A number of vendors have recently started touting an “airgap” storage capability in backup storage, typically using AWS S3 WORM or immutable object storage classes. The immutable setting in S3 means that the stored backups cannot be corrupted by the malware implementing the attack. Has this scenario actually occurred in any of the known ransomware attacks?

It has been my impression that organizations which have been impacted the worst have had the issue because they were not running backups properly; or, in other cases, they ran backups, but had limited retention periods. In the latter case, the malware infected systems and then lay dormant, waiting out the backup retention before encrypting systems storage. In this case, any system recovered from backup still has the malware in the restored image and immediately attacks on recovery.

In any event, the airgap solutions seem to be based on the assumption that malware is infiltrating the backup systems themselves and modifying or deleting the good backups. Are there any documented cases where this has happened? Are these “airgap” solutions marketing to a problem that has actually occurred? Or is it merely speculative, marketing for a problem or attack vector that might happen in the future if you don’t protect against it?