Immutable backups: the only guarantee against ransomware
Industry surveys of 2024 incidents report that the large majority of ransomware attacks (93% in one widely cited figure) explicitly targeted backup repositories before encrypting production data. The old safety net no longer works when attackers know to cut the rope first.
Immutable backups change this dynamic by creating recovery points that cannot be modified, deleted, or encrypted for the duration of their retention period, even by someone holding full administrator credentials. Implementing this technology is a cornerstone of business continuity planning, because it ensures your data remains recoverable even while the rest of the estate is under siege.
What are immutable backups?
Immutable backups are backup files that, once written, cannot be altered, deleted, or encrypted for a predetermined retention period. The storage works on a "write once, read many" (WORM) principle: the storage layer accepts new data but rejects any request to modify or remove existing files until the retention window expires. The important point is where the enforcement sits. It is the storage platform, not the backup application, that refuses the request, so compromising the backup server's own credentials is not enough to undo it.
To put it another way, think of a safety deposit box with a time lock. Even if someone steals your keys, they cannot open the box until the timer runs out. This characteristic makes an immutable backup solution fundamentally different from traditional backups, which can be overwritten or deleted by anyone with sufficient access privileges.
The concept originated in physical media such as CD-Rs and WORM tape drives, but modern implementations use cloud object storage or hardened on-premises repositories.
Whether stored in AWS S3, Azure Blob, or a Linux-based backup appliance, the underlying principle remains the same: the backup storage is locked to ensure data availability.
Why standard backups fail against modern ransomware
Here’s something that surprises many IT leaders: having a data backup is no longer enough. Modern ransomware operators have adapted their tactics specifically to neutralise traditional backup strategies before encrypting production systems.
The typical attack chain now follows a predictable pattern. First, attackers gain access through phishing, exposed remote desktop protocol (RDP), or a vulnerable application. Next, they escalate privileges by stealing administrator credentials, often waiting weeks while gathering intelligence about the network. Then, using those admin credentials, they locate and delete or encrypt mutable backup files. Only after backups are compromised do they encrypt production systems and demand payment.
When attackers reach this phase against immutable storage, the platform simply rejects the deletion command. Immutability does not shorten your recovery point objective (RPO), which is set by how often you back up; what it guarantees is that the recovery points you have already taken survive, so a clean point from before the intrusion is still there to restore from.
- Standard backups: attackers with admin credentials can delete or encrypt backup files before launching the main attack.
- Immutable backups: the storage system rejects modification commands regardless of who issues them, preserving recovery options.
This distinction explains why Zensec’s incident response teams consistently find that organisations with properly configured immutable backups recover faster and avoid ransom payments entirely.
How immutable backup technology works
Understanding the mechanics helps explain why immutable backups protect organisations. Three primary implementation methods exist, each suited to different environments and recovery requirements.
Object Lock for cloud storage
Most major cloud storage providers offer Object Lock, or an equivalent immutability feature, for their object storage. AWS S3, Wasabi and Backblaze B2 implement the S3 Object Lock API; Azure Blob Storage offers time-based retention policies and legal holds under the name immutable storage. In each case the retention is applied per object version rather than to the bucket as a whole, and a bucket's default retention applies only to objects written after it is set, so existing unlocked objects are not protected retroactively.
S3-style Object Lock offers two retention modes. In governance mode the lock holds against ordinary users, but a principal granted the bypass permission (s3:BypassGovernanceRetention) can shorten the retention or delete the object version, provided the request explicitly asserts the bypass; that makes it suitable for testing and development, where a mistake must be reversible. In compliance mode nobody can delete the locked version or shorten its retention before the retain-until date, not even the account's root user, and retention can only be extended. Compliance mode is the right choice for production ransomware protection, with one caveat worth stating plainly: a mis-sized retention period is a commitment you cannot undo, and you pay for the storage until it expires. Independently of either mode, a legal hold blocks deletion until it is explicitly removed.
| Mode | Who can delete before retention expires? | Best for |
|---|---|---|
| Governance Mode | Only principals granted the bypass permission, and only when the request asserts it | Testing and development |
| Compliance Mode | Nobody, including the account's root user; retention can be extended but not shortened | Production backups and disaster recovery |
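As an added illustration (this is not code from the page, from AWS, or from any backup vendor), the following Python models the Object Lock rules in the table above and then replays the attack chain from the earlier section against a small set of backups: an attacker holding stolen administrator credentials, including the governance bypass permission, tries to delete every backup version by id and to shorten the remaining retention. The bucket, caller names, file names and dates are constructed for the example; the behaviour mirrors the documented semantics (governance bypass, compliance mode refusing both deletion and shortening, legal hold, and a version-less delete writing only a delete marker).

```python
"""Toy model of S3-style Object Lock semantics (added example, not AWS code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

T0 = datetime(2024, 3, 1, tzinfo=timezone.utc)  # constructed reference date


def day(n: int) -> datetime:
    """Helper for the example timeline: n days after T0."""
    return T0 + timedelta(days=n)


class Mode(Enum):
    GOVERNANCE = "GOVERNANCE"
    COMPLIANCE = "COMPLIANCE"


@dataclass
class Version:
    key: str
    version_id: str
    created: datetime
    mode: Optional[Mode] = None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False
    delete_marker: bool = False


@dataclass
class Caller:
    name: str
    can_bypass_governance: bool = False  # holds s3:BypassGovernanceRetention


class LockedBucket:
    def __init__(self) -> None:
        self.versions: list[Version] = []

    def put(self, key, created, mode=None, retain_days=None, legal_hold=False):
        until = created + timedelta(days=retain_days) if retain_days else None
        v = Version(key, f"v{len(self.versions) + 1}", created, mode, until, legal_hold)
        self.versions.append(v)
        return v

    def _find(self, version_id):
        return next((v for v in self.versions if v.version_id == version_id), None)

    def delete(self, caller, key, now, version_id=None, bypass_governance=False):
        """Return (data_removed, reason) for a DeleteObject request."""
        if version_id is None:
            # Versioned bucket: this only writes a delete marker; no data is removed.
            self.versions.append(Version(key, f"dm{len(self.versions) + 1}", now, delete_marker=True))
            return False, "delete marker written; locked versions untouched"
        v = self._find(version_id)
        if v is None:
            return False, "no such version"
        if v.legal_hold:
            return False, "legal hold in place"
        if v.retain_until is not None and now < v.retain_until:
            if v.mode is Mode.COMPLIANCE:
                return False, f"compliance retention until {v.retain_until:%Y-%m-%d}"
            if not (bypass_governance and caller.can_bypass_governance):
                return False, "governance retention; bypass not permitted or not asserted"
        self.versions.remove(v)
        return True, "deleted"

    def set_retention(self, caller, version_id, new_until, bypass_governance=False):
        """Return (changed, reason). Compliance retention can only move later."""
        v = self._find(version_id)
        if v is None:
            return False, "no such version"
        shortening = v.retain_until is not None and new_until < v.retain_until
        if shortening and v.mode is Mode.COMPLIANCE:
            return False, "compliance retention cannot be shortened"
        if shortening and not (bypass_governance and caller.can_bypass_governance):
            return False, "shortening governance retention needs bypass permission"
        v.retain_until = new_until
        return True, "retention updated"


def attacker_sweep(bucket, attacker, now):
    """Attacker with stolen admin rights deletes every version by id.
    Returns the keys of the backups that survive (delete markers ignored)."""
    for v in list(bucket.versions):
        if not v.delete_marker:
            bucket.delete(attacker, v.key, now, version_id=v.version_id, bypass_governance=True)
    return [v.key for v in bucket.versions if not v.delete_marker]


def latest_clean_recovery_point(bucket, compromised_at):
    """Most recent surviving backup taken before the attacker got in, or None."""
    clean = [v for v in bucket.versions if not v.delete_marker and v.created < compromised_at]
    return max(clean, key=lambda v: v.created) if clean else None


def demo():
    """Constructed timeline: attacker enters on day 40, sweeps on day 50."""
    b = LockedBucket()
    b.put("backup-day01.vbk", day(0), Mode.COMPLIANCE, retain_days=60)
    b.put("backup-day15.vbk", day(14), Mode.GOVERNANCE, retain_days=60)
    b.put("backup-day30.vbk", day(29))                       # never locked
    b.put("backup-day45.vbk", day(44), Mode.COMPLIANCE, retain_days=60)
    attacker = Caller("stolen-admin", can_bypass_governance=True)
    survivors = attacker_sweep(b, attacker, now=day(50))
    clean = latest_clean_recovery_point(b, compromised_at=day(40))
    return survivors, clean.key if clean else None
```

In the constructed run only the two compliance-mode copies survive the sweep: the governance-mode copy falls to the bypass permission the stolen admin account carries, and the unlocked copy simply goes. The day-45 copy survives but was taken after the intrusion began, so it may already contain the attacker's tooling; the last clean recovery point is day 1, which is the practical argument for sizing retention against attacker dwell time rather than against storage cost alone.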
Hardened Linux repositories
For organisations that need fast local recovery, hardened Linux-based backup repositories provide on-premises immutability. The usual mechanism is the Linux immutable file attribute (set with chattr +i): the backup software writes each backup file through a narrowly scoped transport service, the file is then marked immutable for the retention period, and the kernel refuses any rename, truncate, overwrite or unlink of it, whoever issues the command, until the attribute is cleared.
The protection therefore rests on nobody being able to clear that attribute from the network. In practice that means the repository host holds no standing credentials the backup server could be tricked into reusing, remote SSH access is disabled or restricted after deployment, and the backup server never connects to the repository as root. Root or physical access to the repository host itself defeats the lock, which is why a hardened repository is normally paired with an off-site immutable copy. Done properly, this approach combines the speed of local storage with the assurance of immutability, which matters most when recovery time is critical.
Air-gapped and offline storage
Air-gapped backups take a different approach: the storage, typically rotated tape or removable disk, is physically disconnected from the network. While not "immutable" in the software sense, air-gapping achieves a similar outcome, since attackers cannot reach what they cannot connect to. The caveat is the backup window itself: media is reachable while it is mounted, so the process that connects and disconnects it must be trustworthy and the mounted period kept short.
Many organisations combine air-gapping with immutability to achieve defence-in-depth, ensuring critical data remains safe. The immutable copy provides rapid recovery, while the air-gapped copy serves as a last resort if the primary backup infrastructure fails catastrophically.
Benefits beyond ransomware protection
Even though ransomware resilience drives adoption, immutable backups matter for several other reasons. These include:
Regulatory compliance and audit trails
Industries with strict data retention requirements (such as financial services, healthcare, and legal) benefit from immutability’s built-in compliance features.
Because locked copies cannot be altered, and most platforms record a checksum of each object when it is written, the backup set gives auditors and regulators demonstrable evidence that records have not been modified since they were retained.
For organisations subject to FCA regulations or handling NHS data, this audit trail can mean the difference between passing and failing a compliance review.
Insider threat protection
Not all data destruction is caused by external attackers. Disgruntled employees, accidental deletions by tired administrators, or simple human error can devastate an organisation’s data. Immutable backups protect against the accidental “delete everything” command just as effectively as they protect against ransomware.
Legal hold and forensic preservation
When litigation requires preserving data in its original state, immutable backups provide a verifiable chain of custody. Lawyers and forensic investigators can demonstrate that evidence hasn’t been tampered with, which proves invaluable during disputes or regulatory investigations.
Common challenges and how to address them
Immutable storage isn’t without complications. Understanding these challenges helps you implement immutable backups effectively.
Storage costs and data growth
If data cannot be deleted, data storage costs accumulate. A misconfigured retention policy or an infected file that gets backed up will consume space until the retention window expires.
The solution involves careful planning. Retention periods of 30 to 90 days cover most ransomware scenarios without excessive expense, but the period must exceed the time an attacker is likely to sit undetected in the network plus the time you need to detect and respond; the attack chain above often runs for weeks before encryption, and a retention window shorter than that leaves every clean recovery point expired by the time you need it. Using tiered storage to move older immutable backups to cheaper archive tiers automatically also helps manage costs over time.
GDPR and the right to erasure
The “right to be forgotten” under GDPR creates an interesting tension with immutable storage. If a customer requests deletion of their personal data, but that data exists in an immutable backup, what happens?
Most legal interpretations accept that storing backup data represents a legitimate technical limitation. Organisations typically document their retention periods, delete data from production systems immediately, and allow the backup to expire naturally. Some implementations use crypto-shredding, destroying the encryption keys for specific data, as an alternative approach.
Testing and validation
An immutable backup that does not actually restore is worthless. Regular recovery testing remains essential, yet many organisations skip it because it is time-consuming. Building testing into the backup schedule (quarterly full recovery tests and monthly partial tests) and checking the restored data against digests recorded at backup time, not merely confirming that the job reported success, is what proves the immutable copies will work when you need them.
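The restore check described above, as an added example rather than code from the page or from any backup product: at backup time a manifest of SHA-256 digests is recorded, authenticated with an HMAC under a key kept outside the backup platform; after a test restore the digests are recomputed and anything missing, altered or unexpected is reported, and a manifest whose HMAC fails is refused rather than trusted. The file contents, paths and key below are constructed for the example.

```python
"""Manifest-based restore verification (added example, not vendor code)."""
import hashlib
import hmac
import json


def build_manifest(files: dict, key: bytes) -> dict:
    """Record a SHA-256 digest per file and authenticate the whole manifest.

    `key` is held in a secrets vault, not on the repository, so an attacker who
    can rewrite backup data cannot also rewrite the manifest to match.
    """
    entries = {path: hashlib.sha256(data).hexdigest() for path, data in sorted(files.items())}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Constant-time check that the manifest has not been tampered with."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_restore(manifest: dict, restored: dict, key: bytes) -> dict:
    """Compare a restored file set against the manifest.

    Returns sorted lists of paths that are missing, changed, or unexpected.
    Raises ValueError if the manifest itself fails authentication.
    """
    if not manifest_is_authentic(manifest, key):
        raise ValueError("manifest MAC does not verify; do not trust this manifest")
    expected = manifest["entries"]
    missing = [p for p in expected if p not in restored]
    changed = [p for p in expected if p in restored
               and hashlib.sha256(restored[p]).hexdigest() != expected[p]]
    unexpected = [p for p in restored if p not in expected]
    return {"missing": sorted(missing), "changed": sorted(changed), "unexpected": sorted(unexpected)}


def demo() -> dict:
    """Constructed run: one file altered and one planted in the restored set."""
    key = b"example-key-held-in-the-secrets-vault"  # constructed, not a real secret
    original = {
        "db/customers.sql": b"INSERT INTO customers VALUES (1, 'Acme');\n",
        "www/index.html": b"<h1>Welcome</h1>\n",
        "etc/app.conf": b"listen = 8443\n",
    }
    manifest = build_manifest(original, key)
    restored = {
        "db/customers.sql": original["db/customers.sql"],
        "www/index.html": b"<h1>Your files are encrypted</h1>\n",  # altered
        "www/README_FOR_DECRYPT.txt": b"...",                      # planted
    }
    return verify_restore(manifest, restored, key)
```

In the constructed run the report names etc/app.conf as missing, www/index.html as changed and the planted note as unexpected; the point is that a restore job can complete "successfully" and still hand back data that is not what was backed up, and only a comparison against digests recorded before the incident will show it.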
Implementing immutable backups in your organisation
Moving from traditional backups to an immutable strategy doesn't require replacing everything overnight. Most organisations follow a phased approach that minimises disruption while incrementally building protection:
- Identify: locate your most critical data.
- Protect: enable immutability for the backup data associated with those systems.
- Refine: review retention policies to balance data security with budget.
Contact Zensec immediately for urgent ransomware recovery support if you're currently experiencing an incident, or reach out to discuss how immutable backups fit into your broader cyber resilience strategy.
Frequently asked questions
What is the difference between immutable and air-gapped backups?
Immutable backups use software controls to prevent modification, while air-gapped backups use physical network separation. Immutable backups remain online and accessible for fast recovery but rely on the storage platform’s security. Air-gapped backups are offline and unreachable by network-based attacks, but require manual processes to access. Many organisations use both for layered protection.
Can ransomware encrypt immutable backups?
Ransomware cannot encrypt properly configured immutable backups because the storage system rejects any write or modification commands to existing data.
However, if immutability wasn't enabled before the attack, or if the retention period has already expired, those backups are ordinary writable files and can be encrypted or deleted like any other. Configuration and timing matter significantly.
How long does immutable backup retention typically last?
Most organisations set retention periods between 30 and 90 days for ransomware protection purposes. Compliance requirements may dictate longer periods; some financial regulations require records to be kept for seven years or more. The right duration depends on your recovery objectives, regulatory obligations, and storage budget.
Do immutable backups cost more than standard backups?
Storage costs are typically 10-30% higher due to the inability to delete data before retention expires and the premium some providers charge for Object Lock features.
However, this cost is relatively small compared to the operational losses from extended downtime or the reputational damage from a successful ransomware attack. When you invest in immutable backups, you’re taking a significant step toward ensuring data integrity in the future.