Ransomware Recovery Planning: Designing Backup Strategies That Survive An Attack

Modern ransomware targets your backups before anything else. Here's how immutable storage, air-gapping, and recovery testing keep your data recoverable.

Last updated on May 28, 2026
Written by Mirren McDade
Technical Review by Laura Iannini

Your disaster recovery plan exists to return you to normal operations when everything goes wrong. Malicious actors are making this harder by targeting your backups directly, so that when you go to recover your data, you are locked out of it. They do this knowing that if they manage to destroy your ability to recover, the pressure to pay the ransom increases dramatically. If you are unable to restore a clean backup, what other options do you have?

This is supported by Veeam’s 2025 Ransomware Trends Report, in which 89% of organizations that experienced a ransomware attack reported that attackers specifically targeted their backup repositories. Having backups is no longer enough to recover your data. You need backups that will survive an attack designed to destroy them.

In this article, we’ll look into why modern ransomware targets backup infrastructure, explain the 3-2-1 backup rule and why it needs to be extended, and walk through the practical strategies (immutable storage, air-gapped backups, and recovery testing) that give your organization a realistic chance of recovering data without paying a significant ransom.

Why Ransomware Targets Backups First

Modern ransomware operations involve days or weeks of reconnaissance inside your network before encryption begins. During that time, attackers will map out your environment, escalate privileges, and identify your backup infrastructure, all with the goal of eliminating every possible recovery option before you even know you have been compromised.

In practice, this means attackers look for backup servers, admin credentials for backup management consoles, and accessible backup repositories on the network. They delete Windows Volume Shadow Copies, target backup agents running on production servers, and wipe any repository they can reach. If your backup infrastructure is on the same network and protected by the same credentials as everything else, it is a target.

The Sophos State of Ransomware 2025 report found that the use of backups for data recovery dropped to a four-year low of 53%, down from 73% the previous year. This does not mean that organizations stopped keeping backups; it means that more of those backups were compromised, corrupted, or inaccessible when they were needed most. A ransomware backup strategy that only accounts for hardware failure or accidental deletion will not survive an adversary that is actively hunting your recovery infrastructure.

The 3-2-1 Backup Rule And Why It Still Matters

What Is The 3-2-1 Backup Rule?

The 3-2-1 backup rule is one of the most widely recommended frameworks for data protection, and its name is an easy way to remember the core principles of backup:

  • Three copies of your data, so no single failure can wipe out every version
  • Two different media types (e.g., disk and cloud, or disk and tape), so a media-specific failure does not take out all copies at once
  • One copy offsite, so a localized event like a fire or flood does not destroy everything in one location

For decades, this was a reliable baseline.

Why 3-2-1 Alone Is Not Enough Anymore

The 3-2-1 backup rule was designed for hardware failure and natural disaster, not for combating an adversary who spends two weeks inside your network mapping every backup location before pulling the trigger. If all three copies are accessible from the same network, a ransomware operator with admin credentials can encrypt or delete all of them in a single operation. If your offsite copy is a cloud repository that your backup server connects to with stored credentials, it is just as vulnerable as your on-prem copies.

This is why many organizations now extend the framework to 3-2-1-1 or 3-2-1-1-0: the additional “1” represents at least one copy that is either immutable or air-gapped, and the “0” represents zero errors in recovery testing. The original rule remains a strong foundation, but it needs these additional layers to function as a credible ransomware backup strategy.
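The extended rule is easiest to apply as a checklist against an inventory of your actual copies. The script below is an added example (not from the article or any vendor): it scores a list of backup copies against each element of 3-2-1-1-0 and names the elements that fail. The two inventories are constructed, and the `BackupCopy` fields are an assumption about what a backup catalogue would record about each copy.

```python
"""Check a backup-copy inventory against the 3-2-1-1-0 rule.

Added example (not from the article or any vendor): the inventories below are
constructed, and the BackupCopy fields are an assumption about what a backup
catalogue would record about each copy.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                       # "disk", "tape", "object-storage", ...
    offsite: bool                    # stored away from the primary site
    immutable: bool                  # WORM / object-lock retention enforced
    air_gapped: bool                 # physically or logically disconnected from production
    last_test_errors: Optional[int]  # errors in the last restore test; None = never tested


def evaluate_3_2_1_1_0(copies: List[BackupCopy]) -> dict:
    """Return a pass/fail flag for each element of 3-2-1-1-0."""
    return {
        "3_copies": len(copies) >= 3,
        "2_media": len({c.media for c in copies}) >= 2,
        "1_offsite": any(c.offsite for c in copies),
        # The extra "1": at least one copy that an attacker holding production
        # credentials can neither reach nor alter.
        "1_immutable_or_air_gapped": any(c.immutable or c.air_gapped for c in copies),
        # The "0": every copy has a restore test on record with zero errors.
        "0_test_errors": bool(copies) and all(c.last_test_errors == 0 for c in copies),
    }


def failing_controls(copies: List[BackupCopy]) -> List[str]:
    """List the elements of the rule that the inventory does not satisfy."""
    return [name for name, ok in evaluate_3_2_1_1_0(copies).items() if not ok]


# Constructed inventory: satisfies 3-2-1-1, but the tape copy has never been restore-tested.
SAMPLE_INVENTORY = [
    BackupCopy("onsite-disk", "disk", offsite=False, immutable=False, air_gapped=False, last_test_errors=0),
    BackupCopy("cloud-object-lock", "object-storage", offsite=True, immutable=True, air_gapped=False, last_test_errors=0),
    BackupCopy("offsite-tape", "tape", offsite=True, immutable=False, air_gapped=True, last_test_errors=None),
]

# Constructed inventory matching the failure the article describes: three copies, all
# disk, all on the production network, all reachable with the same admin credentials.
SAME_NETWORK_INVENTORY = [
    BackupCopy(f"nas-{i}", "disk", offsite=False, immutable=False, air_gapped=False, last_test_errors=0)
    for i in range(3)
]

if __name__ == "__main__":
    for label, inventory in (("sample", SAMPLE_INVENTORY), ("same-network", SAME_NETWORK_INVENTORY)):
        print(f"{label}: fails {failing_controls(inventory) or 'nothing'}")
```

Treating "never tested" as a failure of the "0" element is deliberate: an untested copy gives you no evidence either way, which for recovery planning is the same as an error.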

Immutable Storage: Backups That Cannot Be Altered

Immutable storage means that once data is written, it cannot be modified or deleted for a defined retention period, even by someone with administrative access. This is implemented through Write-Once-Read-Many (WORM) technology, object lock policies in cloud storage (such as AWS S3 Object Lock or Azure Immutable Blob Storage), or purpose-built backup appliances with built-in immutability.

Even if an attacker gains full admin access to your backup management console, they cannot encrypt, overwrite, or delete immutable backup copies.

There are two main deployment options: cloud-based immutability, which uses object lock features in public cloud storage and is relatively simple to configure but depends on bandwidth for recovery speed, and on-prem immutable storage, which uses hardened appliances or Linux-based repositories with immutable flags to keep data local for faster recovery but requires physical security and careful configuration.

One important caveat: immutability protects the integrity of your backup data, but it does not guarantee recoverability. A backup that is immutable but was taken from an already-compromised system, or that has never been tested for restoration, is still a risk. Immutability is the integrity layer, not the whole strategy.
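To make the "even by someone with administrative access" property concrete, here is an added example that models object-lock retention on a backup repository. It is not the article's code and not a real S3 or Azure API; it reproduces the behaviour described above (no modification or deletion until the retention period ends) and the distinction between a compliance-style lock that nobody can shorten and a governance-style lock that a privileged principal with a bypass permission can override. The mode names follow S3 Object Lock's GOVERNANCE/COMPLIANCE terminology; the repository class, its methods, the timeline and the sample objects are constructed.

```python
"""Model of object-lock retention on a backup repository.

Added example: not the article's code and not a real S3 or Azure API. It models the
behaviour the article describes (nothing written can be modified or deleted until its
retention period ends, even by an administrator). Mode names follow S3 Object Lock's
GOVERNANCE/COMPLIANCE distinction; everything else here is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


class ImmutabilityViolation(PermissionError):
    """Raised when a write or delete would break a retention lock."""


@dataclass
class LockedObject:
    data: bytes
    retain_until: datetime
    mode: str  # "COMPLIANCE" (nobody can shorten it) or "GOVERNANCE" (privileged bypass possible)


class ImmutableRepository:
    def __init__(self, retention: timedelta, mode: str = "COMPLIANCE") -> None:
        if mode not in ("COMPLIANCE", "GOVERNANCE"):
            raise ValueError("mode must be COMPLIANCE or GOVERNANCE")
        self.retention = retention
        self.mode = mode
        self._objects: Dict[str, LockedObject] = {}

    def put(self, key: str, data: bytes, now: datetime) -> None:
        """Write an object; overwriting a key still under retention is refused."""
        existing = self._objects.get(key)
        if existing is not None and now < existing.retain_until:
            raise ImmutabilityViolation(f"{key} is locked until {existing.retain_until.isoformat()}")
        self._objects[key] = LockedObject(data, now + self.retention, self.mode)

    def delete(self, key: str, now: datetime, is_admin: bool = False, bypass_governance: bool = False) -> bool:
        """Delete an object. Admin rights do not help under COMPLIANCE; under
        GOVERNANCE an admin who also holds the bypass permission can delete early."""
        obj = self._objects[key]
        if now < obj.retain_until:
            if not (obj.mode == "GOVERNANCE" and is_admin and bypass_governance):
                raise ImmutabilityViolation(f"{key} is locked until {obj.retain_until.isoformat()}")
        del self._objects[key]
        return True

    def keys(self) -> List[str]:
        return sorted(self._objects)


def surviving_after_admin_wipe(repo: ImmutableRepository, now: datetime) -> List[str]:
    """Defender's check: which copies would remain if the backup console's admin
    credentials (including any bypass permission) were misused at time `now`?"""
    survivors = []
    for key in repo.keys():
        try:
            repo.delete(key, now, is_admin=True, bypass_governance=True)
        except ImmutabilityViolation:
            survivors.append(key)
    return survivors


def demo() -> dict:
    """Run the check for both modes on a constructed 30-day retention timeline."""
    t0 = datetime(2026, 5, 1, tzinfo=timezone.utc)
    results = {}
    for mode in ("COMPLIANCE", "GOVERNANCE"):
        repo = ImmutableRepository(timedelta(days=30), mode=mode)
        repo.put("backup-2026-05-01", b"constructed backup image", now=t0)
        repo.put("backup-2026-05-02", b"constructed backup image", now=t0 + timedelta(days=1))
        results[mode] = {
            "during_retention": surviving_after_admin_wipe(repo, t0 + timedelta(days=2)),
            "after_retention": surviving_after_admin_wipe(repo, t0 + timedelta(days=40)),
        }
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        print(mode, outcome)
```

The practical takeaway from the GOVERNANCE branch is the one the caveat above hints at: a lock that an administrator can bypass is only as strong as the credential that holds the bypass permission, which is exactly the credential an attacker with console access already has. Retention that cannot be shortened by anyone, combined with a retention period longer than the attacker's dwell time, is what makes the copy survive; it still says nothing about whether the copy restores cleanly.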

Air-Gapped Backups: Taking Copies Offline

What Is an Air-Gapped Backup?

An air-gapped backup is a copy of your data that is physically or logically disconnected from your production network. Because ransomware can only encrypt what it can reach, an air-gapped copy sits outside the blast radius of a network-wide attack. This makes offline backups one of the best tools in your arsenal against ransomware.

Physical vs. Logical Air Gaps

A physical air gap means the backup media is completely disconnected from any network: tape libraries removed and stored offsite, removable disk arrays disconnected after backup windows, or any storage that requires manual intervention to connect. Physical air gaps offer the strongest protection, but they come with slower recovery times and higher operational overhead.

A logical air gap uses network segmentation and access controls to isolate a backup vault from the production environment, connecting briefly during scheduled backup windows and then disconnecting. Logical air gaps are more practical for organizations that need faster recovery, but they depend on the segmentation being properly configured and maintained.

Designing an Air-Gap Strategy That Is Practical

The trade-off is always between protection and recovery speed. The practical approach is to tier your strategy: mission-critical systems benefit from a logical air gap with an isolated recovery environment that can restore service within hours, while lower-tier systems can use physical air gaps with longer recovery windows where the business can tolerate the delay.

Recovery Testing: The Step Most Organizations Skip

According to Veeam’s 2025 report, 98% of organizations have a ransomware response playbook, but fewer than half (44%) include backup verification and testing in that playbook. If you have not tested your backups, you have no way of confirming that they will restore as you expect.

A recovery test should validate four things:

  1. Data integrity: Is the backup complete and uncorrupted?
  2. Restoration time: Does the actual restore time match your RTO?
  3. Application functionality: Do systems work after restoration, including dependencies?
  4. Procedural readiness: Does the team know the steps under pressure?

You should test the most critical systems more frequently. For instance, you may decide to carry out quarterly full restoration tests for mission-critical systems, twice a year for business-critical, and annually for lower tiers.

There are two different types of testing that you may decide to carry out.

  1. Tabletop exercises walk through your response plan on paper and are useful for surfacing procedural gaps and communication breakdowns
  2. Full restoration drills go further by actively restoring systems from backup to a test environment

An effective testing strategy will include both types of testing to ensure that there are no loopholes or areas that are overlooked.
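The first two checks in a restoration drill (data integrity and restore time against RTO) can be automated. The harness below is an added example, not the article's or any backup vendor's code: it records a SHA-256 manifest of the protected files at backup time, runs a restore job, times it, and compares the restored tree against the manifest so that missing, corrupted and unexpected files are reported together with whether the RTO was met. A plain directory copy stands in for a real product's restore job, and the sample files and the "tampered" restore are constructed to show what a failing drill looks like.

```python
"""Restore-test harness: data integrity plus restore time against an RTO.

Added example, not the article's or any vendor's code. A local directory copy stands
in for a backup product's restore job; the sample files are constructed.
"""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path
from typing import Callable, Dict, List


def build_manifest(root: Path) -> Dict[str, str]:
    """SHA-256 of every file under root, keyed by relative path.
    Build this at backup time and keep it with the immutable copy."""
    files = sorted(p for p in root.rglob("*") if p.is_file())
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest() for p in files}


def verify_restore(restored_root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree with the manifest taken at backup time."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(k for k in manifest if k not in restored),
        "corrupted": sorted(k for k in manifest if k in restored and restored[k] != manifest[k]),
        "unexpected": sorted(k for k in restored if k not in manifest),
    }


def run_recovery_test(backup_root: Path, restore_target: Path, manifest: Dict[str, str],
                      restore_job: Callable[[Path, Path], None], rto_seconds: float) -> dict:
    """Time the restore job, then check integrity; 'passed' needs zero errors within the RTO."""
    start = time.monotonic()
    restore_job(backup_root, restore_target)
    elapsed = time.monotonic() - start
    integrity = verify_restore(restore_target, manifest)
    errors = sum(len(v) for v in integrity.values())
    return {
        "restore_seconds": elapsed,
        "within_rto": elapsed <= rto_seconds,
        "errors": errors,
        "integrity": integrity,
        "passed": errors == 0 and elapsed <= rto_seconds,
    }


def copy_restore(backup_root: Path, target: Path) -> None:
    """Stand-in for a backup product's restore job: copy the whole tree."""
    shutil.copytree(backup_root, target, dirs_exist_ok=True)


def demo() -> dict:
    """Construct sample data, then run one clean drill and one that surfaces damage."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backup = root / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "ledger.sql").write_bytes(b"-- constructed sample\nINSERT INTO ledger VALUES (1, 100);\n")
        (backup / "config.yaml").write_bytes(b"service: payments\n")
        manifest = build_manifest(backup)

        clean = run_recovery_test(backup, root / "restore-clean", manifest, copy_restore, rto_seconds=60)

        def tampered_restore(src: Path, dst: Path) -> None:
            # Constructed failure: one file restored with altered content, one not restored at all.
            copy_restore(src, dst)
            (dst / "db" / "ledger.sql").write_bytes(b"altered content")
            (dst / "config.yaml").unlink()

        tampered = run_recovery_test(backup, root / "restore-tampered", manifest, tampered_restore, rto_seconds=60)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, "passed" if report["passed"] else "FAILED", report["integrity"])
```

The manifest must be written at backup time, not regenerated from the backup during the test, otherwise a copy that was already altered before the drill would verify as clean. The remaining two checks in the list (application functionality and procedural readiness) cannot be scripted this way and are where the full restoration drill earns its cost.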

Putting It All Together

The best backup strategy builds on tried and tested methods. This means starting with the 3-2-1 rule and then extending it to fit your organization. Multiple data copies across multiple media and offsite storage form the foundation; immutable storage adds the integrity layer, air-gapped backups add the survivability layer, and recovery testing adds the confidence layer.

Not every system needs every layer. You should adapt the strategies available to you to ensure that you have security where you need it most.

Tier 1 systems should have immutable backups, a logically air-gapped recovery environment, and quarterly restoration testing, while Tier 3 and 4 systems can rely on immutable cloud backups with physical air-gapped copies and annual testing.

For more recommendations, check out our guides to the best Microsoft 365 Backup and Recovery Solutions for Business and Salesforce Backup and Recovery Solutions for Business.

Written By
Mirren McDade, Senior Journalist & Content Writer

Mirren McDade is a senior writer and journalist at Expert Insights, spending each day researching, writing, editing and publishing content, covering a variety of topics and solutions, and interviewing industry experts.

She is an experienced copywriter with a background in a range of industries, including cloud business technologies, cloud security, information security and cyber security, and has conducted interviews with several industry experts.

Mirren holds a First Class Honors degree in English from Edinburgh Napier University.

Technical Review
Laura Iannini, Cybersecurity Analyst

Laura Iannini is a Cybersecurity Analyst at Expert Insights. With deep cybersecurity knowledge and strong research skills, she leads Expert Insights’ product testing team, conducting thorough tests of product features and in-depth industry analysis to ensure that Expert Insights’ product reviews are definitive and insightful.

Laura also carries out wider analysis of vendor landscapes and industry trends to inform Expert Insights’ enterprise cybersecurity buyers’ guides, covering topics such as security awareness training, cloud backup and recovery, email security, and network monitoring. Prior to working at Expert Insights, Laura worked as a Senior Information Security Engineer at Constant Edge, where she tested cybersecurity solutions, carried out product demos, and provided high-quality ongoing technical support.

Laura holds a Bachelor’s degree in Cybersecurity from the University of West Florida.