It’s not black/white as having backups solves ransomware attacks. All that the ransomware must do is lay low long enough that the oldest backup is likely to have occurred after the infection, hence containing it.
Backup systems should not be executing the data they are backing up. It would be easy for the ransomware to get the backup system to make a backup of the ransomware. It's much harder for it to then execute itself on the backup machine/wherever that data ends up.
For a ransomware to propagate that way it would have to employ multiple exploits against unknown operating systems, and against computers managed by people who should have some idea about security rather than just the desktop of a random employee. In many cases you'll be backing up to storage provided by a 3rd party that simply doesn't even offer the capability to run code, or to permanently delete data programmatically.
Running "low and slow" isn't a tremendously good strategy for ransomware. Slowly encrypting data over time is more likely to get caught and stopped, versus "shock and awe".
I'm waiting until ransomware starts leveraging the encryption functionality in common backup systems. Not many sysadmins would notice if their backup encryption keys were changed-out for 6 months and deleted at the same time that the "encrypt all the data" event happened. (The only Customers I've ever worked with who were already doing air-gapped backup verification were regulated businesses in the financial sector.)
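The two checks this comment is implicitly asking for are a restore test (does the restored data match what was backed up?) and a check that the backup encryption key in use is still the one you escrowed. The following is an added example, not code from the thread or any backup product; it uses only the Python standard library, builds its own constructed sample tree, and assumes the escrowed key fingerprint is kept somewhere the backup host cannot modify (an offline record, in the spirit of the air-gapped verification mentioned above).

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream-hash a file so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Record the SHA-256 of every regular file under root, keyed by relative path.
    Capture this at backup time and keep it apart from the backup itself."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a test-restored tree against the manifest taken when the backup was made.
    Returns only the categories that have problems; an empty dict means the restore passed."""
    restored = build_manifest(restored_root)
    problems = {
        "missing": sorted(set(manifest) - set(restored)),
        "changed": sorted(p for p in manifest if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }
    return {k: v for k, v in problems.items() if v}


def key_fingerprint(key):
    """Short fingerprint of a backup key; this is what you escrow out of band, not the key."""
    return hashlib.sha256(key).hexdigest()[:16]


def key_matches_escrow(current_key, escrowed_fingerprint):
    """True if the key the backup system is currently using is the one on record.
    A silent key swap (the scenario in the comment above) shows up here as False."""
    return hmac.compare_digest(key_fingerprint(current_key), escrowed_fingerprint)


def demo():
    """Constructed scenario: two files are backed up, the restore of one comes back as
    ciphertext-like bytes, and a second key is tried against the escrowed fingerprint."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "live")
        restored = os.path.join(tmp, "restored")
        samples = {  # constructed sample data
            "reports/q1.csv": b"id,amount\n1,100\n",
            "notes/readme.txt": b"hello\n",
        }
        for rel, data in samples.items():
            for root in (src, restored):
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        manifest = build_manifest(src)
        # Simulate a restored file that was already encrypted when the backup ran.
        with open(os.path.join(restored, "reports/q1.csv"), "wb") as f:
            f.write(b"\x8f\x21\xa0\x4c" * 6)
        problems = verify_restore(manifest, restored)

        escrowed_key = b"constructed-expected-backup-key"  # hypothetical key material
        escrow_fp = key_fingerprint(escrowed_key)
        return (
            problems,
            key_matches_escrow(escrowed_key, escrow_fp),
            key_matches_escrow(b"constructed-swapped-key", escrow_fp),
        )


if __name__ == "__main__":
    print(demo())
```

The manifest and the escrowed fingerprint are only useful if they live somewhere the backup host cannot rewrite; if both sit on the same box as the backup agent, the check tells you nothing once that box is compromised.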
I wonder if it might be worth it for the compromise to lie dormant for a while though - if the compromise was injected nine months ago and a ticking clock was started then full image backups will essentially be useless - as soon as the image is restored then the attack will re-trigger. This probably lowers the domain that can be affected because many potential targets won't have vectors that could be compromised in a compatible manner.
They wouldn't be usable as full image backups, but if the data had not been encrypted yet, then that data is stored somewhere in the image and can be recovered, albeit perhaps with a lot of work.
If you use thin clients or at least require all files to be stored on a centralized server, then no matter how many hundreds of PCs were affected, you'd only have to go through one set of images.
Yeah, I was going to say: the last company I worked for sent their backups off-site on a nightly basis. They were also often requesting old tapes to be pulled in for the next night's delivery/pickup so that they could test against old data.
It would be pretty hard to get your ransomware to encrypt all those offsite backups sitting in a vault somewhere.
For whole system backups only. If you just back up the data then it doesn't matter if the ransomware is there as data - data can't execute without some actor who runs it, be that the system or a person.