Backup Security: The Importance of Backups in Data Recovery After a Ransomware Attack
Understand the critical role of Backup Security in surviving ransomware attacks, including the 3-2-1 rule, immutable backups, and effective recovery strategies.
In the contemporary cybersecurity landscape, ransomware has evolved from a sporadic nuisance into a multi-billion-dollar criminal enterprise capable of paralyzing hospitals, pipelines, and multinational corporations. Modern ransomware gangs no longer simply encrypt data; they actively hunt for and destroy an organization's backups before launching the final encryption phase, knowing that crippled backups guarantee a higher probability of extortion payment. Consequently, Backup Security is no longer merely an IT operational task; it is the ultimate failsafe, the last line of defense in an organization's incident response arsenal. When firewalls fail, endpoints are compromised, and data is locked away by malicious cryptography, a secure, resilient backup infrastructure is the only viable path to operational recovery.
Historically, organizations treated backups as an afterthought: tapes shipped to offsite storage, or simple network-attached storage (NAS) drives running automated daily scripts. That approach is inadequate against modern threats. Today's ransomware operators dwell within networks for weeks or months, escalating privileges and mapping the infrastructure. They specifically target backup servers, shortening or disabling retention policies, deleting Volume Shadow Copies, and corrupting backup archives. If an organization's backup security posture is weak, it will find itself in an impossible position: pay the ransom (with no guarantee of data recovery, and funding further criminal activity) or face catastrophic data loss and potential business extinction.
This comprehensive guide explores the critical discipline of Backup Security. We will dissect the core concepts necessary for designing a resilient backup architecture, examine real-world examples where compromised backups led to disastrous consequences, and detail advanced best practices—such as immutable storage and the 3-2-1 rule—to ensure your data can survive even the most sophisticated ransomware assault. Whether you are an IT administrator responsible for data continuity or an incident responder preparing for the worst-case scenario, mastering backup security is essential.
Core Concepts
A robust backup strategy goes far beyond simply making copies of data. It requires a deep understanding of architecture, isolation, and access control. Let us explore the core concepts that define a modern, secure backup environment.
The 3-2-1 Backup Rule (and its Modern Variations)
The foundational principle of data protection is the 3-2-1 rule. Originally conceived decades ago, it remains highly relevant, provided it is adapted for modern threats.
- 3 Copies of Data: You should have at least three total copies of your data (the primary production data and two backup copies). This ensures that a single point of failure (like a corrupted hard drive) does not result in total data loss.
- 2 Different Media Types: Store the backups on at least two different types of storage media. For example, one copy on a local NAS or SAN, and another copy in cloud storage or on physical tape. This protects against failures specific to one type of technology.
- 1 Offsite Copy: Keep at least one copy of the data geographically separated from the primary site. This protects against localized physical disasters (fires, floods) and, crucially, against localized cyber incidents.
Modern variations (like 3-2-1-1-0) introduce critical enhancements:
- 1 Offline/Immutable Copy: One copy must be either completely offline (air-gapped, like a disconnected tape) or immutable (write-once, read-many). This is the copy you recover from when everything reachable from the production network has been encrypted or deleted.
- 0 Errors: The backups must be regularly tested and verified to ensure zero errors upon restoration. A backup is only as good as its ability to be restored successfully.
Immutable Backups and WORM Storage
Immutability is the most important single control in modern backup security. An immutable backup cannot be altered, encrypted, or deleted for the duration of its retention period, even by an administrator with full system privileges or by ransomware executing with SYSTEM-level access. The caveat is that the lock must be enforced by the storage layer, not by the backup application: if the only thing standing between an attacker and the data is a setting in a console they have already compromised, the backup is not immutable.
- WORM (Write-Once, Read-Many): Immutability is usually implemented as WORM storage. Once data is written, a time-based lock is applied; until that lock expires (e.g., after 30 or 90 days), the data can be read but neither modified nor deleted. Choose the retention period deliberately: a strict lock cannot be shortened once set, and it must outlast the dwell time attackers typically have before they strike.
- Implementation: This can be achieved via specialized hardware appliances, cloud storage features (such as Amazon S3 Object Lock or Azure Blob Storage immutability policies), or file-system attributes enforced by the kernel, such as the Linux immutable attribute (chattr +i) applied to backup files on a hardened repository.
Air-Gapping (Physical and Logical)
Air-gapping involves creating an absolute barrier between the production network and the backup environment.
- Physical Air-Gap: The traditional method, involving storing backups on physical media (like LTO tapes) that are physically disconnected from any network and stored in a secure vault. While highly secure, recovery times (RTO) are often slow.
- Logical Air-Gap: A modern approach that uses network isolation and strict access controls. The backup storage is on the network but resides in an isolated, highly restricted VLAN. Connections are only established temporarily during the backup window, and the storage uses different authentication domains than the primary production environment, preventing lateral movement.
RTO and RPO
Understanding your recovery objectives is essential for designing the right backup architecture.
- Recovery Point Objective (RPO): The maximum acceptable amount of data loss measured in time. If your RPO is 4 hours, you must perform backups at least every 4 hours. Against ransomware, the effective RPO is measured from the newest copy the attacker could not destroy, not from the newest backup taken: hourly backups to a mutable local repository do not help if the only surviving copy is last night's immutable one.
- Recovery Time Objective (RTO): The maximum acceptable amount of time it takes to restore operations after a failure. If your RTO is 2 hours, your backup infrastructure must be capable of restoring critical systems within that timeframe. Balancing fast RTO (often requiring online, local backups) with the security of an air-gapped, offline backup is a key challenge in backup design.
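The following Python script is an added illustration, not code from the original article or from any backup product. It audits a constructed backup catalog against the 3-2-1-1-0 rule from the Core Concepts section and computes the RPO you would actually achieve after a ransomware event, which is the age of the newest copy the attacker could not delete. The catalog schema, the timestamps and the 4-hour RPO target are assumptions.

```python
"""Audit a backup catalog against 3-2-1-1-0 and compute the effective RPO
under a ransomware scenario. Added example: the BackupCopy schema, the
records and the timestamps are constructed here, not exported from any
backup product."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Fixed "now" so the audit is reproducible (constructed, not wall-clock time).
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                                   # "disk", "tape", "object-storage", ...
    site: str                                    # where the copy physically lives
    taken_at: datetime                           # completion time of this copy
    immutable_until: Optional[datetime] = None   # WORM / Object Lock expiry, if any
    offline: bool = False                        # physically disconnected from the network
    last_verified_restore: Optional[datetime] = None  # last successful test restore


def survives_attacker(copy: BackupCopy, now: datetime) -> bool:
    """A copy counts as the second '1' in 3-2-1-1-0 only if an attacker holding
    production and backup-software credentials still could not destroy it:
    it is offline, or its retention lock has not yet expired."""
    return copy.offline or (copy.immutable_until is not None and copy.immutable_until > now)


def audit(copies, primary_site, now=NOW, rpo=timedelta(hours=4),
          verify_within=timedelta(days=7)):
    """Return (findings, effective_rpo). effective_rpo is the age of the newest
    copy that survives the attacker, i.e. the data loss a ransomware event
    would actually cause, which can be far larger than the backup interval."""
    safe = [c for c in copies if survives_attacker(c, now)]
    newest_safe = max((c.taken_at for c in safe), default=None)
    effective_rpo = (now - newest_safe) if newest_safe is not None else None
    findings = {
        "three_copies": len(copies) + 1 >= 3,                  # primary data + 2 backups
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.site != primary_site for c in copies),
        "one_offline_or_immutable": bool(safe),
        "zero_errors": any(
            c.last_verified_restore is not None and now - c.last_verified_restore <= verify_within
            for c in copies),
        "rpo_met": effective_rpo is not None and effective_rpo <= rpo,
    }
    return findings, effective_rpo


def sample_audit():
    """Constructed catalog: hourly mutable disk copy on site, nightly Object Lock copy off site."""
    copies = [
        BackupCopy("hourly-disk", "disk", "hq", NOW - timedelta(hours=1)),
        BackupCopy("nightly-s3", "object-storage", "eu-west-1", NOW - timedelta(hours=13),
                   immutable_until=NOW + timedelta(days=29),
                   last_verified_restore=NOW - timedelta(days=1)),
    ]
    return audit(copies, primary_site="hq")


if __name__ == "__main__":
    findings, rpo = sample_audit()
    for rule, ok in findings.items():
        print(f"{rule:26s} {'PASS' if ok else 'FAIL'}")
    print("effective RPO vs ransomware:", rpo)
```

In the sample, the hourly disk copy keeps the catalog at three copies on two media, but the only copy the attacker cannot delete is the nightly Object Lock copy, so the 4-hour RPO fails with an effective 13-hour loss window. That gap between backup frequency and surviving-copy frequency is exactly what the extra "1" in 3-2-1-1-0 is meant to expose.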
Real-world Examples
Examining high-profile ransomware incidents reveals a consistent pattern: attackers deliberately target backup infrastructure to maximize leverage over their victims.
The Travelex Ransomware Attack
In late 2019, the global foreign exchange company Travelex was hit by the devastating REvil (Sodinokibi) ransomware. The attack forced the company to take its systems offline across 30 countries, reverting to pen and paper for currency exchange transactions for weeks.
The attackers exploited an unpatched vulnerability in Travelex's Pulse Secure VPN servers (CVE-2019-11510) to gain initial access. Once inside, they spent considerable time dwelling in the network, mapping systems, and specifically targeting the company's backup infrastructure. The ransomware operators compromised the backup servers and deleted the backup archives before initiating the encryption of the primary systems.
Because their backups were compromised, Travelex was left without a viable recovery option. They were forced into prolonged negotiations with the attackers and reportedly paid a multi-million dollar ransom in Bitcoin to obtain the decryption keys and restore their operations. This incident highlights the catastrophic consequences of storing backups on the same flat network as production systems, without adequate logical isolation or immutability.
The NotPetya Wiper Attack (Maersk)
While technically a destructive wiper rather than traditional ransomware, the 2017 NotPetya attack on the shipping giant Maersk demonstrates the critical need for offline, isolated backups. NotPetya propagated rapidly across Maersk's global network, exploiting the EternalBlue SMB vulnerability (MS17-010) and using harvested credentials to encrypt thousands of servers and workstations within hours.
The malware was highly virulent and moved laterally across trust boundaries, effectively taking down the entire IT infrastructure of the world's largest container shipping company. Crucially, Maersk's online, connected backup servers were encrypted along with everything else.
Maersk was saved from total annihilation by a stroke of luck. During the attack, a single domain controller in Ghana happened to be offline because of a local power outage. That server held an intact copy of the Active Directory database, which became the seed from which the company rebuilt its entire global identity infrastructure. Maersk's experience underscores that interconnected, online backups are vulnerable to rapid-spreading worms; a true physical or logical air-gap is necessary for survival.
Targeted Attacks on Backup Consoles (Conti Ransomware)
The Conti ransomware gang, known for its sophistication, frequently utilized a specific playbook regarding backups. Upon breaching a network, Conti operators would actively search for backup management consoles—specifically targeting popular enterprise backup software like Veeam, Commvault, or Veritas.
Once they located the management console, they would attempt to compromise it by dumping credentials from memory, finding hardcoded passwords, or exploiting vulnerabilities in the backup software itself. If they gained administrative access to the backup console, they would deliberately shorten retention policies, issue commands to wipe existing backup repositories, and disable future backup jobs. By compromising the central management plane, the attackers neutralized the entire backup strategy before the victim even realized they were under attack, ensuring maximum extortion pressure.
Best Practices & Mitigation
To ensure data recovery is possible after a sophisticated ransomware attack, organizations must implement a defense-in-depth strategy specifically tailored for their backup environment.
Implement Immutability as a Standard
Immutability is no longer optional; it is a mandatory requirement for modern backup security.
- Utilize Cloud Object Lock: If backing up to the cloud (AWS S3, Azure Blob, Wasabi), enable Object Lock/Immutable Storage policies. Configure these policies in compliance mode, so that even the account's root user cannot delete the backups before the retention period expires. Object Lock requires bucket versioning, and the credential the backup software uses to write to the bucket should not carry permission to delete object versions or change retention; an attacker who steals it from the backup server should gain nothing more than the ability to write new data.
- Deploy Hardened Repositories: Use a hardened Linux repository for on-premises backups. Deploy it with a one-time credential that is revoked after setup, disable SSH and other remote management once configured, and rely on file-system immutability (for example XFS with the Linux immutable attribute, chattr +i, set on each backup file for the retention period) so that neither the backup software's own service account nor a compromised administrator can modify or delete restore points.
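The script below is an added example, not part of the original article and not AWS or Veeam code. It checks the two things the Implementation bullet in Core Concepts and the Object Lock bullet above call for: that a backup bucket's default retention is in compliance mode and long enough, and that an individual backup object's lock has not quietly expired. The two responses are constructed to match the shapes returned by boto3's get_object_lock_configuration() and get_object_retention(); nothing is fetched from a real account, and the 30-day minimum is an assumed policy.

```python
"""Validate S3 Object Lock settings for a backup bucket. Added example: the
response dictionaries are constructed to mirror boto3's
get_object_lock_configuration() / get_object_retention() output; they are
not captured from a real account. MIN_RETENTION_DAYS is an assumed policy."""
from datetime import datetime, timedelta, timezone

MIN_RETENTION_DAYS = 30   # assumed policy: must exceed the attacker dwell time you plan for


def check_bucket_lock(config: dict, min_days: int = MIN_RETENTION_DAYS) -> list:
    """Return findings for a GetObjectLockConfiguration response; [] means pass."""
    findings = []
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled on the bucket"]
    rule = lock.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return ["no default retention: objects are locked only if the writer sets retention explicitly"]
    mode = rule.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"mode is {mode}: GOVERNANCE can be lifted by any principal "
                        "granted s3:BypassGovernanceRetention")
    days = rule.get("Days", 0) + 365 * rule.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention of {days} days is below the {min_days}-day minimum")
    return findings


def check_object_retention(retention: dict, now: datetime,
                           min_remaining: timedelta = timedelta(days=1)) -> list:
    """Findings for a GetObjectRetention response on one backup object. A copy
    whose lock expires before the next verified copy lands is no longer a safe copy."""
    r = retention.get("Retention", {})
    findings = []
    if r.get("Mode") != "COMPLIANCE":
        findings.append(f"object retention mode is {r.get('Mode')}")
    until = r.get("RetainUntilDate")
    if until is None or until - now < min_remaining:
        findings.append("retention lock expires (or has expired) before the next verified copy lands")
    return findings


def retain_until(now: datetime, days: int = MIN_RETENTION_DAYS) -> datetime:
    """RetainUntilDate to pass to put_object_retention(). A compliance-mode lock
    cannot be shortened afterwards, so the value is chosen deliberately."""
    return now + timedelta(days=days)


# Constructed sample responses (not real account data).
GOOD_BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
WEAK_BUCKET = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
EXPIRING_OBJECT = {"Retention": {"Mode": "COMPLIANCE",
                                 "RetainUntilDate": NOW + timedelta(hours=6)}}

if __name__ == "__main__":
    print("good bucket:", check_bucket_lock(GOOD_BUCKET) or "pass")
    print("weak bucket:", check_bucket_lock(WEAK_BUCKET))
    print("expiring object:", check_object_retention(EXPIRING_OBJECT, NOW))
```

The GOVERNANCE check is the one that catches real-world misconfigurations: governance mode looks immutable in the console, but any principal granted s3:BypassGovernanceRetention can remove the lock, and an attacker who has taken over the cloud account will arrange to have that permission.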
Enforce Strict Access Control and Isolation
The backup environment must be treated as the most secure enclave within your IT infrastructure.
- Separate Authentication Domains: Never join your backup servers to your primary Active Directory domain. If AD is compromised (which happens in most intrusions that reach the encryption stage), the attackers will instantly have access to your backups. Use separate, highly restricted authentication mechanisms for the backup environment, with accounts that exist nowhere else.
- Mandate Multi-Factor Authentication (MFA): Enforce MFA for all access to backup management consoles, storage arrays, and cloud backup portals. This prevents attackers from using stolen credentials to alter backup policies.
- Network Segmentation: Place backup servers and storage arrays in a dedicated, isolated VLAN. Use internal firewalls to restrict traffic, allowing only the specific ports required for backup agents to communicate with the backup server. Deny all internet access from the backup servers unless strictly necessary for cloud integration.
Adhere to the 3-2-1-1-0 Rule
Modernize your backup architecture to include an air-gapped or immutable copy, and focus heavily on verified restoration.
- Establish an Air-Gap: Maintain at least one copy of critical data that is physically or logically completely disconnected from the network. This could involve returning to tape backups stored offsite or utilizing modern logical air-gapping solutions that only open network ports during brief, randomized backup windows.
- Automated Recovery Testing: A backup is useless if it cannot be restored. Implement automated, daily testing (like Veeam SureBackup or similar features in other platforms) that spins up backup images in an isolated sandbox to verify OS boot, application consistency, and data integrity.
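As an added example of the "0 errors" check, not taken from the original article or from any backup product, the script below records a SHA-256 manifest of a backup set at backup time and compares a restored tree against it, so a test restore passes only if every file came back bit-for-bit. The directory tree, the file contents and the simulated corruption are all constructed in a temporary directory; a real run would verify the restore target against the manifest written when the backup was taken.

```python
"""Verify a restore against a hash manifest recorded at backup time.
Added example: the source tree, the restore and the tampering below are
constructed in a temporary directory for illustration."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree to the manifest. 'ok' is True only with zero findings."""
    current = build_manifest(restored)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    modified = sorted(p for p in manifest.keys() & current.keys() if manifest[p] != current[p])
    return {"ok": not (missing or extra or modified),
            "missing": missing, "modified": modified, "extra": extra}


def demo() -> dict:
    """Constructed scenario: back up three files, restore them, then simulate
    one corrupted and one lost file to show what a failed verification reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "db").mkdir(parents=True)
        (src / "db" / "prod.sql").write_bytes(b"CREATE TABLE users (id INT);\n")
        (src / "config.yml").write_text("retention_days: 30\n")
        (src / "notes.txt").write_text("quarterly close\n")
        manifest = build_manifest(src)              # recorded at backup time

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)              # stand-in for the restore job
        clean = verify_restore(restored, manifest)

        (restored / "db" / "prod.sql").write_bytes(b"DROP TABLE users;\n")  # silent corruption
        (restored / "notes.txt").unlink()                                   # lost file
        broken = verify_restore(restored, manifest)
        return {"clean": clean, "broken": broken}


if __name__ == "__main__":
    result = demo()
    print("clean restore ok:", result["clean"]["ok"])
    print("tampered restore:", result["broken"])
```

Store the manifest with the immutable copy, not only on the backup server: if an attacker can rewrite both the data and the list of expected hashes, the verification proves nothing. Sandbox boot tests such as the SureBackup feature mentioned above answer a different question (does the system start and does the application respond); the hash check answers whether the bytes are the ones you backed up.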
Secure the Backup Management Plane
The central console used to manage backups is a primary target.
- Apply the Principle of Least Privilege: Create distinct roles within your backup software. Do not grant full administrative privileges to all IT staff. Use granular roles that allow Helpdesk staff to restore individual files, while restricting the ability to delete entire backup jobs to a select few highly trusted individuals.
- Patch and Update: Backup software and the underlying operating systems of backup servers must be patched rigorously. Attackers frequently exploit known vulnerabilities in older versions of enterprise backup software to gain control.
Proactive Threat Detection and Monitoring
Do not wait until you need to restore data to find out your backups are compromised.
- Monitor for Anomalous Activity: Configure alerts for suspicious actions within the backup environment. Alert the security team immediately if retention policies are modified, if large amounts of backup data are deleted, or if backup jobs are mysteriously disabled.
- Scan Backups for Malware: Integrate your backup solution with your endpoint detection and response (EDR) or antivirus tools to scan backup data for known malware signatures or dormant ransomware payloads. This ensures that when you restore a system, you are not inadvertently restoring the malware that caused the outage in the first place.
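The following Python script is an added example, not part of the original article and not tied to any vendor's log format. It runs the alerting rules from the Monitor for Anomalous Activity bullet over a handful of backup-server audit events: retention shortened, mass deletion of restore points, a burst of repository deletions, a job disabled, and any destructive action by an account outside the backup-administrator allowlist. The key=value log format, the sample lines (modelled on the Conti playbook described earlier) and the thresholds are all constructed assumptions.

```python
"""Detect backup-sabotage patterns in backup-server audit events. Added
example: the key=value log format, the sample lines, the allowlist and the
thresholds are constructed for illustration; adapt parse() to your product."""
from datetime import datetime, timedelta

BACKUP_ADMINS = {"backupadm"}                 # assumed: accounts allowed to do destructive actions
DELETE_OBJECTS_THRESHOLD = 100                # one deletion this large is suspicious on its own
DELETE_BURST_WINDOW = timedelta(minutes=5)    # two repository deletions this close is a burst
DESTRUCTIVE = {"retention_changed", "repo_delete", "job_disabled"}

# Constructed sample log: a service account shortens retention, wipes two
# repositories and disables the job in under three minutes; an admin later
# lengthens retention, which is legitimate.
SAMPLE_LOG = """\
2024-06-01T02:14:07Z user=backupadm action=job_run job=SQL-Prod result=success
2024-06-01T02:40:11Z user=svc_veeam action=retention_changed job=SQL-Prod old_days=30 new_days=1
2024-06-01T02:41:02Z user=svc_veeam action=repo_delete repo=Primary-Disk objects=412
2024-06-01T02:41:30Z user=svc_veeam action=repo_delete repo=Offsite-NAS objects=388
2024-06-01T02:42:15Z user=svc_veeam action=job_disabled job=SQL-Prod
2024-06-01T09:05:44Z user=backupadm action=retention_changed job=Files old_days=30 new_days=60
"""


def parse(line: str) -> dict:
    """Parse '<timestamp> key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text: str) -> list:
    """Return a list of (severity, rule, line) alerts for the events in log_text."""
    alerts = []
    recent_deletes = []   # timestamps of recent repo_delete events, for burst detection
    for line in log_text.splitlines():
        ev = parse(line)
        action = ev.get("action")
        if action == "retention_changed" and int(ev["new_days"]) < int(ev["old_days"]):
            alerts.append(("HIGH", "retention shortened", line))
        if action == "repo_delete":
            recent_deletes = [t for t in recent_deletes if ev["ts"] - t <= DELETE_BURST_WINDOW]
            recent_deletes.append(ev["ts"])
            if int(ev["objects"]) >= DELETE_OBJECTS_THRESHOLD:
                alerts.append(("HIGH", "mass deletion of restore points", line))
            if len(recent_deletes) > 1:
                alerts.append(("HIGH", "repository deletion burst", line))
        if action == "job_disabled":
            alerts.append(("MEDIUM", "backup job disabled", line))
        if action in DESTRUCTIVE and ev["user"] not in BACKUP_ADMINS:
            alerts.append(("HIGH", "destructive action by account outside admin allowlist", line))
    return alerts


if __name__ == "__main__":
    for severity, rule, line in detect(SAMPLE_LOG):
        print(f"[{severity}] {rule}: {line}")
```

Every alert here fires on the service account, not on backupadm, which is the point of the allowlist rule: the backup software's own service identity has no business shortening retention or deleting repositories, so any such action from it means the credential has been stolen. Ship these events to the SIEM over a path the backup server cannot alter, since an attacker who owns the console will also try to silence its logging.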
The reality of modern cyber warfare dictates that organizations must operate under the assumption of a breach. When perimeter defenses fall and ransomware operators gain control of the network, the survival of the organization depends entirely on the resilience of its Backup Security posture. Relying on legacy backup methodologies—such as basic network shares or tape drives managed by a compromised Active Directory—is a recipe for catastrophic data loss and extortion.
By embracing modern security principles, organizations can build a resilient data recovery foundation. Implementing the modernized 3-2-1-1-0 rule, enforcing strict physical or logical air-gapping, and mandating immutable storage architectures keeps backup data beyond the reach of attackers. Securing the backup management plane through separate authentication domains and strict MFA prevents attackers from sabotaging recovery efforts from the inside. In the event of a ransomware attack, a secure, tested, and immutable backup is not just an IT asset; it is the definitive difference between a manageable operational disruption and a devastating business failure.