decryptor is reliable — it often is not — but because they have no other visible path to getting their data back. Tested backups change that calculus entirely.

For a baseline framework on backup and recovery requirements, CISA’s guidance on ransomware prevention and response is worth reviewing. It is written for leadership audiences, not technical teams, and covers the organizational decisions that matter most.

What Paying the Ransom Actually Buys You

This section deserves plain language, because the misconception here is costly. Paying a ransomware demand does not buy you a clean recovery. It buys you a decryption key — which may or may not work, may decrypt data slowly over days, and does nothing to remove the attacker’s foothold in your environment.

The IC3 and independent researchers have documented cases where businesses paid, received a partial decryptor, and were hit again within 90 days by the same or an affiliated group. Ransomware payments send two signals to an attacker: you have money, and you will spend it when pressured. That is not a reputation you want in criminal forums.

Beyond the ransom itself, the total cost of a ransomware incident typically includes forensic investigation, legal notification requirements (New Jersey’s data breach notification law applies broadly), regulatory exposure, and reputational damage with clients. Average losses per incident have climbed steadily, according to IC3 data. For a small business, a single event can be existential.

The argument for not paying is not moral — it is practical. Organizations with tested backups and a documented recovery plan almost never pay. They restore, investigate, harden, and move on. That outcome is available to any business willing to build for it before the event happens.

What a Well-Run IT Environment Looks Like

At Xact IT Solutions, we have maintained a zero-client-breach record across more than 20 years. That is not luck, and it is not a single product doing the work. It is a philosophy: build environments that do not give attackers an easy path, and build recovery capabilities that make ransomware payments irrelevant.

In practical terms, a well-run environment includes the following:

• Immutable, offsite backups. Backup data is stored in a location — and in a format — that cannot be modified or deleted by ransomware running in the primary environment. This is the single most important technical control in a ransomware scenario.
• Documented and tested recovery procedures. Not a document that says “restore from backup.” A step-by-step runbook, tested against real failure scenarios, with measured recovery times.
• Layered access controls. Ransomware spreads by moving laterally across a network using credentials it finds along the way. Limiting what any single account can access limits the damage when credentials are compromised.
• Endpoint protection with behavioral detection. Signature-based tools catch known threats. Behavioral detection catches threats that do not match any known signature — which is increasingly how ransomware arrives.
• Email filtering and user awareness. IC3 data consistently identifies phishing as the leading way attackers get in. Technical controls reduce the volume; user awareness reduces the click rate on what gets through.

These are not enterprise-only capabilities. They are the baseline for any business that takes continuity seriously. Our cybersecurity practice is built around this kind of layered, quiet defense — environments that do not require drama because the foundation is solid.

A broader point worth making: if your current IT provider has not discussed backup testing with you in the last six months, that conversation is overdue. Not because something has gone wrong — because something could, and the time to find gaps is before an incident, not during one.

We pair cybersecurity with managed IT services because the two should not be handled separately. Backup integrity, patch discipline, access management, and endpoint protection all interact. When different teams handle them with different visibility, gaps appear. That is where attackers operate.

How to Assess Your Ransomware Payments Risk and Recovery Readiness

Knowing whether your business is genuinely prepared — or simply assuming it is — comes down to five specific questions. Most businesses that end up making ransomware payments did not plan to. They assumed their environment was in order. Answering these honestly closes the gap between assumption and reality.

1. Can you produce documentation of a successful full-system restore test conducted in the last 90 days? If the answer is no or “I think so,” your backup testing program has a gap.
2. Are your backups stored in a location that is logically and physically separate from your primary network? Backups on a network share — even a dedicated one — are often reachable by ransomware. Immutable cloud storage or air-gapped media is the standard.
3. Do you know your actual recovery time — not the theoretical estimate, but the one measured during a real restore test? Many businesses find their real recovery window is three to five times longer than they assumed.
4. Has your incident response plan been reviewed in the last 12 months? A plan written in 2021 may not reflect your current infrastructure, your current team, or current attacker techniques.
5. Does your IT provider give you written backup verification reports — not just verbal assurances? Accountability requires documentation. If your provider cannot produce those reports on request, you do not have verified backups. You have a vendor’s word.

If any of these questions surfaced a gap, you are not alone. The NIST Cybersecurity Framework — available at NIST.gov — provides a practical structure for assessing and improving your security and recovery posture. It is designed for organizations of any size, not just enterprises.

Closing these gaps rarely requires a large budget or a lengthy project. In many cases the changes are procedural: a documented testing schedule, backup targets moved to immutable storage, a simple recovery runbook. The hard part is not the technology. It is making the time to do it before you need it.

Our full range of IT and cybersecurity services is designed to help NJ businesses close exactly these kinds of gaps — systematically, without disrupting day-to-day operations.

The Bottom Line for NJ SMBs

The IC3 2024 data is not a scare statistic. It is a record of where other businesses failed to prepare — and what that failure cost them.

Ransomware payments are at record highs because the businesses making them had no reliable path back to normal operations. Tested backups are that path. They are not the only control that matters, but they are the one that most directly determines whether an attack ends in a payment or a recovery.

For New Jersey businesses — whether you are a professional services firm in Cherry Hill, a healthcare practice in Voorhees, or a manufacturer in Gloucester Township — the question is not whether ransomware is a risk your peers have faced. The IC3 data answers that. The question is whether your recovery capability has been tested against a real scenario recently enough to trust it.

If the honest answer is no — or you are not sure — that is worth a conversation. The strategy call is free, takes 20 minutes, and comes with no obligation. We will tell you plainly where your backup posture stands and what it would take to close any gaps. Book a Free Strategy Call.