The scenario repeats every week across businesses of all sizes: a click on an attachment, an unsecured RDP port, a reused password — and within hours, files are encrypted. Production stops. Servers go dark. The team is paralysed.
What determines what happens next is not the antivirus you had installed. It’s the backup you had — or didn’t have.
The first 72 hours are decisive
In the hours following a ransomware attack, two trajectories emerge.
Company A — clean, tested backup. The team isolates affected machines, contacts their provider, identifies the most recent uncompromised restore point. Within 4 to 24 hours depending on data volume, critical systems come back online. The week ends with a few days of lost data and stressed teams — but operations resume.
Company B — missing, corrupted, or untested backup. The team discovers that the backup was encrypted alongside everything else (the ransomware waited until it had infiltrated the network backups before triggering). Or the last restore test was 18 months ago. Or there was never a test. The options are then: pay the ransom (with no guarantee of recovery), bring in forensic specialists (cost: €20,000–€150,000), or rebuild from scratch.
According to ANSSI data and cyber insurers, more than 60% of SMBs hit by ransomware do not return to normal operations within 30 days.
What makes a backup resilient against ransomware
Not all backups are equal against this threat. Modern ransomware takes time to explore the network before activating — sometimes weeks — specifically to reach and encrypt accessible backups.
A resilient backup rests on three pillars:
Physical or logical isolation. Backups must not be writable from production systems. A network share permanently mounted on your file server is not a backup — it’s an additional target.
Sufficient retention. Ransomware can lie dormant for several days before activating. A 7-day retention window may not be enough. The common rule is 30 days minimum for critical data.
Immutability. Some solutions allow backups to be made immutable for a defined period: no modification or deletion is possible, even with administrator rights. This is currently the strongest protection against ransomware that targets backups.
The real problem: untested backups
A backup that has never been restored is a hypothesis, not a protection.
Why tests are rarely performed: they take time, they require an isolated test environment, and in the absence of an incident, they seem unnecessary. Until the day they aren’t.
Problems commonly discovered during the first restore attempt in a real situation:
- Incomplete backups (directories excluded by misconfiguration)
- Silent errors (jobs marked “success” although the data is corrupted)
- Actual restore times far exceeding estimates
- Dependencies left out of the backup (certificates, configurations, ancillary databases)
Annual restore testing is a minimum. Quarterly for critical environments.
The 3-2-1 rule: easy to state, rarely applied correctly
The 3-2-1 rule is a recognised backup standard:
- 3 copies of the data
- on 2 different media
- with 1 offsite
In practice, few SMBs apply it correctly. The common version is: 1 local copy (the NAS) + a cloud sync of the NAS — still accessible from the network. That’s not 3-2-1; it’s one copy in two places, both compromisable simultaneously.
The “offsite” element of 3-2-1 must be air-gapped or immutable: a copy the attacker cannot reach from your network.
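The checks from the sections above, as an added example (not Heavy Mind tooling): a small Python audit that applies 3-2-1, the 30-day retention floor and the annual restore test to a backup inventory. The Copy fields, the mirror_of convention for sync targets and both sample inventories are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Copy:
    name: str
    medium: str                      # "disk", "nas", "object-storage", "tape", ...
    offsite: bool
    writable_from_prod: bool         # production accounts can modify or delete it
    immutable: bool = False          # locked against change, even for admins
    mirror_of: Optional[str] = None  # live sync of another copy (assumed convention)
    retention_days: int = 0
    last_restore_test: Optional[date] = None

def audit(copies, today, min_retention=30, max_test_age=365):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # A live sync replicates encrypted files too, so it is not counted as a copy.
    real = [c for c in copies if c.mirror_of is None]
    if len(real) < 3:
        findings.append(f"only {len(real)} independent copies (need 3)")
    if len({c.medium for c in real}) < 2:
        findings.append("fewer than 2 different media")
    # The offsite copy only counts if production cannot alter it, or it is immutable.
    safe = [c for c in real if c.offsite and (c.immutable or not c.writable_from_prod)]
    if not safe:
        findings.append("no offsite copy that is isolated or immutable")
    for c in safe:
        if c.retention_days < min_retention:
            findings.append(f"{c.name}: retention {c.retention_days}d < {min_retention}d")
        if c.last_restore_test is None:
            findings.append(f"{c.name}: never restore-tested")
        elif (today - c.last_restore_test).days > max_test_age:
            findings.append(f"{c.name}: last restore test older than {max_test_age} days")
    return findings

# Constructed inventories: the "common version" (NAS + cloud sync) and a corrected one.
TODAY = date(2026, 1, 15)
COMMON = [
    Copy("file-server", "disk", offsite=False, writable_from_prod=True),
    Copy("nas", "nas", offsite=False, writable_from_prod=True, retention_days=7),
    Copy("cloud-sync", "object-storage", offsite=True, writable_from_prod=True, mirror_of="nas"),
]
FIXED = COMMON[:2] + [
    Copy("offsite-vault", "object-storage", offsite=True, writable_from_prod=False,
         immutable=True, retention_days=30, last_restore_test=date(2025, 11, 3)),
]
if __name__ == "__main__":
    for label, inventory in (("common", COMMON), ("fixed", FIXED)):
        print(label, audit(inventory, TODAY))
```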
Heavy Mind managed clients
Environments under contract include managed backup with storage on our cloud infrastructure in France, retention adapted to business requirements, and scheduled periodic restore tests. In the event of an incident, our teams coordinate restoration without you having to manage the situation under pressure.
You don’t have managed backup?
A ransomware incident is not a question of “if” but “when”. Heavy Mind can help you:
- Audit your current backup setup: coverage, retention, isolation, last tested restore
- Deploy managed backup: configuration, daily monitoring, failure alerts, periodic restore tests
- Define a recovery plan tailored to your context and continuity requirements
Let's talk about your needs and build the right solution together.
Sources: ANSSI — Panorama de la cybermenace 2025 · Allianz Risk Barometer 2026 · Coveware Ransomware Report Q1 2026