Encrypted backups have long been considered the ultimate safeguard against ransomware. However, in the AI-driven ransomware era, that assumption is increasingly fragile. Attackers are no longer focused solely on encrypting production systems. Instead, they infiltrate networks, study recovery architectures, and quietly compromise backup systems before launching visible attacks.
For years, the 3-2-1 backup strategy (three copies of data, two devices, one off-site) has defined best practice. Yet Veeam’s 2025 Ransomware Trends report found that 93% of ransomware attacks now target backups, and 34% of organizations reported backups being modified or deleted. The recovery layer is no longer off-limits.
AI accelerates this shift. Modern malware can remain undetected inside networks for 11 to 24 days, according to BlackFog. During this dwell time, AI-powered reconnaissance tools map storage systems, analyze backup schedules, identify snapshot repositories, and harvest credentials. By the time encryption begins, restore points may already be corrupted.
The situation is further complicated by AI-generated “vibe-coded” ransomware. In 2026, the Halcyon Ransomware Research Center identified a strain called Sicarii that generated encryption keys but deleted them due to a software flaw. Even if victims paid, recovery was impossible. Poorly tested AI-generated malware adds unpredictability to an already volatile threat landscape.
AI-driven ransomware breaks traditional backup assumptions by corrupting snapshots before they are written, targeting backup management consoles, exploiting misconfigured immutable storage, and persisting across restore cycles. A “clean” backup may no longer be clean.
To respond, organizations must harden recovery strategies. Recommended measures include network segmentation, frequent restore testing, malware scanning of backup repositories, offline or air-gapped storage, behavior-based detection systems, and well-defined incident response playbooks.
Encryption alone is no longer sufficient. In the AI ransomware era, backup integrity must be continuously verified, not assumed.
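One way to make "continuously verified" concrete for the modified or deleted backups mentioned above, as an added example (not code from the article or any vendor): a Python check that compares a backup repository against an HMAC-protected hash manifest. The file names, key and function names are constructed for illustration, and it assumes the manifest and key are stored away from the backup network.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream the file so large backup images do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(repo: Path) -> dict:
    """Map every file under repo (relative path) to its SHA-256."""
    return {p.relative_to(repo).as_posix(): sha256_file(p)
            for p in sorted(repo.rglob("*")) if p.is_file()}

def _mac(entries: dict, key: bytes) -> str:
    # Canonical JSON (sorted keys) so the MAC is stable across runs.
    return hmac.new(key, json.dumps(entries, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def build_manifest(repo: Path, key: bytes) -> dict:
    """Record repository state right after a backup job completes."""
    entries = snapshot(repo)
    return {"entries": entries, "mac": _mac(entries, key)}

def verify_repository(repo: Path, manifest: dict, key: bytes) -> dict:
    """Diff the repository against the manifest; reject a forged manifest."""
    if not hmac.compare_digest(manifest["mac"], _mac(manifest["entries"], key)):
        raise ValueError("manifest MAC mismatch: the manifest itself was altered")
    old, new = manifest["entries"], snapshot(repo)
    return {"modified": sorted(n for n in old if n in new and new[n] != old[n]),
            "deleted": sorted(n for n in old if n not in new),
            "unexpected": sorted(n for n in new if n not in old)}

def demo() -> dict:
    # Constructed sample data: two restore points, one overwritten, one removed.
    with tempfile.TemporaryDirectory() as tmp:
        repo, key = Path(tmp), b"constructed-demo-key"  # assumption: real key is kept off the backup network
        (repo / "monday.bak").write_bytes(b"restore point A")
        (repo / "tuesday.bak").write_bytes(b"restore point B")
        manifest = build_manifest(repo, key)
        (repo / "monday.bak").write_bytes(b"overwritten in place")
        (repo / "tuesday.bak").unlink()
        return verify_repository(repo, manifest, key)

if __name__ == "__main__":
    print(demo())
```

A hash manifest only catches changes made after a backup was written; data corrupted before it is written hashes cleanly, which is why the restore testing and malware scanning listed above are still needed.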
Source:
https://www.zdnet.com/article/encrypted-backups-fail-ai-driven-ransomware/

