The problem is threefold once a machine is compromised:
- You may have backed up nothing.
  - The attacker can compromise backups to make it look like they’re being done when they’re not.
- You may have backed up malware.
  - Depending on how long it has taken to discover the compromise, the backups may contain the malware, which you will then reinstall onto the machines.
- The backup may not be correct.
  - The backups may have been degraded. This can be checked with test restores.
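
A test restore can be checked mechanically rather than by eye. The following is an added example, not part of the original text: it assumes a manifest of SHA-256 hashes and a backup timestamp recorded at backup time and stored where the backed-up machine cannot write to it; the function names, paths and file contents are constructed for illustration.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large restores are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restore(manifest, restore_dir, backup_time, max_age_s, now=None):
    """Return sorted (problem, relative_path) findings for a test restore."""
    root = Path(restore_dir)
    findings = []
    if (time.time() if now is None else now) - backup_time > max_age_s:
        findings.append(("stale_backup", ""))  # job may be silently failing
    restored = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in restored:
            findings.append(("missing", rel))
        elif sha256_file(root / rel) != expected:
            findings.append(("hash_mismatch", rel))  # degraded or altered
    findings += [("unexpected_file", rel) for rel in restored - set(manifest)]
    return sorted(findings)


def demo():
    """Constructed sample: one damaged file, one missing, one extra, old backup."""
    good = {"etc/app.conf": b"port=8443\n", "data/users.db": b"alice,bob\n",
            "data/orders.db": b"1001,1002\n"}
    manifest = {p: hashlib.sha256(c).hexdigest() for p, c in good.items()}
    restored = {"etc/app.conf": good["etc/app.conf"],
                "data/users.db": b"alice,b\x00b\n", "bin/updater": b"extra\n"}
    with tempfile.TemporaryDirectory() as d:
        for rel, content in restored.items():
            path = Path(d) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(content)
        now = 1_000_000.0  # fixed clock so the result is reproducible
        return verify_restore(manifest, d, now - 10 * 86400, 2 * 86400, now)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

An empty result only shows that the restore matches the manifest. It says nothing about whether the manifest itself was recorded before the compromise, so the "backed up malware" case still needs a known-clean point in time to restore from.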