Backup and disaster recovery: ransomware-proof data backup
Backups are the last line of defense against ransomware and data loss. This article explains the 3-2-1-1-0 rule, immutable storage, recovery testing, and modern backup architectures for businesses of all sizes.
"We have backups."—That’s what almost every company says. But: Are the backups regularly tested for recoverability? Are they isolated from the primary network (so ransomware can’t reach them)? Has a full disaster recovery scenario ever been tested?
According to the Veeam Data Protection Trends Report 2024, 76% of companies experienced at least one ransomware attack last year. Of those who paid the ransom, 24% were still unable to fully recover their data. The most common reason: the backups were also encrypted.
The Evolution of Backup Rules
Classic: The 3-2-1 Rule
3 copies of the data
2 different media types (e.g., disk + tape)
1 offsite copy (outside the company)
The 3-2-1 rule is a good start—but insufficient for ransomware protection because:
- All 3 copies are usually reachable with the same credentials over the same network, so a single ransomware incident can encrypt or delete every one of them
- An offsite copy that stays online (a replication target or a cloud share mounted with production credentials) is just one more reachable target; offsite only helps if that copy is also offline or immutable
Modern: 3-2-1-1-0 Rule
3 copies of the data
2 different media types
1 offsite copy
1 air-gapped / offline / immutable copy ← NEW
0 errors – verifiable backups (regular restore tests) ← NEW
The "1 offline/immutable" is the crucial addition for ransomware resilience.
Immutable Backups: What Does That Mean?
Immutable means: once written, the backup cannot be modified or deleted for the duration of its retention period, not by administrators, not by a compromised backup service account, and not by ransomware. Deletion only becomes possible after the retention period expires.
Implementation Options
Object Storage with WORM (Write Once Read Many):
AWS S3 Object Lock (requires versioning; best enabled when the bucket is created):
Governance Mode: blocks deletion for ordinary users, but any principal granted s3:BypassGovernanceRetention (typically administrators) can still override the lock; this protects against mistakes, not against a compromised admin account
Compliance Mode: no one, not even the AWS account root user, can delete the object or shorten its retention before it expires; use this mode for the ransomware copy
Azure Blob Storage Immutability Policies:
Time-based Retention: Data immutable for X days
Legal Hold: Until explicitly released
Wasabi S3-compatible (cheaper than AWS):
Object Lock can be enabled, very good value for money
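The Governance/Compliance distinction above is easy to get wrong in practice: a bucket with Object Lock "enabled" may still be wiped by a stolen admin key. The following Python script is an added example (not code from the article, Veeam or AWS) that classifies a bucket's Object Lock configuration by what it actually protects against. The dict shapes mirror the response of boto3's get_object_lock_configuration(); the 30-day threshold, the bucket names and the function names are assumptions made here.

```python
"""Classify an S3 bucket's Object Lock setting for ransomware resilience.

Added example for this article, not code from Veeam, AWS or the author.
The dicts mirror the response shape of boto3's get_object_lock_configuration();
the bucket names and the 30-day threshold are assumptions.
"""
from datetime import datetime, timedelta, timezone

MIN_RETENTION_DAYS = 30  # assumption: matches the 30-day tier-1 retention used in this article


def classify_lock(config: dict) -> str:
    """Map an Object Lock configuration to what it really protects against.

    "none"               Object Lock off: anyone with s3:DeleteObject (or a stolen
                         backup-job key) can wipe the copies.
    "enabled-no-default" Lock on, but no default rule: objects are only protected
                         if the backup software sets retention per object.
    "governance"         Default GOVERNANCE retention: blocks accidents, but a
                         principal with s3:BypassGovernanceRetention can still delete.
    "compliance"         Default COMPLIANCE retention: nobody, root user included,
                         can delete before RetainUntilDate.
    """
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return "none"
    rule = lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return "enabled-no-default"
    return rule["Mode"].lower()


def retention_days(rule: dict) -> int:
    """DefaultRetention carries either Days or Years; normalise to days."""
    return int(rule["Days"]) if "Days" in rule else int(rule["Years"]) * 365


def is_ransomware_resilient(config: dict, min_days: int = MIN_RETENTION_DAYS) -> bool:
    """Only COMPLIANCE mode with a long enough default retention counts as the
    '1 immutable copy' of the 3-2-1-1-0 rule."""
    if classify_lock(config) != "compliance":
        return False
    rule = config["ObjectLockConfiguration"]["Rule"]["DefaultRetention"]
    return retention_days(rule) >= min_days


def compliance_put_args(bucket: str, key: str, body: bytes, days: int) -> dict:
    """Keyword arguments for boto3 s3.put_object() that pin one object in
    COMPLIANCE mode, independent of (and possibly longer than) the bucket default."""
    return {
        "Bucket": bucket,
        "Key": key,
        "Body": body,
        "ObjectLockMode": "COMPLIANCE",
        "ObjectLockRetainUntilDate": datetime.now(timezone.utc) + timedelta(days=days),
    }


def audit_bucket(bucket: str) -> str:
    """Live check against a real bucket (needs boto3 and AWS credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        config = s3.get_object_lock_configuration(Bucket=bucket)
    except ClientError as exc:
        # AWS answers with this error code when Object Lock was never enabled
        if exc.response["Error"]["Code"] == "ObjectLockConfigurationNotFoundError":
            return "none"
        raise
    return classify_lock(config)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: objectlock_audit.py <bucket>")
    print(f"{sys.argv[1]}: {audit_bucket(sys.argv[1])}")
```

Run it against each bucket that receives backup copies; anything other than "compliance" with a retention at least as long as the backup chain means the copy does not satisfy the "1 immutable" requirement. The same classification applies to S3-compatible targets such as Wasabi, which expose the same Object Lock API.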
Tape / Offline Storage:
- Classic offline tape (LTFS, LTO-9): physically disconnected → ransomware cannot access it
- Modern tape libraries with air gap: automatic disconnection after backup
Dedicated Backup Appliances with Immutability:
- Dell PowerProtect DD (formerly EMC Data Domain) with Retention Lock; Dell PowerScale with SmartLock WORM directories
- HPE StoreOnce Catalyst
- Veeam Hardened Repository (Linux with the filesystem immutable attribute; the backup server holds no persistent root or SSH access to it)
Backup Architectures for Different Company Sizes
SMEs (< 50 employees)
Primary data: NAS in the office
↓
Backup job: Veeam/Acronis → local backup NAS (daily, 30 days)
↓
Offsite: Automatic backup to the cloud (Wasabi/Backblaze B2)
Immutable Object Lock enabled
Cost: ~€200/month for 5 TB of cloud storage + backup software
Mid-sized businesses (50–500 employees)
Primary data: SAN/NAS + VMware VMs + M365
↓
Backup Tier 1: Veeam → Hardened Linux Repository (immutable, 30 days)
in the same data center – fast recovery
Backup Tier 2: Veeam → Backup site (20 km away, daily, 90 days)
Backup Tier 3: Azure/AWS S3 Object Lock (weekly, 1 year)
M365 Backup: Veeam for M365 / Acronis Cyber Protect Cloud
(Emails, SharePoint, Teams, OneDrive)
Enterprise (> 500 employees)
Multi-site with synchronous replication for Tier 1 data
Backup with Veeam Enterprise / Commvault / Zerto
Air-gapped tape library for critical data (annually, 10 years)
Dedicated recovery site / Cloud DR (Azure Site Recovery, Zerto)
Separate backup AD infrastructure (ransomware on production AD does not compromise backup AD)
Microsoft 365 Backup - Often Overlooked!
Microsoft operates the service and guarantees its availability; it does not provide a point-in-time backup of your tenant data (shared responsibility model):
Standard retention in M365:
Deleted emails: recoverable from Recoverable Items for 14–30 days by default (longer only with retention policies or litigation hold)
Deleted Teams messages: 30 days
SharePoint/OneDrive: recycle bin 93 days; version history capped (500 major versions by default)
Not covered:
- Ransomware that encrypts SharePoint/OneDrive
- Malicious deletion by insiders
- Accidental mass deletion
- Data after the retention period expires
M365 Backup Solutions:
- Veeam Backup for Microsoft 365
- Acronis Cyber Protect Cloud
- Druva inSync
- NAKIVO for M365
Recovery Tests: The Most Important Step, and the Most Often Skipped
Untested backups are worthless. Backups fail at restore time for reasons such as:
- Backup job failed, nobody acted on the alert
- Restore tool (and its licence key) is not available on the recovery system
- Backup chain contains only incrementals; the full backup they depend on was deleted
- Storage medium is defective (failed disk, tape with a hard read error)
- Recovery procedure was never documented, and the one person who knew it is unavailable
Recommended Test Frequency:
| Backup Type | Restore Test Frequency |
|---|---|
| Critical systems (DC, ERP) | Monthly |
| Important systems (file servers) | Quarterly |
| Standard systems | Semi-annually |
| Full DR test | Annually |
Automated SureBackup (Veeam):
Every morning: Veeam boots the latest restore points of selected VMs straight from the backup repository into an isolated virtual lab with no route to the production network
Boot test: does the OS start and answer heartbeat/ping?
Application test: do role-specific scripts succeed (e.g. a DNS query against the restored DC, a SQL query against the database)?
Result: report by email per VM, "Backup OK" or "Verification failed"
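Two of the failure reasons above can be caught without any vendor tooling: a restore whose files silently differ from what was backed up, and an incremental chain whose full backup no longer exists. The following Python script is an added example (not Veeam SureBackup code and not from the author) that does both: it builds a SHA-256 manifest at backup time, verifies a restored tree against it, and walks an incremental chain back to its full backup. The manifest and chain structures, the file names and the restore points are assumptions constructed here so the script runs offline.

```python
"""Restore-test helpers: checksum manifest verification and backup-chain check.

Added example for this article; not Veeam SureBackup code and not from the
author. The manifest and chain structures are assumptions, and the sample
files and restore points below are constructed so the script runs offline.
"""
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """SHA-256 of every file under root, keyed by POSIX-style relative path.
    Build this at backup time and store it alongside the immutable copy."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict[str, list[str]]:
    """Compare a restored tree with the manifest: missing files, files whose
    content differs (truncated or tampered), and files that should not be there."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "corrupt": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def chain_is_restorable(chain: list[dict], target: str) -> tuple[bool, str]:
    """Walk an incremental chain from `target` back to a full backup.

    Entry shape (assumption): {"id": str, "type": "full" | "incremental",
                               "parent": str | None, "ok": bool}
    where ok means the job succeeded and the restore point verified.
    The 'incrementals without a full backup' failure shows up here as a
    parent that no longer exists.
    """
    by_id = {e["id"]: e for e in chain}
    seen: set[str] = set()
    current: str | None = target
    while current is not None:
        if current in seen:
            return False, f"cycle at {current}"
        seen.add(current)
        entry = by_id.get(current)
        if entry is None:
            return False, f"restore point {current} is missing (base backup deleted?)"
        if not entry["ok"]:
            return False, f"restore point {current} failed"
        if entry["type"] == "full":
            return True, f"full backup {current} reachable via {len(seen)} restore point(s)"
        current = entry["parent"]
    return False, "chain ends without a full backup"


def demo() -> dict:
    """Run both checks on constructed data."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "source"), Path(tmp, "restored")
        (src / "db").mkdir(parents=True)
        (dst / "db").mkdir(parents=True)
        (src / "db" / "erp.bak").write_bytes(b"constructed ERP dump, full length")
        (src / "config.ini").write_text("mode=prod\n")
        manifest = build_manifest(src)
        # Simulated bad restore: the dump was silently truncated, config.ini never restored
        (dst / "db" / "erp.bak").write_bytes(b"constructed ERP dump")
        restore = verify_restore(manifest, dst)
    chain = [
        {"id": "F1", "type": "full", "parent": None, "ok": True},
        {"id": "I1", "type": "incremental", "parent": "F1", "ok": True},
        {"id": "I2", "type": "incremental", "parent": "I1", "ok": False},  # job failed
        {"id": "I3", "type": "incremental", "parent": "I2", "ok": True},
        {"id": "I9", "type": "incremental", "parent": "F0", "ok": True},   # F0 was deleted
    ]
    return {"restore": restore,
            "I1": chain_is_restorable(chain, "I1")[0],
            "I3": chain_is_restorable(chain, "I3")[0],
            "I9": chain_is_restorable(chain, "I9")[0]}


if __name__ == "__main__":
    print(demo())
```

The manifest belongs with the immutable copy, not on the production file server: if ransomware can rewrite the manifest, it can hide a corrupted backup. A restore test passes only when all three lists come back empty and the chain walk reaches a verified full backup.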
Disaster Recovery: More Than Just Backup
Disaster Recovery (DR) is the process of restoring operations after a complete failure:
Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
Company A defines:
ERP system: RTO = 4 hours, RPO = 1 hour
Meaning:
After a failure: the system must be operational again within 4 hours at most
Data loss: at most 1 hour of transactions, so a restore point must exist at least every hour, and the job itself must finish well within that hour
Technical implementation:
Synchronous replication: RPO = ~0 (no data loss), expensive
Hourly snapshots: RPO = 1 hour, inexpensive
Daily backup: RPO = 24 hours, very inexpensive
DR Scenarios for Ransomware
Scenario: Ransomware encrypts 80% of the systems
Question 1: Which systems should be restored first?
Priority 1: Active Directory (everything else depends on it; restore from a restore point verified clean, then reset the krbtgt account and all privileged credentials before anything rejoins the domain)
Priority 2: VPN + Email (communication and remote access)
Priority 3: ERP/Core Business
Question 2: From which backup?
→ Backup taken before the ransomware infection (often weeks earlier!)
→ Analysis required: When was the "clean state"?
Question 3: Restore to which environment?
→ NOT to the infected environment
→ Set up a clean, fresh infrastructure
→ Then restore from the backup
Question 4: How long will this take?
100 servers × 2 hours restore = 200 restore-hours; with 10 parallel restore streams, 20 hours at best
→ In practice the streams share the repository's read throughput, a few large systems sit on the critical path, and the AD dependency serializes the first phase, so the real figure is higher; RTO planning must be based on measured restore times, not on the back-of-the-envelope division
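The two calculations in this section (what RPO a backup schedule really delivers, and how long a mass restore takes) are worth putting into a small model, because the "200 hours / 10 streams" division hides the repository bottleneck and the tier ordering. The following Python script is an added example, not the author's tooling: it schedules a constructed server estate over parallel restore streams that share one repository throughput ceiling and reports which systems miss their RTO. All server names, sizes, RTO values and throughput figures are assumptions.

```python
"""RTO/RPO feasibility check for a restore plan.

Added example for this article, not the author's tooling. It works through
the RPO a backup schedule can actually deliver and the wall-clock time a
tiered mass restore needs with parallel streams, adding the constraint the
rough 'restore-hours / streams' figure leaves out: every stream reads from
the same repository, so its throughput caps the parallelism. The server
list, sizes and throughput numbers are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
import heapq


@dataclass
class Server:
    name: str
    tier: int        # restore order: 1 = AD, 2 = VPN/mail, 3 = ERP, 4 = everything else
    size_gb: float
    rto_h: float     # agreed RTO for this system


def achievable_rpo_h(backup_interval_h: float, job_duration_h: float) -> float:
    """Worst-case data loss for a schedule: a failure just before the running job
    commits loses the whole interval plus the job's own runtime. 'Hourly backups'
    therefore only deliver RPO = 1 h if the job itself is near-instant."""
    return backup_interval_h + job_duration_h


def plan_restore(servers: list[Server], streams: int,
                 stream_gb_h: float, repo_gb_h: float) -> dict:
    """Greedy tier-ordered schedule over `streams` parallel restore streams.

    Each stream nominally moves stream_gb_h, but the repository can only serve
    repo_gb_h in total, so the effective per-stream rate is the minimum of the two.
    Within a tier, larger servers start first (longest-job-first) so one big
    system is not the last thing to be started.
    """
    rate = min(stream_gb_h, repo_gb_h / streams)
    order = sorted(servers, key=lambda s: (s.tier, -s.size_gb))
    free_at = [0.0] * streams           # min-heap: hour at which each stream becomes free
    heapq.heapify(free_at)
    finish: dict[str, float] = {}
    for s in order:
        start = heapq.heappop(free_at)
        finish[s.name] = start + s.size_gb / rate
        heapq.heappush(free_at, finish[s.name])
    total_gb = sum(s.size_gb for s in servers)
    return {
        "per_stream_gb_h": rate,
        "naive_h": total_gb / (streams * stream_gb_h),   # the back-of-the-envelope figure
        "throughput_bound_h": total_gb / repo_gb_h,      # lower bound set by the repository
        "makespan_h": max(finish.values()),              # what the schedule actually needs
        "finish_h": finish,
        "rto_violations": sorted(s.name for s in servers if finish[s.name] > s.rto_h),
    }


def demo() -> dict:
    """Constructed estate: 2 DCs, VPN, mail, one large ERP, seven file servers."""
    estate = [
        Server("dc01", 1, 200, 2), Server("dc02", 1, 200, 2),
        Server("vpn01", 2, 200, 4), Server("mail01", 2, 800, 4),
        Server("erp01", 3, 2000, 4),
    ] + [Server(f"fs{i:02d}", 4, 1000, 24) for i in range(1, 8)]
    # 10 streams at 500 GB/h each, but the repository only reads 2000 GB/h in total
    return plan_restore(estate, streams=10, stream_gb_h=500, repo_gb_h=2000)


if __name__ == "__main__":
    p = demo()
    print(f"naive {p['naive_h']:.1f} h, repository bound {p['throughput_bound_h']:.1f} h, "
          f"actual makespan {p['makespan_h']:.1f} h, RTO missed: {p['rto_violations']}")
    print(f"hourly job that takes 10 min: worst-case RPO = {achievable_rpo_h(1, 10 / 60):.2f} h")
```

In the constructed estate the naive figure is about 2 hours, the repository ceiling says 5, and the real schedule needs 10 because the 2 TB ERP system cannot be split across streams; it is the only system that misses its RTO. That is the typical outcome: a single large system with a tight RTO needs replication or local snapshots, not a faster mass-restore plan.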
Backup Checklist: Audit Your Backup Strategy
□ Is the 3-2-1-1-0 rule implemented?
□ Is there at least one immutable/offline copy available?
□ Is M365 (email, SharePoint, Teams) backed up separately?
□ Is the backup infrastructure separated from the primary network?
(Separate AD domain, separate credentials for backup access)
□ Are backup jobs monitored daily for success?
□ Are restore tests performed and documented on the schedule above (monthly for critical systems, a full DR test annually)?
□ RTO and RPO defined for critical systems?
□ Disaster recovery plan documented and known?
□ Annual DR test performed?
□ Retention periods (GoBD: 10 years for accounting documents)?
Compliance Requirements
GoBD: 6–10 years for tax-relevant documents. Backups must ensure immutable storage (WORM or audit-proof archiving).
BSI IT-Grundschutz CON.3: Detailed data backup concept required.
NIS2 Art. 21: Business continuity and backup explicitly required.
ISO 27001 A.8.13: Data backup – regular tests of recoverability.
GDPR Art. 32: Recoverability of personal data as a technical measure.
Sources & References
- [1] Veeam Data Protection Trends Report 2024 - Veeam
- [2] NIST SP 800-34 Rev. 1: Contingency Planning Guide - NIST
- [3] BSI IT-Grundschutz CON.3: Datensicherungskonzept - BSI
About the Author
Managing partner of AWARE7 GmbH with many years of expertise in information security, penetration testing and IT risk management. Graduate of the Master's programme in Internet Security at Westfälische Hochschule (if(is), Prof. Norbert Pohlmann). Best-selling author with Wiley-VCH and lecturer at the ASW-Akademie. His assessments of cyber security and digital sovereignty have appeared in Welt am Sonntag, WDR, Deutschlandfunk and Handelsblatt, among others.
10 Publications
- Einsatz von elektronischer Verschlüsselung - Hemmnisse für die Wirtschaft (2018)
- Kompass IT-Verschlüsselung - Orientierungshilfen für KMU (2018)
- IT Security Day 2025 - Live Hacking: KI in der Cybersicherheit (2025)
- Live Hacking - Credential Stuffing: Finanzrisiken jenseits Ransomware (2025)
- Keynote: Live Hacking Show - Ein Blick in die Welt der Cyberkriminalität (2025)
- Analyse von Angriffsflächen bei Shared-Hosting-Anbietern (2024)
- Gänsehaut garantiert: Die schaurigsten Funde aus dem Leben eines Pentesters (2022)
- IT Security Zertifizierungen — CISSP, T.I.S.P. & Co (Live-Webinar) (2023)
- Sicherheitsforum Online-Banking — Live Hacking (2021)
- Nipster im Netz und das Ende der Kreidezeit (2017)