OVH Data Center Fire

When the Fire Took Everything: A Data Center Disaster That Destroyed Backups Too

The Night Everything Burned

It was just after midnight on March 10, 2021, in Strasbourg, France. A fire broke out at a facility operated by OVHcloud—Europe’s largest cloud hosting provider and the third-largest in the world. Thousands of businesses trusted OVHcloud to keep their websites running, their applications online, and their data safe.

Within hours, one building was completely destroyed and several others were damaged. Hundreds of businesses across Europe woke up to discover their websites were down. Their applications weren’t working. Their data was gone.

The shocking part wasn’t that a fire happened. Fires happen. The shocking part was how many businesses lost everything—not because they didn’t have backups, but because their backups burned alongside their primary data.

Same building. Same fire. Same outcome.


The Backup That Wasn’t Really a Backup

Bati Courtage, a French insurance brokerage company, had been paying OVHcloud for backup services. They believed their data was protected. Their contract stated that backups were “physically isolated from the infrastructure.”

They weren’t.

When the fire destroyed the data center, Bati Courtage discovered that their backup servers were in the same building as their production servers. A decade of business data—client records, transaction histories, the SEO rankings they’d built over years—was gone.

They weren’t alone. Another company, BluePad, a project management software provider, had been told their production server was in one building and their backup server was in another. After the fire, they learned both were actually in the same building that burned.

Both companies sued OVHcloud. Both won. The French court awarded over €400,000 in combined damages, finding that the hosting provider had failed to deliver on its promise of physically isolated backups.

A Major Provider, A Major Failure

This wasn’t some small, obscure hosting company. OVHcloud serves tens of thousands of businesses across Europe and beyond. Their customers included the French government, the UK’s Vehicle Licensing Agency, and the European Space Agency.

The company had been praised as an innovator, using advanced cooling designs and offering competitive cloud services. But when the fire struck, many customers discovered that their “backup” services weren’t what they assumed.

Some customers had been paying for backup servers that were housed in the same facility as their primary servers—sometimes even in the same building. When investigators later examined the situation, they found that OVHcloud’s backup architecture varied by service tier, and many customers simply didn’t realize their backups weren’t geographically separated.

After the fire, OVHcloud’s founder announced that all customers would receive backups by default in the future, acknowledging that the incident “will change the standard of the industry.” But for businesses that had already lost everything, that promise came too late.

The Statistics Nobody Wants to Think About

The OVHcloud fire was dramatic, but it illustrated a problem that affects businesses of all sizes, everywhere.

According to FEMA, 40% of businesses never reopen after a major disaster. Another 25% fail within one year. The Small Business Administration estimates that closer to 90% of businesses fail within two years of being struck by a disaster they can’t recover from quickly.

The key phrase there is “can’t recover from quickly.” FEMA data shows that 90% of businesses that can’t resume operations within five days of a disaster will fail within a year.

The difference between surviving a disaster and closing your doors often comes down to one question: Can you actually recover your data?

The Backup Proximity Problem

The OVHcloud victims made the same mistake countless organizations make: they assumed “backup” meant “protected.”

But backup frequency doesn’t matter if your backup is destroyed by the same event that destroys your primary data.

This mistake takes many forms:

  • Primary server and backup server in the same building
  • Backup drives stored in a desk drawer near the computers they back up
  • “Cloud backup” that’s actually a NAS in the office closet
  • “Offsite backup” that’s in a different room of the same building

When disaster hits a location, everything in that location is at risk. Fire doesn’t respect which server is primary and which is backup. Floodwater doesn’t avoid the shelf where you keep the backup drives. A burst pipe doesn’t care about your disaster recovery plan.

The 3-2-1 Rule Exists for a Reason

The 3-2-1 backup rule has been around for decades because it works:

  • 3 copies of your data. Your primary copy plus two backups. One copy isn’t backup—it’s just the only copy with a different label.
  • 2 different types of media. Not everything on the same type of hard drive. If that drive type has a flaw, all your copies fail together.
  • 1 copy offsite. Genuinely offsite. Different building. Different city, ideally. Geographically separated from the threats that could affect your primary location.

 

For modern organizations, “offsite” usually means cloud backup—real cloud backup, with data stored in professionally managed data centers with their own redundancy, security, and geographic separation from your primary location.

What Effective Disaster Protection Looks Like

The companies that survived the OVHcloud fire weren’t lucky. They were prepared. They had their data replicated to geographically distant locations. When the fire destroyed the Strasbourg facility, they switched to their backup infrastructure and kept operating.

Effective disaster protection includes:

  • Geographic redundancy. Data stored in multiple locations, far enough apart that a single event can’t destroy them all.
  • Automatic, continuous backup. Not something someone has to remember to do. Systems that back up constantly without human intervention.
  • Encryption in transit and at rest. Your data should be encrypted before it leaves your systems and remain encrypted in the cloud.
  • Tested recovery. Backups that can’t be restored aren’t backups—they’re false confidence. Regular testing confirms your backups actually work.
  • Reasonable recovery time. How long would it take to get back to operational? An hour? A day? A week? Know the answer before you need it.
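The 3-2-1 rule and the checks in the list above can be run against an inventory of where each copy of a dataset physically lives. This audit is an added example, not code from centrexIT or any hosting provider. The inventory fields, site and building names, coordinates, and the 100 km and 90-day thresholds are assumptions chosen for illustration.

```python
"""Audit a backup inventory against the 3-2-1 rule, proximity and restore tests.

Added illustration: field names, thresholds and both sample inventories are
assumptions (constructed data), not taken from any provider's API.
"""
from dataclasses import dataclass
from datetime import date
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional

MIN_SEPARATION_KM = 100     # assumed threshold for "geographically separated"
MAX_TEST_AGE_DAYS = 90      # assumed maximum age of the last restore test


@dataclass(frozen=True)
class Copy:
    name: str
    role: str                # "primary" or "backup"
    media: str               # e.g. "ssd", "hdd", "tape", "object-storage"
    building: str            # physical building, as verified, not as advertised
    lat: float
    lon: float
    last_restore_test: Optional[date] = None   # None means never tested


def distance_km(a: Copy, b: Copy) -> float:
    """Great-circle (haversine) distance between two copies' locations."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))


def audit(copies: List[Copy], today: date) -> List[str]:
    """Return findings; an empty list means every check passed."""
    primaries = [c for c in copies if c.role == "primary"]
    backups = [c for c in copies if c.role == "backup"]
    if len(primaries) != 1:
        return ["inventory must name exactly one primary copy"]
    primary, findings = primaries[0], []

    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies exist, need 3")
    if len({c.media for c in copies}) < 2:
        findings.append("2: every copy is on the same media type")

    # Backup proximity: a backup in the primary's building shares its fate.
    for b in backups:
        if b.building == primary.building:
            findings.append(f"proximity: {b.name} is in the same building as the primary")
    if not any(distance_km(primary, b) >= MIN_SEPARATION_KM for b in backups):
        findings.append(f"1: no backup is {MIN_SEPARATION_KM} km or more from the primary")

    # Tested recovery: an untested or stale backup is only assumed to work.
    for b in backups:
        if b.last_restore_test is None:
            findings.append(f"restore: {b.name} has never been restore-tested")
        elif (today - b.last_restore_test).days > MAX_TEST_AGE_DAYS:
            findings.append(f"restore: {b.name} restore test is older than {MAX_TEST_AGE_DAYS} days")
    return findings


TODAY = date(2025, 1, 15)   # constructed reference date

# Constructed inventory mirroring the failure described on this page:
# the "isolated" backup sits in the same building as production.
SAME_BUILDING = [
    Copy("prod-db", "primary", "hdd", "site-a/bldg-2", 48.58, 7.75),
    Copy("backup-1", "backup", "hdd", "site-a/bldg-2", 48.58, 7.75),
]

# Constructed inventory that satisfies every check.
SEPARATED = [
    Copy("prod-db", "primary", "ssd", "site-a/bldg-2", 48.58, 7.75),
    Copy("backup-local", "backup", "hdd", "site-a/bldg-4", 48.581, 7.751,
         date(2024, 12, 1)),
    Copy("backup-remote", "backup", "object-storage", "site-b/bldg-1",
         50.11, 8.68, date(2024, 11, 20)),
]

if __name__ == "__main__":
    for label, inv in (("same building", SAME_BUILDING), ("separated", SEPARATED)):
        print(label, "->", audit(inv, TODAY) or "all checks passed")
```

The `building` field is only useful if it records where the hardware was verified to be, which is the fact the affected customers in this story did not have.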

 

Physical Threats Beyond Fire

We spend so much time worrying about cyber threats that we forget data has to exist somewhere physical. Servers are machines. Hard drives are objects. They can be destroyed by the same things that destroy any physical object:

  • Burst pipes, roof leaks, flooding, sprinkler malfunctions, HVAC condensation.
  • Electrical fires, building fires, fires in adjacent spaces.
  • Environmental failures. Air conditioning breaks down, equipment overheats, temperature extremes destroy storage media.
  • Power events. Surges, outages, inconsistent power can damage equipment instantly or degrade it over time.
  • Human accidents. Someone trips over a power cable. A contractor drills through wiring. A cleaning crew unplugs something they shouldn’t.
  • Natural disasters. Earthquakes, hurricanes, tornadoes. San Diego doesn’t get hurricanes, but earthquakes are very real.

 

Questions For Your Organization

Think about where your data physically exists and ask:

  • If something destroyed our office tonight, where would our backup be?
  • Is our backup actually offsite, or just in a different room?
  • When was the last time someone tested whether we could restore from backup?
  • What physical threats exist to our data that we haven’t thought about?
  • How long would it take us to be operational again if we lost everything on-site?

 

The answers reveal whether you’re protected from physical disasters or just hoping they won’t happen.

The Lesson from Strasbourg

The companies that lost everything in the OVHcloud fire weren’t careless. Many of them were paying for backup services. They believed they were protected.

They learned the hard way that backup frequency doesn’t matter if backup location is wrong.

The court cases that followed established an important principle: if a service provider promises isolated backups, they need to actually be isolated. But the legal victory was cold comfort for businesses that lost years of data.

The better approach is making sure you never need that legal victory in the first place.


centrexIT has helped San Diego organizations build disaster-resilient backup systems since 2002. If you’re not sure whether your backups would survive a disaster at your location, let’s find out together.

Sources

  • Data Center Dynamics: “The OVHcloud fire still smolders” (March 2024)
  • Blocks and Files: “OVHcloud must pay damages for lost backup data” (March 2023)
  • Uptime Institute: “Learning from the OVHcloud data center fire” (March 2021)
  • FEMA: Business disaster statistics (2018)
  • Milken Institute: “Improving Small Business Disaster Response and Recovery”
  • Invenio IT: “Disaster Recovery Statistics” (September 2025)

 


The Tide Is Turning: Ransomware Victims Are Fighting Back—and Winning

Three Out of Four Are Saying No

For years, the ransomware story has been relentlessly grim. Hospitals paralyzed. Schools shuttered. Businesses bankrupted. Every headline reinforced the same terrifying message: the criminals are winning, and there’s nothing you can do about it.

That story is no longer true. Things are getting better.

In the third quarter of 2025, incident response firm Coveware reported that only 23 percent of ransomware victims paid—the lowest rate ever recorded. That means more than three out of four organizations were able to restore operations and manage the crisis without funding the criminals.

This isn’t luck. It’s the result of organizations partnering with managed IT providers who implemented the fundamentals: tested backups, 24/7 monitoring, and incident response plans that actually work.


The Numbers Tell the Story

The ransomware economy is in serious trouble—and not because criminals stopped trying.

In Q3 2025, the average ransom payment dropped 66 percent from the previous quarter to $376,941. The median payment fell 65 percent to $140,000. For attacks involving only data theft—no encryption—the payment rate dropped to just 19 percent.

Blockchain analysis firm Chainalysis reported that total ransomware payments fell from $1.1 billion in 2023 to $813.6 million in 2024—a 35 percent drop. This happened even as the number of attacks increased. More victims, less money. The criminals’ business model is breaking.

Meanwhile, Sophos found that 97 percent of organizations whose data was encrypted were able to recover it. The days when encryption meant certain doom are ending—for organizations that prepared.

What Changed: The Rise of Managed Security


Three forces have converged to shift the balance of power—and all three point to the value of professional IT management.

Managed Backup and Disaster Recovery

  • For years, “we have backups” was the answer organizations gave when asked about ransomware resilience. The problem was that many of those backups didn’t actually work when needed. They were connected to the same network the ransomware encrypted. They hadn’t been tested. They couldn’t be restored quickly enough to matter.
  • Organizations working with managed IT providers changed that equation. Professional backup solutions include air-gapped storage, immutable backups that can’t be encrypted, and—crucially—regular restoration testing. When ransomware hits, these organizations can actually recover. The criminals’ leverage disappears.
  • This is exactly the kind of backup infrastructure that managed service providers have been building for clients for years. The organizations that listened are the ones refusing to pay today.

24/7 Monitoring and Early Detection

The average ransomware attack doesn’t announce itself. It starts with a quiet intrusion—a compromised credential, a phishing email that worked, an unpatched vulnerability. What happens next depends entirely on whether anyone is watching.

Organizations with 24/7 security monitoring—the kind provided by managed IT and security operations centers—catch attacks in hours instead of weeks. That’s the difference between a contained incident and a full-blown catastrophe. When you detect the intrusion before the ransomware deploys, you’ve already won.

Small and mid-sized businesses can’t staff a security operations center themselves. But they can partner with providers who do it for them.

Incident Response Planning That’s Actually Been Tested

When ransomware hits, the first 60 minutes determine everything. Who gets called? What gets shut down? Where are the backups? Who has authority to make decisions?

Organizations that work with managed IT providers have answers to these questions before they need them. They’ve documented their response plans. They’ve tested them. They know exactly what to do when the call comes at 3 AM—and they have a partner who answers that call.

There’s also growing awareness that paying rarely delivers what victims hope for. According to Halcyon’s Q4 2024 research, 84 percent of organizations that paid ransoms still failed to fully recover their data. The promise of “pay and get your data back” has proven to be largely false.

A State That Refused to Pay

In late 2024, the state of Nevada discovered that ransomware had infiltrated its systems. The attack had actually begun months earlier, when an employee accidentally downloaded malicious software. By the time it was discovered, the attackers had established a significant presence.

Nevada didn’t pay.

“Nevada’s teams protected core services, paid our employees on time, and recovered quickly—without paying criminals,” Governor Joe Lombardo said. “This is what disciplined planning, talented public servants, and strong partnerships deliver.”

The state spent approximately $1.5 million on recovery—real money, but a fraction of what ransom payments typically cost. More importantly, they didn’t fund the criminals who attacked them or paint a target on their back for future attacks.

This is what preparation looks like in practice. Not immunity from attack—that doesn’t exist—but the ability to survive without surrendering.

The Real Lesson

The organizations refusing to pay aren’t the ones with unlimited budgets or armies of in-house security staff. They’re the ones who partnered with the right IT providers and took the fundamentals seriously before the attack happened.

They implemented managed backup solutions that actually work—and tested them regularly. They invested in monitoring that catches threats around the clock. They built incident response plans with their IT partners and practiced them. They made the hard decisions about what systems were critical and how to protect them.

None of this is glamorous. It doesn’t make headlines until it saves an organization from disaster. But it’s the difference between being a victim who pays and a victim who recovers.

What This Means for Your Organization

The data is clear: preparation works. Organizations that invested in professional IT management and resilience are successfully refusing to pay ransoms. The criminals know this—which is why they’re increasingly targeting the organizations that haven’t prepared.

Ask yourself: If ransomware hit your systems tonight, would you have a choice? Or would paying be the only option?

If you’re not sure, that’s your answer.

The good news is that it’s not too late. The same investments that are helping organizations refuse to pay are available to you: managed backup with tested restoration, 24/7 monitoring, incident response planning. None of it requires building an in-house security team—just a decision to work with partners who take this seriously.

The tide is turning. The question is whether you’ll be ready to swim with it.


Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

centrexIT has helped organizations build ransomware resilience since 2002. If you want to be among the organizations that can refuse to pay, let’s find out where you stand.

 

Sources

Coveware: Q3 2025 Ransomware Report – Payment rate and payment amount statistics (October 2025)

Chainalysis: 2025 Crypto Crime Report – Annual ransomware payment totals (February 2025)

Sophos: The State of Ransomware 2025 – Recovery and encryption statistics

Halcyon: Q4 2024 Ransomware Report – Post-payment recovery statistics

SecurityWeek: “Ransomware Payments Dropped in Q3 2025: Analysis” (October 27, 2025)

Carrier Management: “Nevada Ransomware Attack” (November 2025)

 


The Night a Grad Student Broke the Internet (And Why Today We Celebrate National Computer Security Day)

A Curious Question, A Catastrophic Result

On November 2, 1988, at 8:30 PM, a 23-year-old Cornell graduate student named Robert Tappan Morris had a simple question: How big is the internet?

To find out, he wrote 99 lines of code—a self-replicating program designed to quietly count computers on the network. He released it from an MIT computer (to hide his tracks) and went to dinner.

By the time he got back, he’d accidentally crashed 10% of the entire internet.

The Morris Worm on display at the Computer History Museum. Internet Worm decompilation. Photo courtesy Intel Free Press.

What Happened

Within 24 hours, about 6,000 of the 60,000 computers connected to the internet were grinding to a halt. Harvard, Stanford, NASA, and military research facilities were all affected. Vital functions slowed to a crawl. Emails were delayed for days.

The problem? A bug in Morris’s code. The worm was supposed to check if a computer was already infected before copying itself. But Morris worried administrators might fake infection status to protect their machines. So he programmed it to copy itself anyway 14% of the time—regardless of infection status.

The result: computers got infected hundreds of times over, overwhelmed by endless copies of the same program.

“We are currently under attack,” wrote a panicked UC Berkeley student in an email that night.

A VAX 11-750 at the University of the Basque Country Faculty of Informatics, 1988—the same year the Morris Worm struck. VAX systems running BSD Unix were primary targets. Photo: Wikimedia Commons

The Aftermath

The Morris Worm caused an estimated $100,000 to $10 million in damages. Morris became the first person convicted under the Computer Fraud and Abuse Act, receiving three years probation, 400 hours of community service, and a $10,000 fine.

But here’s the thing—Morris didn’t have malicious intent. He genuinely just wanted to measure the network’s size. His creation accidentally became the first major wake-up call for internet security.

The incident led directly to the creation of CERT (Computer Emergency Response Team) and sparked the development of the modern cybersecurity industry. The New York Times even used the phrase “the Internet” in print for the first time while reporting on it.

Why November 30th?

In direct response to the Morris Worm, the Association for Computing Machinery established Computer Security Day just weeks later. They chose November 30th specifically—right before the holiday shopping season—because cybercriminals love exploiting busy, distracted people.

That advice is even more relevant 37 years later.

The “1977 Trinity”: Commodore PET, Apple II, and TRS-80. Byte Magazine retrospectively named these three computers the pioneers of personal computing. When the Morris Worm struck in 1988, most people had never heard of “the internet.”

1988 vs. 2025: A Quick Comparison

Consider how things have changed:

Then: 60,000 computers connected to the internet.
Now: Over 15 billion devices.

Then: Total damage from Morris Worm: $100K-$10M.
Now: Average cost of a single data breach: $4.44 million.

Then: Attack motivation was curiosity.
Now: 97% of attacks are financially motivated.

Yet some things haven’t changed. The Morris Worm exploited weak passwords and unpatched systems—the same vulnerabilities that cause most breaches today.

The entire internet in 1977—just a handful of connected institutions. By 1988, this had grown to 60,000 computers. Today: over 15 billion devices. Source: Wikimedia Commons (Public Domain)

What This Means for You

Computer Security Day isn’t just history—it’s a reminder that the basics still work:

  • Multi-factor authentication stops 99.9% of account compromises
  • Regular, tested backups can save your business from ransomware
  • Employee training dramatically reduces successful phishing attacks

And yes—the holiday season really is prime time for attacks. Stay vigilant through January.

One More Thing

Robert Morris never went to prison. After completing his sentence, he co-founded Y Combinator (the startup accelerator behind Airbnb, Dropbox, and Reddit) and became a tenured professor at MIT—the same school where he launched his infamous worm.

In 2015, he was elected a Fellow of the Association for Computing Machinery—the organization that created Computer Security Day in response to his attack.

The lesson? The person who exposed the internet’s greatest vulnerabilities is now part of the establishment working to secure it. Threats evolve. Defenses must evolve too.

The question is: will yours?



centrexIT has been protecting businesses since 2002. Questions about your security? Let’s talk.


The ChatGPT Confession: How Your Employees Are Accidentally Leaking Proprietary Data to AI

Your employees aren’t trying to sabotage your company. They’re just trying to be productive.

A Google engineer copies a few lines of proprietary code into ChatGPT to debug a problem. A Samsung employee pastes semiconductor design specifications into a prompt, asking the AI to help optimize performance. A healthcare administrator shares a de-identified patient dataset (they think) to train an AI model for internal use. A financial analyst includes client account numbers in a spreadsheet she uploads to an AI tool for analysis.



The Video Call Requesting Money—That Wasn’t Real

A finance manager at a multinational company joins what appears to be a routine video conference. On screen: the CFO and several other executives. They need urgent approval for a $25 million transfer. The faces are familiar. The voices match. The urgency seems reasonable.

The transfer is approved. Days later, the company discovers the truth: every person on that video call was an AI-generated deepfake. The $25 million is gone.

This isn’t a hypothetical scenario. It happened in 2024. And according to Keepnet Labs research, more than 10 percent of companies have now experienced attempted or successful deepfake fraud, with losses from successful attacks reaching as high as 10 percent of annual profits.

For healthcare organizations, life sciences companies, and nonprofits operating on tight margins, you’re not immune. You’re actually more vulnerable.



Insider Threats: The Security Risk Living Inside Your Organization

You’ve secured the perimeter. You’ve hardened your network. You’ve implemented sophisticated threat detection. You’re protected. 

But what about the threats already inside your organization? 

Insider threats represent one of the most damaging and least understood cybersecurity risks. They’re not always malicious. They can be negligent employees, disgruntled team members, or sophisticated bad actors embedded within your organization. 

The financial impact is staggering: insider threats cost organizations an average of 15.38 million per incident—more than twice the cost of external breaches. 

And the worst part? Most organizations have minimal detection and prevention capabilities. 



Supply Chain Security: Your Weakest Link Is Killing You

You’ve invested heavily in your own security. You have firewalls, endpoint protection, and a strong incident response team. You’re protected. 

Then a vendor you work with gets breached, and your organization becomes the next victim. 

Supply chain attacks have become the preferred method for sophisticated threat actors. Why? Because it’s easier to compromise a smaller vendor than attack a hardened enterprise directly. Vendors become the backdoor into your organization, and by the time you discover the compromise, the damage is already done. 



Beyond Backups: Building a Ransomware Recovery Plan That Actually Works

Ransomware attacks have evolved. They’re no longer just about encryption and extortion. Modern ransomware campaigns combine encryption, data exfiltration, and multi-stage attacks designed to maximize pressure and financial extraction. 

And yet, most organizations have no documented recovery plan specific to ransomware scenarios. 

The assumption is simple: “If we have backups, we can recover.” The reality is far more complex—and far more dangerous. 




Cyber Insurance: The Hidden Exclusions You’re Missing

You have cyber insurance. You’re protected, right? 

Not necessarily. 

Many business leaders make a critical assumption: cyber insurance will cover the costs of a breach. In reality, cyber insurance policies are filled with exclusions, conditions, and requirements that can leave you exposed precisely when you need protection most. 

The worst time to discover gaps in your coverage is after a breach occurs. By then, it’s too late. 



Incident Response: What Separates a $50K Recovery from a $5M Disaster

When the alarm sounds, every minute counts. The difference between managing a breach and experiencing catastrophic operational collapse comes down to one thing: a tested, documented incident response plan.

Most leaders underestimate this critical gap. They have security tools in place, but when an actual attack occurs, the response is chaotic, costly, and often extends the damage exponentially. A company without a practiced incident response plan can face days of downtime, millions in recovery costs, and permanent reputational damage.

Here’s the reality: The average incident response time for unprepared organizations is 287 days. For organizations with a documented, tested plan? 24 days. That’s a tenfold difference in exposure, damage scope, and financial impact.
