Cloud Object Storage

Join us at TechXchange for a live demo of AI-powered threat detection with IBM Cloud & Veeam

By Jason Berry posted 3 days ago

  

Veeam is a global leader in data protection and ransomware recovery, trusted by organizations of all sizes to keep their critical data safe, available, and resilient. Our solutions deliver modern backup, rapid recovery, and intelligent, AI-powered threat detection that integrates seamlessly with leading cloud providers like IBM Cloud.

“Everyone has a plan until they get punched in the mouth.” – Mike Tyson

This quote perfectly captures the reality of cyber resiliency, as highlighted in Veeam’s 2025 Ransomware Trends Report[1]. One recurring theme is the need for a solid ransomware playbook. Yet, while 69% of ransomware victims believed they were ready before an attack, their confidence dropped by more than 20% after being “punched in the mouth” by a real incident.

As a kid in the 80s, I spent countless hours trying to beat Mike Tyson’s Punch-Out!! on the NES. Knowing the patterns was important, but it was the practice and real-time execution that eventually led you to beat the game. The same holds true in cybersecurity: having a plan is just the start—testing, refining, and executing under pressure make all the difference.

While 98% of organizations claimed to have a ransomware playbook, fewer than half included the critical technical elements necessary for effective recovery. Organizations with the most successful recoveries were far more likely to include these three elements in their playbooks:

Backup Verification and Frequency

Backing up data is something everyone does, but the toughest part is verifying that the data is clean—and that you can recover safely without restoring infected data into your environment. Veeam offers multiple ways to accomplish this:

  • Inline Threat Detection: Veeam has used AI/ML models trained on large datasets of normal backup behavior and known ransomware behavior. These models create a baseline entropy score. During the backup process, the proxy or agent analyzes block-level data for encryption, sequential encryption blocks, and onion links. An index is created for each backup, which is compared to the previous backup at the end of each run. If the entropy score shifts significantly, Veeam flags a potential ransomware event for that restore point.
  • Guest File Indexing Scan: Guest file indexing uses a similar entropy process but goes a step further by analyzing data at the file level. Entropy scoring is applied across various categories, such as the number of files deleted or renamed. By requiring multiple indicators to surpass defined thresholds, Veeam minimizes false positives and ensures only truly suspicious activity is flagged.
  • Threat Hunter / YARA Scans: The first two processes detect active threats during backup. To address dormant threats, Veeam offers Threat Hunter and YARA scans. Proactive scans scheduled through Veeam SureBackup can be configured to randomly choose workloads within a job to scan for malware. SureBackup scans can be scheduled to run after backups complete or on a daily, weekly, or monthly basis. Threat Hunter is Veeam’s built-in, signature-based malware scanner, while YARA scans can be customized to detect emerging or targeted threats. As an example, the YARA rule below helps identify a ransomware note by matching specific strings in files:
rule RansomwareNote
{
    meta:
        description = "Ransomware note"
    strings:
        // Ransom note text (Clop)
        $clop = "Your network has been penetrated.\n\nAll files on each host in the network have been encrypted with a strong algorithm."
        // ASCII-art banner (Medusa)
        $medusa = "$$\\ $$\\ $$$$$$$$\\ $$$$$$$\\ $$\\ $$\\ $$$$$$\\ $$$$$$\\"
        // Tor v3 onion address: 56 base32 characters, then a literal ".onion" (dot escaped)
        $onion_link = /\b([a-z2-7]{56}\.onion)\b/i
    condition:
        $clop or $medusa or $onion_link
}

This rule helps identify ransomware notes by looking for specific phrases and indicators often used by threat actors.
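
The block-level entropy comparison described under Inline Threat Detection can be sketched as follows. This is an added Python example, not Veeam's code or model: the block size, the 7.5 bits-per-byte cut-off, the 0.30 shift threshold and all function names are assumptions, and the sample images are constructed.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096      # assumed block size in bytes
HIGH = 7.5        # assumed cut-off (bits per byte) for "looks encrypted"
MAX_SHIFT = 0.30  # assumed tolerated rise in high-entropy share between runs

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (constant) up to 8.0 (uniform)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values()) if n else 0.0

def entropy_index(image: bytes) -> list:
    """One entropy score per block of a restore point."""
    return [shannon_entropy(image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]

def summarize(index: list) -> tuple:
    """Return (share of high-entropy blocks, longest run of consecutive ones)."""
    longest = run = 0
    for score in index:
        run = run + 1 if score >= HIGH else 0
        longest = max(longest, run)
    share = sum(s >= HIGH for s in index) / len(index) if index else 0.0
    return share, longest

def compare_restore_points(previous: bytes, current: bytes) -> dict:
    """Flag the current restore point if its high-entropy share jumped."""
    prev_share, _ = summarize(entropy_index(previous))
    curr_share, run = summarize(entropy_index(current))
    shift = curr_share - prev_share
    return {"shift": round(shift, 3), "longest_run": run, "flagged": shift > MAX_SHIFT}

def keystream(n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 in counter mode."""
    out = b"".join(hashlib.sha256(i.to_bytes(8, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]

# Constructed sample images: 16 blocks of CSV-like text form the baseline.
TEXT = (b"invoice,customer,amount\n" * 200)[:BLOCK]
BASELINE = TEXT * 16
ENCRYPTED = TEXT * 4 + keystream(12 * BLOCK)  # 12 sequential blocks overwritten
ONE_ARCHIVE = TEXT * 15 + keystream(BLOCK)    # one new high-entropy block only

if __name__ == "__main__":
    print(compare_restore_points(BASELINE, ENCRYPTED))
    print(compare_restore_points(BASELINE, ONE_ARCHIVE))
```

A single new high-entropy block, such as a freshly added archive, stays under the threshold, while a long run of overwritten blocks does not.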

Backup Copies and Assured Cleanliness

According to Veeam’s 2025 Ransomware Trends Report, 89% of organizations had their backup repositories targeted by threat actors. IBM Cloud Object Storage makes it easy to protect against such threats: object lock and versioning features enable immutable backups, providing robust protection and ensuring data cannot be altered or deleted by ransomware.

When configuring your bucket for the first time, object versioning must be enabled before immutability can be turned on.

[Figure: Object Versioning in IBM Cloud Object Wizard]

Since Veeam manages the data lifecycle, you’ll want to enable immutability without additional IBM Cloud policies, as shown below:

[Figure: Immutability in IBM Cloud Object Wizard]

Leverage Veeam technology to manage backup copies: use Backup Copy Jobs to manage copies by job or workload, or Scale-Out Backup Repository to manage copies by storage policy.

Alternative Infrastructure Arrangements

In the event of a ransomware attack, the ability to quickly restore workloads to IBM Cloud’s shared or dedicated environments is a significant advantage. This flexibility is vital, especially as ransomware becomes a tool for state-sponsored actors, with potential government investigations requiring on-premises hardware to be quarantined.

See it in-person—Like Little Mac in Mike Tyson’s Punch-Out!!

At IBM TechXchange, October 6-9, 2025, in Orlando, Veeam and IBM Cloud will demonstrate what a ransomware attack looks like—and show how zero trust principles can be used to design a cyber-resilient architecture. Together, IBM Cloud and Veeam help you move from planning to real-world resilience to take that first punch, like Little Mac, and keep moving forward.

Be sure to attend our session:

Smart Backup, Fast Recovery: AI-Powered Threat Detection with IBM Cloud & Veeam [1741]
Date / Time: Wednesday, Oct 8 @ 5:00 PM - 6:00 PM EDT
Register here and get 30% off your full conference pass along with access to Cloud Community Appreciation Day (Oct 6).
If you're a Cloud Champion or already have a free pass, go here to indicate your interest. 
