Ransomware has evolved. Today’s operators do not just encrypt your files — they hunt down and destroy your backups first, then steal data to extort you twice. Your accounting records sit right in the crosshairs. Here is why, and what actually stops it.
- Attackers commonly target and delete backups before triggering encryption.
- Financial records are prized for extortion, fraud and follow-on social engineering.
- Double extortion means even good backups will not stop a data-leak threat — but they restore your operations.
- An isolated, immutable, independent backup is the control that gets you running again without paying.
How a modern ransomware attack unfolds
The cinematic image of ransomware — files lock, a ransom note appears — is the last step, not the first. A typical intrusion runs: gain access (often a phished or reused credential), move laterally, escalate privileges, locate and destroy backups, exfiltrate valuable data, and only then detonate the encryption. By the time you see the note, the attacker has usually already neutralised your recovery options.
Why your backups are the first target
Attackers know that a business with intact, restorable backups simply restores and ignores them. So backups are now a primary objective. If your backups live on the same network, under the same credentials, or in the same admin console as production, they can be found and deleted along with everything else. This is why the ACSC stresses that backups must be isolated and immutable.
Why accounting data is so valuable
Your books are a goldmine for an attacker:
- Bank details and payment patterns enable payment-redirection fraud.
- Contact and supplier lists fuel convincing follow-on phishing.
- The threat to leak sensitive financials is powerful extortion leverage.
- Losing the records themselves can halt invoicing, payroll and compliance overnight.
The double-extortion wrinkle
Many groups now steal data before encrypting, then threaten to publish it. Backups will not erase that threat — but they remove the operational hostage situation, letting you restore and keep trading while you manage the disclosure side. Backups change the question from "will we survive" to "how do we respond."
What actually protects you
Prevention controls — MFA, patching, application control — reduce the odds of a successful intrusion. But assume one attack eventually lands. Your recovery then depends on a backup the attacker could not touch: independent of your production credentials, immutable for its retention period, and tested by actually restoring from it. For cloud accounting, that means an independent copy of your Xero data kept outside the systems an intruder would compromise.