Reply to post:

First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo

Twanky

Not off-site (though that is a good idea too), but off-line backups. In the reported case the bad guys were able to spin up a VM in CWT's systems which means (should mean) highly privileged access. If CWT had off-line backups then perhaps the same privilege was used to bring them on-line and damage/delete them?

The above is speculation of course, but if bad guys have had highly privileged access to your systems then you can never be sure they really are your systems any more.
