Two developments in 2026 have rewritten the assumptions under every mid-market backup strategy. In March, Google Cloud’s Mandiant team published M-Trends 2026 and documented a systemic shift in ransomware operator behavior. In May, Veeam used VeeamON 2026 to detail Veeam Data Platform v13.1, the next iteration of a platform that already serves more than 550,000 customers. Both point to the same conclusion: backups are no longer the recovery path of last resort; they are the primary target of the attack itself. The defense has to change with the threat.
The opening scene: ransomware now targets the recovery plane first

Picture the standard mid-market environment circa 2022. The production estate runs on VMware. A backup server sits on the same Active Directory domain, with a deduplicated repository attached. A nightly job runs. If something goes wrong, IT restores from yesterday’s snapshot. That mental model still drives many backup architectures today. It is also exactly the architecture that operators behind REDBIKE (Akira) and AGENDA (Qilin) now exploit before they ever launch the encryptor.
Mandiant’s M-Trends 2026 report, published March 23, 2026, named these groups specifically and described what they do. Operators now target backup infrastructure, identity services, and the vSphere management plane in the early stages of an intrusion. They harvest long-lived OAuth tokens. They compromise third-party SaaS vendors to pivot into downstream customer environments. They disable multifactor authentication on the backup console. They delete encryption passwords. Only then do they trigger encryption on production data, at which point the victim discovers the recovery path is already gone.

The Mandiant guidance that follows is unambiguous. Backup environments should be decoupled from the corporate Active Directory domain and should use immutable storage. Anything less is a known-failed control in 2026.
The numbers behind the shift

Veeam’s 2025 Ransomware Trends Report surveyed 1,300 organizations across the Americas, Europe, and Australia, of which 900 had experienced a ransomware attack in the prior 12 months. The numbers are the operational baseline for any conversation a CIO or CISO is having with their board this year.

The gap between the first stat and the third stat is the whole story. Nine out of ten attacked organizations had their backups targeted. Roughly one in three had immutable storage in place to resist the attempt. That gap is what attackers monetize. It is also what the modern defense stack closes.

Veeam reports that 57% of attack victims recovered less than half their data. The simplistic reading is that backup is broken. The accurate reading is that the architectures most organizations call “backup” were never designed for an attacker who could authenticate to the backup console.
What 3-2-1-1-0 actually means in 2026

The classic 3-2-1 rule, originally published by photographer Peter Krogh in 2005, predates the modern ransomware threat by a decade. Veeam’s extension, 3-2-1-1-0, adds two requirements that exist specifically because the original rule assumes a benign threat model. The first added digit forces a copy of data to exist outside the writable production identity domain. The second added digit forces evidence that recovery actually works.

Two phrases in the table do most of the load-bearing work. “Outside the customer’s site and network” matters because a copy that lives where the attacker also lives is not a copy; it is a target. “Outside the customer’s Active Directory administrative boundary” matters because every credible 2025 attack chain involves AD compromise. A backup that an attacker can reach with privileged AD credentials is not a backup; it is a deletion candidate.
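The rule can be turned into a mechanical self-audit over an inventory of data copies. The sketch below is an added example, not Veeam or IT Vortex code: it uses the usual statement of the rule (three copies, two media types, one offsite, one immutable copy outside the AD boundary, zero errors on a recent restore test). The field names, the sample inventories, and the 30-day test cadence are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Copy:                      # field names are hypothetical
    name: str
    media: str                   # "disk", "object", "tape", ...
    offsite: bool                # outside the customer's site and network
    immutable: bool              # hardened repository, object lock, or offline
    ad_joined: bool              # reachable with production AD credentials
    last_restore_test: Optional[date] = None
    restore_errors: Optional[int] = None

def audit_32110(copies, today, max_test_age_days=30):
    """Map each 3-2-1-1-0 digit to pass/fail; production counts as one copy."""
    isolated = [c for c in copies if c.immutable and not c.ad_joined]
    tested = [c for c in copies if c.last_restore_test is not None
              and (today - c.last_restore_test).days <= max_test_age_days]
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.media for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        "1_immutable_outside_ad": bool(isolated),
        "0_errors_verified": bool(tested)
                             and all(c.restore_errors == 0 for c in tested),
    }

def gaps(copies, today):
    """Names of the failed checks, in rule order."""
    return [check for check, ok in audit_32110(copies, today).items() if not ok]

# Constructed inventories, not data from the page.
PROD = Copy("vmware-prod", "disk", offsite=False, immutable=False, ad_joined=True)
DEDUPE = Copy("dedupe-repo", "disk", offsite=False, immutable=False, ad_joined=True)
LOCKED = Copy("object-lock-offsite", "object", offsite=True, immutable=True,
              ad_joined=False, last_restore_test=date(2026, 5, 20),
              restore_errors=0)
LEGACY = [PROD, DEDUPE]              # the circa-2022 layout described earlier
HARDENED = [PROD, DEDUPE, LOCKED]

if __name__ == "__main__":
    for label, inv in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(label, gaps(inv, date(2026, 6, 1)) or "no gaps")
```

An immutable copy that is still joined to the production domain fails the fourth check, and a restore test older than the cadence fails the fifth even if it reported zero errors.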

The inflection point: Veeam Data Platform v13 and v13.1

Veeam released Veeam Data Platform v13 on November 19, 2025, with cyber resilience and AI capabilities positioned at the center of the platform. The headline additions reflect the same threat model Mandiant later documented in M-Trends 2026.
Recon Scanner 3.0, powered by Coveware by Veeam, was built directly into the platform. It flags suspected adversary behavior across monitored endpoints, including brute force attacks, suspicious file activity, and unexpected network connections. A Consolidated Triage Inbox aggregates findings with severity ratings and behavioral context, so the backup console is no longer just a job-status dashboard; it is a threat-visibility layer.
The Veeam intelligence-driven Malware Analysis AI Agent, also added in v13, detects, classifies, and reports malware inside backups. The practical value is that a clean restore point is identified automatically, rather than discovered manually by an engineer scrubbing through snapshot histories during an active incident.
Veeam Data Platform v13.1, announced at VeeamON 2026 in May and scheduled for general availability in early Q3 2026, extends the security layer further:

This is the platform Veeam is shipping into a market where, in Veeam CEO Anand Eswaran’s framing from the April 2025 Ransomware Trends Report release, the imperative is to transition from reactive security measures to proactive data resilience. The v13 line is the engineering answer to that strategic position.
Sophos MDR and XDR as the surrounding layer

Veeam protects the data. Sophos protects everything around it. The IT Vortex implementation puts the two together so that the backup environment is not just hardened but also monitored by a 24/7 security operations function watching for exactly the behaviors M-Trends 2026 named.
Sophos MDR and Sophos XDR integrate with Veeam Backup and Replication v12.1 or later via the Backup and Recovery Integration Pack. The integration sends Veeam telemetry into the Sophos analytics platform, and the Sophos service monitors for specific backup-tampering signals:

Sophos CryptoGuard technology runs alongside, detecting and stopping ransomware including new variants and both local and remote encryption attempts. The integration is delivered as an add-on subscription pack, and Sophos updated the integration setup documentation as recently as February 23, 2026, confirming this is an actively developed control plane and not a brochure-ware partnership.

Mapping the attack to the defense

The Mandiant tactics list is not abstract. Each named behavior corresponds to a specific layer of the 3-2-1-1-0 model and a specific Sophos control. The table below shows the mapping IT Vortex uses to walk customers through their own gap analysis.

This mapping is also a self-audit. If a CIO cannot point at a specific control covering each row, the recovery plan has gaps that an opportunistic ransomware operator will find before any planned penetration test will.
What happens to a mid-market business that has not closed the gap

The Veeam report numbers reveal the after-attack picture in detail. Among organizations whose backups were targeted:

The financial impact of partial recovery is rarely linear. A finance system restored without its corresponding ERP integration tables is technically restored and operationally useless. A file share recovered without the access control list that governed it is technically restored and a compliance problem on day one. Mid-market organizations that take 24 days to recover, the 2025 industry median, do not just lose 24 days of revenue; they lose customer trust, contractual SLA standing, and, in regulated verticals, the assumption that their data lifecycle is in compliance.
The cyber insurance underwriting angle
Cyber insurance underwriters in 2026 are asking sharper questions than they did in 2023. Renewal questionnaires now routinely include line items asking whether immutable backup copies exist, whether the backup environment is segmented from the production identity domain, and whether restore tests are documented on a defined cadence. A “no” on those questions does not always block coverage outright, but it increasingly drives premium uplifts, lower per-incident sublimits, or coinsurance carve-outs that shift more of the recovery cost back to the insured. For mid-market organizations, the underwriting conversation has effectively become a procurement signal: the controls insurers price for are the same controls the 3-2-1-1-0 rule prescribes. Closing the gap reduces both the operational risk of a ransomware incident and the cost of transferring that risk to an insurer.
How IT Vortex closes the gap

The IT Vortex platform implements all four layers of Figure 2 as a managed service. The role of the customer is to define the recovery point objective and the recovery time objective. The role of IT Vortex is to deliver them, with the supporting evidence that they actually work.
Backup as a Service (BaaS)
BaaS is Veeam-powered, with the immutability layer and the verified restore testing built in. The customer’s backup data lives in the IT Vortex managed environment, with Hardened Linux Repository storage paired with Object Lock object storage. SureBackup verification jobs run on a schedule and the reports are delivered as evidence of recoverability, not just job success. Microsoft 365 data (Exchange Online, SharePoint, Teams) is covered under the same 3-2-1-1-0 framework as on-premises workloads.
Disaster Recovery (DRaaS)
DRaaS goes beyond backup to deliver a working production environment in the IT Vortex data center, ready to take over when the primary site is unavailable. Continuous Data Protection options are available where the RPO target is measured in seconds rather than hours. The DRaaS environment runs on the same managed VMware platform IT Vortex operates as a Premier Broadcom VCSP Partner, which means failover targets the same virtualization platform the customer already runs in production.
Security as a Service (SECaaS)
SECaaS is the Sophos MDR and XDR layer, including the Veeam integration via the Backup and Recovery Integration Pack. The Sophos analysts watch the backup environment continuously and escalate the specific tampering behaviors named in M-Trends 2026 within minutes, not hours. CryptoGuard provides ransomware encryption protection across the broader endpoint and server estate, and the Sophos console correlates Veeam telemetry with the rest of the security event stream so that backup tampering is not analyzed in isolation.
The three services are designed to work together, not as separate line items. The customer benefit is one operational pane of glass, one vendor relationship for the recovery and security functions, and one SLA covering both protection and detection.
About IT Vortex. IT Vortex is a Premier Broadcom VCSP Partner and managed cloud services provider headquartered in Paramus, New Jersey. Services include Cloud Hosting (IaaS), Desktop as a Service (DaaS), Disaster Recovery (DRaaS), Backup as a Service (BaaS), and Security as a Service (SECaaS) for mid-market and enterprise organizations across North America. Phone: 1 (844) 704-0684. Web: theitvortex.com.
- Veeam 2025 Ransomware Trends and Proactive Strategies Report (released April 2025; n=1,300 organizations across the Americas, Europe, and Australia; 900 had been attacked in the prior 12 months).
- Google Cloud / Mandiant, M-Trends 2026 report, March 23, 2026.
- Veeam Software press release, “Veeam Data Platform v13 Launches and Redefines the Standard for Cyber Resilience,” November 19, 2025.
- Veeam blog, “Veeam Data Platform v13.1 Announcements from VeeamON 2026,” May 13, 2026.
- Sophos product documentation, “Integrate Veeam Backup & Replication” with Sophos Central, updated February 23, 2026.
- Veeam best practices documentation, “3-2-1-1-0 Rule” and “Protect the backups.”
- Rick Vanover (Veeam), “Ransomware Trends and the Future of Data Protection,” October 2025.