Ransomware has become a highly coordinated and pervasive threat, and traditional defenses are increasingly struggling to neutralize it. Today's ransomware attacks initially target your last line of defense — your backup infrastructure. Before locking up your production environment, cybercriminals go after your backups to cripple your ability to recover, increasing the odds of a ransom payout.

Notably, these attacks are carefully engineered takedowns of your defenses. The threat actors disable backup agents, delete snapshots, modify retention policies, encrypt backup volumes (especially those that are network accessible) and exploit vulnerabilities in integrated backup platforms. They are no longer trying just to deny your access but erase the very means of recovery. If your backup environment isn't built with this evolving threat landscape in mind, it's at high risk of getting compromised.

How can IT pros defend against this? In this guide, we'll uncover the weak strategies that leave backups exposed and explore actionable steps to harden both on-site and cloud-based backups against ransomware. Let's see how to build a resilient backup strategy, one that you can trust 100% even in the face of sophisticated ransomware attacks.

Common pitfalls that leave backups exposed

Inadequate separation and the lack of offsite or immutable copies are among the most common weaknesses in backup strategies. Snapshots or local backups alone aren't enough; if they reside in the same on-site environment as production systems, they can be easily discovered, encrypted or deleted by attackers. Without proper isolation, backup environments are highly susceptible to lateral movement, allowing ransomware to spread from compromised systems to backup infrastructure.

Here are some of the most common lateral attack techniques used to compromise backups:

  • Active Directory (AD) attacks: Attackers exploit AD to escalate privileges and gain access to backup systems.
  • Virtual host takeover: Malicious actors utilize a misconfiguration or vulnerability in the guest tools or hypervisor code to control the hypervisor and virtual machines (VMs), including those hosting backups.
  • Windows-based software attacks: Threat actors exploit built-in Windows services and known behaviors across versions for entry points into backup software and backup repositories.
  • Common vulnerabilities and exposures (CVE) exploit: High-severity CVEs are routinely targeted to breach backup hosts before patches are applied.

Another major pitfall is relying on a single cloud provider for cloud backups, which creates a single point of failure and increases the risk of total data loss. For instance, if you're backing up Microsoft 365 data in the Microsoft environment, your backup infrastructure and source systems share the same ecosystem, making them easy to discover. With stolen credentials or application programming interface (API) access, attackers can compromise both at once.

Build backup resilience with the 3-2-1-1-0 strategy

The 3-2-1 backup rule has long been the gold standard in data protection. However, as ransomware increasingly targets backup infrastructure, it's no longer enough. Today's threat landscape calls for a more resilient approach, one that assumes attackers will try to destroy your ability to recover.

That's where the 3-2-1-1-0 strategy comes in. This approach aims to keep three copies of your data and store them on two different media, with one copy offsite, one immutable copy and zero backup errors.

Fig 1: The 3-2-1-1-0 backup strategy

Here's how it works:

3 copies of data: 1 production + 2 backups

When backing up, it's critical not to rely solely on file-level backups. Use image-based backups that capture the full system — the operating system (OS), applications, settings and data — for more complete recovery. Look for capabilities, such as bare metal recovery and instant virtualization.

Use a dedicated backup appliance (physical or virtual) instead of standard backup software for greater isolation and control. When looking for appliances, consider ones built on hardened Linux to reduce the attack surface and avoid Windows-based vulnerabilities and commonly targeted file types.

2 different media formats

Store backups on two distinct media types — local disk and cloud storage — to diversify risk and prevent simultaneous compromise.

1 offsite copy

Ensure one backup copy is stored offsite and geographically separated to protect against natural disasters or site-wide attacks. Use a physical or logical airgap wherever possible.

1 immutable copy

Maintain at least one backup copy in an immutable cloud storage so that it cannot be altered, encrypted or deleted by ransomware or rogue users.

0 errors

Backups must be regularly verified, tested and monitored to ensure they're error-free and recoverable when needed. Your strategy isn't complete until you have full confidence in recovery.

To make the 3-2-1-1-0 strategy truly effective, it's critical to harden the environment where your backups live. Consider the following best practices:

  • Deploy the backup server in a secure local area network (LAN) environment to limit accessibility.
  • Restrict access using the principle of least privilege. Use role-based access control (RBAC) to ensure no local domain accounts have admin rights over the backup systems.
  • Segment backup networks with no inbound traffic from the internet. Only allow outbound. Also, only protected systems should be able to communicate with the backup server.
  • Employ a firewall to enforce network access controls and use port-based access control lists (ACLs) on network switch ports.
  • Deploy agent-level encryption so data written to the backup server is encrypted using a unique key that only you can generate with your own passphrase.
  • Disable unused services and ports to reduce the number of potential attack vectors.
  • Enable multifactor authentication (MFA) — preferably biometric rather than time-based one-time password (TOTP) — for all access to the backup environment.
  • Keep backup systems patched and up to date to avoid exposure to known vulnerabilities.
  • Physically secure all backup devices with locked enclosures, access logs and surveillance measures.

Best practices for securing cloud-based backups

Ransomware can just as easily target cloud platforms, especially when backups live in the same ecosystem. That's why segmentation and isolation are critical.

Data segmentation and isolation

To build a true air gap in the cloud, backup data must reside in a separate cloud infrastructure with its own authentication system. Avoid any reliance on production-stored secrets or credentials. This separation reduces the risk of a compromised production environment impacting your backups.

Use private cloud backup architecture

Choose services that move backup data out of the source environment and into an alternative cloud environment, such as a private cloud. This creates a logically isolated environment that's shielded from original access vectors, delivering the air-gapped protection needed to withstand modern ransomware. Shared environments make it easier for attackers to discover, access or destroy both source and backup assets in a single campaign.

Authentication and access control

Cloud-based backups should use a completely separate identity system. Implement MFA (preferably biometric), RBAC and alerting for unauthorized changes, such as agent removal or retention policy modifications. Credentials must never be stored in the same ecosystem being backed up. Keeping access tokens and secrets outside of the production environment (like Azure or Microsoft 365) eliminates any dependency on them for backup recovery.

How Datto BCDR secures your backups for 100% recovery confidence

Even with the right strategy, resilience ultimately depends on the tools you choose. That's where Datto's business continuity and disaster recovery (BCDR) platform stands out. Datto BCDR offers seamless local and cloud continuity powered by its SIRIS and ALTO appliances and immutable Datto BCDR Cloud. It ensures your backups are always recoverable, even in worst-case scenarios.

Fig 2: How Datto BCDR delivers business continuity

Here's how Datto BCDR delivers guaranteed recovery:

  • Local and cloud redundancy: Datto BCDR provides robust backup appliances that double as local recovery targets. You can run workloads and applications directly on the device during a failure. If on-prem systems are compromised, recovery shifts seamlessly to the Datto BCDR Cloud for virtualized operations, ensuring business continuity without disruption.
  • The power of immutable Datto BCDR Cloud: Purpose-built for backup and disaster recovery, the Datto BCDR Cloud delivers unmatched flexibility, security and performance. It goes beyond basic offsite storage to offer multilayered protection, making critical data both safe and instantly recoverable.
  • Effective ransomware defense: Datto appliances run on a hardened Linux architecture to mitigate vulnerabilities commonly targeted in Windows systems. They also include built-in ransomware detection that actively scans for threats before any recovery is initiated.
  • Automated, verified backup testing: Datto's automated screenshot verification confirms that VMs can boot from backups. It also performs application-level checks to ensure workloads function correctly after restore, helping IT teams validate recovery without guesswork.
  • Lightning-fast recovery options to make recovery seamless include:
    • Features like 1-Click Disaster Recovery (1-Click DR) that make disaster recovery near instant.
    • Secure, image-based backups for full-system restoration.
    • Cloud Deletion Defense™ to instantly recover deleted cloud snapshots, whether accidental or malicious.

Is it time to rethink your backup strategy?

Cyber resilience starts with backup security. Before ransomware strikes, ask yourself: Are your backups truly separated from your production systems? Can they be deleted or encrypted by compromised accounts? When was the last time you tested them?

Now is the time to evaluate your backup strategy through a risk-based lens. Identify the gaps, fortify the weak points and make recovery a certainty — not a question.

Explore how Datto BCDR can help you implement a secure, resilient backup architecture that's built for real-world threats. Get pricing today.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.