When ransomware hits, “we have good backups” feels like a lifeline. And it is. Backups shorten downtime and preserve data. But they don’t remove the intruder, repair trust in your identity systems, or close the hole they used to get in. If you stop at restore-only, you’re rebuilding on the same compromised foundations. Modern crews know this, and they monetize the second bite: re-encryption, re-extortion, or resale of your access.
Why Restore-Only Fails
Restoring from backup puts files back where they were, not your security posture. Attackers don’t just drop ransomware and leave. They map your network, steal credentials, plant backdoors, and create cloud-tenant persistence so they can come back on their schedule. If those artifacts survive the restore, the outcome is predictable: the attacker returns.
Where Attackers Linger
Even small campaigns leave a long tail. Persistence commonly hides in:
- Endpoints and servers: scheduled tasks, services, WMI subscriptions, web shells, abused remote tools.
- Identity and directory services: privileged accounts, delegated rights, precursors to forged tickets, risky GPO scripts.
- Cloud and email: OAuth app grants, stale refresh tokens, malicious inbox rules, legacy auth.
- Keys and infrastructure: API/SSH keys, VPN and MDM consoles, backup platforms, hypervisors, and network gear.
The Likelihood They Return
Opportunistic affiliates often cast a wide net and move on when blocked, but if any foothold remains there is still a meaningful chance (think one in three) that they will try again.
Targeted operators behave differently. They invest time to steal data, establish multiple persistence layers, and treat your environment like an ongoing revenue stream. If you only restore from backups, expect them to return. In practice, follow-on attempts are the default, not the exception.
What Full IR Looks Like
A complete incident response doesn’t just clean up malware; it resets trust.
- Scope and contain
Quickly isolate affected systems, cut command-and-control egress, and tighten remote access. Geofence or temporarily disable VPN, and turn up logging so you can see what’s happening while you contain.
- Reset identity
Identity is the attacker’s accelerator. Rotate privileged and service accounts, revoke refresh tokens, and force reauthentication with MFA. In Active Directory, double‑rotate the domain ticket‑signing account to invalidate forged tickets. In cloud IdPs, remove risky OAuth apps and rotate API keys and secrets.
- Eradicate persistence
Hunt methodically: web server directories, autoruns, scheduled tasks, WMI events, new services or drivers, RMM tools abused for remote control, and scripts embedded in GPOs. For critical systems, rebuild from known-good images rather than “cleaning in place.”
- Patch and harden
Close the original entry point (edge device, email gateway, web app, or vulnerable server), then raise the floor. Enforce MFA everywhere, disable legacy protocols, apply least privilege, enable EDR tamper protection, and segment the network to limit blast radius.
- Validate and monitor
Bring systems back in a controlled way: deploy EDR first, then restore data, then baseline and monitor. Maintain heightened detection for 2–4 weeks, watching for token anomalies, unusual OAuth grants, new admin accounts, lateral movement tooling, and atypical data egress.
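The heightened-monitoring step above is easier to operationalize as a small rule set run over identity audit events. The following is an added example (not code from the original post or from any vendor); the event field names, the revocation cut-off time, the known-admin list, and the sample events are all constructed assumptions, but the four checks map directly to the indicators named above: tokens issued before the revocation cut-off still being accepted, legacy auth sign-ins, admin roles granted to unexpected accounts, and OAuth consents to unapproved apps.

```python
from datetime import datetime

# Constructed reference data (assumed for this example, not from any real tenant).
REVOCATION_CUTOFF = datetime(2024, 5, 2, 9, 0)   # when refresh tokens were revoked
KNOWN_ADMINS = {"it-admin", "breakglass"}        # admin accounts expected after rebuild
APPROVED_APPS = {"Corp Mail Sync"}               # OAuth apps reviewed and allowed

# Constructed sample audit events; field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T11:05:00", "type": "signin", "user": "j.doe",
     "token_issued": "2024-05-01T22:10:00", "auth": "modern"},
    {"ts": "2024-05-02T11:07:00", "type": "signin", "user": "svc-backup",
     "token_issued": "2024-05-02T10:50:00", "auth": "legacy"},
    {"ts": "2024-05-02T12:00:00", "type": "role_assign", "user": "helpdesk7",
     "role": "Global Administrator"},
    {"ts": "2024-05-02T12:30:00", "type": "oauth_consent", "user": "j.doe",
     "app": "Mailbox Helper", "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"ts": "2024-05-02T13:00:00", "type": "oauth_consent", "user": "it-admin",
     "app": "Corp Mail Sync", "scopes": ["Mail.Read"]},
]


def triage(events, cutoff, known_admins, approved_apps):
    """Return (finding_type, subject) pairs for events that match a recurrence indicator."""
    findings = []
    for e in events:
        if e["type"] == "signin":
            # A token minted before the cut-off that is still honoured means revocation did not take.
            if datetime.fromisoformat(e["token_issued"]) < cutoff:
                findings.append(("stale_token", e["user"]))
            # Legacy auth bypasses MFA and should have been disabled during hardening.
            if e["auth"] == "legacy":
                findings.append(("legacy_auth", e["user"]))
        elif e["type"] == "role_assign":
            # Any admin-level role landing on an account outside the rebuilt admin set.
            if "admin" in e["role"].lower() and e["user"] not in known_admins:
                findings.append(("new_admin", e["user"]))
        elif e["type"] == "oauth_consent":
            # Consent to an app that was not on the post-incident allow list.
            if e["app"] not in approved_apps:
                findings.append(("unapproved_oauth_grant", f'{e["user"]}:{e["app"]}'))
    return findings


if __name__ == "__main__":
    for kind, subject in triage(SAMPLE_EVENTS, REVOCATION_CUTOFF, KNOWN_ADMINS, APPROVED_APPS):
        print(f"{kind:24} {subject}")
```

Each finding here is a reason to reopen containment, not just an alert to close; the stale-token case in particular is the page's "failing to revoke refresh tokens" pitfall made visible.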
A Practical Timeline
- Day 0–1: Contain. Quarantine hosts, block C2, revoke tokens, disable suspect accounts, and preserve evidence.
- Day 1–3: Rebuild the crown jewels. Patch edge, rotate keys and secrets, reimage Tier‑0/Tier‑1 systems (domain controllers, identity providers, management servers).
- Day 3–7: Controlled restore. Reintroduce systems into segmented networks, validate with EDR, and continue hunting.
How to Prove You’re Safe
Leaders will ask, “Are we clear?” Track and report:
- Time to contain, time to rotate credentials, and time to rebuild Tier‑0.
- Percentage of privileged identities rotated.
- Number of persistence mechanisms found and removed.
- EDR coverage and logging completeness across critical assets.
- Any recurrence attempts detected and blocked during heightened monitoring.
Common Pitfalls
- Resetting user passwords but not the domain ticket‑signing account or service accounts.
- Leaving legacy auth enabled or failing to revoke refresh tokens.
- Cleaning endpoints in place rather than rebuilding from trusted images.
- Overlooking backup, MDM/EDR consoles, hypervisors, and third‑party RMM tools.
The Bottom Line
Backups restore data, not trust. Until you reset identity, eradicate persistence, close the entry vector, and validate with telemetry, assume the adversary can return. For targeted crews, a follow-on attempt is likely. A full IR isn’t overhead; it’s the difference between a one-time outage and an ongoing revenue stream for your attacker.
Prebuild the runbook. Practice token revocation at scale. Rehearse the double rotation of the domain ticket‑signing account. Validate that your backups are immutable and restorable into a quarantined segment. The cheapest time to do these things is before you need them.
Lighthouse can help you stay secure!