Backup Strategies That Actually Survive a Ransomware Attack
Everyone knows backups are important. The question isn’t whether you have backups. It’s whether those backups would actually survive a sophisticated ransomware attack and allow you to recover your business without paying a ransom.
Modern ransomware operators specifically target backup infrastructure. They know that destroying backups increases the pressure to pay. If your backup strategy doesn’t account for this, you’re planning for a threat that no longer exists.
Why Traditional Backup Strategies Fail
Network-attached backup storage that’s accessible from the production environment gets encrypted alongside everything else. Backup accounts using the same Active Directory credentials that the attacker already compromised provide zero additional protection. And backup schedules that retain only 30 days of history get wiped before anyone notices the ransomware was deployed six weeks ago.
William Fieldhouse, Director of Aardwolf Security Ltd, comments: “During internal assessments, one of the first things we check is whether the backup infrastructure is accessible from the general network. In the majority of cases, the backup server sits on the same network segment as everything else, uses domain-joined credentials, and would be encrypted alongside the production data in a ransomware scenario.”
The attackers have adapted. Your backup strategy needs to adapt with them.

The 3-2-1-1-0 Rule
The traditional 3-2-1 backup rule (three copies of your data, on two different media, with one copy offsite) needs updating. The modern version adds another 1 for an immutable or air-gapped copy, and a 0 for zero errors in backup verification testing.
Immutable backups cannot be modified or deleted, even by administrators, for a defined retention period. Air-gapped backups are physically disconnected from the network. Either approach ensures that even an attacker with domain admin credentials cannot destroy your recovery capability.
Testing Recovery Before You Need It
Backup verification isn’t just checking that the backup job completed successfully. It means restoring data from those backups and confirming it’s usable. Conduct regular recovery drills that test your ability to restore critical systems within your defined recovery time objectives.
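The restore drill described above, as an added example (my own code, not the article's or Aardwolf Security's): it builds a constructed backup set, records a SHA-256 manifest at backup time, restores the archive into a scratch directory and compares every restored file against the manifest. A backup job that reports success but cannot be restored, or restores files that no longer match, is counted as an error. The sample files and the manifest layout are constructed for this example.

```python
from __future__ import annotations

import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample data standing in for a real backup set (not the article's).
SAMPLE_FILES = {
    "docs/policy.txt": b"Retention: 90 days\n",
    "db/accounts.sql": b"INSERT INTO accounts VALUES (1, 'acme');\n",
    "config/app.ini": b"[backup]\nimmutable=true\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_backup(files: dict[str, bytes]) -> tuple[bytes, dict[str, str]]:
    """Write the files into an in-memory gzip'd tar and record a manifest of
    path -> SHA-256. A real backup job writes the manifest at backup time and
    stores it alongside (ideally on) the immutable copy."""
    manifest = {path: sha256_hex(data) for path, data in files.items()}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue(), manifest


def restore_and_verify(archive: bytes, manifest: dict[str, str]) -> dict:
    """Restore the archive into a scratch directory and check every file the
    manifest lists. An unreadable copy, a missing file or a hash mismatch is
    an error: the drill passes only with errors == 0 (the 0 in 3-2-1-1-0)."""
    findings: list[str] = []
    verified = 0
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
                # Use the hardened 'data' extraction filter where this Python
                # provides it (3.12+, backported to patch releases of 3.8-3.11).
                extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
                tar.extractall(restore_dir, **extra)
        except Exception as exc:  # any failure to read the copy fails the drill
            return {"verified": 0, "errors": 1,
                    "findings": [f"archive unreadable: {type(exc).__name__}: {exc}"]}
        for path, expected in manifest.items():
            restored = os.path.join(restore_dir, path)
            if not os.path.isfile(restored):
                findings.append(f"missing after restore: {path}")
                continue
            with open(restored, "rb") as fh:
                actual = sha256_hex(fh.read())
            if actual != expected:
                findings.append(f"hash mismatch: {path}")
            else:
                verified += 1
    return {"verified": verified, "errors": len(findings), "findings": findings}


def run_drill() -> dict:
    """Build the sample backup and drill it; a healthy copy reports errors == 0."""
    archive, manifest = build_backup(SAMPLE_FILES)
    return restore_and_verify(archive, manifest)


if __name__ == "__main__":
    report = run_drill()
    print(f"verified={report['verified']} errors={report['errors']}")
    for line in report["findings"]:
        print(" -", line)
```

The point of the scratch directory is that the drill never touches production paths, so it can be scheduled on the isolated backup segment without risk; in practice you would point it at a copy pulled from the immutable or air-gapped tier rather than the one the backup server can still write to.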
Regular internal network penetration testing should assess whether your backup infrastructure is properly isolated from your production network. If a tester can reach your backup servers from a compromised workstation, so can ransomware.
Practical Steps to Improve Backup Resilience
Isolate your backup infrastructure on a dedicated network segment. Use separate, non-domain credentials for backup administration. Implement immutable storage for critical backups. Test your restoration process quarterly. And extend your retention period to at least 90 days to account for attackers who dwell in your network before deploying ransomware.
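An added example (my own code, not the article's or Aardwolf Security's) that turns the steps in this paragraph and the 3-2-1-1-0 rule above into an audit you can run against a backup inventory: copy count, media, offsite, immutable or air-gapped, verification errors, whether any backup server address falls inside a production segment, whether the backup admin account is a domain credential, the 90-day retention floor, and the quarterly drill cadence. The inventory, the addresses and account names in it, the reading of "quarterly" as at most 92 days, and the DOMAIN\user naming heuristic for domain credentials are all assumptions constructed for this example.

```python
from __future__ import annotations

import ipaddress
from datetime import date

# Constructed inventory for a hypothetical environment (not from the article).
PRODUCTION_NETS = ["10.0.0.0/16"]
INVENTORY = {
    "copies": [
        {"name": "nas-primary", "media": "disk", "offsite": False,
         "immutable": False, "air_gapped": False, "address": "10.0.5.20",
         "verify_errors": 0},
        {"name": "cloud-objectlock", "media": "object-storage", "offsite": True,
         "immutable": True, "air_gapped": False, "address": None,
         "verify_errors": 0},
        {"name": "tape-vault", "media": "tape", "offsite": True,
         "immutable": False, "air_gapped": True, "address": None,
         "verify_errors": 0},
    ],
    # DOMAIN\user form: a credential an attacker's domain compromise also covers.
    "admin_account": "CORP\\svc-backup",
    "retention_days": 30,
    "last_restore_drill": date(2025, 1, 10),
}
AS_OF = date(2025, 6, 1)       # constructed "today" for the audit run

MIN_RETENTION_DAYS = 90        # from the article: at least 90 days
MAX_DAYS_BETWEEN_DRILLS = 92   # assumption: "quarterly" read as <= 92 days


def check_3_2_1_1_0(copies: list[dict]) -> list[str]:
    """Three copies, two media, one offsite, one immutable or air-gapped,
    zero verification errors."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies (need 3)")
    if len({c["media"] for c in copies}) < 2:
        findings.append("all copies on one media type (need 2)")
    if not any(c["offsite"] for c in copies):
        findings.append("no offsite copy")
    if not any(c["immutable"] or c["air_gapped"] for c in copies):
        findings.append("no immutable or air-gapped copy")
    errors = sum(c["verify_errors"] for c in copies)
    if errors:
        findings.append(f"{errors} verification errors (need 0)")
    return findings


def check_isolation(copies: list[dict], production_nets: list[str]) -> list[str]:
    """Flag any backup copy whose address sits inside a production segment."""
    nets = [ipaddress.ip_network(n) for n in production_nets]
    findings = []
    for c in copies:
        if c["address"] is None:
            continue  # offline or cloud copy with no address on your network
        addr = ipaddress.ip_address(c["address"])
        if any(addr in net for net in nets):
            findings.append(f"{c['name']} ({addr}) is inside a production segment")
    return findings


def check_credentials(account: str) -> list[str]:
    # Heuristic (assumption): DOMAIN\user or user@domain means a domain credential.
    if "\\" in account or "@" in account:
        return [f"backup admin account {account!r} is a domain credential"]
    return []


def check_retention(retention_days: int) -> list[str]:
    if retention_days < MIN_RETENTION_DAYS:
        return [f"retention {retention_days} days < {MIN_RETENTION_DAYS}"]
    return []


def check_drill_cadence(last_drill: date, today: date) -> list[str]:
    age = (today - last_drill).days
    if age > MAX_DAYS_BETWEEN_DRILLS:
        return [f"last restore drill {age} days ago (> {MAX_DAYS_BETWEEN_DRILLS})"]
    return []


def audit(inventory: dict, production_nets: list[str], today: date) -> list[str]:
    copies = inventory["copies"]
    return (check_3_2_1_1_0(copies)
            + check_isolation(copies, production_nets)
            + check_credentials(inventory["admin_account"])
            + check_retention(inventory["retention_days"])
            + check_drill_cadence(inventory["last_restore_drill"], today))


if __name__ == "__main__":
    for finding in audit(INVENTORY, PRODUCTION_NETS, AS_OF) or ["no findings"]:
        print("-", finding)
```

Run against the constructed inventory, the 3-2-1-1-0 checks pass (three copies on three media, two offsite, one immutable plus one air-gapped, no verification errors) but the audit still reports four findings: the NAS on the production segment, the domain admin account, 30-day retention and a drill last run more than a quarter ago. That split is the point: meeting the copy-count rule says nothing about whether the copies survive a domain compromise.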
If you haven’t assessed your backup resilience against modern ransomware tactics, getting a penetration test quote for a focused assessment will show you whether your recovery capability is real or theoretical.
