Soft ComputersBook a free IT assessmentBook assessment

Ransomware Recovery: Why Your 3-2-1 Backup Strategy Isn't Enough Anymore

Backup & Recovery11 min readBy the Soft Computers Team

Your Backups Are Under Attack

Ransomware operators know that backups are your last line of defense. So they've evolved. Modern ransomware:

  • Searches for backup software and disables it
  • Encrypts backup files alongside production data
  • Dwells for weeks before activating (corrupting all backup copies)
  • Exfiltrates data before encryption for double extortion

The traditional 3-2-1 backup rule is no longer sufficient.

The Classic 3-2-1 Rule

For decades, the 3-2-1 backup strategy was the gold standard:

  • 3 copies of your data
  • 2 different storage media
  • 1 copy offsite

This worked when threats were simpler. Today, it's just the starting point.

Introducing 3-2-1-1-0

The enhanced backup strategy adds two critical elements:

3 - Three Copies

Keep at least three copies of your data:

  • Production data
  • Primary backup
  • Secondary backup

2 - Two Different Media Types

Use different storage technologies:

  • On-premises storage (NAS, SAN)
  • Cloud storage
  • Tape (yes, it's still relevant for air gaps)

1 - One Copy Offsite

Essential for disaster recovery:

  • Cloud backup to a different region
  • Physical tapes stored off-site
  • Replicated data center

1 - One Copy Immutable/Air-Gapped

This is the game-changer:

  • Immutable storage that cannot be modified or deleted
  • Air-gapped backups disconnected from your network
  • WORM (Write Once, Read Many) storage

0 - Zero Errors

Verified, recoverable backups:

  • Automated backup verification
  • Regular restore testing
  • Integrity checking

Implementing Immutable Backups

Option 1: Cloud Immutability

AWS S3 Object Lock, Azure Immutable Blob Storage:

  • Set retention periods (30, 60, 90 days)
  • Legal holds for compliance
  • Cannot be deleted, even by admins

Option 2: Air-Gapped Backups

Physical separation from your network:

  • Tape libraries with offline storage
  • Removable drives stored securely
  • Network-disconnected backup servers

Option 3: Hybrid Approach

What we recommend for most clients:

  • Daily cloud backups with 30-day immutability
  • Weekly immutable snapshots with 90-day retention
  • Monthly air-gapped backups stored offsite

The Cost of Not Having Immutable Backups

When ransomware reaches your backups, the damage compounds:

  • Victims who assumed they were covered often find their backups were encrypted too
  • Recovery without a clean copy stretches from hours into weeks
  • Ransom demands climb into a range that can sink a small business

How Immutable Backups Change the Outcome

Picture an environment hit with Lockbit ransomware:

  • All production systems encrypted
  • On-premises backups encrypted
  • Immutable cloud backups untouched

Because the immutable copies cannot be altered or deleted, recovery becomes a restore to a clean environment rather than a negotiation with attackers. You move on your own timeline instead of theirs.

Backup Health Check

When did you last:

  • Verify your backups are actually running?
  • Test a full system restore?
  • Review your retention policies?
  • Check for backup gaps?

If you're unsure, a backup assessment will audit your current strategy and identify the gaps.

Get a free IT assessment

Want this level of attention on your IT?

We publish what we practice. Book a free assessment and see where your environment stands: what is solid, what is aging, and what is at risk.