When Marks & Spencer was hit by a ransomware attack over Easter 2025 – with attackers deploying the DragonForce encryptor across its systems – the retailer fortunately had backups. It had a security team, incident response procedures, and decades of operational expertise. None of that stopped the attack from wiping an estimated £300 million from its operating profit, suspending online sales for 46 days, and forcing staff to track stock with pen and paper. The company’s pre-tax profits fell 55% in the following six months.
This isn’t a cautionary tale about a business that failed to invest in security. It is a clear demonstration of what happens when an organisation’s recovery capability doesn’t match the sophistication of the threat it faces. And it’s becoming too common for comfort.
Why Backups Alone Aren’t Enough
For years, the advice was straightforward: maintain regular backups, keep them separate, and you’ll be able to recover. That advice isn’t wrong, but it’s dangerously misleading. The Sophos State of Ransomware 2025 report found that only 54% of organisations with encrypted data were able to restore from backups, which is the lowest rate in six years. Meanwhile, 49% paid the ransom to recover their data, and the average cost of recovery (excluding ransom payments) sat at $1.53 million.
The decline in backup effectiveness is a result of attackers becoming significantly better at finding and neutralising backups before they deploy encryption. Modern ransomware groups routinely spend weeks inside a network before making their move. In the M&S attack, the attackers had access to internal systems for roughly two months before deploying the ransomware payload. During that dwell time, they exfiltrated data, harvested credentials, and positioned themselves to cause maximum damage when they finally struck. If an attacker has been inside your environment for weeks, your most recent backups may already be compromised.
Encryption is No Longer the Main Event
The other shift that undermines the “just restore from backup” approach is the rise of extortion-only attacks. According to the same Sophos research, 6% of ransomware attacks in 2025 involved extortion without encryption, which is double the rate from the previous year. Attackers steal sensitive data and threaten to publish it, bypassing encryption entirely.
This trend has accelerated further in 2026. Threat intelligence analysis from Ransom-DB shows that groups like Nova (RALord) now treat data exfiltration as a core pressure tactic alongside encryption, not a secondary concern. DragonForce, the ransomware operation behind the M&S attack, operates a similar model. For these groups, even a perfect restore won’t undo the damage of having client records, financial data, or intellectual property leaked online.
The UK Government’s Cyber Security Breaches Survey 2025 found that ransomware incidents affecting UK businesses doubled year-on-year, from under 0.5% to 1%, totalling an estimated 19,000 organisations. Among large businesses, 74% reported some form of cyber breach or attack. These are organisations with IT teams and backup strategies already in place.
Most Businesses Aren’t as Prepared as They Think
Acceptance and preparedness are different things. The Sophos enterprise report revealed that enterprise backup usage dropped to a four-year low of 53%, down from 73% the year before. Organisations are discovering, in the middle of an incident, that their recovery plans don’t work as expected.
Many businesses treat backup and recovery as an IT operations task: left with the infrastructure team, reviewed annually, and rarely tested under realistic conditions. But ransomware recovery is a business continuity problem that touches legal, communications, operations, and leadership. When the M&S board discovered that their attackers had gained initial access through social engineering of a third-party contractor, the technical response was only one piece of a much larger puzzle.
The UK Breaches Survey also highlighted a concerning governance gap: only 27% of UK businesses now have a board member responsible for cyber security, down from 38% in 2021. At a time when a single breach can erase years of commercial progress, that decline in senior-level ownership is difficult to explain.
What a Strong Recovery Plan Actually Needs
First, backups need to be genuinely immutable. Not just stored separately but architecturally protected from tampering – immutable snapshots and air-gapped storage that can’t be reached even by an attacker with domain admin credentials. This is where solutions from vendors like IBM, with their cyber-resilient storage platforms, have become increasingly relevant. The ability to create tamper-proof recovery points that survive even a full network compromise is no longer a nice-to-have.
Second, detection and recovery need to be treated as two halves of the same capability. There’s little value in having clean backups if you can’t identify when the compromise began. Intelligent anomaly detection – systems that flag unusual data access patterns, unexpected encryption activity, or credential movements – gives organisations the visibility to pinpoint a clean recovery point rather than guessing.
Third, recovery plans need to be tested against realistic scenarios, not just verified on paper. The Sophos State of Ransomware 2025 report did contain one encouraging signal: 53% of organisations recovered within a week, up from 35% the previous year. But separate Sophos research into backup compromise found that organisations with intact backups recovered in a week or less 46% of the time, compared with just 26% of those whose backups had been compromised. The quality of the recovery infrastructure directly determines the speed of business resumption.
Finally, recovery readiness requires an integrated approach. The businesses that recover fastest are those where networking, security monitoring, and data protection work as a single ecosystem, with no gaps between them. When those elements sit with different providers who don’t communicate, the gaps between them become exactly the spaces that attackers exploit.
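To make the first two points concrete, here is an added example (not code from Syscomm, Sophos or IBM) that combines snapshot change metrics with access alerts to choose the newest immutable snapshot taken before the earliest sign of compromise. The metric names, the threshold and the snapshot catalogue are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

@dataclass
class Snapshot:
    taken: date
    immutable: bool       # cannot be altered or deleted, even by an admin account
    changed_ratio: float  # fraction of blocks changed since the previous snapshot
    entropy: float        # mean bits/byte of changed blocks (ciphertext is near 8.0)

def robust_outliers(values, k=6.0):
    """Indices whose value exceeds median + k * MAD (median absolute deviation)."""
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1e-9
    return [i for i, v in enumerate(values) if v - med > k * mad]

def first_anomaly(snaps, access_alerts):
    """Earliest date with an encryption-like snapshot or an access/credential alert."""
    hot = set(robust_outliers([s.changed_ratio for s in snaps]))
    hot &= set(robust_outliers([s.entropy for s in snaps]))  # both signals must spike
    dates = [snaps[i].taken for i in hot] + list(access_alerts)
    return min(dates) if dates else None

def clean_recovery_point(snaps, access_alerts, margin_days=1):
    """Newest immutable snapshot taken before the earliest sign of compromise."""
    start = first_anomaly(snaps, access_alerts)
    cutoff = start - timedelta(days=margin_days) if start else date.max
    ok = [s for s in snaps if s.immutable and s.taken <= cutoff]
    return max(ok, key=lambda s: s.taken) if ok else None

# Constructed sample: ten daily snapshots; encryption lands on days 9 and 10,
# and the 4 March copy sits on ordinary (mutable) storage.
START = date(2025, 3, 1)
CHANGED = [0.02, 0.03, 0.02, 0.025, 0.02, 0.03, 0.02, 0.025, 0.60, 0.85]
ENTROPY = [5.1, 5.3, 5.0, 5.2, 5.1, 5.2, 5.0, 5.3, 7.9, 7.95]
SNAPS = [Snapshot(START + timedelta(days=i), i != 3, c, e)
         for i, (c, e) in enumerate(zip(CHANGED, ENTROPY))]
ALERTS = [date(2025, 3, 5)]  # constructed alert: unusual credential use

if __name__ == "__main__":
    print("encryption signal only:", clean_recovery_point(SNAPS, []).taken)
    print("with access alerts:    ", clean_recovery_point(SNAPS, ALERTS).taken)
```

Using the encryption spike alone selects 8 March, which falls inside the intruder's dwell time; adding the earlier access alert moves the recovery point back to 3 March and skips the mutable 4 March copy.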
Where Recovery Breaks Down
We see this first-hand through our incident response work. Organisations that come to us after a breach often have backup solutions in place. What they lack is the integration between those backups, their network infrastructure, and their security monitoring that would make recovery trustworthy when it matters most. Filling those gaps, whether it’s between detection and response or between backup and verified recovery, is where the real work of resilience happens.
So ask yourself: could your organisation actually recover – quickly, cleanly, and confidently – if its backups were the last line of defence that hadn’t already been compromised?
See Modern Data Recovery in Action
On 27th April 2026, Syscomm and IBM are hosting an exclusive in-person event at IBM’s UK headquarters in London. Defending Your Data — Cyber Safe Experience brings together security specialists to explore how modern data protection works in practice: from cyber-resilient storage and immutable snapshots to live recovery orchestration demonstrations. The session includes a tour of IBM’s Innovation Centre, featuring their quantum computing capabilities, and a live Secure & Resiliency Assessment showing how recovery works in real-world scenarios.
Places are limited, and the event is free to attend. If the questions raised in this piece feel relevant to your organisation, this is a practical next step.