Immutable Backup Explained: Why It Matters For Ransomware Protection

How immutable backups work and why they are important.

Last updated on Jun 18, 2026

The moment you receive a ransomware note feels like the beginning of the attack. The reality is very different. By the time the note appears, the attacker may have already mapped your network, harvested credentials, escalated to domain admin, and located your backup infrastructure.

If they can find and delete your backups, it’s game over.

Immutable backups are the last line of defense. When prevention and detection fail, backups enable you to restore your data and resume operations, stripping the attacker of the leverage that locking your data was supposed to give them.

Cybercriminals know this. Veeam’s 2025 Ransomware Trends Report found that attackers targeted backup repositories in 89% of organizations hit by ransomware. On average, they destroyed or altered 34% of the repositories they reached.

Immutable backups are the control that gives you the upper hand.

What Are Immutable Backups?

An immutable backup is a copy of your data that cannot be changed or deleted for a defined period, regardless of who issues the command. The model is write-once-read-many, meaning that once the data is stored, a retention lock holds it in place until the window expires. No level of privilege overrides that lock.

By removing the option to change or delete the backup, you reduce the impact a malicious actor can have on your organization.

When referring to backups, you will also see the terms air-gapped and offline. Air-gapped means the copy is isolated from the network, physically or logically. Offline means the media is disconnected entirely. Immutable backups can stay online, which keeps recovery fast, while remaining impossible to delete.

Why Are Immutable Backups Important?

Attackers are growing more sophisticated in how they operate, and they rarely act the moment they gain access. Instead, they dwell within your environment, gathering information and moving laterally to make the attack as damaging as possible. The average dwell time sits around five days before an attacker acts.

Before you detect their presence, the attacker identifies and neutralizes anything that would aid your recovery. That includes backup servers, cloud storage credentials, and snapshot schedules.

Immutable backups change this. They let you restore and recover data that attackers cannot affect. An attacker can wipe everything in production and still fail to touch the immutable copy.

Even so, the protection gap is wide. Veeam found that only 32% of organizations used immutable repositories.

Features of Immutability

When comparing backup solutions, here are some key features to look for to ensure backups are immutable:

Object lock: This builds on the S3 Object Lock model and splits into two modes. Compliance mode means no one can delete or overwrite the object before retention ends. Governance mode allows users with sufficient privileges to lift the lock. Governance mode protects against accidental deletion and most attacks. It does not protect against an attack where a privileged account is compromised. Whether you are deploying immutability yourself or assessing a vendor, confirm which mode is in use and who can change it.

Hardened repositories: This describes the controls put in place to support immutable backups. It typically includes preventing the backup server from gaining root and file-system access, and enforcing immutability flags.

Immutable snapshots: These give you fast, frequent recovery points. Retention windows tend to be shorter, and the lock lives on the same platform as the data it protects.

Tape: This remains the clearest air gap. Once a cartridge leaves the drive, no network attack reaches it. The trade-off is recovery speed.

What Immutability Does Not Solve

Immutability does not address everything. In order to use it effectively and safely, it’s important that you understand what it can and can’t do.

Configured incorrectly, immutability protects nothing. A retention window shorter than your detection time is useless, because an attacker can wait for the window to expire and then move. Governance mode needs the same scrutiny, since a compromised privileged account can lift the lock.

Data theft is the larger gap. BlackFog reported that 96% of ransomware attacks in the third quarter of 2025 involved data exfiltration, and Mandiant confirmed data theft in 77% of intrusions, up from 57% a year earlier. 

Encryption itself is becoming optional: Sophos found the share of attacks involving encryption fell from 70% to 50% in a single year, while 97% of organizations whose data was encrypted recovered it. A backup you cannot delete is still a backup of data the attacker has already copied and now threatens to publish. Ransomware threats are widely understood to be some of the most significant threats that organizations must face.

Immutability gives you reliable recovery, not immunity from extortion.

What To Look For When Evaluating A Solution

When you are choosing the right immutable backup solution for your organization, focus on these areas.

  • Compliance mode versus governance mode – Use compliance mode for your most critical recovery points.
  • Retention that exceeds dwell time – If your mean time to detect is two weeks, a retention window shorter than that protects nothing. Set retention to match your detection numbers rather than the defaults.
  • MFA and RBAC – Because backup sits next to your most important data, apply access management and verification policies to the backup plane.
  • Separation of duties – Ensure that no single compromised identity can both manage production and alter backup retention.
  • Tested recovery – Confirm that your recovery processes work and cover every key area. An untested backup is a hope, not a plan.
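
The object lock mode and retention checks described above, as an added example (not from the original article or any vendor's tooling): a Python audit over dictionaries shaped like the ObjectLockConfiguration element returned by S3 GetObjectLockConfiguration. The bucket names, the 14-day detection figure and the critical flag are constructed assumptions.

```python
def retention_days(rule):
    """Convert a DefaultRetention rule (Days or Years) to days."""
    return rule["Days"] if "Days" in rule else rule.get("Years", 0) * 365


def audit_object_lock(bucket, config, detect_days, critical=False):
    """Return findings for one bucket; an empty list means no issues.

    config mirrors the ObjectLockConfiguration element returned by S3
    GetObjectLockConfiguration. detect_days (mean time to detect) and
    critical (holds critical recovery points) are caller-supplied assumptions.
    """
    if config.get("ObjectLockEnabled") != "Enabled":
        return [f"{bucket}: Object Lock not enabled"]
    rule = config.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return [f"{bucket}: no default retention rule"]
    findings = []
    if rule.get("Mode") == "GOVERNANCE":
        why = ("critical recovery points need COMPLIANCE" if critical
               else "a privileged account can lift the lock")
        findings.append(f"{bucket}: GOVERNANCE mode, {why}")
    days = retention_days(rule)
    if days <= detect_days:
        findings.append(
            f"{bucket}: retention {days}d does not exceed detection time {detect_days}d")
    return findings


# Constructed sample configurations (hypothetical bucket names): (config, critical)
SAMPLES = {
    "backup-critical": ({"ObjectLockEnabled": "Enabled", "Rule": {
        "DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}, True),
    "backup-general": ({"ObjectLockEnabled": "Enabled", "Rule": {
        "DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}, False),
    "backup-legacy": ({}, False),  # no Object Lock configuration at all
}


def audit_all(samples, detect_days):
    """Audit every sample bucket against one detection-time figure."""
    return {name: audit_object_lock(name, cfg, detect_days, crit)
            for name, (cfg, crit) in samples.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES, detect_days=14).items():
        print(name, findings or "OK")
```

A default retention rule only covers objects written without their own retention settings, so a clean result here does not replace checking the retention actually applied to individual recovery points.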

Another useful anchor is 3-2-1-1-0: three copies of data, on two media types, one off-site, one offline or immutable, and zero errors on recovery verification.

The Bottom Line

With the range and severity of data risks facing organizations today, immutable backup has moved into the category of non-negotiable. It needs to be one of the tools in your arsenal to protect your data. Configured properly, it guarantees that you keep clean recovery points through a full compromise. That is the difference between restoring operations and negotiating with an attacker.

Remember what immutable backups can and cannot do. They protect your ability to recover. They do not protect your data from being stolen, and their value drops sharply if they are not configured correctly. Treat immutability as one strong layer in a tested recovery strategy, not as the strategy itself.

Written By
Alex Zawalnyski, Journalist & Content Editor

Alex is an experienced journalist and content editor. He researches, writes, factchecks and edits articles relating to B2B cyber security and technology solutions, working alongside software experts.

Alex was awarded a First Class MA (Hons) in English and Scottish Literature by the University of Edinburgh.