In April 2025, British retail giant Marks & Spencer (M&S) fell victim to a sophisticated ransomware attack by the group Scattered Spider. The breach brought online operations to a standstill, crippled inventory systems, and left store shelves empty as the company resorted to manual workarounds. The impact was staggering: over £1 billion in market value was erased, and operating profit took an estimated £300 million hit.
This wasn’t a failure of detection. It was a failure of recovery.
The M&S incident highlights a hard truth: ransomware resilience isn’t just about having the right tools — it’s about proving you can recover. In today’s enterprise environment, backups alone aren’t enough. You must be able to demonstrate—to your board, auditors, and insurers—that your data is intact, uncorrupted, and restorable in the event of a ransomware attack.
M&S had backups. But they couldn’t recover in time. The result? A prolonged, costly disruption that no organization can afford.
The New Threat Model: Ransomware Targets Recovery First
Ransomware has evolved. It’s no longer just about encrypting production systems and demanding payment.
Today’s attackers go after what gives you leverage: your backups. Sophos reports that 94% of ransomware incidents now include attempts to compromise backup systems, and more than half of those attempts succeed. These aren’t opportunistic strikes; they’re calculated, methodical campaigns aimed at one objective: preventing recovery.
The logic is straightforward. If your backups are gone or corrupted, you’re far more likely to pay. Victims with compromised backups are nearly twice as likely to succumb to ransom demands — yet even then, recovery remains uncertain. According to CyberEdge, only 54% of those who pay get all their data back.
Bottom line: having backups isn’t enough. The new standard is provable, tamper-proof, ransomware-aware data recovery. Anything less is a risk.
Marks & Spencer: A Cautionary Tale for Risk Committees
When M&S disclosed the breach in late April 2025, operations were already in chaos. Online orders were suspended. Contactless payments and Click-and-Collect were shut down. Employees reverted to pen-and-paper processes. Even by late May, full e-commerce service had not been restored.
The company reportedly refused to pay the ransom, a principled and government-aligned decision. But without fast and provable clean data recovery options, they had no choice but to rebuild from scratch. Systems were reimaged. Applications reinstalled. Data painstakingly recovered from partial sources.
What followed was a months-long outage, a media firestorm, and a significant setback in M&S’s turnaround strategy. The company described the attack as “unlucky.” In truth, this was not about luck. It was about missing controls.
Provable ransomware readiness is now a board-level mandate. When recovery isn’t fast, clean, and provable, the business pays the price.
The Backup Illusion: “We Had Backups” Isn’t Enough
Many organizations are lulled into a false sense of readiness. They assume that because backups exist, recovery is assured. But the data tells a different story:
- Thirty-one percent of organizations with recent backups were unable to fully recover after a ransomware attack.
- On average, 43% of affected data is permanently lost after ransomware incidents (The Journal).
- Only 26% of companies whose backups were hit recovered operations within one week, compared to 46% when backups remained intact.
Even worse: 63% of organizations risk re-infecting themselves during recovery because they restore from backups that were never scanned for ransomware or encryption artifacts.
These numbers aren’t IT problems; they’re audit findings waiting to happen. Your ability to recover must not only exist, but also be demonstrable, provable, and regularly tested.
Treat Recovery as a Security Control
Here’s what a ransomware-resilient recovery posture looks like in 2025:
Immutable Storage
Backups that can’t be altered or deleted by ransomware, whether stored in the cloud (e.g., AWS S3 Object Lock) or on-premises with WORM or air-gapped infrastructure.
Continuous Integrity Scans
Every backup is scanned for ransomware, insider threat encryption, dormant malware, and file system corruption. Not just before recovery but continuously.
Access Separation
Backup systems are isolated from primary networks. Admin credentials are not reused between production and backup environments. MFA is enforced on all access points.
Restore Testing
Routine restore tests are conducted in safe environments to validate the completeness, performance, and time-to-recovery (RTO) of the restore process. Evidence is logged and reviewed.
Recovery Workbooks and Runbooks
Documented, rehearsed workflows for restoring critical applications in priority order. Maintained and versioned.
Real-Time Resilience Metrics
KPIs that measure how many assets have clean recovery points within SLA, time to last clean snapshot, and encryption trends across backup sets.
These are not optional enhancements; they are controls. Just as you can’t claim identity protection without MFA, you can’t claim ransomware resilience without a provable ability to recover from a known-clean backup.
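As an added illustration (this is not Elastio's code, nor code from the article), the following Python model shows what the "Real-Time Resilience Metrics" and "Continuous Integrity Scans" controls above look like when turned into numbers. It assumes a 24-hour recovery-point SLA and a constructed inventory of recovery points, each tagged with whether an integrity scan has run and what it found. The key design choice is that an unscanned recovery point is never treated as a restore candidate, which is the re-infection risk the article describes; the KPIs report assets with a clean point inside SLA, hours since the last clean snapshot per asset, how many points were never scanned, and the encryption trend across a single asset's backup set.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RecoveryPoint:
    """One backup snapshot of one asset, plus the verdict of its integrity scan."""
    asset: str
    taken_at: datetime
    scanned: bool                 # False = never scanned; must not be restored from
    clean: bool = False           # only meaningful when scanned is True
    encrypted_ratio: float = 0.0  # share of files the scan flagged as encrypted


# Assumed values for the example: a fixed "now" and a 24-hour recovery-point SLA.
NOW = datetime(2025, 6, 1, 12, 0)
SLA = timedelta(hours=24)

# Constructed sample inventory (not real customer data). erp-db has two recent
# points that scans found encrypted; pos-gateway's newest point was never scanned.
SAMPLE_POINTS = [
    RecoveryPoint("erp-db", NOW - timedelta(hours=2), scanned=True, clean=False, encrypted_ratio=0.71),
    RecoveryPoint("erp-db", NOW - timedelta(hours=26), scanned=True, clean=False, encrypted_ratio=0.12),
    RecoveryPoint("erp-db", NOW - timedelta(hours=50), scanned=True, clean=True),
    RecoveryPoint("web-store", NOW - timedelta(hours=6), scanned=True, clean=True),
    RecoveryPoint("pos-gateway", NOW - timedelta(hours=3), scanned=False),
    RecoveryPoint("pos-gateway", NOW - timedelta(hours=30), scanned=True, clean=True),
    RecoveryPoint("hr-files", NOW - timedelta(hours=1), scanned=True, clean=True),
]


def last_clean_point(points, asset):
    """Newest point for `asset` that was scanned AND found clean.
    Unscanned points are ignored on purpose: restoring from them risks re-infection."""
    candidates = [p for p in points if p.asset == asset and p.scanned and p.clean]
    return max(candidates, key=lambda p: p.taken_at, default=None)


def hours_to_last_clean(points, asset, now=NOW):
    """Age of the last clean snapshot in hours, or None if the asset has no clean point."""
    p = last_clean_point(points, asset)
    if p is None:
        return None
    return (now - p.taken_at).total_seconds() / 3600


def within_sla(points, asset, sla=SLA, now=NOW):
    """True when the asset can be restored from a clean point no older than the SLA."""
    age = hours_to_last_clean(points, asset, now)
    return age is not None and age <= sla.total_seconds() / 3600


def resilience_kpis(points, sla=SLA, now=NOW):
    """Board-level summary: coverage inside SLA, per-asset clean-snapshot age, unscanned backlog."""
    assets = sorted({p.asset for p in points})
    covered = [a for a in assets if within_sla(points, a, sla, now)]
    ages = {a: hours_to_last_clean(points, a, now) for a in assets}
    return {
        "assets": len(assets),
        "assets_with_clean_point_in_sla": len(covered),
        "coverage_pct": round(100 * len(covered) / len(assets), 1) if assets else 0.0,
        "hours_to_last_clean": ages,
        "unscanned_points": sum(1 for p in points if not p.scanned),
    }


def encryption_trend(points, asset):
    """Encrypted-file ratio of each scanned point, oldest first.
    A rising series is the early warning that encryption is spreading into backups."""
    scanned = sorted((p for p in points if p.asset == asset and p.scanned), key=lambda p: p.taken_at)
    return [p.encrypted_ratio for p in scanned]


if __name__ == "__main__":
    kpis = resilience_kpis(SAMPLE_POINTS)
    print(f"{kpis['assets_with_clean_point_in_sla']}/{kpis['assets']} assets "
          f"({kpis['coverage_pct']}%) have a clean recovery point within SLA")
    for asset, age in kpis["hours_to_last_clean"].items():
        status = "NO CLEAN POINT" if age is None else f"{age:.0f}h since last clean snapshot"
        print(f"  {asset:<12} {status}")
    print(f"unscanned recovery points: {kpis['unscanned_points']}")
    print(f"erp-db encryption trend: {encryption_trend(SAMPLE_POINTS, 'erp-db')}")
```

In the sample data, erp-db and pos-gateway both have recent backups yet neither counts as covered: erp-db's newest clean point is 50 hours old because the two newer ones failed their scans, and pos-gateway's 3-hour-old point is excluded because it was never scanned. That gap between "we have recent backups" and "we have a clean point we can prove" is exactly the number a risk committee should be asking for.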
A Word from the Front Lines
As M&S CIO Jeremy Pee noted after the attack:
“We’ve had to re-architect and accelerate parts of the digital transformation – what was a two-year program is now being done in six months.”
— CIO.com
In plain terms: when recovery fails, the business must pivot under duress. Systems are rushed. Budgets are scrambled. Priorities shift from innovation to reconstitution.
That’s not resilience, that’s survival mode. No organization should wait until after an attack to discover that its recovery was merely theoretical.
Provable Recovery is a Strategic Advantage
Resilient finance and retail institutions don’t just need cybersecurity. They also require effective risk management. They need cyber survivability. They need to be able to tell their boards, regulators, and shareholders:
- “We know how much data we’d lose in a worst-case event.”
- “We can prove how long recovery would take.”
- “We can show which systems are covered — and which aren’t.”
- “We scan for ransomware and insider threat encryption every day — not just after the fire.”
This is the language of operational resilience. And increasingly, it’s becoming the language of compliance, insurance underwriting, and investor due diligence.
Final Thought
Ransomware isn’t going away. But the catastrophic consequences can be prevented — not with wishful thinking, but with controls that make resilience provable.
When the next attack comes, and it will, your backups will either be your lifeline or your liability.
The difference lies in whether recovery is merely a checkbox or a proven security control.
Elastio is the Ransomware Recovery Assurance Platform. We continuously verify, score, and track your backups to ensure they are clean, recoverable, and ransomware-free — even in the face of insider threats or sophisticated encryption attacks. Our platform provides real-time integrity scanning, provable clean snapshots, and automation for fast recovery, so your last line of defense is your strongest.