Question
At 04:00 a storage alert fires: your **backup repository** share's used capacity is climbing fast and its dedup ratio is cratering. On inspection, the backup files are being rewritten with high-entropy data and renamed — your *backups* are being encrypted. Production app servers look fine (no `.locked` files, normal load) and last night's restore test passed. The backup service account had broad write access to the repository and was reused across jobs. EDR shows the activity originating from the backup orchestrator host. How do you triage, contain, and determine whether you can still recover — given that the thing being attacked is your recovery path?
Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.