All articles
Resilience · 3 Jul 2025 · 2 min read

Ransomware readiness: beyond backups

Ransomware remains one of the most potent threats facing Australian businesses. Robust backups are vital, but true readiness extends well beyond simply copying data. Here is how to build resilience that can withstand a full-scale ransomware onslaught.

1. Immutable storage and air-gapped snapshots

Traditional backups can be encrypted, or worse, deleted, by a determined attacker. Immutable storage (where data cannot be altered or deleted for a set period) and air-gapped snapshots (offline copies inaccessible from the network) ensure clean copies survive even a full ransomware sweep. Configure immutability policies for your most critical datasets, financial records and customer databases first, so recoverability is guaranteed.

2. Recovery drills and playbooks

A backup that has not been tested is not a backup. Schedule quarterly recovery drills that restore a subset of data, or entire systems, into a sandbox. Validate not just file integrity but application functionality and user access. Document every step, who ran the restore, how long it took, what broke, and refine the playbook. These exercises surface hidden gaps before a real crisis does.

3. Segmentation and least-privilege access

Ransomware spreads laterally through compromised credentials and privileged paths. Limit the blast radius by segmenting networks and applying least privilege to administrative accounts. Restrict backup service accounts so they can write to storage but not execute binaries or change system configuration. When encryption starts, segmentation stops it hopping unchecked across the environment.

4. Early detection and automated response

Recovering after encryption is costly; catching it early enables near-instant containment. Use file-integrity monitoring to watch for mass renames and encryption patterns, feed those alerts into your SIEM or Microsoft Sentinel, and build automated playbooks, such as isolating affected devices or revoking credentials, to halt the spread within minutes.

5. Governance and executive buy-in

Ransomware preparedness is not purely technical; it needs board-level sponsorship. Frame it in business terms: estimated downtime cost, obligations under the Notifiable Data Breaches scheme, and the reputational impact of an extended outage. Show how immutable storage and tested drills cut average downtime from days to hours, and the investment makes itself.

This is the thinking behind our work with Veeam for immutable backup and recovery, mapped into the Essential Eight and a wider endpoint security posture. A cyber health check tells you where your recovery position really stands.

Could you recover from ransomware in hours, not days?