Defending Against Ransomware: The 3-2-1 Backup Rule

Implementing the 3-2-1 backup strategy with immutable storage to guarantee data recovery after a targeted ransomware attack.

Overview

Ransomware is a type of malicious software designed to block access to a computer system or encrypt data until a sum of money is paid. As cybercriminals have become more sophisticated, simply having a local backup is no longer sufficient to guarantee data recovery.

The Problem

Modern ransomware variants (such as Ryuk or LockBit) are designed to actively seek out and destroy or encrypt backup files connected to the corporate network before triggering the encryption of primary data. If an organization stores its daily backups on a NAS (Network Attached Storage) that is mapped to the main network, the ransomware will compromise both the production data and the backups simultaneously, leaving the company with no recovery options.

Solution and Configuration

The gold standard for data protection is the 3-2-1 Backup Rule.

  • Keep 3 copies of your data (1 primary, 2 backups).
  • Store them on 2 different types of media (e.g., Disk and Tape, or Disk and Cloud).
  • Keep 1 copy completely offsite.

Most importantly, the modern addition to this rule (often written 3-2-1-1) requires that at least one backup copy be immutable or air-gapped, so that it survives even when an attacker holds administrative credentials.

Technical Details

Immutability means that data, once written, cannot be modified, deleted, or encrypted by anyone, not even an administrator, for a specified retention period. This is often achieved using object storage features such as AWS S3 Object Lock (WORM, Write Once Read Many). An air-gapped backup is data that is physically disconnected from the network (for example, a tape stored in a vault) or logically isolated on a separate network with entirely different credentials, so a compromise of the production domain does not reach it.
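The checks above can be applied to a backup inventory mechanically. The following is an added example (not code from the article or from any backup product) that scores an inventory against the 3-2-1 rule plus the immutable-or-air-gapped addition; the `BackupCopy` record layout, the reference date and the two sample inventories are constructed for illustration, and the 30-day minimum lock is an assumed policy value.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class BackupCopy:
    """One backup copy in the inventory (constructed record format, not a real product's)."""
    name: str
    media: str                       # e.g. "disk", "tape", "object-storage"
    offsite: bool                    # stored outside the primary site
    air_gapped: bool                 # physically disconnected, or isolated with separate credentials
    immutable_until: Optional[date]  # WORM / Object Lock retention end; None if the copy is mutable

def check_3_2_1(primary_media: str, copies: List[BackupCopy], today: date,
                min_retention_days: int = 30) -> List[str]:
    """Return the list of rule violations; an empty list means the inventory satisfies 3-2-1-1."""
    findings = []
    total = 1 + len(copies)  # the primary counts as copy number one
    if total < 3:
        findings.append(f"{total} copies present; the rule requires 3 (primary + 2 backups)")
    media = {primary_media} | {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"all copies on one media type ({primary_media}); the rule requires 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy; the rule requires 1")

    # Modern addition: at least one copy must survive an attacker holding admin credentials,
    # either by being air-gapped or by being locked for longer than the assumed detection window.
    def is_protected(c: BackupCopy) -> bool:
        if c.air_gapped:
            return True
        return c.immutable_until is not None and (c.immutable_until - today).days >= min_retention_days

    if not any(is_protected(c) for c in copies):
        findings.append(f"no air-gapped copy and no copy locked for >= {min_retention_days} days")
    return findings

TODAY = date(2024, 6, 1)  # constructed reference date for the retention arithmetic
# Scenario from "The Problem": primary on disk plus a NAS mapped on the same network.
NAS_ONLY = [BackupCopy("nas-daily", "disk", offsite=False, air_gapped=False, immutable_until=None)]
# A layout meeting the rule: NAS for fast restores, Object Lock bucket offsite, tape in a vault.
HARDENED = [
    BackupCopy("nas-daily", "disk", False, False, None),
    BackupCopy("s3-locked", "object-storage", True, False, TODAY + timedelta(days=90)),
    BackupCopy("tape-vault", "tape", True, True, None),
]

if __name__ == "__main__":
    for label, inventory in (("nas-only", NAS_ONLY), ("hardened", HARDENED)):
        print(label, check_3_2_1("disk", inventory, TODAY) or ["OK"])
```

Running the script reports four violations for the NAS-only layout and none for the hardened one; a copy whose lock expires inside the retention window is treated as unprotected, which is the case to watch when retention periods are set shorter than typical attacker dwell time.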

Conclusion

Paying a ransom never guarantees the return of data and often funds future criminal operations. By strictly adhering to the 3-2-1 rule and incorporating immutable storage solutions, organizations can ensure resilience and maintain business continuity regardless of the severity of a cyberattack.
