Maybe go two weeks' back and you'll get a clean instance, but that's two weeks' data loss, I've seen (non-tech) institutions hit where an hour of data loss is worth paying a ransom for.

https://en.wikipedia.org/wiki/Infrastructure_as_code

https://en.wikipedia.org/wiki/Virtual_machine

https://en.wikipedia.org/wiki/Disk_image

https://en.wikipedia.org/wiki/Shadow_IT

https://en.wikipedia.org/wiki/Von_Neumann_architecture

Separation of code and executables is a nice idea that approximately 0% of organisations fully adhere to.

> "definition files"

Not executable. Text. Readable by humans. Inspectable by humans so you can root out rootkits. Not even the valuable data that cyber criminals go for anyway - they go for personal and financial data, not k8s config files.

> https://en.wikipedia.org/wiki/Virtual_machine

> https://en.wikipedia.org/wiki/Disk_image

Neither of those are relevant. You don't back up virtual machines or image disks - you take afore-mentioned plain-text, audited config files and spin up new instance from scratch.

> https://en.wikipedia.org/wiki/Shadow_IT

If those are actually shadow IT, they won't be in the backups anyway.

> https://en.wikipedia.org/wiki/Von_Neumann_architecture

This is irrelevant snark. If you back up a data file, it doesn't matter that it's stored in the memory of a Von Neumann architecture - it's only going to be used as a data file.

> Separation of code and executables is a nice idea that approximately 0% of organisations fully adhere to.

Citation needed. Also, you just said:

> If the ransomware operators follow best practices

...so are we considering the ideal case, or not?

> I'm really not sure that has a serious answer.

Being snide is bad by itself, but it's even worse when you're wrong on top of it.

> If those are actually shadow IT, they won't be in the backups anyway.

Okay whatever then. I really don't have the energy. I'm just depressed people might believe you.