It's not quite expert hackers, but Coveware have been tallying the stats on method of crypto infection for a while, and RDP compromise has been well up there for a while - Q4 2019 their stats show that 57.4% of ransomware was via RDP compromise vs 26.3% via email phishing. I'm not in an IT business but occasionally have customers (or our sales guys, on behalf of the customers) reach out when they have a huge issue, and I've spoken with multiple who after a review found that the infection came in via RDP open to the web, crap passwords etc - of the 3 most recent only 1 had viable backups (unsure on the specifics, but untouched by the crypto so likely offline), one had their backups directly connected to their server so they were also crypto'd, the last one had no backups. I'd be very surprised if there's not a similar weakness in a large number of small/mid sized business all over the place. Personally I don't trust anyone outside of my place of work to really care about my place of work - even vendors we pay to care about it. Relying on an external vendor/DC provider/whatever to do backups correctly (especially when you can't verify them) is unwise, and not having a contracted RTO with them is equally unwise because they can just say "we'll fit it in whenever". I've had a case personally where I requested a web host who kept backups (as an additional paid service) of our VPS/Web server to restore some files and only then did they claim that not just the latest backup, but *all* backups they had were corrupted (I had my own, so while it took longer it was restored - and we moved our services elsewhere), and had a customer (as above, non IT customer) contact me regarding similar when their cloud host performed an unannounced upgrade to an incompatible DB server on a Saturday, then on monday claim that backups are only kept for 24hrs so they had no backup of their DB prior to the upgrade, preventing them from restoring to a compatible DB server (from memory the customer had a backup from prior to their move to cloud, but it was a few months old so lost a lot of data).