Skip to content
BACKUP · 2026-07-11

Backups that survive ransomware

Modern ransomware encrypts your backups before it announces itself. The design question is what survives that.

The ransom note is the last step of a ransomware attack, not the first. By the time it appears, the attacker has typically been inside for a while, and one of the first things they looked for is your backups. A backup the malware can reach is a backup you should assume will be encrypted alongside everything else. That single fact should drive the whole design.

Why the backup drive next to the server does not count

A USB drive plugged into the server, or a network share the server can write to, is not protection against ransomware. It is on the same network, reachable with the same credentials, and it gets encrypted in the same pass. It still protects you from a dead hard drive. That was the threat model in 2010. It is not the one that empties companies now.

The 3-2-1 rule in plain terms

The old rule still holds because it is about failure independence: three copies of your data, on two different kinds of storage, with one copy somewhere else. The point is that no single event, whether a fire, a theft, a bad update, or an attacker with admin credentials, can take all three copies at once. Every part of the rule exists to break a shared point of failure.

What immutable means, and why it matters most

An immutable backup is a copy that cannot be altered or deleted for a set period, by anyone, including an administrator whose credentials have been stolen. That last clause is the whole value. Ransomware operators routinely obtain admin access, and an attacker with admin access can delete ordinary backups. Immutability is the property that holds even then.

In practice this looks like object storage with a retention lock, or a backup appliance that enforces write-once windows. The label on the product matters less than the test: if a domain admin cannot delete last week's copy on purpose, an attacker cannot either.

Restore drills, RPO, and RTO without the fog

Two acronyms carry most of the weight in backup planning, and both are simpler than they sound. RPO, recovery point objective, is how much recent work you are willing to lose, which is set by how often backups run. RTO, recovery time objective, is how long you can afford to be down, which is set by how fast you can restore. A nightly backup means an RPO measured in hours of lost work. A restore nobody has ever rehearsed means an RTO measured in guesses.

A restore drill replaces the guesses. Pick a real system, restore it somewhere safe, time the process, and verify the restored copy works. The drill tells you three things the backup dashboard cannot: whether the backups are usable, how long a real recovery takes, and where the gaps are while they are still cheap to fix.

What to ask whoever runs your backups

  • Which copy survives if an attacker gets admin credentials, and what makes it survive?
  • When did we last restore something, and how long did it take?
  • How much work would we lose if we restored right now?
  • Is at least one copy off-site, and is it isolated from the office network?
  • What is NOT covered: which laptops, mailboxes, or cloud data sit outside the backup?

None of this requires enterprise budgets. Immutable storage and off-site copies are commodity services now, and a restore drill costs an afternoon. What it requires is treating the backup system as something an intelligent adversary will target, because that is now the accurate description.

NEXT STEP

Talk it through first.

Bring the date of your last successful restore to the call. If nobody knows it, that is exactly what the call is for.

Free, no obligation · we reply within one business day.

Book a free consult →