Why Immutable Storage Can't Be Ransomed


By Philip Mataras

Ransomware targets backups too. Why permanent, immutable storage can't be encrypted or held for ransom—and what that means for critical data.

This past New Year's Eve, while I was on my couch watching the Stranger Things finale and eating cocktail weenies, the TridentLocker ransomware group hit Sedgwick Government Solutions and claimed 3.4 gigabytes of stolen data.

Sedgwick isn't some random target. They handle claims and risk management for DHS, ICE, CBP, USCIS, the Department of Labor, and CISA. Federal agencies. Sensitive data. And a ransomware group that emerged two months ago walked in and locked them out.

This is the reality now.

Ransomware attacks increased 58% in 2025. Recorded Future tracked over 7,200 publicly reported attacks last year and identified 134 distinct ransomware groups, a 30% increase from 2024. The prediction for 2026 is over 12,000 incidents, led by groups like Qilin, which hit 1,066 targets in 2025, up 408% from the previous year.

As the ransomware economy continues to professionalize, it's time to consider storage it can't ransom.

The backup myth

A common belief at organizations: if you have good backups, you can recover from ransomware. The attackers encrypt your files, you restore from backup, and you're back in business. The attackers know this too.

According to Sophos, 94% of organizations hit by ransomware in the past year said attackers attempted to compromise their backups during the attack. In state and local government, that number hits 99%.

And these attempts work. 57% of backup compromise attempts succeed. Veeam found that 93% of ransomware incidents target backup repositories specifically, and 75% of victims lose at least some of their backups. More than a third lose their backup repositories completely.

The math gets worse. Organizations whose backups were compromised received ransom demands that averaged more than double: $2.3 million versus $1 million for those with intact backups. They were almost twice as likely to pay. And even when organizations paid, 84% failed to fully recover their data.

Backups have become just another target on the list.

How ransomware actually works

Here's how modern ransomware operates.

The encryption is straightforward. Ransomware uses a hybrid approach: symmetric encryption (AES, ChaCha20) to encrypt your files quickly, and asymmetric encryption (RSA) to protect the keys. The attacker generates a unique key pair for each victim. The public key gets embedded in the malware. When it runs on your system, it generates a random symmetric key for each file, encrypts the file content, then encrypts that symmetric key with the public key.

Only the attacker has the private key. Without it, your files are gone.

Before the encryption even starts, modern ransomware actively terminates backup services, databases, and endpoint protection. It scans for backup files and backup repositories. It looks for network-attached storage. It finds your safety net and burns it first.

Some strains use intermittent encryption, encrypting only part of each file (for example, every other 16 bytes) to avoid detection. Others use multithreading to encrypt as fast as possible across all CPU cores. The goal is speed and coverage. Encrypt everything, including the backups, before anyone notices.

This is why the "just restore from backup" advice keeps failing. The attackers read the same security blogs you do. They adapted.

Why traditional storage is vulnerable

Ransomware works because traditional storage is mutable.

Every file on a standard system can be read, written, modified, or deleted. That's the design. It's how storage has always worked. You create a file, you edit it, you save it, the old version is gone.

Ransomware exploits this. It reads your file, encrypts the contents, writes the encrypted version back, and deletes or overwrites the original. The operation is indistinguishable from normal file activity at the system level. You're just writing data.

Backups sitting on mutable storage have the same vulnerability. They're files. They can be modified. They can be encrypted. They can be deleted.

Air-gapped backups help, in theory. In practice, you've got a backup from last Tuesday and everything since then is gone. And air-gapped systems still need to be connected at some point to receive the backup data, creating windows of vulnerability.

The core problem remains: if your storage layer allows modification, ransomware can exploit it.

Why immutable storage breaks the model

Permanent, immutable storage works differently.

On Arweave, the protocol that powers ar.io, data is written once and can never be modified or deleted. There is no "overwrite" operation. There is no "encrypt in place." Once data is stored, it exists in that exact form permanently, replicated across a distributed network of nodes.

Ransomware's entire attack model depends on being able to modify your files. Take away modification, and there's nothing to encrypt. The attack vector doesn't exist.

We're talking about a fundamentally different storage architecture.

When you store critical data on permanent storage, you're storing data in a location-independent form that can't be altered by anyone, including attackers who've compromised your network. The data isn't protected by access controls that can be bypassed. It's protected by the architecture itself.

The ar.io network adds distributed access on top of this. Hundreds of independent gateways operated by different parties in different locations. Even if an attacker compromised one access point, the data remains available through hundreds of others. No single point of failure or attack.
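To make the write-once and distributed-access points above concrete, here is an added example (not code from ar.io or Arweave, and not a model of the Arweave protocol): a simplified content-addressed store in which an object's ID is the SHA-256 of its bytes, plus a read path that checks each replica's answer against that ID. The names `WriteOnceStore` and `verified_read` and the sample backup bytes are hypothetical and constructed for illustration.

```python
import hashlib


class WriteOnceStore:
    """Toy replica: objects are keyed by the SHA-256 of their bytes."""

    def __init__(self):
        self._objects = {}

    def put(self, data: bytes) -> str:
        object_id = hashlib.sha256(data).hexdigest()
        # First write wins and an identical write is a no-op. There is no
        # update() or delete(), so an ID can never be re-pointed by the API.
        self._objects.setdefault(object_id, bytes(data))
        return object_id

    def get(self, object_id: str) -> bytes:
        return self._objects[object_id]


def verified_read(object_id: str, replicas) -> bytes:
    """Return the first replica response whose digest matches the ID."""
    for replica in replicas:
        try:
            data = replica.get(object_id)
        except KeyError:
            continue  # replica does not hold the object
        if hashlib.sha256(data).hexdigest() == object_id:
            return data
        # Digest mismatch: this replica served altered bytes, try the next.
    raise LookupError(f"no replica returned valid data for {object_id}")


def demo():
    backup = b"constructed sample: nightly database backup"
    replicas = [WriteOnceStore() for _ in range(3)]
    object_id = [r.put(backup) for r in replicas][0]
    # Writing altered bytes through the API only creates a new object with a
    # different ID; the original ID still resolves to the original bytes.
    altered = bytes(b ^ 0xFF for b in backup)  # stand-in for modified content
    altered_id = replicas[0].put(altered)
    # Simulate one replica whose underlying disk was tampered with directly.
    replicas[0]._objects[object_id] = altered
    recovered = verified_read(object_id, replicas)
    return object_id, altered_id, recovered == backup
```

The property this shows depends on the client holding the object ID somewhere the attacker cannot change; the ID is what lets any one replica's answer be checked without trusting that replica.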

The bottom line

When ransomware works, the average demand hits $2.3 million. Over 7,200 victims in 2025, with 12,000+ predicted for 2026.

The attackers aren't idiots. For the 94% that had their backups targeted, the strategy didn't fail because of bad execution. It failed because the architecture was exploitable.

Can your critical data be modified? Can access be cut off?

If it's immutable and your access is distributed across independent locations, ransomware has nothing to work with.

If you're evaluating this for your organization, I'm happy to talk. Reach out on LinkedIn or check out what we're building at ar.io.