How to Create a Ransomware-Proof Backup & Recovery Strategy

I’ve been in this industry long enough to not take most security vendor marketing seriously. Ransomware prevention powered by AI? Please. If it were that simple, we wouldn’t be in this mess.

Here’s the thing — ransomware does not only encrypt your files. It goes after backups as well, often residing undetected for weeks before triggering — so when you attempt to restore, guess what? Your backups are toast. That is the reason traditional backup systems are not sufficient anymore.

So today I’d like to discuss how to construct a ransomware-proof backup and data recovery strategy, the type where no matter what happens you have a means of restoring your data without paying some loser in a cheap hoodie their ransom.

Why Traditional Backups are No Match for Ransomware

It’s a simpler time than when I dealt with SQL Slammer back in the early 2000s. You had tapes, external drives, some offsite backups perhaps. If something broke, you could recover cleanly in a couple of hours.

But today’s ransomware is not the same.

The new wave of ransomware doesn’t only encrypt your files. It goes after:

• Network drives. Anything that is mounted and within reach is fair game.
• Backup repositories. The first place they will attack is your backup system if it is online.
• Cloud backups. And if your credentials are compromised, the backup in the cloud can be encrypted or deleted without you having a chance to even realize it.

And then there’s latency. Ransomware frequently remains dormant for weeks (or months) before it is activated. If your backups do not have versioning, you’re restoring encrypted files without knowing. This is why conventional backups — network shares, simple cloud storage, even backups to NAS — aren’t truly safe against ransomware attacks.

The Real Solution: Immutable Backups & Air-Gapping

Okay, here’s the holy grail of ransomware-proof backups:

1. Immutable backups.
   • They cannot be changed or deleted once they are written (including by an admin).
   • Helps stop ransomware from infecting your latest good recovery point.
   • This is supported by most enterprise backup solutions — but you must turn it on.
2. Air-gapped backups.
   • Most of the time the backup is not online on your network.
   • Such as tape backups, offline drives or separate cloud space.
   • Attackers can’t encrypt what they’ve never touched.
3. Multi-version backups.
   • The backups are point-in-time, and typically multiple points-in-time are kept by snapshotting.
   • Even if the ransomware is dormant, you can restore from a known good version.
4. Separate Authentication for Backups
   • Even if Active Directory auth is used by your backup system and AD gets hit—
   • Guess what? No backups for you.
   • Employ local-only admin credentials not associated with your corporate directory.

If you truly need a secure system, you should have at least two of the above protections. Preferably all four.

Best Practices for Recovery: Backups Are Useless If You Can’t Restore

Here’s a little hard truth: a lot of companies don’t actually test their restores. They take it for granted that their backup will be there when they need it. Then ransomware hits, and — surprise — the backups fail.

I’ve witnessed this type of thing happen twice in the past year—both times, the companies involved had backups that didn’t truly allow for a complete restore. Don’t be like them.

Here’s how to make sure your backups aren’t useless:

• Test your restores often.
• Not just once a year. Quarterly, at minimum.
• Ensure the ability to recover systems, not just files.
• But that doesn’t mean you shouldn’t follow the 3-2-1 backup rule:
  • 3 copies of your data.
  • 2 different types of media.
  • 1 offsite & air-gapped backup

– Create an incident response plan.

• Who restores what?
• How do you determine last time files cleanup was done?
• How does roll back work for databases and OS Images?

– Check backups for strange telemetry.

• Unusual deletion patterns?
• Your backups are suddenly shrinking in size?
• That’s often a sign that ransomware is messing with them.

Backup Solutions by PJ Networks: Here’s What We Recommend

At PJ Network, we’ve experienced what works — and what doesn’t — when it comes to making backups resistant to ransomware. Just in the past year, we’ve assisted three banks in deploying a backup overhaul after they came to understand they had zero real protection from a ransomware incident.

Our Ransomware Resistant Backup Setup Looks Something Like:

• Immutable storage. Backups where older versions cannot be changed or deleted by ransomware (or a rogue admin).
• Offsite & air-gapped backups. Establishing cold storage that attackers will never access.
• Snapshots as backups, automated. Having multiple historical snapshots so that ransomware can sit dormant and roll back clean.
• Decouples authentication schemes. No shared AD creds — backup credentials are separate from the main authentication system.
• Granular recovery testing. Confirming entire system functionality post-restore, not just verifying “does a backup restore?”.

This isn’t hypothetical. This is what we’ve deployed for real businesses — banks, manufacturing firms, even health-care — which means real-world resilience.

Conclusion: There Is No Compromise For Secure Backups No Excuses

I know, I know — properly immutable/air-gapped/tested backups aren’t just something you can toss on a network share and high-five everyone in the room. However, if you’re still using traditional backups without protections against ransomware, you’re only one infection away from being out of business.

Ransomware actors are not stupid. There’s a reason they go after backups. The only way to protect yourself is to have no attacker capable of changing, deleting or encrypting your last good restore point.

And if your business does not yet have a robust backup system that will make it impossible for ransomware to hitch a ride on its files — set that up now. Before you learn it the hard way.

Quick Take: Ransomware-Proof Your Backups With These Key Steps

• Use immutable storage. Undeletable or unalterable backups.
• Keep air-gapped backups. It can’t be encrypted if the network can’t reach it.
• Take multiple snapshots. Ransomware can lie dormant — ensure you can restore from a clean state.
• Backup authentication is segregated. If your primary credentials have been compromised, backups should be safe.
• Test restores regularly. A backup that won’t restore is not a backup — it’s false confidence.

Your backups are your final line of defense. Ensure they’re really prepared for the fight.

And if you want to set up a ransomware-proof backup and recovery system—we do this every day. Reach out. The next ransomware attack will be their problem, not yours.