Is Your Storage Ready for a Ransomware Attack?

We hear about cyber attacks in the news almost every day. What doesn’t always make the headlines is just how routine ransomware has become, and how long it often takes organisations to realise they’ve been hit.

According to independent research from Omdia, 93% of organisations experienced an attempted ransomware attack in the last 12 months. That’s not a fringe problem; that’s almost everyone.

Even more concerning is how slowly many attacks are detected. Nearly nine in ten incidents went unnoticed for at least 24 hours, and almost half took more than a week to be discovered. By the time the alarm is raised, attackers may already have encrypted systems, corrupted backups, or quietly exfiltrated sensitive data.

For CIOs, CISOs, and IT leaders, the key question has shifted. It’s no longer if your organisation will face a ransomware attack, it’s when it happens, how quickly you’ll know, and how quickly you can recover.

These are exactly the questions Darren and Ben explore in their discussion on cyber resilience and IBM FlashSystem, inspired by the Omdia white paper.

Ransomware has evolved dramatically in recent years. What was once seen as an occasional disruption has become a persistent business risk.

Omdia’s research paints a stark picture: almost every organisation experienced an attempted ransomware attack last year, and many of those attacks remained undetected for significant periods of time. That delay is critical. The longer attackers remain inside an environment, the more damage they can do.

Given enough time, attackers can encrypt critical systems, destroy or tamper with backups, and move laterally across the infrastructure to reach more valuable data. They may also quietly exfiltrate information, creating both operational and regulatory risks.

For leadership teams, this changes the strategic conversation. Instead of asking whether defences are strong enough to prevent every attack, organisations increasingly need to ask three practical questions:

• How quickly can we detect suspicious activity?

• How fast can we contain it?

• How rapidly can we recover core services and data?

Surprisingly, the answers often come back to an area of the technology stack that has historically received far less security attention: storage.

One of the key insights from the Omdia research, and from Darren and Ben’s conversation, is that storage systems sit at the centre of modern ransomware attacks.

Attackers are not just targeting laptops or application servers. They are going directly after the systems that hold and protect the organisation’s most valuable asset: its data. In practice, that means the two most common targets are data protection infrastructure, backup and recovery platforms, and primary storage, where live business-critical data resides.

The logic for attackers is straightforward. If they can encrypt or destroy both your primary data and your backups, they dramatically increase the pressure to pay a ransom. Organisations are then forced to choose between paying attackers and hoping for a decryption key, or facing prolonged downtime, data loss, regulatory exposure, and reputational damage.

But storage is not only a target. It can also be the organisation’s strongest line of recovery.

Historically, storage systems were treated as passive infrastructure. They held data, while detection and response capabilities lived elsewhere in the technology stack, typically at the network or application level. That model is changing.

Increasingly, modern storage platforms are being designed as active participants in cyber defence, equipped with built-in intelligence that can detect abnormal behaviour and help protect data in real time. Rather than simply storing information, they can act as sensors and responders within a broader cyber-resilience strategy.

So what does that idea of “active defence” actually look like in practice?

Darren explains how IBM FlashSystem approaches the challenge by embedding AI directly into the storage hardware using technology known as FlashCore Modules. Instead of relying entirely on external monitoring tools, the storage system itself continuously analyses storage activity. Every read, write, and modification is evaluated in near real time to identify patterns that resemble ransomware behaviour, such as sudden spikes in file changes, unusually rapid encryption activity, or access patterns that deviate sharply from normal workloads.

These AI checks run approximately every two seconds across the system, constantly assessing whether activity appears to be legitimate business behaviour or something more suspicious. If the system detects activity that resembles ransomware, it doesn’t simply generate an alert and wait for a human response.

Instead, it immediately creates an immutable snapshot, a locked, point-in-time copy of the data that cannot be altered or deleted by ransomware, malicious insiders, or configuration errors. This snapshot effectively preserves a clean recovery point that can be used to restore systems if the attack progresses.

All of this happens automatically and rapidly. IBM offers a 60-second cyber threat detection and notification guarantee on FlashSystem, significantly reducing the amount of time attackers can operate before protective measures are triggered. The result is that the storage platform is not just holding data; it is actively protecting it.

Darren uses a helpful analogy to explain the concept.

Traditional smoke detectors detect smoke and sound an alarm. After that, the response relies on people waking up, assessing the situation, and taking action.

A modern smart fire protection system goes further. It detects smoke, raises the alarm, automatically seals off affected areas, activates sprinklers, and alerts emergency services.

IBM FlashSystem follows a similar model for data protection. It detects unusual behaviour, raises alerts, and automatically preserves a safe copy of the data before the damage spreads. That preserved snapshot becomes the clean state organisations can recover from if ransomware takes hold.

Importantly, IBM has tuned the system to minimise unnecessary alerts, with a reported false-positive rate of under 1%. That helps ensure teams receive meaningful signals rather than constant noise.

For industries such as financial services, retail, and healthcare, the implications are significant.

Financial institutions face strict operational resilience requirements and must maintain continuous trust with customers and regulators. Retailers depend on always-available transaction systems and supply chains. Healthcare organisations rely on digital systems that directly support patient care and safety.

Across these sectors, boards and executive teams are increasingly asking the same questions:

• How quickly would we know if we were under attack?
• How confident are we that our backups haven’t been compromised?
• Could we restore critical services within hours rather than days?
• Are we treating storage as a strategic control point, or simply as infrastructure plumbing?

The approach Darren and Ben discuss, combining AI-driven detection within the storage hardware with automated creation of immutable recovery points,  provides one practical way to address these concerns.

It transforms storage from a passive asset into an active component of an organisation’s cyber-resilience strategy, tightly connected to incident response, risk management, and business continuity planning.