That would be my question to all those mentioning backups. How do you recover if a hacker locks you out and has control of your system?
It's very difficult to answer that one without getting too deep into nerd-speak; but here is what I do in layman's terms:
I have my backup server, which is darn-near impossible to access by any means (firewall is closed to everything, I use a reverse SSH tunnel to a SSH bastion server, use 2FA/MFA, etc.), log into my production servers and retrieve data at intervals. That way, if anyone gains access to my production servers they cannot access the backup server. The backup server keeps several hours, and discretely several days, weeks, months and even a year back, separate from each other. So even if a hacker compromises but does not encrypt my data, as a last resort I still have data present from before the breach.
Even more importantly, I grab the data from my backup servers and download it locally to my home office, where they are placed on storage media disconnected from my workstation ("air-gapped") and from power.
Not only that, but at my cloud provider (Google Cloud Platform in my case, Amazon for others, Microsoft for others, Oracle, etc.) I make "images" of the entire system - OS and all - daily. In the event of a lesser breach, like a bad actor compromising one of my clients' WordPress sites, for example, I can very, very quickly and easily simply make a new server with a day-old stored image, find and fix the breach and carry on. And this is essentially what I'd do in the event of a larger breach: Spin up some new virtual machine with my cloud provider, find and fix the vulnerability, restore the data and get back to work.
I've been making web sites since the internet was still called "The Information Superhighway" and I have never had a breach of any sort, thankfully. I am a very small-time developer but most of my clients are regional-scale non-profits who are subject to phishing and social engineering attempts. The thought of letting one of these clients down sits deep enough in my mind that I take security pathologically.
I get the sense that sometimes these larger organizations leave security to people who don't care enough to be pathological, outsource it to people who may not understand their operations properly, or their security operations are the victims of budget shrinkage; like the utilities department I'd read about in Florida a couple of years back who had a bunch of servers connected to one TeamViewer account, administered by someone obviously not pathological about security, with a weak password. Duh.
Heck, my brother-in-law works for a software development firm whose infrastructure is hosted by IBM. At some point the IBM cloud suffered a brief outage. My brother-in-law went to check the IBM cloud status server, which was also down because the status server was at the same @#$% data centre that had gone down!!! Multi-level bureaucracies can be much, much dumber than individuals in the right circumstances.
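The retention scheme described in the post above (several hours, then days, weeks, months and a year, each kept separately) is the part of a pull-based backup that is easiest to get wrong, so here is a worked version of it. This is an added example, not the commenter's own script. It assumes the backup host (the only side that ever initiates a connection, so production servers hold no credentials for it) writes each pull into a sibling directory named by UTC timestamp such as 2024-03-10T1200Z, and the tier quotas in DEFAULT_POLICY are illustrative. The pull itself (for example rsync over the reverse SSH tunnel) is not shown; the script covers only which snapshots survive and the prune step, which should run on the backup host and defaults to a dry run.

```python
"""Tiered retention for pull-style backup snapshots.

Added example, not the commenter's actual tooling. Assumptions: the backup
host (the side that initiates every copy, so production holds no credentials
for it) writes each pull into a sibling directory named by UTC timestamp, e.g.
2024-03-10T1200Z, and the quotas in DEFAULT_POLICY are illustrative.
"""
from __future__ import annotations

import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

FMT = "%Y-%m-%dT%H%MZ"  # assumed snapshot directory name format

# Assumed policy: number of distinct buckets kept per tier (the newest
# snapshot in each bucket survives). A snapshot wanted by any tier is kept.
DEFAULT_POLICY = {"hourly": 24, "daily": 7, "weekly": 5, "monthly": 12, "yearly": 2}


def parse_ts(name: str) -> datetime:
    return datetime.strptime(name, FMT).replace(tzinfo=timezone.utc)


def bucket(ts: datetime, tier: str) -> tuple:
    """Map a timestamp to the tier's bucket key (ISO weeks for 'weekly')."""
    if tier == "hourly":
        return (ts.year, ts.month, ts.day, ts.hour)
    if tier == "daily":
        return (ts.year, ts.month, ts.day)
    if tier == "weekly":
        year, week, _ = ts.isocalendar()
        return (year, week)
    if tier == "monthly":
        return (ts.year, ts.month)
    if tier == "yearly":
        return (ts.year,)
    raise ValueError(f"unknown tier {tier!r}")


def select_keep(names, policy=DEFAULT_POLICY) -> set:
    """Return the snapshot names that the policy says to keep.

    Each tier walks the snapshots newest-first, keeps the first (newest)
    snapshot seen in each distinct bucket, and stops once it has filled its
    quota of buckets. A snapshot claimed by several tiers is counted once.
    The newest snapshot is always kept, because it heads every tier.
    """
    ordered = sorted(names, key=parse_ts, reverse=True)
    keep = set()
    for tier, quota in policy.items():
        seen = set()
        for name in ordered:
            key = bucket(parse_ts(name), tier)
            if key in seen:
                continue
            seen.add(key)
            keep.add(name)
            if len(seen) >= quota:
                break
    return keep


def prune(root: Path, policy=DEFAULT_POLICY, dry_run: bool = True) -> list:
    """Delete (or, when dry_run, only list) snapshot directories not kept.

    Run this on the backup host only. The prune step is the one place the
    policy destroys data, so it defaults to a dry run; review the list first.
    """
    names = [p.name for p in root.iterdir() if p.is_dir()]
    doomed = sorted(set(names) - select_keep(names, policy))
    if not dry_run:
        for name in doomed:
            shutil.rmtree(root / name)
    return doomed


def demo():
    """Constructed input: 60 days of hourly snapshots ending 2024-03-10 12:00Z."""
    now = datetime(2024, 3, 10, 12, tzinfo=timezone.utc)
    names = [(now - timedelta(hours=h)).strftime(FMT) for h in range(60 * 24)]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in names:
            (root / name).mkdir()
        doomed = prune(root, dry_run=True)  # dry run: nothing is deleted
    return select_keep(names), doomed


if __name__ == "__main__":
    keep, doomed = demo()
    print(f"keep {len(keep)} of {len(keep) + len(doomed)} snapshots")
    print("oldest kept:", min(keep, key=parse_ts))
```

With the constructed 60 days of hourly pulls, 35 snapshots survive: the last 24 hours, the end of each of the previous 5 days beyond those, the end of each of the 4 earlier ISO weeks, and the end of February and January; the yearly tier adds nothing because only one year is present. Anything the policy would delete is returned first as a list, so the destructive run can be gated on a review of that list.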