Acronis Cyber Protect H2 2025 telemetry shows that backup jobs can succeed while still finishing too late, with tail latency and queued runtimes eroding real recovery readiness. Deep MSP tenant nesting also drives a sharp rise in failures, making governance, restore testing, and success-in-window measurement critical for resilience. #AcronisCyberProtect #CISA #Microsoft #AzureArchitectureCenter #AWS
Keypoints
- Backup success does not always equal recovery readiness; jobs may complete successfully after the backup window, increasing effective RPO and operational risk.
- In the worst week of H2 2025, the slowest 1% of backups took up to 11,125 seconds, or about 185 minutes, including queue time.
- Across H2 2025, the p95-to-p50 tail ratio ranged from 26.5x to 30.5x, showing that averages and medians understate real scheduling needs.
- Very deep MSP tenant hierarchies were associated with a sharp failure increase at nesting level 12, where failures reached 39.78% across 1,076 tenants.
- Destination choice and dependency chains matter: network shares and cloud combinations affect both failure rates and duration, while encrypted configurations often correlate with better-managed environments.
- The report recommends measuring success-in-window, designing for tail behavior, adding stronger MSP governance, and performing regular restore tests and recovery documentation checks.
- Ransomware resilience depends on offline or logically isolated backups, validated recovery points, and the ability to restore quickly under pressure.
MITRE Techniques
- [T1485 ] Data Destruction – Ransomware actors may delete accessible backups to block recovery (‘ransomware actors often try to delete or encrypt accessible backups to block recovery’).
- [T1486 ] Data Encrypted for Impact – Attackers may encrypt backups and production data to prevent restoration (‘ransomware actors often try to delete or encrypt accessible backups to block recovery’).
- [T1490 ] Inhibit System Recovery – The article describes targeting backups and recovery documentation to hinder recovery (‘ransomware attacks target data, backups and the documentation needed for recovery’).
- [T1078 ] Valid Accounts – Backup jobs depend on credentials and authorization, and failures can occur when credentials drift or are invalid (‘credentials’, ‘authentication and credential hygiene’, ‘expired password’).
- [T1133 ] External Remote Services – Managed multitenant environments and cloud-based backup operations rely on remote service access and external dependencies (‘cloud-only backups’, ‘multitenancy improves operational efficiency’).
- [T1105 ] Ingress Tool Transfer – Not explicitly named, but recovery-oriented backup data is moved to destinations for storage and restoration (‘backup window’, ‘destination classes’, ‘recovery point becomes available’).
- [T1491 ] Defacement – Not directly described; excluded from strong mapping due to lack of evidence.
Indicators of Compromise
- [IP addresses ] No IP addresses were mentioned in the article.
- [Domains / URLs ] No domains were mentioned in the article.
- [File hashes ] No file hashes were mentioned in the article.
- [File names ] No file names were mentioned in the article.
- [Dates / time ranges ] H2 2025 telemetry period – 2025-07-01 to 2025-12-31, with the worst week of 2025-10-20 highlighted for backup duration tail behavior.
- [Metrics / operational values ] Backup tail performance – 11,125 seconds (185.4 minutes), p95/p50 tail ratios of 26.5x to 30.5x, and nesting level 12 failure rate of 39.78% across 1,076 tenants.
- [Configuration / destination types ] Backup environments and destinations – cloud-only, local_folder, network-share + cloud, AES-256 encrypted always_incremental cloud jobs, and custom + AES-256 + local_folder.