Backup strategy 3-2-1: ransomware-resistant backups in practice
The 3-2-1 rule — three copies, two media types, one offsite — is necessary but not sufficient against modern ransomware. Add immutability and air gap.
The classic 3-2-1 backup rule states: three copies of every dataset, on two different media types, with one offsite. The rule predates ransomware and is no longer sufficient. Modern ransomware operators routinely target backup infrastructure as their first action — Veeam VBR servers, Rubrik environments, the Backblaze API tokens stored in workstations. The 2024 attacks against several US healthcare networks succeeded because backups were online and compromised before encryption began. The 3-2-1-1-0 expansion adds: one immutable or air-gapped copy, zero errors verified by restore tests.
Immutability is the modern requirement. AWS S3 Object Lock in compliance mode, Azure Blob immutable storage, Wasabi Object Lock, Backblaze B2 Object Lock, and on-prem appliances like Veeam Hardened Repository (Linux) or Cohesity DataLock provide write-once-read-many storage: a locked object cannot be deleted by anyone, including the storage admin, until its retention expires. Set retention to at least 30 days for production data and 7 days for less critical data, depending on RPO. Verify quarterly that the retention is actually enforced; misconfigured Object Lock has been the cause of multiple incidents.
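The quarterly verification is easiest to keep honest when it is a script rather than a console walk-through. The following is an added example, not part of the original article or any vendor's tooling: it audits the two dicts boto3 returns from `get_object_lock_configuration()` and `get_object_retention()` for the misconfigurations that leave "immutable" backups deletable (lock enabled but no default rule, GOVERNANCE instead of COMPLIANCE mode, retention shorter than the floor). The sample configurations and the 30-day floor are constructed from the article's numbers; wiring the functions to live API calls is left to the reader.

```python
"""Audit S3 Object Lock settings for the gaps that make a backup deletable.

Added example. Input dicts mirror the shape boto3 returns from
get_object_lock_configuration() and get_object_retention(); the sample
values below are constructed, not taken from any real bucket.
"""
from datetime import datetime, timedelta, timezone

MIN_RETENTION_DAYS = 30  # production floor from the article; tune per data tier


def audit_bucket_lock(config: dict, min_days: int = MIN_RETENTION_DAYS) -> list:
    """Return a list of findings for a bucket-level lock config (empty == pass)."""
    findings = []
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        # Versioning alone is not protection: a stolen admin credential can purge versions.
        return ["Object Lock is not enabled on the bucket"]
    rule = lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        # Lock enabled but no default rule: objects written without an explicit
        # per-object retention are not locked at all. A common real-world gap.
        return ["no DefaultRetention rule; new objects are not locked by default"]
    if rule.get("Mode") != "COMPLIANCE":
        # GOVERNANCE retention can be shortened or removed by any principal holding
        # s3:BypassGovernanceRetention, which is exactly the admin role attackers take.
        findings.append(f"retention mode is {rule.get('Mode')}, not COMPLIANCE")
    days = rule.get("Days", 0) + 365 * rule.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention {days}d is below the {min_days}d floor")
    return findings


def audit_object_retention(retention: dict, now: datetime,
                           min_days: int = MIN_RETENTION_DAYS) -> list:
    """Check the effective retention on one freshly written backup object.

    The per-object value is the ground truth: a writer can override the bucket
    default, so spot-check recent objects rather than trusting the bucket rule.
    """
    findings = []
    ret = retention.get("Retention")
    if not ret:
        return ["object carries no retention; it can be deleted right now"]
    if ret.get("Mode") != "COMPLIANCE":
        findings.append(f"object retention mode is {ret.get('Mode')}, not COMPLIANCE")
    remaining = ret["RetainUntilDate"] - now
    if remaining < timedelta(days=min_days):
        findings.append(f"object unlocks in {remaining.days}d, below the {min_days}d floor")
    return findings


# --- constructed samples ---------------------------------------------------
WEAK_BUCKET = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}

HARDENED_BUCKET = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}

LOCK_WITHOUT_RULE = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}

NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def make_retention(now: datetime, days: int, mode: str = "COMPLIANCE") -> dict:
    """Build a constructed get_object_retention() response."""
    return {"Retention": {"Mode": mode, "RetainUntilDate": now + timedelta(days=days)}}


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET),
                      ("no-rule", LOCK_WITHOUT_RULE)]:
        print(name, audit_bucket_lock(cfg) or "OK")
    print("object", audit_object_retention(make_retention(NOW, 10), NOW) or "OK")
```

Run the bucket check against every backup bucket and the object check against a sample of the most recent backup objects; an empty findings list from both is the evidence the quarterly review should record. The check deliberately treats GOVERNANCE mode as a finding, because the bypass permission usually sits in the same admin role a ransomware operator ends up holding.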
Air gap remains the strongest control for crown jewels. Tape, optical, or offline disk that physically does not connect to any network during normal operations cannot be encrypted by ransomware. LTO-9 tape provides 18 TB native per cartridge with a shelf life of over 30 years. For high-value data — financial systems of record, code signing keys, customer databases — keep at least one tape rotation. Major Azerbaijani banks maintain LTO operations precisely because the regulator and the threat model both demand it.
Restore testing is the unglamorous closer. A backup that cannot be restored in time to meet your RTO is not a backup. Schedule quarterly restore drills against random datasets. Measure time to recover, completeness, and data integrity. Document the runbook step by step, including the database engine version, the OS, and network dependencies. Rotate the on-call engineer through the drill so the knowledge does not concentrate in one person. The reason most ransomware victims pay is not the encryption itself but the realization at hour 48 that recovery would take weeks. A practiced team recovers in hours; that is what the budget buys.
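The three measurements above (time to recover, completeness, integrity) are what turns a drill into the "zero errors" of 3-2-1-1-0. The following is an added example, not code from the article: a hash manifest is taken at backup time, and after the restore every file is checked for presence and SHA-256 match while the elapsed time is compared against the RTO. The dataset, the simulated restore and the injected faults (one file missing, one altered) are constructed so the script runs offline; in a real drill the restore step is whatever your backup product does and the manifest lives next to the backup.

```python
"""Restore drill verifier: completeness, integrity and RTO in one report.

Added example. The manifest format, the sample dataset and the simulated
restore are constructed; none of it is any backup vendor's API.
"""
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large dumps do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(source_dir: Path) -> dict:
    """Hash every file under source_dir at backup time; store this with the backup."""
    return {p.relative_to(source_dir).as_posix(): sha256_file(p)
            for p in sorted(source_dir.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restore_dir: Path, elapsed_s: float, rto_s: float) -> dict:
    """Compare a restored tree with its manifest and the elapsed time with the RTO.

    'passed' is the 3-2-1-1-0 'zero errors': nothing missing, nothing altered,
    and finished inside the RTO.
    """
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != expected:
            corrupt.append(rel)
    within_rto = elapsed_s <= rto_s
    return {
        "files_expected": len(manifest),
        "missing": missing,
        "corrupt": corrupt,
        "elapsed_s": round(elapsed_s, 3),
        "within_rto": within_rto,
        "passed": not missing and not corrupt and within_rto,
    }


def run_drill(inject_faults: bool, rto_s: float = 3600.0) -> dict:
    """Constructed end-to-end drill: back up a sample dataset, 'restore' it, verify.

    With inject_faults=True the restore omits keys.pem and alters config.yaml,
    which is the kind of silent damage a drill exists to surface.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "source", Path(tmp) / "restored"
        src.mkdir()
        dst.mkdir()
        # Constructed dataset standing in for a database dump plus its runbook inputs.
        (src / "db.dump").write_bytes(b"-- constructed pg_dump output\n" * 100)
        (src / "config.yaml").write_text("engine: postgres-16\n")
        (src / "keys.pem").write_text("constructed placeholder, not a real key\n")
        manifest = build_manifest(src)

        start = time.monotonic()
        for rel in manifest:  # simulated restore: byte-for-byte copy
            if inject_faults and rel == "keys.pem":
                continue  # file never came back
            (dst / rel).write_bytes((src / rel).read_bytes())
        if inject_faults:
            (dst / "config.yaml").write_text("engine: postgres-15\n")  # wrong version restored
        elapsed = time.monotonic() - start
        return verify_restore(manifest, dst, elapsed, rto_s)


if __name__ == "__main__":
    print("clean drill  :", run_drill(inject_faults=False))
    print("faulty drill :", run_drill(inject_faults=True))
```

Keep the report from each quarterly drill; the elapsed time trend is the number that tells you whether recovery in hours is still true after the team or the stack changes. The manifest should be written to the immutable copy alongside the backup, otherwise an attacker who reaches the backup can rewrite both.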