The whole promise of backup as ransomware insurance rests on one assumption: that the backup is clean. Attackers learned to break that assumption — dwelling in a network long enough to corrupt or encrypt the backups too, so that when the victim tries to restore, they restore the infection. Detecting ransomware in the secondary copies closes that trap.

Commvault Systems, Inc.'s US12026252B2, “Detecting ransomware in secondary copies of client computing devices” (issued July 2, 2024; CPC G06F 21/566 — runtime malware detection, and G06F 21/568 — detecting malicious data modification), describes scanning backup copies for ransomware. Read it at US12026252B2.

Mechanically, the system analyzes the secondary copies — the backups themselves — for the fingerprints of ransomware encryption and tampering, so the organization can identify a clean restore point rather than discovering corruption mid-recovery. The CPC pairing of malware detection with malicious-data-modification detection maps onto the exact question a restore depends on: is this backup still trustworthy?
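As an added illustration (not code from the patent, Commvault, or this page's author): the page does not say how the patented system recognizes encryption, so this sketch assumes one common heuristic, a low-to-high Shannon entropy flip between successive copies, and uses it to pick the last clean restore point. The thresholds, function names and sample snapshots are constructed for the example.

```python
import hashlib
import math
from collections import Counter

HIGH_ENTROPY = 7.5      # bits per byte; assumed cutoff for "looks encrypted"
SUSPECT_FRACTION = 0.5  # assumed share of prior files that must flip

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def flipped_files(prev: dict, curr: dict) -> list:
    """Paths that went from low to high entropy; already-high files are skipped."""
    flagged = []
    for path, old in prev.items():
        new = curr.get(path)
        if new is None or new == old:
            continue  # deleted or unchanged: nothing to compare
        if shannon_entropy(old) < HIGH_ENTROPY <= shannon_entropy(new):
            flagged.append(path)
    return sorted(flagged)

def last_clean_restore_point(snapshots: list):
    """Label of the newest copy taken before the first suspect one.
    snapshots: oldest-first (label, {path: bytes}); the oldest is the assumed baseline."""
    for (prev_label, prev), (_, curr) in zip(snapshots, snapshots[1:]):
        if prev and len(flipped_files(prev, curr)) / len(prev) >= SUSPECT_FRACTION:
            return prev_label
    return snapshots[-1][0] if snapshots else None

def noise(seed: bytes, size: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext or archives."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(size // 32))

# Constructed sample data: four nightly copies of three files.
TEXT = b"quarterly report line\n" * 200
CSV = b"id,amount\n1,100\n2,250\n" * 150
SNAPSHOTS = [
    ("mon", {"report.txt": TEXT, "ledger.csv": CSV, "photos.zip": noise(b"zip")}),
    ("tue", {"report.txt": TEXT + b"edit\n", "ledger.csv": CSV, "photos.zip": noise(b"zip")}),
    ("wed", {"report.txt": noise(b"a"), "ledger.csv": noise(b"b"), "photos.zip": noise(b"c")}),
    ("thu", {"report.txt": noise(b"a"), "ledger.csv": noise(b"b"), "photos.zip": noise(b"c")}),
]

if __name__ == "__main__":
    print(last_clean_restore_point(SNAPSHOTS))
```

Comparing each copy against its predecessor is what keeps the legitimately compressed `photos.zip` from being flagged, and it is why the unchanged but already-encrypted Thursday copy cannot be mistaken for a clean one: the walk stops at the first suspect transition.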

Why this is a business story: “cyber resilience” — the convergence of data protection and security — is the strategic repositioning of the entire backup industry. Commvault, Rubrik, Cohesity, and Veeam have all reframed backup as a security product, and Rubrik's 2024 IPO was priced on exactly that data-security narrative. Detecting ransomware inside backups is the feature that justifies the rebrand and the premium: a backup vendor that can guarantee a clean restore is selling security, not just storage.

The grounded read: ransomware detection in backups protects the last line of defense by verifying the secondary copies are clean before restore. Commvault's 2024 grant names that capability — central to the cyber-resilience repositioning that repriced the backup industry.