Listen to this article
Veeam released its 2025 Ransomware Trends report at VeeamON in late April, built on a survey of 1,300 organizations - 900 of which had suffered at least one ransomware attack in the prior twelve months. What makes this edition worth your time is that it measures preparedness twice: once before the attack, in what organizations believed and documented, and once after, in what they actually got back.
The attack rate is not the uncomfortable part. The uncomfortable part is what the attacked organizations believed the day before.
The paper looked immaculate
Going in, 98 percent of organizations had a ransomware playbook, and 69 percent of the victims believed they were prepared before they were hit. Then Veeam asked what was actually inside those playbooks, and fewer than half contained the technical elements that decide whether a recovery works:
98 percent had a playbook. 69 percent felt prepared. Then the attack graded the paper.
Then the attack graded the paper
Among the 900 organizations that were actually attacked, the recovery numbers bear almost no resemblance to the confidence numbers. Only one in ten got most of their data back:
The negotiation went better than the recovery: of the victims who paid a ransom, 82% paid less than the initial demand, and 60% paid less than half.
Sit with that pairing for a second. Sixty-nine percent believed they were prepared. Ten percent recovered more than 90 percent of their data. Those are different questions with different denominators, so resist the urge to subtract one from the other - but they are two measurements of the same organizations, taken on either side of the same event, and the distance between them is the story of the whole report.
Documented is not enforced
The gap between the paper and the outcome has a simple mechanism. A document describes what should happen; it has no way to make it happen. A playbook that lists backup verification does not verify a single backup - and 56 percent of playbooks did not even list it. A chain of command written into 30 percent of binders does not route the 2 AM decision in the other 70 percent. The organizations that felt prepared were not lying to the surveyors. They were measuring the existence of process, when the attack would grade the enforcement of it.
Enforced process is different in kind, not degree. It runs whether or not anyone remembers it, because it sits in the path of the work itself: a backup that is verified every time it is written, a change that cannot reach production without passing validation gates, a continuity posture that is checked continuously instead of asserted annually. The binder asks people to do the right thing. The gate makes the wrong thing impossible to do quietly.
The AuthorityGate take
Veeam sells backup, and its report naturally concludes that you should buy better backup - read it with the catalog in mind, as always. But the diagnosis survives the sales pitch: organizations graded their own preparedness by what they had documented, and the attack graded them by what they had enforced. The 98 percent playbook number and the 10 percent full-recovery number are both true. Only one of them was a control.
This is exactly why AuthorityGate Keystone treats validation as a gate rather than a guideline. Every change - human, pipeline, or AI agent - passes through a configurable eight-gate pipeline before production, with the consequential ones routed to a named human for approval. Nobody has to remember the playbook, because the playbook is the path. You can skip a binder on a bad day. You cannot skip a gate.
Next year's survey will almost certainly show a similar attack rate; 69 percent is not a number that improves because defenders feel more confident. What can change is which side of the recovery chart your organization lands on - and that gets decided long before the attack, by whether your process lives on paper or in the path.
Sources
Go deeper
Every agent action, validated before it takes effect
AuthorityGate's newsletter breaks down real AI incidents and the governance failures behind them. Our configurable 8-gate validation model is how organizations keep a named human accountable for what their AI actually does.