
> It's ransomware 101 to wait

Not really. A sister company of my previous company had a ransomware incident, and as far as I've heard this was not the case. They had just purged local backups. The attack was stopped quite early by an engineer noticing abnormally high IO activity and shutting the whole infrastructure down as soon as they realized what was going on - while a lot of data was lost and had to be restored from backups, most of the files were untouched. Still, the recovery took a really long while, since every machine had to be audited before it could even be powered on again.

Poisoning backups requires the backup systems to receive encrypted data for a while. Which means live systems running off the encrypted data (and most ransomware encrypts at the file level, which is much harder to do transparently, compared to the block device level). Which requires effort to make sure this is extremely transparent and goes unnoticed. I doubt that attackers expend their resources on this unless they see a necessity.
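The comment above describes the incident being caught because someone noticed abnormally high IO on a host. Below is a defender-side sketch of that kind of check, added here as an illustration; it is not code from the thread, from the company involved, or from any particular product. The host names, the per-minute write throughput samples and the thresholds are constructed for the example. It flags a host whose current write rate is far outside its own recent baseline (using median and MAD rather than mean and standard deviation, so one earlier spike does not inflate the baseline), and it adds the complementary entropy check that file-level encryption tends to trip: ciphertext looks like uniformly random bytes.

```python
"""Flag hosts whose write-I/O rate spikes far above their own baseline.

Constructed example (not from the thread): ransomware that encrypts at
the file level rewrites many files quickly, so a host's write throughput
jumps well above its normal level. A robust z-score (median / MAD) keeps
an occasional legitimate burst from hiding the next one, and a Shannon
entropy check on sampled writes separates encrypted output (close to
8 bits per byte) from ordinary documents.
"""
import math
import statistics
from collections import Counter
from typing import Dict, List, Sequence

# Constructed per-minute samples of megabytes written per host.
# The final value for "fileserver-2" simulates an encryption burst.
WRITE_MB_PER_MIN: Dict[str, List[float]] = {
    "fileserver-1": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15, 14, 12],
    "fileserver-2": [20, 22, 19, 25, 21, 23, 20, 24, 22, 21, 23, 900],
}


def robust_zscore(history: Sequence[float], current: float) -> float:
    """Distance of `current` from the median of `history`, in MAD units."""
    median = statistics.median(history)
    mad = statistics.median(abs(x - median) for x in history)
    # 1.4826 scales MAD to a standard-deviation estimate for normal data;
    # the floor stops a perfectly flat history from dividing by zero.
    scale = max(1.4826 * mad, 1e-9)
    return (current - median) / scale


def is_write_burst(series: Sequence[float], z_threshold: float = 8.0) -> bool:
    """True when the last sample is an outlier against all earlier samples."""
    *history, current = series
    return robust_zscore(history, current) > z_threshold


def flag_hosts(samples: Dict[str, List[float]]) -> List[str]:
    """Hosts whose latest write rate should be investigated, sorted by name."""
    return sorted(host for host, series in samples.items() if is_write_burst(series))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(data: bytes, min_entropy: float = 7.5) -> bool:
    """Heuristic: freshly written content with near-maximal entropy is
    suspicious when the file was previously a low-entropy document."""
    return shannon_entropy(data) >= min_entropy


if __name__ == "__main__":
    print("hosts with a write burst:", flag_hosts(WRITE_MB_PER_MIN))
    plaintext = b"quarterly report, section 1 " * 10          # constructed document
    ciphertext_like = bytes(range(256))                       # every byte value once
    print("plaintext entropy:", round(shannon_entropy(plaintext), 2))
    print("ciphertext-like entropy:", shannon_entropy(ciphertext_like))
```

In practice the throughput series would come from whatever host metrics you already collect (disk write bytes per interval), and the entropy check would sample the first few kilobytes of recently modified files; the thresholds here are illustrative and need tuning against the real baseline of each host class, since database or build servers legitimately write large, high-entropy (compressed) output.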
