Often the attackers wait until the retention policy for backups has been hit before unleashing the payload of ransomware.

This way, even if you have a snapshot from 7 days ago, it's also infected.

Or even worse they have physical access to the backup server/storage and just delete backups infect them as well.