Skip to Content

Protecting Backups from Ransomware

Protecting Backups from Ransomware

cybersecurity protection shield firewall

Photo by Markus Winkler on Pexels

Since ransomware actively targets backups, your backup architecture must be designed to survive an attack. Here are the proven strategies that make backups ransomware-resistant — or ideally, ransomware-proof.

1. Air Gap Your Backups

An air gap is physical or logical isolation between your backup and your production network. If the backup system isn't connected, ransomware can't reach it.

  • Physical air gap: Rotate external USB drives. Plug in, backup, unplug. A drive sitting in a drawer is unreachable by ransomware.
  • Logical air gap: Use a separate VLAN or firewall zone for backup storage. The backup network should only accept connections from the backup server, not from production servers.
  • Cloud air gap: Cloud storage (B2, Wasabi, S3) is inherently air-gapped if credentials aren't stored on production servers. Use dedicated credentials with limited scope.

2. Immutable Backups

Immutable backups cannot be modified or deleted — not by ransomware, not by a rogue admin, not even by the backup software itself — until the retention period expires. This is the single most effective ransomware defense for backups.

  • WORM storage (Write Once, Read Many): Backblaze B2 offers Object Lock with immutability. Set a 30-day retention — even if an attacker gets your credentials, they can't delete the data.
  • AWS S3 Object Lock: Enable compliance mode with retention periods. Objects cannot be deleted or overwritten during the retention period.
  • BorgBackup: While not immutable in the traditional sense, Borg's append-only mode (borg init --append-only) prevents any existing archive from being deleted. Only new archives can be added.
  • Restic with read-only repository: Use a restricted SSH key that can only run the restic backup command, not delete or prune.

3. Separate Credentials for Backups

Never use the same credentials for production and backup systems. If ransomware steals production credentials, it shouldn't be able to reach the backup repository.

  • Create dedicated backup service accounts with minimal permissions.
  • Store backup credentials in a separate password manager or hardware key (YubiKey, $45).
  • For cloud backups, use API keys restricted to a single bucket, not the account root key.
  • Rotate backup credentials every 90 days.

4. Network Segmentation

Segment your network so production systems and backup systems live on different zones:

# Firewall rules for backup isolation
# Allow backup server → backup storage (port 22/445/443)
# Allow production → backup server (specific ports only)
# DENY all other traffic to backup zone
# DENY production → backup storage directly

5. 3-2-1-1-0 Rule (Enhanced 3-2-1)

The enhanced backup rule adds two critical elements for ransomware protection:

  • 3 copies, 2 media, 1 off-site (standard 3-2-1)
  • +1 immutable copy — at least one backup must be immutable/air-gapped.
  • +0 errors — verify every backup with zero errors before considering it complete.

6. Regular Restore Testing (Your Ultimate Safety Net)

If ransomware destroys everything except your immutable cloud backup, you need to know you can restore from it. A backup you can't restore is useless — and in a ransomware scenario, you'll be restoring under stress. Practice restores so they're muscle memory.

Free Implementation Checklist

  1. [ ] Set up BorgBackup with append-only mode on a remote server.
  2. [ ] Enable Object Lock on Backblaze B2 bucket (30-day retention).
  3. [ ] Create dedicated backup SSH key: ssh-keygen -t ed25519 -f ~/.ssh/backup_key.
  4. [ ] Restrict SSH key on backup server: command="borg serve --append-only" in authorized_keys.
  5. [ ] Store backup credentials on a YubiKey or separate password manager.
  6. [ ] Configure firewall to isolate backup network from production.
  7. [ ] Schedule weekly integrity checks: borg check --verify-data.
  8. [ ] Perform monthly restore tests and document results.

Key Takeaways

  • Air gap backups (physical, logical, or cloud) so ransomware can't reach them.
  • Immutability is the gold standard — use Object Lock on cloud storage or append-only mode on Borg.
  • Use dedicated, isolated credentials for backup systems — never reuse production credentials.
  • Segment your network to isolate backup infrastructure from production.
  • Follow the 3-2-1-1-0 rule: standard 3-2-1 + 1 immutable copy + 0 errors on verification.

Protecting Backups from Ransomware

cybersecurity protection shield firewall

Photo by Markus Winkler on Pexels

Since ransomware actively targets backups, your backup architecture must be designed to survive an attack. Here are the proven strategies that make backups ransomware-resistant — or ideally, ransomware-proof.

1. Air Gap Your Backups

An air gap is physical or logical isolation between your backup and your production network. If the backup system isn't connected, ransomware can't reach it.

  • Physical air gap: Rotate external USB drives. Plug in, backup, unplug. A drive sitting in a drawer is unreachable by ransomware.
  • Logical air gap: Use a separate VLAN or firewall zone for backup storage. The backup network should only accept connections from the backup server, not from production servers.
  • Cloud air gap: Cloud storage (B2, Wasabi, S3) is inherently air-gapped if credentials aren't stored on production servers. Use dedicated credentials with limited scope.

2. Immutable Backups

Immutable backups cannot be modified or deleted — not by ransomware, not by a rogue admin, not even by the backup software itself — until the retention period expires. This is the single most effective ransomware defense for backups.

  • WORM storage (Write Once, Read Many): Backblaze B2 offers Object Lock with immutability. Set a 30-day retention — even if an attacker gets your credentials, they can't delete the data.
  • AWS S3 Object Lock: Enable compliance mode with retention periods. Objects cannot be deleted or overwritten during the retention period.
  • BorgBackup: While not immutable in the traditional sense, Borg's append-only mode (borg init --append-only) prevents any existing archive from being deleted. Only new archives can be added.
  • Restic with read-only repository: Use a restricted SSH key that can only run the restic backup command, not delete or prune.

3. Separate Credentials for Backups

Never use the same credentials for production and backup systems. If ransomware steals production credentials, it shouldn't be able to reach the backup repository.

  • Create dedicated backup service accounts with minimal permissions.
  • Store backup credentials in a separate password manager or hardware key (YubiKey, $45).
  • For cloud backups, use API keys restricted to a single bucket, not the account root key.
  • Rotate backup credentials every 90 days.

4. Network Segmentation

Segment your network so production systems and backup systems live on different zones:

# Firewall rules for backup isolation
# Allow backup server → backup storage (port 22/445/443)
# Allow production → backup server (specific ports only)
# DENY all other traffic to backup zone
# DENY production → backup storage directly

5. 3-2-1-1-0 Rule (Enhanced 3-2-1)

The enhanced backup rule adds two critical elements for ransomware protection:

  • 3 copies, 2 media, 1 off-site (standard 3-2-1)
  • +1 immutable copy — at least one backup must be immutable/air-gapped.
  • +0 errors — verify every backup with zero errors before considering it complete.

6. Regular Restore Testing (Your Ultimate Safety Net)

If ransomware destroys everything except your immutable cloud backup, you need to know you can restore from it. A backup you can't restore is useless — and in a ransomware scenario, you'll be restoring under stress. Practice restores so they're muscle memory.

Free Implementation Checklist

  1. [ ] Set up BorgBackup with append-only mode on a remote server.
  2. [ ] Enable Object Lock on Backblaze B2 bucket (30-day retention).
  3. [ ] Create dedicated backup SSH key: ssh-keygen -t ed25519 -f ~/.ssh/backup_key.
  4. [ ] Restrict SSH key on backup server: command="borg serve --append-only" in authorized_keys.
  5. [ ] Store backup credentials on a YubiKey or separate password manager.
  6. [ ] Configure firewall to isolate backup network from production.
  7. [ ] Schedule weekly integrity checks: borg check --verify-data.
  8. [ ] Perform monthly restore tests and document results.

Key Takeaways

  • Air gap backups (physical, logical, or cloud) so ransomware can't reach them.
  • Immutability is the gold standard — use Object Lock on cloud storage or append-only mode on Borg.
  • Use dedicated, isolated credentials for backup systems — never reuse production credentials.
  • Segment your network to isolate backup infrastructure from production.
  • Follow the 3-2-1-1-0 rule: standard 3-2-1 + 1 immutable copy + 0 errors on verification.
Rating
0 0

There are no comments for now.

to be the first to leave a comment.