---
title: "How Ransomware Destroys Backups: A Technical Analysis"
date: 2026-02-12T10:50:00+01:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/wie-ransomware-backups-zerstört-technische-analyse"
section: "Entries: Articles"
---
### Phase 1: Reconnaissance and Privilege Escalation

Before encryption begins, ransomware executes several steps:

#### Step 1: Initial Access

An employee clicks a phishing link, an RDP port is open, or a vulnerability is exploited. Ransomware gains its first foothold, often as a low-privilege user account.

#### Step 2: Privilege Escalation

Ransomware attempts to escalate to admin rights. Common techniques:

- Local privilege escalation exploits
- Token impersonation
- Credentials stolen from memory (Mimikatz and similar tools)
- Misconfigurations (for example unprotected system services)

With admin rights, ransomware can act system-wide, including destroying backups.

---

### Phase 2: Four Concrete Tactics for Backup Destruction

#### Tactic 1: Shadow Copy Deletion

**What is a shadow copy?** Windows Volume Shadow Copy is a built-in feature that automatically creates snapshots of files. Many organisations treat this as a backup, but it is only a local copy on the same disk.

**How ransomware proceeds:** A single command such as `vssadmin delete shadows /all /quiet` or `wmic shadowcopy delete` removes all local snapshots in seconds. The user notices nothing.

**Why this works:** Shadow copies are not immutable. With admin rights, anyone can delete them.

**Protection measure:** Shadow copies are not a backup. They are only a local, vulnerable copy. A real backup must be offline or immutable and on separate hardware.

#### Tactic 2: Backup Agent Termination

Many organisations use software backup agents (for example Veeam Agent, Backup Exec, Commvault). These agents run as Windows services in the background.

**How ransomware proceeds:** Standard commands like `net stop` and `sc delete` terminate and deregister the backup service, or the process is killed directly with `taskkill`. Future backups silently stop occurring.

**Why this works:** Backup software runs as a service under the operating system’s control. With admin rights, which ransomware now has, it can be stopped at any time.

**Protection measure:** Backups must not depend solely on agents that an attacker can stop. A hardware air gap uses physical separation: even if the agent on the source is killed, existing backup copies remain unreachable and intact.
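Detection logic for Tactics 1 and 2, added here as an example (not code from the article or from FAST LTA): a few regex rules run over constructed process-creation records with Sysmon Event ID 1 / Security 4688 style fields. Hosts, users and service names are invented; the vendor-keyword filter is a simplification, since real backup service names vary by product and version.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 / Security 4688 style
# fields, trimmed to what the rules need). Hosts, users and service names are invented.
SAMPLE_EVENTS = [
    {"Host": "ws01", "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Host": "ws01", "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Host": "bkp01", "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop VeeamAgentSvc"},
    {"Host": "bkp01", "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc delete BackupExecAgent"},
    {"Host": "bkp01", "User": "CORP\\jdoe", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM CommvaultAgent.exe"},
    {"Host": "ws02", "User": "CORP\\admin", "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop Spooler"},           # benign: not a backup service
    {"Host": "ws02", "User": "CORP\\admin", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},      # benign: read-only query
]

# Tactic 1: the two shadow-copy deletion commands named in the article.
SHADOW_COPY_RULES = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
]
# Tactic 2: service stop/removal and process kill, alerted only when a backup product is named.
SERVICE_TAMPER_RULES = [
    re.compile(r"\bnet1?(\.exe)?\s+stop\s+\S", re.I),
    re.compile(r"\bsc(\.exe)?\s+(delete|stop)\s+\S", re.I),
    re.compile(r"\btaskkill(\.exe)?\b", re.I),
]
BACKUP_VENDOR_HINTS = ("veeam", "backupexec", "backup exec", "commvault")

def classify(event):
    """Return the tactic an event matches, or None for routine admin activity."""
    cmd = event.get("CommandLine", "")
    if any(r.search(cmd) for r in SHADOW_COPY_RULES):
        return "shadow_copy_deletion"
    if any(r.search(cmd) for r in SERVICE_TAMPER_RULES):
        # Stopping unrelated services (print spooler, etc.) is normal admin work;
        # require a backup vendor string to keep the rule low-noise.
        if any(h in cmd.lower() for h in BACKUP_VENDOR_HINTS):
            return "backup_agent_termination"
    return None

def detect(events):
    """Map each suspicious event to (host, user, tactic, command line)."""
    return [(e["Host"], e["User"], classify(e), e["CommandLine"])
            for e in events if classify(e)]
```

Running `detect(SAMPLE_EVENTS)` yields five alerts and ignores the two benign records; in production, feed it the process-creation events your endpoint telemetry already collects.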

#### Tactic 3: Credential Theft for Cloud Backup Deletion

Many organisations back up to the cloud (AWS S3, Azure Blob, Google Cloud). These cloud services authenticate via API credentials. The credentials are often stored locally on the backup server, in config files, environment variables, or memory.

**How ransomware proceeds:**

1. **Extract API keys:** Ransomware scans local files and configuration for access key patterns.
2. **Connect to the cloud with stolen keys:** With legitimate credentials, the attacker authenticates like an administrator.
3. **Delete cloud backups:** A single recursive delete command empties the backup bucket.

**Why this works:** API keys are passwords. If they are locally available, they can be stolen. Cloud backups are only as secure as the credentials protecting them.

**Protection measures:**

- Do not store long-lived credentials locally on the backup server.
- Use managed identities (Azure) or IAM roles (AWS) with least privilege and deny-delete policies.
- Better still: keep the last line of defence on premises behind a hardware air gap, which requires no network credentials because the isolation is physical.

#### Tactic 4: Object Lock Governance Mode Bypass

Many cloud providers offer Write Once Read Many (WORM) features via object lock. AWS S3 Object Lock has two modes:

**Governance mode:** Objects are write-protected, but accounts with the right permission (s3:BypassGovernanceRetention) can remove the protection. If ransomware steals credentials of such an account, it can bypass the lock and delete the backups.

**Compliance mode:** Stronger. Once set, the retention cannot be shortened and objects cannot be deleted before the retention period expires, not even by the root account.

**Why the governance bypass works:** Governance mode is intentionally weaker, designed for scenarios where administrators need an exit option. Ransomware exploits exactly that.

**Protection measure:** If you use cloud object lock for backups, use compliance mode, not governance mode, and set retention before data lands. For long-term regulated archives on premises, hardware WORM (such as Silent Cubes) enforces immutability at the storage level, independent of any account permissions.
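An added audit check for Tactics 3 and 4 (not code from the article or from FAST LTA): it lists the IAM actions a backup-agent policy grants that could delete backups or bypass the lock, including the s3:BypassGovernanceRetention permission named above, and flags an Object Lock configuration whose default retention is not COMPLIANCE mode. The policies, bucket name and lock configurations are constructed samples, and the IAM evaluation is deliberately simplified (explicit Deny wins; Resource and Condition elements are ignored).

```python
import fnmatch

# Actions that let a principal destroy or unlock backups. s3:BypassGovernanceRetention is
# the permission named in the article; the Delete* actions cover the "recursive delete".
DESTRUCTIVE_ACTIONS = (
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
    "s3:BypassGovernanceRetention", "s3:PutBucketObjectLockConfiguration",
)

def _as_list(v):
    return v if isinstance(v, list) else [v]
def _matches(patterns, action):
    # IAM action names are case-insensitive and may carry '*' wildcards (e.g. "s3:*").
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def effective_destructive_actions(policy):
    """Destructive actions the policy grants. Simplified IAM evaluation: an explicit
    Deny beats Allow; Resource and Condition elements are ignored."""
    allowed, denied = set(), set()
    for st in _as_list(policy.get("Statement", [])):
        target = allowed if st.get("Effect") == "Allow" else denied
        for action in DESTRUCTIVE_ACTIONS:
            if _matches(_as_list(st.get("Action", [])), action):
                target.add(action)
    return sorted(allowed - denied)

def audit_object_lock(lock_cfg):
    """Findings for a get_object_lock_configuration-style dict (empty list = OK)."""
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["object lock is not enabled on the bucket"]
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["no default retention: new objects land unprotected unless the writer sets one"]
    if rule.get("Mode") != "COMPLIANCE":
        return [f"default retention mode is {rule.get('Mode')}, not COMPLIANCE"]
    return []

# Constructed samples: a typical over-broad backup-agent policy and a least-privilege one.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-backups/*"}]}
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
    {"Effect": "Deny", "Action": ["s3:Delete*", "s3:BypassGovernanceRetention",
                                  "s3:PutBucketObjectLockConfiguration"], "Resource": "*"}]}
GOVERNANCE_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                   "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
COMPLIANCE_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                   "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
```

`effective_destructive_actions(WEAK_POLICY)` returns all five actions while the hardened policy returns none; the same functions can be fed the real documents returned by the AWS API once the simplifications are acceptable for your review.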

---

### Phase 3: Destroying Backup Infrastructure

After individual backups are destroyed, ransomware often attacks the backup infrastructure itself:

- The backup server is encrypted (if it was reachable over SMB even briefly).
- The backup repository is deleted (NAS shares, SAN targets).
- Backup administrators are locked out of their accounts or their credentials are reset.

---

### Why Network-Attached Backup Fails Against Ransomware

The core problems, compared point by point:

**Reachability:** A network backup is reachable from the infected network. A hardware air gap is physically separated and not addressable.

**Credentials:** Network and cloud backups depend on credentials stored somewhere on the system, which can be stolen. A hardware air gap requires none; the separation is physical.

**Bypassability:** On a network target, admin rights equal access. A physically disconnected target cannot be reached without physical access.

**Clean recovery:** After an attack on networked backups, it is hard to know which version is clean. With an air-gapped copy, the last copy made before infection is verifiably intact.

---

### How a Hardware Air Gap Works (Silent Brick System)

A hardware air gap works differently from network-based solutions:

1. **Physical separation:** With Silent Brick Pro, backup bricks are physically removed from the Controller X after the backup. The medium has no network presence at all. With Silent Brick Max Air, the air gap is implemented through galvanic separation: the storage is electrically disconnected without anyone having to remove media.
2. **Controlled write windows:** Backups are written during defined windows over a secured connection. Outside those windows, the data path does not exist.
3. **Verification:** Unlike removable media in a cabinet, the system can verify data integrity continuously, so you know the copy is restorable before you need it.

Even if ransomware has admin rights on every server in your network: it cannot reach, delete, or alter the air-gapped data.

---

### Frequently Asked Questions

**Are object lock and compliance mode sufficient?** Compliance mode object lock is a strong control when configured correctly (retention set at write time, no governance fallback). But your last line of defence should not depend on a remote account and a network path. Use cloud as a supplement, not a replacement, for an on-premises offline copy.

**Are my local backups safe if I disconnect them after the backup?** Only if disconnection is enforced and verified. Manually unplugged USB disks get reconnected, forgotten, or rotated incorrectly. A hardware air gap automates the separation so it cannot be skipped by habit or human error.

**How often should I test backups?** At least quarterly for important systems, monthly for critical ones. Every test should be a full recovery test (not just restoring a folder), with time measurements against your RTO.

---

### Further Resources

- [Why Cloud Backups Do Not Provide Real Ransomware Protection](/en/blog/cloud-backup-ransomware-schutz/)
- [Logical vs. Physical Air Gap: The Difference](/en/blog/logischer-vs-physischer-air-gap/)
- [Ransomware Protection: Guide for IT Decision-Makers](/en/blog/ransomware-schutz-leitfaden/)
- [Silent Brick System: Hardware Air Gap](/en/produkte/silent-brick-system/)
- [Request a Demo](/en/kontakt/demo/)

### Ransomware

Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware)

### Air Gap

An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.

[Learn more →](https://www.fast-lta.de//en/glossary/air-gap)

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

### Immutable Storage

Immutable storage refers to storage technologies that protect stored data from subsequent alteration or deletion — where the decisive difference lies in whether this protection is enforced at the hardware level (cannot be circumvented) or at the software level (can be circumvented by administrators with sufficient rights).

[Learn more →](https://www.fast-lta.de//en/glossary/immutable-storage)

