Executive Summary: The Management-Plane Crisis
Problem: Storage-layer immutability is no longer a recovery guarantee. Ransomware operators now prioritize compromising backup management planes, including console, API, and CLI access, to neutralize recovery before detonating ransomware. Organizations must pivot from static data protection to Ephemeral Ransomware Resilience (ERR). This architectural standard assumes administrative compromise and mandates management-plane isolation and continuous, automated validation. ERR reduces the ransomware blast radius to near-zero by decoupling business continuity from primary infrastructure and ensuring environment rebuildability on demand.

Key Insights: The New Adversarial Reality
- Management-Plane Vulnerability: The $4.44M average breach cost is driven by 24-day attacker dwell times, allowing total compromise of reachable backup infrastructure before detection.
- Industrialized Handoff: The window from initial access to ransomware deployment has collapsed from 8 hours to 22 seconds, making human-led response obsolete.
- Structural Gaps: Current backup vendors protect storage while leaving control paths (console, API, CLI) exposed.
Implication: CISOs should treat management-plane isolation, ephemeral compute continuity, and on-demand rebuildability as architectural requirements rather than product features. Modern attacker timelines and AI agent-based attacks can routinely outrun human response. ERR assumes compromise is inevitable. Its objective is to make environments rebuildable on demand from trusted, automated sources while continuously proving restore readiness. This is the true promise and underpinning of becoming a resilient enterprise.
Strategic Mandates for CISOs
- Enforce Isolation: Mandate management-plane isolation, not just storage immutability, as a non-negotiable procurement baseline.
- Verify Continuity: Validate sub-hourly recovery points and ensure ephemeral compute exists to sustain a 30-day restoration window.
- Scrub Restore Points: Implement pre-restore threat scanning to eliminate attacker persistence and prevent reinfection loops.
The Ransomware Threat Landscape: From Encryption to Management-Plane Sovereignty
Recovery infrastructure is now a primary target. Attackers have pivoted from encrypting production data to dismantling the recovery control planes intended to safeguard it. Adversarial innovation has moved from volume-based encryption to industrialized, high-speed management-plane compromise, targeting the very consoles and APIs used for restoration. Effective defense requires architectural isolation that assumes administrative compromise, shifting the goal from preventing encryption to ensuring environment rebuildability.
- Phase 1: Encrypt-and-Ransom (2013–2018). Primary focus on availability via production data encryption. Organizations neutralized this model through basic offline backups, forcing an adversarial pivot.
- Phase 2: Backup-Targeting (2019–2023). Pre-detonation dwell time was used to locate and delete repositories. Backup destruction became routine, steadily eroding the efficacy of traditional recovery methods.
- Phase 3: Management-Plane Sovereignty (2024–Present). Attackers leverage compromised admin consoles to delete backups on demand. The handoff from initial access to detonation has collapsed to 22 seconds, making human-led response impossible.
Strategic Evolution: The Industrialization of Extortion

The Escalation of Extortion Models
Encryption is no longer the sole lever. Attackers now layer extortion models to bypass recovery defenses and maximize financial pressure through data suppression. The rise of data-theft-only variants (increasing from 2% in 2020 to >15% in 2025⁴) and RaaS-driven industrialization has outpaced traditional perimeter and backup security. CISOs must adopt the Ephemeral Ransomware Resilience (ERR) standard to sustain operations via management-plane isolation and continuous, automated validation.
- Triple extortion (third-party pressure): Attackers contact the victim’s customers, partners, or regulators directly, threatening to release their data or notify authorities, amplifying pressure beyond the primary victim.
- Data-theft-only extortion (no encryption): A rapidly growing variant, rising from roughly 2% of financially motivated incidents in 2020 to more than 15% in 2025 (Google M-Trends 2026). Attackers skip encryption entirely, relying purely on data exposure threats. This model is faster, lower-risk for the attacker, and bypasses backup-based defenses completely.
- Ransomware-as-a-Service (RaaS): The criminal supply chain that made all of the above scalable. Developers lease ransomware toolkits to affiliates who execute attacks and split proceeds. LockBit, BlackCat/ALPHV, Clop, and Akira all operated this model. Even after law enforcement disrupted LockBit and BlackCat in 2024, new affiliate groups emerged rapidly, with Flashpoint tracking a 179% year-over-year surge in attacks from successor groups.
Typical Ransomware Attack on Backups

Full Ransomware Attack Phases in Detail
- Initial Access: This is the entry point into the target environment. Threat actors typically rely on the paths of least resistance to gain their initial foothold.
- Phishing: Sending malicious attachments or links to harvest credentials or deploy initial loaders.
- Exploitation of Public-Facing Applications: Targeting unpatched vulnerabilities in firewalls, VPNs, or web servers.
- Compromised Credentials: Utilizing credentials purchased from Initial Access Brokers (IABs) or obtained through brute-force attacks on exposed Remote Desktop Protocol (RDP) instances.
- Execution and Persistence: Once inside, the attacker needs to ensure they maintain access even if the initial entry point is discovered, patched, or rebooted.
- Command and Control (C2): Establishing communication channels between the compromised network and attacker-controlled servers (often using tools like Cobalt Strike or Sliver).
- Persistence Mechanisms: Creating scheduled tasks, modifying registry run keys, or creating new system accounts to ensure continuous access.
- Defense Evasion: Disabling endpoint detection and response (EDR) tools, clearing logs, or using Living off the Land (LotL) techniques, abusing legitimate administrative tools like PowerShell or WMI to blend in with normal traffic.
- Privilege Escalation: Initial access rarely grants the administrative rights needed to deploy ransomware network-wide. The attacker must elevate their privileges.
- Credential Dumping: Extracting passwords or hashes from system memory (e.g., using Mimikatz to dump LSASS).
- Active Directory Exploitation: Utilizing attacks like Kerberoasting or exploiting domain misconfigurations to gain Domain Admin privileges.
- Discovery and Lateral Movement: With elevated privileges, the attacker maps the network to identify high-value targets, critical data repositories, and the organization’s backup infrastructure.
- Network Reconnaissance: Scanning for open ports, shared drives, and active directory structures.
- Lateral Movement: Moving from the initial compromised endpoint to other systems within the network using protocols like SMB or RDP, utilizing the credentials harvested in the previous stage.
- Collection and Exfiltration: In modern double extortion campaigns, attackers steal sensitive data before locking the systems. This gives them leverage to demand payment even if the victim can restore from backups.
- Data Staging: Archiving and compressing sensitive files into hidden directories.
- Exfiltration: Transferring the staged data to external cloud storage providers (like MEGA or cloud sync tools) using protocols that mimic normal outbound web traffic.
- Impact (Encryption and Extortion): The final, visible stage of the attack.
- Backup Destruction: Locating and deleting shadow copies, neutralizing local backups, or poisoning cloud backup routines to prevent easy recovery.
- Mass Deployment: Pushing the ransomware payload simultaneously across the network using tools like Group Policy Objects (GPO) or deployment software (e.g., SCCM).
- Encryption: Executing the encryption routine, locking the files, and dropping the ransom notes detailing how the victim can contact the attackers to negotiate payment for the decryption key and the promise to delete the exfiltrated data.

With All These Critical Attacks, We Can See a Pattern Emerge
The pattern across all landmark incidents is that attackers did not simply encrypt files and wait. They spent dwell time understanding the victim’s backup and recovery posture, locating credentials for management consoles, and staging data exfiltration before triggering the final payload. Recovery architecture, not just perimeter defense, was a decisive factor in how severe the outcome of each breach turned out to be.
Modernizing Disaster Recovery: Architecture vs. Reactive Monitoring
Effective disaster recovery in the modern threat landscape requires moving beyond static, signature-based defenses. As ransomware operators shift their targeting from encrypting data to dismantling recovery control planes, security teams must adopt proactive telemetry. By integrating anomaly detection with continuous configuration monitoring, defenders can surface architectural tampering before it manifests as a total recovery failure.
Anomaly Detection vs. Malware Scanning
These tools serve distinct, non-overlapping functions:
- Anomaly Detection: Uses machine learning to establish behavioral baselines. It flags symptomatic evidence of active compromise, such as brute-force attempts on backup consoles, changes to backup policies, or unexpected changes in backup volume, enabling response before data loss occurs.
- Malware Scanning: A foundational validation layer focused on identifying known threats and validating software integrity within production environments.
Operational Directive: Malware scanning validates the cleanliness of a binary; anomaly detection validates the integrity of the infrastructure.
Change Detection as a Fidelity Signal
In compromised environments, unauthorized infrastructure modifications are often the sole indicator of administrative takeover. Threat actors frequently compromise infrastructure to isolate administrators, modify backup permissions, or establish persistence. Because adjacent sensors are often blinded or bypassed, continuous change monitoring of the backup control plane is essential. This telemetry acts as a high-fidelity trigger for investigation, identifying when the ground truth of the environment deviates from policy.
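The detection logic described in the two passages above (behavioral anomaly rules over backup-console activity, and change detection on the backup control plane as a high-fidelity investigation trigger), as an added example that is not part of the original report and not any vendor's product code. It is a small Python detector run over a constructed backup-console audit log. The JSON event schema, field names, thresholds and the sample events are all assumptions made for the example; a real backup platform emits its own audit format, and the rules would be mapped onto that schema.

```python
import json
from collections import defaultdict, deque
from statistics import median

# Constructed sample audit log for a hypothetical backup console (not a real product's format).
# Timestamps are seconds; a source floods the console with failed logins, then a login succeeds,
# retention and immutability are weakened, and the next backup job is far smaller than usual.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": 100, "type": "job_completed", "job": "fileserver01", "bytes": 500_000_000},
    {"ts": 200, "type": "job_completed", "job": "fileserver01", "bytes": 510_000_000},
    {"ts": 300, "type": "job_completed", "job": "fileserver01", "bytes": 495_000_000},
    {"ts": 400, "type": "login_failed", "user": "bkadmin", "src": "203.0.113.9"},
    {"ts": 401, "type": "login_failed", "user": "bkadmin", "src": "203.0.113.9"},
    {"ts": 402, "type": "login_failed", "user": "bkadmin", "src": "203.0.113.9"},
    {"ts": 403, "type": "login_failed", "user": "bkadmin", "src": "203.0.113.9"},
    {"ts": 404, "type": "login_failed", "user": "bkadmin", "src": "203.0.113.9"},
    {"ts": 410, "type": "login_ok", "user": "bkadmin", "src": "203.0.113.9"},
    {"ts": 420, "type": "policy_changed", "user": "bkadmin", "policy": "immutability", "old": True, "new": False},
    {"ts": 430, "type": "policy_changed", "user": "bkadmin", "policy": "retention_days", "old": 30, "new": 1},
    {"ts": 500, "type": "job_completed", "job": "fileserver01", "bytes": 40_000_000},
    {"ts": 600, "type": "job_completed", "job": "fileserver01", "bytes": 505_000_000},
])

FAILED_LOGIN_THRESHOLD = 5   # failures from one source ...
FAILED_LOGIN_WINDOW_S = 60   # ... within this many seconds count as brute force
VOLUME_LOW_RATIO = 0.5       # completed job smaller than half the baseline is suspicious
VOLUME_HIGH_RATIO = 2.0      # so is one more than double the baseline
MIN_BASELINE_JOBS = 3        # prior runs needed before judging a job's volume


def parse_audit_log(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify_policy_change(ev):
    """Change detection: every policy deviation is a trigger; some are graded higher."""
    policy, old, new = ev["policy"], ev["old"], ev["new"]
    who = f"by {ev['user']} at ts={ev['ts']}"
    if policy == "immutability" and old and not new:
        return ("critical", "immutability_disabled", who)
    if policy == "retention_days" and new < old:
        return ("high", "retention_reduced", f"{old}->{new} days {who}")
    return ("medium", "policy_drift", f"{policy}: {old!r}->{new!r} {who}")


def detect(events):
    """Return (severity, rule, detail) alerts in event order."""
    alerts = []
    failures = defaultdict(deque)      # src -> timestamps of recent failed logins
    bruteforced_sources = set()
    job_history = defaultdict(list)    # job -> bytes of prior, non-anomalous runs
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind = ev["type"]
        if kind == "login_failed":
            window = failures[ev["src"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > FAILED_LOGIN_WINDOW_S:
                window.popleft()
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("high", "console_brute_force",
                               f"{len(window)} failures from {ev['src']} by ts={ev['ts']}"))
                bruteforced_sources.add(ev["src"])
                window.clear()
        elif kind == "login_ok" and ev["src"] in bruteforced_sources:
            # A success right after a brute-force burst is the strongest sign of takeover.
            alerts.append(("critical", "login_after_brute_force",
                           f"{ev['user']} from {ev['src']} at ts={ev['ts']}"))
        elif kind == "policy_changed":
            alerts.append(classify_policy_change(ev))
        elif kind == "job_completed":
            hist = job_history[ev["job"]]
            anomalous = False
            if len(hist) >= MIN_BASELINE_JOBS:
                ratio = ev["bytes"] / median(hist)
                anomalous = ratio < VOLUME_LOW_RATIO or ratio > VOLUME_HIGH_RATIO
                if anomalous:
                    alerts.append(("medium", "backup_volume_anomaly",
                                   f"{ev['job']} at ts={ev['ts']}: {ratio:.2f}x baseline"))
            if not anomalous:
                hist.append(ev["bytes"])   # keep the baseline free of anomalous runs
    return alerts


if __name__ == "__main__":
    for severity, rule, detail in detect(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"[{severity}] {rule}: {detail}")
```

The volume baseline uses the median of earlier runs and excludes flagged runs, so a single shrunken job (for example after backup exclusions are tampered with) cannot quietly drag the baseline down. The policy rule fires on any deviation, which is the change-detection behaviour the passage calls for: in a control plane that should only change through change management, the deviation itself is the signal.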
The Adversarial Focus: Targeting the Backup Control Plane
Backup infrastructure is the primary target for modern extortion. Threat actors monetize breaches by neutralizing the recovery path before triggering ransomware, either by severing administrator access, poisoning recovery routines, or modifying permissions to facilitate silent data exfiltration. Defender priorities must shift from purely securing the storage layer to hardening the access architecture surrounding it. Any management-plane configuration, permission, API key, or administrative account that enables recovery must be treated as a potential attack vector for lateral movement or sabotage.
Comparison of Anomaly Detection vs Malware Scanning
While both tools are necessary for a layered security strategy, they serve distinct operational purposes:

Why Tape, Cloud Immutability, and Offsite Replication All Fail the Adversarial Recovery Test
Before the management-plane threat emerged, these approaches were considered adequate. Air-gapped tape offered physical separation. Cloud object lock offered write protection at the storage layer. Offsite replication offered geographic redundancy. Each was designed to protect against the operational failure modes that dominated the threat model through the 2010s: hardware failure, accidental deletion, and site-level outages. None were designed to survive a credential-holding attacker with console access and time to operate. When that threat model is applied, a structural gap appears in each approach, not in the storage medium, but in the access architecture surrounding it.
- Air-gapped tape and drive: Operationally infeasible for modern recovery SLAs; often unmaintained.
- Cloud immutability with console access: Storage write protection exists, but admin credentials can issue delete commands via the management API. If those credentials are compromised, the backup is reachable.
- Offsite replication: Duplicates the problem; if the primary management plane is compromised, the replication credential is too.
- Manual backup schedules: Introduces human failure points at exactly the moment, during incident response, when humans are most error-prone and distracted.
The gap is not in storage technology; it is in access architecture. Most backup platforms were designed for operational recovery (hardware failure, accidental deletion), not adversarial recovery (attacker with admin credentials attempting to eliminate recovery options before triggering ransomware).
The financial stakes are clear. IBM’s 2025 Cost of a Data Breach Report puts the global average breach cost at $4.44 million¹. Verizon’s 2025 DBIR places median attacker dwell time at 24 days for non-actor-disclosed breaches², leaving a window wide enough for attackers to map, stage, and execute against backup infrastructure long before detonation. Chainalysis notes that while total ransomware payments stagnated in 2025, median payment sizes rose to $59,565 as gangs shifted focus to higher-value targets³.
Designing for adversarial recovery requires a fundamentally different assumption: treat the management plane as compromised by default.
This distinction matters because:
- Software-layer immutability protects data from deletion within the management console, but the console itself remains reachable. A compromised admin account can still interact with the backup environment and infrastructure.
- Architectural isolation removes the management plane entirely; there is no console, API, or CLI path to the protected copies, regardless of what credentials the attacker holds. The former is a policy control. The latter is a design guarantee. Only the latter holds under full credential compromise.

Five Questions Every CISO Should Ask Before Trusting Their DR Architecture
Most DR architectures have never been stress-tested against the adversarial threat model, the scenario where the attacker already holds valid administrative credentials and is actively attempting to eliminate recovery options before triggering ransomware. Vendor documentation and sales briefings rarely address this scenario with architectural specificity. These five questions are designed to move that conversation from marketing claims to verifiable architecture. They apply equally in initial procurement, annual DR reviews, and post-incident retrospectives. A vendor that cannot answer them with specificity, in demonstrable design rather than policy language, fails the ERR standard.
When auditing a DR architecture against ERR principles, five questions expose the structural gaps:
- Can an attacker with full admin credentials delete or modify your backup copies?
Note: If yes or if the vendor cannot demonstrate otherwise, the architecture fails the ERR management-plane test.
- How often are isolated copies created, and is the process fully automated?
Manual processes introduce failure at exactly the wrong moment. Hourly automated copies are the baseline.
- What is your recovery compute strategy if primary infrastructure is completely unavailable?
Restoring to already destroyed infrastructure is not a recovery plan. Ephemeral VM continuity is required.
- Can you prove restore points are free of attacker persistence before restoration begins?
Restoring a reinfected image extends the incident. Pre-restore threat scanning is an emerging best practice. Alternatively, organizations can restore data into a separate standby environment and scan it before returning it to production.
- What SLA governs ephemeral continuity duration?
30 days is a baseline. Regulated industries may require longer windows and granular RTO guarantees.
Defining Ephemeral Ransomware Resilience (ERR): The Architectural Standard Immutability Forgot
Defining Ephemeral Ransomware Resilience (ERR)
SACR Definition: Ephemeral Ransomware Resilience (ERR) and the Three Pillars That Distinguish It from Storage Immutability
Ephemeral Ransomware Resilience (ERR) is the architectural standard for disaster recovery systems that remain operationally intact when an attacker holds valid administrative credentials. It addresses the gap between storage-layer immutability, which protects backup and disaster recovery data at rest, and management-plane isolation, which removes the attacker’s ability to locate, delete, or corrupt backup copies and recovery infrastructure through any available control path.
Best fit: Organizations with cloud and IaC momentum and leadership support for recovery engineering and control-plane hardening.
At a practical level, ERR requires three capabilities:
- Management-plane isolation that ensures backup copies cannot be accessed through a console, API, or CLI, even under full credential compromise.
- Automated continuous protection that creates copies every hour or less without human intervention.
- Ephemeral compute continuity that provisions temporary compute environments capable of sustaining business operations for 30 days or longer.

Note: Vendor-neutral ERR Framework (can apply to any platform). This section is vendor-agnostic. Any provider that can prove management-plane isolation, automated continuous protection, and ephemeral compute continuity can theoretically satisfy ERR. ERR complements detection and incident response; it is not a replacement. ERR is also not a synonym for storage-layer immutability: basic write-once/object-lock capabilities that still leave console/API/CLI control paths reachable do not meet the ERR standard. ERR assumes an attacker may already hold valid administrative credentials and focuses on ensuring recovery remains viable under that condition. Organizations that treat air-gapped backups as equivalent to ERR should verify whether their air-gap extends to the management plane, not only the storage medium.
ERR Key Outcome: Ephemeral Compute Continuity

What Is Ephemeral Compute Continuity?
Ephemeral Compute Continuity is a core requirement of the Ephemeral Ransomware Resilience (ERR) framework. It ensures that if your primary infrastructure is destroyed or compromised, you have a resilient, temporary, independent cloud environment ready to provision and sustain your business operations for a defined recovery window (30 days or more). Unlike traditional restoration, which often depends on the same infrastructure that may have been compromised, ephemeral compute provides a dedicated, standby environment to ensure your operations can continue without relying on the health of your primary systems.
Market Timing: ERR Is Early-Stage but Validated Before Becoming a Compliance Requirement
The window for establishing ERR as a recognized architectural standard is open, but it will not remain open indefinitely. Regulatory bodies are tightening DR requirements, cyber insurance underwriters are beginning to ask questions about management-plane access controls, and security leadership is increasingly aware that console-based backup deletion is a documented attacker tactic. The vendors and frameworks that define the category now will shape how buyers evaluate DR architecture for the next several years. ERR is still in its early adoption phase, giving early advocates disproportionate influence over the market narrative. As the concept matures, it will likely become a procurement checklist item, and enterprise pricing will play a larger role in buying decisions. N-able, the subject of this research report, offers flexibility and often dominates the conversation.
- Stage: Signal and Early Traction (language is forming faster than standardized requirements)
- Vendor signals: N-able Cove Data Protection represents an early MSP-accessible path toward full ERR alignment; in parallel, enterprise-tier platforms are increasingly emphasizing management-plane isolation and verified recovery (including pre-restore validation) as roadmap priorities
- Customer signals: Growing CISO interest in whether an attacker with compromised credentials could delete backups. This is a question that most incumbent platforms cannot answer with architectural certainty.
- Regulatory signals: DORA (EU financial sector DR requirements), NIST CSF 2.0 recovery function emphasis, and tightening cyber insurance requirements are creating compliance demand for demonstrable recovery architecture
- SACR verdict: Real problem, early but credible solutions, market language still forming but ideal timing for concept evangelism, and for MSP-delivered ERR to establish the category before enterprise pricing dominates
Common Misconceptions: Why Storage Immutability, Air-Gaps, and EDR Are Not Substitutes for ERR
Because ERR is a newly coined framework, buyers and vendors alike are still working out what it does mean, and what it does not. Several common misreadings create dangerous gaps in disaster recovery, or DR, posture. Organizations should not confuse ERR with storage immutability, traditional vault architectures, or detection technologies. They should verify that any claimed air gap extends to the management plane rather than only the storage layer. Each misconception leads organizations to believe they have adversarial recovery coverage that they do not, in fact, have.
- ERR is not storage immutability alone; write protection without management-plane isolation fails the adversarial test.
- ERR is not a product category; it is an architectural standard that multiple vendors may satisfy through different implementations.
- ERR is not a replacement for EDR/XDR/UEM/MDR; it is the recovery-layer complement to detection and response.
Solution Landscape: Mapping Recovery Architectures to ERR
This taxonomy categorizes recovery stacks by their resilience to administrative compromise, differentiating between marketing claims of immutability and the architectural reality of control-plane isolation.
- Immutable Storage Primitives (Hyperscalers): Write Once, Read Many (WORM) and object-lock policies harden the data layer but fail to mitigate console or API risk. Without management-plane severance, these remain reachable targets for credentialed attackers.
- Traditional Backup Platforms: Structurally vulnerable to credential-holding attackers. These are optimized for accidental deletion, not adversarial takeover, and fail if the management plane remains accessible via standard administrative paths.
- Enterprise Vault / Isolated Recovery Environments: Architecturally robust, providing hardened silos for data. However, they often impose prohibitive costs and operational overhead, limiting adoption to high-end enterprise deployments.
- DRaaS & Orchestration Platforms: Superior in recovery speed and automation, yet frequently lack default management-plane isolation. Resilience here is a matter of configuration rather than fundamental design.
- Verified Recovery / Clean-Room Testing: Represents the market pivot from simple immutability to provable recoverability. Pre-restore validation is now a baseline expectation for mature recovery stacks.
SACR Directive: ERR is an architectural standard, not a brand. Any platform satisfying the three pillars, management-plane isolation, continuous automated copies, and ephemeral compute continuity, meets the standard. The adversarial threat model renders legacy designs relying on reachable consoles obsolete.
Benchmarking Recovery Strategies

Modernizing DR Validation: Continuous Resilience vs. Manual Testing
Traditional disaster recovery testing relies on manual, point-in-time exercises that are often infrequent and prone to human error. Modern resilient architectures mandate a shift to continuous, automated validation, ensuring that recovery capabilities are not merely planned, but provably operational.
Automated Recovery Testing (ART): Proving Viability
ART replaces manual, infrequent testing cycles with software-driven validation, continuously verifying that backup data is not just present, but functional and ready for deployment.
- Orchestrated Sandboxing: Automated instantiation of isolated environments (sandboxes) enabling testing without disrupting production.
- Application-Level Validation: Testing extends beyond simple data existence; the system boots virtual machines or databases and executes validation scripts to confirm application-layer health.
- Compliance and Reporting: Automated teardown generates verifiable telemetry, including Recovery Time Objective (RTO) metrics, which provides objective evidence of readiness for auditors and stakeholders.
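The ART workflow just listed (restore into an isolated sandbox, validate at the application layer rather than merely checking that files exist, and record RTO telemetry), as an added example that is not part of the original report and not any vendor's tooling. The Python below constructs a sample backup set (one SQLite database plus a SHA-256 manifest), restores it into a temporary sandbox directory, verifies the copies against the manifest, runs a structural and a business-level query against the restored database, and reports whether the measured restore time met the RTO objective. The backup layout, manifest format, validation query and the 30-second objective are all assumptions for the example; the `tamper` switch shows the failure path when the backup was silently corrupted after the manifest was written.

```python
import hashlib
import json
import shutil
import sqlite3
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_constructed_backup(backup_dir):
    """Constructed sample backup set: one SQLite database and a hash manifest (assumed layout)."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    db = backup_dir / "orders.db"
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT NOT NULL, total REAL)")
    con.executemany("INSERT INTO orders (customer, total) VALUES (?, ?)",
                    [("acme", 120.0), ("globex", 42.5), ("initech", 999.99)])
    con.commit()
    con.close()
    manifest = {"files": {db.name: sha256_of(db)}}
    (backup_dir / "manifest.json").write_text(json.dumps(manifest))
    return backup_dir


def restore_and_validate(backup_dir, sandbox_dir, rto_objective_s=30.0):
    """Restore into the sandbox, check integrity and application health, measure RTO."""
    start = time.monotonic()
    report = {"hash_ok": False, "integrity_ok": False, "app_ok": False}
    backup_dir, sandbox_dir = Path(backup_dir), Path(sandbox_dir)
    sandbox_dir.mkdir(parents=True, exist_ok=True)
    manifest = json.loads((backup_dir / "manifest.json").read_text())

    # Step 1: restore the copies into the isolated sandbox (stands in for the orchestrated sandbox).
    restored = {}
    for name in manifest["files"]:
        dst = sandbox_dir / name
        shutil.copy2(backup_dir / name, dst)
        restored[name] = dst

    # Step 2: the copies exist and match the manifest hashes.
    report["hash_ok"] = all(sha256_of(p) == manifest["files"][n] for n, p in restored.items())

    # Step 3: application-level validation, not just "the file is on disk".
    if report["hash_ok"]:
        con = sqlite3.connect(restored["orders.db"])
        try:
            report["integrity_ok"] = con.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
            rows, = con.execute("SELECT COUNT(*) FROM orders WHERE customer IS NOT NULL").fetchone()
            report["app_ok"] = report["integrity_ok"] and rows > 0
        except sqlite3.DatabaseError:
            pass   # leaves integrity_ok / app_ok False
        finally:
            con.close()

    # Step 4: RTO telemetry for the report.
    report["rto_seconds"] = round(time.monotonic() - start, 3)
    report["rto_met"] = report["rto_seconds"] <= rto_objective_s
    report["passed"] = report["hash_ok"] and report["app_ok"] and report["rto_met"]
    return report


def run_demo(tamper=False):
    """Full cycle in temporary directories; tamper=True corrupts the backup after the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = make_constructed_backup(Path(tmp) / "backup")
        if tamper:
            with open(backup / "orders.db", "ab") as f:
                f.write(b"\x00" * 64)   # simulated silent corruption of the stored copy
        report = restore_and_validate(backup, Path(tmp) / "sandbox")
    return report


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
    print(json.dumps(run_demo(tamper=True), indent=2))
```

In a real pipeline the sandbox directory becomes an isolated network and the SQLite query becomes the application's own health probe (a service endpoint, a login, a report query), but the shape stays the same: the restore is only "proven" when a business-level check passes inside the sandbox and the elapsed time is recorded against the objective.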
Clean Room Recovery (CRR): Ensuring Integrity
Standard restores risk a catastrophic re-infection loop, where dormant malware, backdoors, or compromised credentials within backups trigger immediate re-compromise. Clean Room Recovery provides the sanitization layer necessary to decouple recovery from potential persistence.
- Isolated Sanitization: Systems are restored into a sterile, walled-off environment, completely segmented from the infected production network and external internet.
- Forensic Scrubbing: Within this environment, security teams leverage Endpoint Detection and Response (EDR) and forensic tools to identify and purge persistence mechanisms before reintroduction.
- Staged Reintroduction: Only after a system is cryptographically certified as clean and patched is it moved back into the production environment.
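The Clean Room Recovery gate described above (forensic scrubbing of persistence surfaces inside the isolated environment, then a certification that must exist before staged reintroduction), as an added example that is not part of the original report and not any vendor's tooling. The Python below compares a restored system's inventory of persistence surfaces (scheduled tasks, run keys, services, local administrators) against a known-good baseline for the same host role, reports anything unexpected, modified or missing, and issues an HMAC-signed verdict that a reintroduction step can verify. The baseline, the restored inventory, the host names, paths, SIDs and the signing key are all constructed for the example; the inventory would in practice be collected by the EDR or forensic tooling the passage mentions.

```python
import hashlib
import hmac
import json

# Constructed golden baseline of persistence surfaces for a hypothetical host role (all values invented).
BASELINE = {
    "scheduled_tasks": {"SystemMaintenance": r"C:\Windows\System32\maint.exe /nightly"},
    "run_keys": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityAgent":
                 r"C:\Program Files\EDR\agent.exe"},
    "services": {"EDRSensor": r"C:\Program Files\EDR\sensor.exe",
                 "Spooler": r"C:\Windows\System32\spoolsv.exe"},
    "local_admins": {"Administrator": "S-1-5-21-1111-2222-3333-500"},
}

# Constructed inventory collected from a restored image in the clean room: it carries an extra task,
# a redirected run key, a removed EDR service and an extra local administrator.
RESTORED_IMAGE = {
    "scheduled_tasks": {"SystemMaintenance": r"C:\Windows\System32\maint.exe /nightly",
                        "Updater": r"C:\Users\Public\svc.exe"},
    "run_keys": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityAgent":
                 r"C:\Users\Public\agent.exe"},
    "services": {"Spooler": r"C:\Windows\System32\spoolsv.exe"},
    "local_admins": {"Administrator": "S-1-5-21-1111-2222-3333-500",
                     "support$": "S-1-5-21-1111-2222-3333-1104"},
}


def diff_persistence(baseline, restored):
    """Findings: entries the baseline lacks, entries whose value changed, baseline entries now missing."""
    findings = []
    for surface in sorted(set(baseline) | set(restored)):
        base, now = baseline.get(surface, {}), restored.get(surface, {})
        for name in sorted(set(base) | set(now)):
            if name not in base:
                findings.append({"surface": surface, "name": name, "kind": "unexpected", "value": now[name]})
            elif name not in now:
                # A missing defensive control (e.g. the EDR service) is as telling as an added backdoor.
                findings.append({"surface": surface, "name": name, "kind": "missing", "value": base[name]})
            elif base[name] != now[name]:
                findings.append({"surface": surface, "name": name, "kind": "modified",
                                 "expected": base[name], "value": now[name]})
    return findings


def _canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def certify(host, restored, baseline, signing_key):
    """Produce a verdict over the inventory and sign it so the reintroduction step can trust it."""
    findings = diff_persistence(baseline, restored)
    verdict = {
        "host": host,
        "clean": not findings,
        "findings": findings,
        "inventory_sha256": hashlib.sha256(_canonical(restored)).hexdigest(),
    }
    verdict["signature"] = hmac.new(signing_key, _canonical(verdict), hashlib.sha256).hexdigest()
    return verdict


def verify_certificate(verdict, signing_key):
    unsigned = {k: v for k, v in verdict.items() if k != "signature"}
    expected = hmac.new(signing_key, _canonical(unsigned), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, verdict.get("signature", ""))


def reintroduction_allowed(verdict, signing_key):
    """Staged reintroduction gate: only a validly signed, clean verdict opens the door."""
    return verify_certificate(verdict, signing_key) and verdict["clean"]


if __name__ == "__main__":
    key = b"constructed-demo-signing-key"   # constructed; a real key lives in an HSM or KMS
    v = certify("srv01", RESTORED_IMAGE, BASELINE, key)
    print(json.dumps(v, indent=2))
    print("reintroduction allowed:", reintroduction_allowed(v, key))
```

The signed verdict is what ties the "certified clean" state to a specific inventory: if the findings list or the clean flag is edited after the fact, or the inventory changes, the signature no longer verifies and the gate stays shut. The example goes slightly beyond the passage in flagging missing baseline entries as well as additions, because a removed EDR service or agent is a common residue of the defense-evasion stage and would otherwise pass an additions-only check.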
Strategic Synthesis: Validation vs. Sanitization
These disciplines form a sequential, interdependent workflow:
1. ART (Validation) verifies that the infrastructure is capable of restoration.
2. CRR (Sanitization) ensures the data being restored is safe to operate.
A modern recovery strategy fails without both: ART guarantees your engine starts, while CRR ensures the vehicle is not sabotaged before you begin the journey.
N-able Cove Data Protection: Architectural Assessment
N-able Cove Data Protection operates as an ERR-aligned platform. Unlike legacy backup tools retrofitted for security, Cove’s design prioritizes management-plane isolation as a foundational requirement.

ERR Pillar Mapping: A Technical Audit of Cove Data Protection
- Management-Plane Isolation (Fortified Copies): These backups are stored in a physically and logically isolated environment. Access is strictly severed from the standard management console, API, and CLI. There is no automated path for an attacker, even one with full domain admin credentials, to locate, alter, or prematurely expire these copies. Restoration requires a verified, out-of-band support process, effectively functioning as an air-gap by design.
- Automated Continuous Protection: TrueDelta technology enables granular, byte-level tracking, supporting recovery point objectives (RPOs) of one hour or less. This automation removes the human dependency that typically causes backup failure during the high-stress, fog of war phase of a ransomware incident.
- Ephemeral Compute Continuity (DRaaS): Cove’s Disaster Recovery as a Service (DRaaS) provides the ephemeral compute tier necessary to sustain operations. By pre-staging standby images in the cloud, the platform allows for rapid failover, decoupling business continuity from the availability of primary infrastructure.
Analyst Directive: The MSP delivery model acts as a distribution moat. While enterprise-tier platforms achieve ERR through complex, high-overhead vaulting, N-able delivers comparable isolation via a multi-tenant channel. This simplifies the procurement and deployment of architectural resilience for mid-market organizations that lack the capacity to architect it internally.
Market Outlook: ERR as a Procurement Standard
Ephemeral Ransomware Resilience (ERR) is rapidly transitioning from a visionary architectural concept to a non-negotiable market requirement. As cyber insurance underwriters and regulatory bodies, such as DORA in the EU financial sector and NIST CSF 2.0, tighten recovery standards, simple immutability is no longer recognized as a sufficient defense against modern adversarial tactics.
Market Map: Ransomware Resilience Solutions & ERR

The Roadmap to Mainstream Adoption
- Procurement Shift (12–18 Months): Expect CISOs to move beyond generic ‘backup’ requirements, demanding specific documentation on management-plane isolation during RFP processes. Legacy platforms that rely on reachable administrative consoles will face immediate scrutiny as organizations prioritize designs where even full credential compromise cannot result in backup deletion.
- Validation as a Service: Automated Recovery Testing (ART) will become a default baseline. Proving that backups are functional and capable of booting virtual machines or databases, not just present on disk, will shift from a nice-to-have feature to an auditable necessity for business continuity.
- The Sanitization Layer: Clean Room Recovery (CRR) will define the next maturity curve. The industry is moving toward a standard where restored data must be cryptographically certified as clean within isolated environments before reintroduction into the production network to prevent reinfection loops from dormant malware.
- Channel-Led Scaling: Mid-market organizations, lacking the internal capacity for complex recovery engineering, will rely on Managed Service Providers (MSPs) to operationalize ERR. The providers that successfully abstract the complexity of management-plane isolation and ephemeral compute will capture the bulk of this emerging market by providing enterprise-grade resilience at a mid-market price point.
Strategic Cybersecurity and Disaster Recovery Industry Implications
The industrialization of extortion, where the median attacker dwell time remains around 24 days, allows threat actors significant time to dismantle recovery control planes. The shift toward ERR represents a fundamental change in the security contract: organizations are no longer just buying storage; they are procuring a guaranteed, isolated path to environment rebuildability that remains intact even when the primary infrastructure is totally compromised.
SACR Key Takeaway
Ephemeral Ransomware Resilience (ERR) steers organizations away from potentially catastrophic outcomes by pivoting from reactive storage-level protection to proactive, architectural isolation. ERR is an essential implementation framework for modern adversarial resilience and recovery. ERR shifts the focus from simply preventing encryption to ensuring guaranteed environment rebuildability and data integrity, even in scenarios of full credential compromise.
Sources:
1. IBM Cost of a Data Breach Report 2025. Global average cost of a data breach: $4.44 million. Organizations using AI-driven security cut breach lifecycle by 80 days and saved ~$1.9M on average. https://www.ibm.com/reports/data-breach
2. Verizon 2025 Data Breach Investigations Report (DBIR). Median attacker dwell time for non-actor-disclosed breaches: 24 days. 54% of ransomware victims had their domains present in infostealer logs. 64% of victims refused to pay ransom in 2024. https://www.verizon.com/business/resources/T16f/reports/2025-dbir-data-breach-investigations-report.pdf
3. Chainalysis 2026 Crypto Crime Report: Ransomware. Total ransomware payments stagnated in 2025 even as attacks increased. Median ransom payment rose to $59,565 (up from $12,738 in 2024), reflecting a shift toward higher-value targets. https://www.chainalysis.com/blog/crypto-ransomware-2026/
4. Google / Mandiant M-Trends 2026. Median time between initial access and handoff to ransomware operators collapsed from more than 8 hours in 2022 to just 22 seconds in 2025, driven by pre-staged tooling and industrialized initial access broker collaboration. Attacks combining encryption and data theft rose to 77% of ransomware intrusions (up from 57% in 2024). Data-theft-only extortion grew from ~2% of financially motivated incidents in 2020 to more than 15% in 2025. https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026
Disclosure: This report is commissioned and sponsored by N-able. SACR retains full editorial control, independence and objectivity. N-able’s role is limited to providing briefing access, customer contacts, and factual review. Sponsorship does not influence SACR’s findings, competitive analysis, or recommendations.

