3-2-1-1 backup strategy for ransomware defence


Ransomware operators know that organisations with working backups rarely pay. That’s why modern attacks specifically target backup systems before triggering encryption.

If you are dealing with an attack or suspect that something is wrong, contact Zensec now and speak with a response specialist who can help you contain the threat, assess your exposure and guide your cybersecurity team through the next steps.

This guide breaks down each component of the 3-2-1-1 formula, explains the practical options for creating an untouchable backup copy, and covers what industry authorities recommend for ransomware-resilient data protection.

Decoding the 3-2-1-1 formula

The 3-2-1-1 backup strategy is an evolution of the classic 3-2-1 rule, with one key addition: an immutable or offline copy that ransomware cannot touch. In practice, this means keeping three copies of your data on two different media types, with one copy stored offsite and one copy that is either physically disconnected from your network or locked so it cannot be changed or deleted.

The original 3-2-1 rule was created by photographer Peter Krogh over twenty years ago. It worked well for protecting against hardware failures, accidental deletions, and natural disasters like fires or floods. But ransomware has changed the game entirely.

Modern ransomware doesn’t just encrypt your files and hope for the best. Attackers now spend days or even weeks inside a network before triggering encryption, and during that time, they’re hunting for backups. They know that if you can restore from backup, you won’t pay the ransom. So they delete your backups first.

That’s where the extra “1” comes in. Here’s what each number represents:

  • 3 copies of data: Your live production data plus two backup copies. If one backup fails, you still have another.
  • 2 different media types: Backups stored on different technologies, like local disk and cloud storage, or disk and tape. A failure affecting one type won’t affect the other.
  • 1 offsite copy: At least one backup in a separate physical location. This protects against localised events like office fires or flooding.
  • 1 offline or immutable copy: A backup that attackers cannot reach or alter, even if they compromise your entire network. This is the ransomware-specific addition.

The critical difference between offsite and offline

Here’s where many organisations get tripped up: they assume that “offsite” and “offline” mean the same thing. They don’t, and confusing the two can leave you completely exposed during a ransomware attack.

An offsite backup simply lives in a different location. Your cloud backup in AWS or Azure counts as offsite. A backup stored at a secondary office counts as offsite. But if your servers can connect to that backup location over the network, then ransomware can connect to it too.

Think of it this way: if you can mount a drive, delete a file, or browse a folder from your compromised server, so can the attacker. Ransomware operators routinely steal administrator credentials and use them to log into backup systems, delete recovery points, and wipe out cloud repositories before anyone notices.

An offline or immutable backup breaks that chain of access:

  • Air-gapped (physically offline): The backup media has no network connection whatsoever. A tape cartridge sitting in a vault is air-gapped. An external hard drive locked in a safe is air-gapped. No cable, no connection, no way for ransomware to reach it.
  • Immutable (logically offline): The backup exists on connected storage, but special settings prevent anyone from modifying or deleting it. Once data is written, it’s locked for a set period. Even someone with full administrator access cannot change it.

During ransomware incidents, Zensec’s response teams often encounter organisations that thought their cloud backups were safe. In many cases, attackers had already deleted those backups days before triggering the encryption. The organisations only discovered this when they tried to restore.

How to implement the final “1”

Creating an offline or immutable backup doesn’t require expensive or exotic technology. Several approaches exist, and the right choice depends on your budget, technical resources, and how quickly you’d want to recover.

Physical air-gap with tape

Tape storage has made a comeback in the ransomware era, and for good reason. When a tape cartridge is ejected from the drive and placed on a shelf, it’s completely offline. There’s no network path, no credentials to steal, no way for an attacker to reach it remotely.

Modern LTO-9 tapes hold up to 18TB of uncompressed data, and the media itself is relatively inexpensive at around £15-£30 per cartridge. The trade-off is speed. Restoring from tape takes longer than restoring from disk, and you’ll have physical media to manage and rotate. For many organisations, though, the certainty of having an untouchable backup is worth the extra recovery time.

Immutable object storage

Major cloud providers now offer immutability features that lock backup data for a specified retention period. AWS S3 Object Lock, Azure Blob Immutability, and similar services allow you to write data once and prevent any changes until the retention period expires.

The key distinction is between “Governance Mode” and “Compliance Mode.” Governance Mode allows administrators with special permissions to override the lock. Compliance Mode removes that override entirely. For ransomware protection, Compliance Mode is the stronger choice because even a compromised administrator account cannot delete the backups.

Recovery from immutable cloud storage is typically faster than tape, and there’s no physical media to manage. The ongoing storage costs vary by provider but generally run between £0.01 and £0.03 per GB per month.

Hardened Linux repositories

A dedicated Linux server with restricted access and immutability settings can serve as a lower-cost alternative to cloud immutable storage. By disabling remote access, removing unnecessary services, and applying file-level immutability flags, you can create a backup target that resists tampering.

This approach requires more technical expertise to set up and maintain securely. However, it can work well for organisations with existing Linux skills and available hardware.

Approach                    Recovery speed   Upfront cost                      Ongoing cost         Technical complexity
Tape (air-gapped)           Slower           £2,000-£5,000 for hardware        Low (media only)     Low
Immutable cloud storage     Fast             Minimal                           Variable by usage    Moderate
Hardened Linux repository   Fast             Low if using existing hardware    Low                  High

The 3-2-1-1-0 variant explained

Some organisations extend the 3-2-1-1 strategy by adding a “0” at the end. The zero stands for zero errors, meaning every backup is verified to confirm it can actually be restored.

An immutable backup is only useful if the data inside it is intact and recoverable. Without regular testing, you might discover during an actual incident that your backup is corrupted, incomplete, or missing critical files. By then, it’s too late.

Backup verification can be as simple as automatically restoring a sample of files and checking their integrity. More advanced approaches, like Veeam’s SureBackup feature, spin up virtual machines from backup files and confirm that the operating system boots and applications respond correctly.

The goal is straightforward: don’t wait until you’re facing a ransom demand to find out whether your backups work.
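The rules from the sections above, including the offsite versus offline distinction, the Governance versus Compliance Mode point and the “0” of verified restores, as an added example that is not Zensec’s tooling: a small checker that scores a constructed backup inventory against 3-2-1-1-0. The 30-day dwell-time and verification intervals are assumed parameters, not figures from the article.

```python
# Added example (not Zensec's tooling): score a backup inventory against 3-2-1-1-0.
# Inventories are constructed; the 30-day dwell and verification intervals are assumptions.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Copy:
    name: str
    media: str                 # "disk", "tape", "object-storage", ...
    offsite: bool
    reachable_from_prod: bool  # can a production server mount, browse or delete it?
    immutable_mode: str = ""   # "", "governance" or "compliance"
    retention_days: int = 0    # length of the immutability lock
    last_verified_days: Optional[int] = None  # days since a successful restore test

def is_untouchable(c: Copy) -> bool:
    """The final '1': air-gapped, or Compliance Mode (Governance Mode can be overridden)."""
    return not c.reachable_from_prod or c.immutable_mode == "compliance"

def evaluate(copies: List[Copy], dwell_days: int = 30, verify_every_days: int = 30) -> List[str]:
    """Return findings (empty = satisfied); live production data counts as one copy on disk."""
    findings = []
    if 1 + len(copies) < 3:
        findings.append(f"3: only {1 + len(copies)} copies in total")
    if len({"disk"} | {c.media for c in copies}) < 2:
        findings.append("2: every copy is on the same media type")
    if not any(c.offsite for c in copies):
        findings.append("1: no offsite copy")
    if not any(is_untouchable(c) for c in copies):
        findings.append("1: no air-gapped or compliance-mode copy")
    for c in copies:
        if c.immutable_mode == "governance" and c.reachable_from_prod:
            findings.append(f"warn: {c.name} uses Governance Mode, which an admin can override")
        if c.immutable_mode and c.retention_days < dwell_days:
            findings.append(f"{c.name}: {c.retention_days}-day lock is shorter than the "
                            f"assumed {dwell_days}-day undetected dwell time")
        if c.last_verified_days is None or c.last_verified_days > verify_every_days:
            findings.append(f"0: {c.name} has no restore test in the last {verify_every_days} days")
    return findings

# Constructed: the "our cloud backups are safe" setup the article warns about ...
BEFORE = [
    Copy("onsite-disk", "disk", offsite=False, reachable_from_prod=True, last_verified_days=7),
    Copy("cloud-bucket", "object-storage", offsite=True, reachable_from_prod=True,
         immutable_mode="governance", retention_days=14),
]
# ... and the same copies after a 30-day Compliance Mode lock and a restore test.
AFTER = [BEFORE[0], Copy("cloud-bucket", "object-storage", offsite=True, reachable_from_prod=True,
                         immutable_mode="compliance", retention_days=30, last_verified_days=3)]
```

Running `evaluate(BEFORE)` returns four findings (no untouchable copy, the Governance Mode warning, a lock shorter than the assumed dwell time, and no restore test on the bucket), while `evaluate(AFTER)` returns an empty list.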

What industry experts recommend

The 3-2-1-1 approach isn’t just a vendor talking point. It’s backed by guidance from recognised authorities in cyber security.

The National Institute of Standards and Technology (NIST) emphasises isolated and offline storage as a critical control for ransomware resilience. While NIST doesn’t use the exact “3-2-1-1” terminology, their guidance in documents like SP 800-209 specifically addresses the importance of recovery environments that attackers cannot reach through compromised production systems.

IDC, the global market intelligence firm, has stated that defeating ransomware requires backup strategies with an offline or immutable component. Their research consistently shows that organisations with immutable backups recover faster and pay ransoms far less often.

Cyber insurance carriers have also adjusted their requirements. Many insurers now ask for evidence of immutable or air-gapped backups before issuing policies. Organisations that cannot demonstrate this capability may face higher premiums or outright denial of coverage.

Tip: When discussing backup strategies with insurers or auditors, be prepared to show documentation of successful restore tests, not just the existence of immutable backups.

Why the 3-2-1-1 strategy defeats ransomware

The original 3-2-1 rule was designed for accidents and disasters. The 3-2-1-1 rule is designed for attackers who are actively trying to destroy your ability to recover.

Ransomware operators understand that organisations with working backups rarely pay ransoms. As a result, they’ve developed specific tactics to eliminate backups before triggering encryption:

  • Deleting local shadow copies and backup files
  • Using stolen credentials to access and encrypt cloud backup repositories
  • Corrupting backup catalogues so that intact backup files become unusable
  • Waiting until older backup retention points expire before launching the attack

An immutable or offline copy defeats all of these tactics. Even if every other system in your environment is compromised, that final copy remains intact because it exists outside the attacker’s reach.

The difference in outcomes is significant. Organisations with properly implemented 3-2-1-1 strategies typically recover within days without paying ransoms. Organisations without this protection often face weeks of downtime and difficult decisions about whether to pay attackers who may or may not provide working decryption keys.

Contact Zensec immediately for urgent ransomware recovery support.

Frequently asked questions

How often should immutable backups be updated?

The right frequency depends on your recovery point objective, or RPO, which is the maximum amount of data loss your organisation can tolerate. Most organisations create immutable backups daily, though systems with frequently changing critical data may warrant more frequent snapshots. Retention periods for immutability typically range from 14 to 90 days, balancing storage costs against the risk of needing to restore from a point before an undetected compromise began.

Can ransomware encrypt data before it reaches an immutable backup?

Yes, and this is why verification and multiple retention points matter. If ransomware encrypts files on your production systems and those encrypted files are then backed up, your immutable backup will contain encrypted data. Maintaining several days or weeks of retention points allows you to restore from a backup created before the encryption occurred. Regular verification helps confirm that your recovery points contain usable data.
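The simple form of verification described earlier (restore a sample of files and check their integrity), as an added example that is not Zensec’s or any vendor’s code: a SHA-256 manifest recorded when the backup set is written, then compared against a sample restore. The backup set and the damaged copy are constructed in memory so the example runs offline.

```python
# Added example (not Zensec's or any vendor's code): the '0' of 3-2-1-1-0 as a
# SHA-256 manifest written with the backup, then checked against a sample restore.
# The backup set and the damaged copy are constructed in memory.
import hashlib
import random
from typing import Callable, Dict, Optional

def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every file at backup time; keep the manifest with the backup set."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def verify_sample(manifest: Dict[str, str], restore: Callable[[str], Optional[bytes]],
                  sample_size: int, seed: Optional[int] = None) -> Dict[str, str]:
    """Restore `sample_size` randomly chosen files and report each one that is
    missing or whose content no longer matches its recorded hash."""
    rng = random.Random(seed)
    problems = {}
    for path in rng.sample(sorted(manifest), min(sample_size, len(manifest))):
        data = restore(path)
        if data is None:
            problems[path] = "missing"
        elif hashlib.sha256(data).hexdigest() != manifest[path]:
            problems[path] = "hash mismatch"
    return problems

# Constructed backup set and the manifest recorded when it was written.
BACKUP = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'Ada');\n",
    "config/app.yaml": b"db_host: db01\nlog_level: info\n",
    "docs/runbook.md": b"# Restore runbook\n1. Mount the immutable copy.\n",
}
MANIFEST = build_manifest(BACKUP)

# Constructed damaged copy: one file truncated, one deleted.
DAMAGED = dict(BACKUP)
DAMAGED["db/customers.sql"] = DAMAGED["db/customers.sql"][:10]
del DAMAGED["config/app.yaml"]

def restore_good(path: str) -> Optional[bytes]:
    return BACKUP.get(path)

def restore_damaged(path: str) -> Optional[bytes]:
    return DAMAGED.get(path)

if __name__ == "__main__":
    print(verify_sample(MANIFEST, restore_good, sample_size=3))     # {}
    print(verify_sample(MANIFEST, restore_damaged, sample_size=3))  # two problems
```

A manifest check proves the copy still matches what was written, not that what was written was clean: files already encrypted on production before the backup ran will verify as intact, which is why several retention points are needed alongside verification.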

What’s the cost difference between tape and immutable cloud storage?

Tape has higher upfront costs for hardware, with drives and libraries typically starting around £2,000-£5,000, but very low ongoing media costs at roughly £15-£30 per 18TB cartridge. Cloud immutable storage has minimal upfront costs but ongoing fees that vary by provider, typically £0.01-£0.03 per GB per month. For large data volumes held over long periods, tape often proves more economical. For smaller volumes or organisations that prefer operational expenses over capital expenses, cloud storage may be the better fit.