By NHI Mgmt Group Editorial TeamPublished 2025-09-29Domain: Governance & RiskSource: Commvault

TL;DR: Ransomware incidents rose 49% in the first half of 2025 versus the same period in 2024, and Commvault argues that immutable storage, real-time threat scanning, validated recovery, and automated restore workflows are now necessary to preserve recovery confidence. Backup existence alone no longer answers the governance problem when recovery paths themselves can be compromised.


At a glance

What this is: This is a ransomware resilience analysis that argues backup immutability, threat scanning, and validated recovery must work together to make restores trustworthy.

Why it matters: It matters because IAM, PAM, and recovery governance now intersect in backup systems, where privileged access, immutable controls, and recovery validation determine whether ransomware becomes an outage or a full compromise.

By the numbers:

👉 Read Commvault's ransomware defence analysis for immutable backup and clean recovery details


Context

Ransomware resilience is no longer just a backup question. The governance gap is whether recovery data can be trusted after an attacker has already moved through production, backup software, or privileged admin paths, because recovery without cleanliness simply reintroduces compromise.

For identity and access teams, the key issue is that backup platforms sit inside the same control plane as privileged access, authorization, and offboarding. When attackers can alter retention, suppress alerts, or poison restore points, the recovery process becomes part of the attack surface rather than the exit path.


Key questions

Q: How should organisations make sure ransomware backups are actually safe to restore?

A: They should validate backup integrity before production restore, not after the fact. That means scanning backup sets for malware, restoring into isolated environments, confirming identity dependencies such as directory services, and only then allowing cutback. A restore process that skips validation can turn backup data into a reinfection path rather than a resilience asset.

Q: Why do immutable backups matter if attackers already have privileged access?

A: Immutable backups matter because they narrow the attacker’s ability to erase recovery evidence or destroy clean restore points, even when some privileged access has been compromised. They do not stop every attack, but they make it harder to turn backup infrastructure into a second victim and easier to preserve a trusted recovery path.

Q: What breaks when backup recovery is automated without clean-point validation?

A: Automation can accelerate the restoration of compromised data if the platform selects the wrong recovery point or trusts tainted files. The failure is not speed itself, but speed without evidence. Recovery automation must be bound to malware scanning, anomaly checks, and clean-point selection before workloads re-enter production.

Q: Who is accountable when ransomware reaches the recovery platform itself?

A: Accountability should sit with the owners of backup administration, privileged access, and incident recovery, because the recovery platform is part of the control plane. If a single administrator can change retention or restore policy, the organisation has a separation-of-duties problem as much as a ransomware problem.


Technical breakdown

Why immutable storage changes the recovery trust model

Immutable storage uses write-once controls, retention locks, and object lock semantics so backup data cannot be altered or deleted before a retention boundary expires. That matters because ransomware operators increasingly target backup infrastructure, not just production endpoints. Hardware-enforced WORM, cloud object lock, and software retention policies each provide a different layer of resistance, but they only work if administrative paths cannot silently bypass them. The key mechanism is not simply data preservation, but preventing privileged actors from rewriting the recovery evidence trail.

Practical implication: treat backup retention controls as privileged identity controls, not storage convenience settings.

How threat scanning and deception detect poisoned backups

Threat scanning extends into inline, pre-backup, post-backup, and pre-restore phases to catch malware before it is restored. Behavioral indicators such as entropy spikes, MIME mismatches, file growth anomalies, and known signatures help detect encrypted or disguised payloads, while deception artifacts such as canary files can reveal reconnaissance activity before impact. This is a different control objective from perimeter detection because the question is not only whether malware entered the environment, but whether it persisted inside the recovery set.

Practical implication: verify that scanning is part of the restore path, not only the ingress path.

Why validated recovery matters as much as clean backup

Validated recovery means testing restore points in an isolated environment before production reintroduction. Cleanroom recovery, bad file indexing, and pave-and-repave workflows reduce the chance of restoring a compromised operating system or reintroducing dormant malware. Operationally, this shifts recovery from a blind trust exercise to an evidence-based decision process. For identity teams, that matters because recovery often touches Active Directory, privileged accounts, and access dependencies that can rehydrate old authorization states if they are not explicitly checked.

Practical implication: require restore validation for identity-dependent workloads before any production cutback.


Threat narrative

Attacker objective: The attacker wants to turn backup and recovery into a second compromise vector so the organisation cannot restore cleanly or quickly.

  1. Entry begins when ransomware actors obtain a foothold through compromised credentials, exposed access paths, or malicious software that can interact with backup and recovery systems.
  2. Escalation follows when attackers tamper with backup settings, suppress recovery integrity, or place malicious files into backup sets so restored data remains compromised.
  3. Impact occurs when organisations restore the wrong recovery point, reintroduce malware into production, and lose both service continuity and confidence in recovery data.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Backup immutability is a privileged access control, not a storage feature. Once ransomware actors can influence deletion, retention, or recovery policy, the backup platform stops being passive infrastructure and becomes part of the identity attack surface. That means the real control question is who can change recovery state, not just who can read the data. Practitioners should govern immutable storage through the same lens they apply to PAM and recovery authority.

Clean recovery is now the deciding control, not raw backup coverage. The article correctly frames the problem: a backup that restores malware is operationally harmful. The named concept here is recovery trust debt: every unvalidated restore point increases the probability that the organisation will reintroduce compromise during incident recovery. That debt accumulates across identity-dependent systems such as Active Directory, admin tooling, and service accounts, so recovery governance must prove cleanliness before reactivation.

Threat scanning only works when it is tied to the restore decision. Inline, pre-backup, post-backup, and pre-restore checks matter because ransomware now lives across the full data lifecycle. This is where identity governance and cyber recovery overlap: a privileged attacker can evade endpoint detection yet still poison the recovery set. Practitioners should treat restore-time inspection as a mandatory control boundary, not an optional assurance step.

Quorum-based approvals expose a deeper governance truth about recovery authority. If a single administrator can disable protective policy, the organisation has a single-point failure in recovery governance even when storage is technically immutable. Multi-person authorization does not solve ransomware on its own, but it does surface how much recovery trust depends on separations of duty. Teams should reassess whether their backup administration model still assumes benign privileged behaviour.

Automated recovery is only safe when it is policy-constrained and evidence-backed. Auto-recovery accelerates response, but automation without validation can scale the wrong decision faster. The discipline here is not speed for its own sake, but bounded restoration that selects known-clean points and documents why they were chosen. Practitioners should align orchestration with clean-point verification, not just elapsed recovery time.

From our research:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to the 2025 State of NHIs and Secrets in Cybersecurity.
  • A separate finding shows that 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits, according to the same report.
  • That pattern is why the 52 NHI breaches Report remains a useful next stop for understanding how token exposure becomes operational compromise.

What this signals

Recovery governance now sits inside the identity plane. Backup systems are not only storage endpoints but privileged control environments, so organisations need to review who can change retention, restore policy, and cleanroom access with the same seriousness they apply to PAM. When privileged recovery rights remain broad, ransomware can still attack the exit path even if primary systems are protected.

Recovery trust debt is the new hidden risk in resilience programmes. Every unvalidated restore point increases the chance that a team will reintroduce malicious content during an incident. That means resilience metrics need to move beyond backup success rates and measure restore cleanliness, identity dependency checks, and privileged change provenance.

The practical question for security leaders is whether recovery workflows are evidence-driven or assumption-driven. If your programme cannot prove which restore point is clean, who approved its use, and whether identity services were validated before cutback, ransomware can still win after the backup completes.


For practitioners

  • Separate recovery authority from routine administration Restrict who can change retention, deletion, and restore-policy settings in backup platforms. Make those entitlements reviewable as privileged access, because ransomware often succeeds by attacking the recovery control plane rather than the primary workload.
  • Require pre-restore validation in isolated environments Test recovery points in a cleanroom or similarly isolated environment before returning them to production. Scan restored workloads, check for dormant malware, and confirm that identity-dependent services such as directory infrastructure are still trustworthy.
  • Treat immutability as a governance control, not a storage checkbox Map retention lock, object lock, and WORM protections to named owners, approval paths, and exception handling. If administrators can remove or shorten protection without oversight, the control is weaker than the label suggests.
  • Connect threat intelligence to recovery operations Feed endpoint detections and threat indicators into backup scanning and restore decisions so compromised data is not rehydrated. Use those signals to block, reroute, or delay recovery until clean points are confirmed.

Key takeaways

  • Ransomware resilience fails when recovery controls are treated as infrastructure details instead of privileged governance controls.
  • The scale of the problem is rising fast, and restore trust now matters as much as backup coverage.
  • Organisations need validated recovery, immutable retention, and tightly governed recovery authority to avoid restoring compromise.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and CIS Controls v8 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.IP-4Validated backups and recovery tests map directly to recovery processes.
NIST SP 800-53 Rev 5CP-9Backup protection and immutability align with contingency planning controls.
NIST Zero Trust (SP 800-207)Zero trust principles apply to backup admin access and restore paths.
CIS Controls v8CIS-11 , Data RecoveryThe article is fundamentally about recoverability under attack.

Use recovery testing and immutable backups to ensure restoration remains possible after ransomware.


Key terms

  • Immutable Backup: A backup copy that cannot be changed or deleted before a defined retention period ends. In ransomware defence, immutability is a governance control as much as a storage feature because it preserves recovery evidence and reduces the chance that an attacker can destroy clean restore points.
  • Cleanroom Recovery: An isolated recovery environment used to restore and inspect data before it returns to production. It lets teams test for malware, verify workload behaviour, and confirm that identity-dependent services are safe to reintroduce without contaminating the live environment.
  • Recovery Trust Debt: The accumulated risk created when organisations keep restore points, backup policies, or recovery paths unvalidated. The more recovery is assumed rather than proven, the more likely a team is to reintroduce compromise during incident response, especially where privileged access is involved.
  • Pave And Repave: A restoration method that rebuilds a compromised system from a clean operating system image and then layers trusted data back on top. It is especially useful when malware may have embedded itself below the application layer or inside the original OS state.

What's in the full article

Commvault's full article covers the operational detail this post intentionally leaves for the source:

  • Immutable storage implementation details across software retention, object lock, and appliance-based protection.
  • Threat scanning mechanics for inline, pre-backup, post-backup, and pre-restore inspection.
  • Cleanroom recovery, bad file indexing, and pave-and-repave workflow specifics for validated restoration.
  • Operational intelligence features such as auto-recovery orchestration and recovery validation reports.

👉 The full Commvault article covers the storage controls, scanning stages, and recovery workflow mechanics behind its approach.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org