Ransomware Backup and Recovery Strategy
When ransomware succeeds, backups are what stand between a bad week and a closed business. But the old advice to “keep backups” no longer holds, because modern attackers go looking for your backups and destroy them before they encrypt anything. A backup strategy that survives ransomware has to assume the attacker is hunting it.
The goal is simple to state: have a copy of your data the attacker cannot reach, and know for certain that you can restore it.
The 3-2-1-1-0 rule
| Rule | What it means |
|---|---|
| 3 copies | Keep at least three copies of your data, including the production copy. |
| 2 media types | Store them on at least two different types of media. |
| 1 offsite | Keep one copy offsite, away from the primary environment. |
| 1 immutable or air-gapped | Keep one copy that cannot be altered or deleted, isolated from the network attackers reach. |
| 0 errors | Test restores regularly so you have zero errors on recovery. An untested backup is a hope, not a plan. |
The classic 3-2-1 backup rule grew two more digits for the ransomware era. The added copies are the ones that matter most when an attacker has admin rights and is deleting everything reachable.
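As an added illustration (not code from the original article), a small Python checker that scores a backup inventory against the five digits of the rule; the inventory schema, the 90-day restore-test window and the sample copies are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class BackupCopy:
    name: str
    media: str                     # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool                # WORM, object lock, or air-gapped
    deletable_by_prod_admin: bool  # could a compromised domain admin wipe it?
    last_restore_test: Optional[date] = None
    restore_errors: Optional[int] = None  # None means never restore-tested
    is_production: bool = False

def evaluate_3_2_1_1_0(copies, today, max_test_age_days=90):
    """Return {rule: passed} for each digit; production counts only toward 3 and 2."""
    backups = [c for c in copies if not c.is_production]

    def tested_clean(c):
        # Zero errors counts only for a recent test; a stale or missing
        # test is a failure (an untested backup is a hope, not a plan).
        return (c.last_restore_test is not None
                and c.restore_errors == 0
                and (today - c.last_restore_test).days <= max_test_age_days)

    return {
        "3 copies": len(copies) >= 3,
        "2 media types": len({c.media for c in copies}) >= 2,
        "1 offsite": any(c.offsite for c in backups),
        "1 immutable/air-gapped": any(
            c.immutable and not c.deletable_by_prod_admin for c in backups),
        "0 errors": bool(backups) and all(tested_clean(c) for c in backups),
    }

def failed_rules(copies, today):
    return [r for r, ok in evaluate_3_2_1_1_0(copies, today).items() if not ok]

# Constructed sample: production, a nightly copy on a share the domain admin
# can delete, and an object-locked offsite copy nobody has ever restored from.
AS_OF = date(2024, 6, 1)  # constructed evaluation date
SAMPLE = [
    BackupCopy("prod-fileserver", "disk", False, False, True, is_production=True),
    BackupCopy("nas-nightly", "disk", False, False, True, date(2024, 5, 1), 0),
    BackupCopy("s3-objectlock", "object-storage", True, True, False),
]

if __name__ == "__main__":
    for rule, ok in evaluate_3_2_1_1_0(SAMPLE, AS_OF).items():
        print(f"{'PASS' if ok else 'FAIL'}  {rule}")
```

The sample passes the first four digits and fails only "0 errors", because the one copy the attacker cannot delete has never been proven restorable.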
How to recover without reinfecting
Restoring from backup is not just copying files back. Do it in the wrong order and you reinfect the systems you just cleaned. The sequence matters.
[[INSIGHT: The most expensive words during a ransomware recovery are “we had backups.” Having them is not the same as restoring them. The only backup that counts is the one you have tested, and the only safe one is the copy the attacker could not delete.]]
- Modern ransomware hunts and deletes backups before encrypting, so reachable backups are targets.
- Follow the 3-2-1-1-0 rule: three copies, two media, one offsite, one immutable, zero recovery errors.
- Confirm clean backups before you touch infected systems.
- Rebuild heavily infected systems from trusted images, then restore data.
- Reset credentials before reconnecting, and watch for reinfection.
Frequently asked questions
What is the 3-2-1-1-0 backup rule?
Three copies of data, on two media types, with one offsite, one immutable or air-gapped, and zero errors on recovery testing. It is a ransomware-resilient evolution of the classic 3-2-1 rule.
Why do backups need to be immutable or offline?
Modern ransomware actively hunts and deletes backups and shadow copies before encrypting. A backup reachable from the network can be destroyed. Immutable or air-gapped copies cannot.
Why rebuild from images instead of cleaning infected systems?
Cleaning in place risks leaving persistence mechanisms or backdoors behind. Rebuilding heavily infected systems from trusted images gives a known-good starting point.
What does zero errors mean in the rule?
It means testing your restores. A backup you have never restored is unproven. Regular recovery testing is what turns a backup into a recovery capability.