Backup (Datensicherung)
Systematic data backup to a medium separate from the primary system—the last line of defense against ransomware, hardware failure, human error, and disasters. The 3-2-1 rule is the recognized minimum standard.
A backup is a full or incremental copy of data or systems stored on a medium separate from the original system. Backups are the most important—and often the only—measure for recovery after a ransomware attack.
Why Backups Fail – Common Mistakes
70% of all ransomware victims find that their backups do not work or have also been encrypted by the ransomware (Sophos State of Ransomware 2024). The reasons:
- Backups on network drives accessible from the infected system → encrypted directly
- Backups never tested → faulty or incomplete in an emergency
- No air gap → ransomware also reaches the backup server
- Backups too infrequent → data loss spanning days or weeks
The 3-2-1 Rule
The recognized minimum standard for backup architectures:
- 3 copies of the data (1 primary + 2 backups)
- 2 different media/technologies (e.g., local hard drive + cloud)
- 1 copy off-site or air-gapped (physically or logically separated from the production network)
Extended: 3-2-1-1-0 rule
- +1: One "immutable" copy (e.g., WORM media or object storage with versioning)
- +0: Zero errors during the last restore test (backups must be tested)
Backup Types
Full Backup: Complete copy of all data. High storage requirements, but fastest recovery.
Incremental Backup: Only changes since the last backup (whether full or incremental). Space-saving, but recovery takes longer (all increments must be applied).
Differential Backup: Changes since the last full backup. Compromise: takes up more space than incremental, but restores faster.
Snapshot: Point-in-time image of the system state at a specific moment (typical for VMs: VMware Snapshot, Hyper-V Checkpoint). Not a true backup replacement: snapshots are usually stored on the same storage system as the production data, so a failure or compromise of that storage takes the snapshots with it.
Backup Media and Strategies
Tape (LTO): Magnetic tape is the classic air-gap medium. Not connected to the network, physically robust, very durable, inexpensive per TB. Disadvantage: Slow restore.
External Hard Drives / USB: Inexpensive and fast—but only if stored physically separate. Risk: Often left permanently connected.
NAS (Network Attached Storage): Fast, convenient—but accessible from the network. Ransomware encrypts NAS shares. Solution: Immutable backups (Veeam Hardened Repository, Synology WORM).
Cloud Backup: AWS S3 with Object Lock, Azure Blob Storage with Immutability Policy, Veeam Cloud Connect – off-site, often cost-effective.
Immutable Storage: Data cannot be modified or deleted after being written (WORM: Write Once, Read Many). Considered the best current method against ransomware.
Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
RPO (Recovery Point Objective): Maximum tolerable data loss, expressed as a span of time. "We accept a maximum of 4 hours of data loss." → Backup at least every 4 hours.
RTO (Recovery Time Objective): Maximum downtime. "The system must be up and running again in 8 hours." → Determines backup technology and restore process.
| System Category | RPO | RTO | Strategy |
|---|---|---|---|
| Critical Systems | 1h | 2h | Hot standby, frequent snapshots |
| Important Systems | 4h | 8h | Daily backups, cloud restore |
| Archive Data | 24h | 48h | Tapes, slow restore |
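The RPO column above only holds if someone checks that the newest successful backup of every system is still inside its window; a single failed job quietly widens the gap. The following is an added example, not code from the original page: it parses a constructed backup-job log, lists failed runs (which should alert immediately) and reports every system whose last good backup is older than the RPO for its category. The system-to-category mapping and the log format are assumptions made for this example.

```python
from datetime import datetime, timedelta

# Constructed sample backup-job log (not from the page): "timestamp system type status".
BACKUP_LOG = """\
2024-05-10T00:05:00 ERP full OK
2024-05-10T04:05:00 ERP incremental OK
2024-05-10T08:05:00 ERP incremental FAILED
2024-05-10T06:00:00 FILESERVER full OK
2024-05-09T22:00:00 ARCHIVE full OK
"""

# RPO in hours per category, taken from the table above.
RPO_HOURS = {"critical": 1, "important": 4, "archive": 24}

# Hypothetical system-to-category mapping (constructed); HR has no log entry at all.
SYSTEM_CATEGORY = {"ERP": "critical", "FILESERVER": "important",
                   "ARCHIVE": "archive", "HR": "important"}


def parse_log(text):
    """Parse log lines into dicts with a datetime timestamp."""
    jobs = []
    for line in text.splitlines():
        if line.strip():
            ts, system, kind, status = line.split()
            jobs.append({"ts": datetime.fromisoformat(ts), "system": system,
                         "kind": kind, "status": status})
    return jobs


def failed_jobs(jobs):
    """Every failed run should raise an immediate alert (system, timestamp)."""
    return [(j["system"], j["ts"].isoformat()) for j in jobs if j["status"] != "OK"]


def rpo_violations(jobs, now):
    """Map each system whose newest successful backup is older than its RPO
    to the age of that backup in hours (None if it was never backed up)."""
    last_ok = {}
    for j in jobs:
        if j["status"] == "OK" and j["ts"] > last_ok.get(j["system"], datetime.min):
            last_ok[j["system"]] = j["ts"]
    violations = {}
    for system, category in SYSTEM_CATEGORY.items():
        last = last_ok.get(system)
        if last is None:
            violations[system] = None  # never backed up: always a violation
        elif now - last > timedelta(hours=RPO_HOURS[category]):
            violations[system] = round((now - last).total_seconds() / 3600, 1)
    return violations
```

Evaluated at 2024-05-10 09:00, ERP is flagged because its last successful run was at 04:05 and the failed 08:05 job does not count, while HR is flagged because it has never been backed up.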
Backup Testing – The Neglected Step
A backup that has never been tested is not a backup—it is a hope.
Minimum Tests:
- Monthly: Verify random file/folder restoration from backup
- Quarterly: Full system restoration in a test environment
- Annually: Disaster recovery test with a real-world scenario (measuring how long recovery actually takes)
Test Documentation: Date, tester, result, duration of recovery—for ISO 27001 and NIS2 compliance.
Backup and Ransomware Resilience
Today, ransomware groups often wait 2–4 weeks after initial compromise before encrypting data. During this time:
- They explore the network (lateral movement)
- They identify backup systems
- They delete or encrypt backups
Countermeasures:
- Separate backup credentials from production credentials (no domain admin in the backup tool)
- Restrict backup access for administration to jump hosts only (not accessible from the production network)
- Alerting: If a backup job fails → immediate alert
- Immutable storage: Data cannot be deleted within the retention period, even with admin credentials
Compliance Requirements
BSI IT-Grundschutz CON.3: "Data Backup Concept" – detailed requirements for backup strategy, media, testing, and storage locations.
ISO 27001:2022 A.8.13: "Information Backup" as an explicit control.
GDPR Art. 32: Technical measures for the "resilience" and "recoverability" of personal data.
NIS2 Art. 21: Business continuity and backup management as an explicit mandatory measure.
Retention periods (Germany):
- Commercial and tax data: 10 years (Section 257 HGB)
- Business correspondence: 6 years
- Recommendation: Coordinate backup strategy with the legal department