Modern ransomware crews read the same best-practice guides you do. They know the standard advice — "keep backups, then you don't have to pay" — so the professional playbook now starts with the backups: find the backup server, delete the restore points, purge the cloud copies with the stolen admin credentials, then encrypt production and send the note. Post-incident reports consistently find backup repositories were targeted in the large majority of serious ransomware cases. Immutable backups exist for exactly this fight: copies that cannot be altered or deleted — not by the attacker, not by a compromised administrator, not by you — until a clock you set in advance runs out. Here's what immutability really means, and how to get it without an enterprise budget.
Why Backups Became the First Target
Ransomware is a negotiation, and your leverage is a working restore. The attacker's counter-move is simple: remove the leverage. By the time encryption fires, a competent crew has typically been inside for days — long enough to find the backup console, delete snapshots, disable jobs, and empty the cloud bucket. They often hold access longer than your backup retention, so even the copies that survive are copies of an already-compromised network.
The uncomfortable implication: a backup that can be deleted by anyone holding the right credentials is not a ransomware control. It's a convenience feature that works right up until the one scenario it was bought for.
What "Immutable" Actually Means
Immutability is a property enforced by the storage layer, not a policy in the backup software: once written, a backup object cannot be modified or deleted until its retention period expires. The technical names vary — WORM (write once, read many), object lock in S3-compatible storage, retention lock on backup appliances, insider-protection holds in cloud backup services — but the test is the same and brutally simple:
- Can a domain administrator delete it? If yes, it isn't immutable — the attacker who owns your domain owns it too.
- Can the backup software's own admin delete it? If yes, same problem: backup consoles are a primary target.
- Can the storage vendor's account holder shorten the lock? Real immutability (compliance-mode object lock) says no, not even them, until expiry.
If the answer to all three is no, an attacker's only remaining move against your backups is waiting out the retention clock — which is why the clock length is a security decision, not a storage-cost decision.
The Modern Rule: 3-2-1-1-0
The classic 3-2-1 backup rule (three copies, two media, one offsite) predates ransomware's backup-hunting era. The updated formulation adds the two pieces that matter now:
- 3 copies of the data,
- 2 different media or platforms,
- 1 copy offsite,
- 1 copy immutable or offline (air-gapped),
- 0 errors on restore verification — because an untested backup is a hope, not a plan.
The last digit deserves emphasis. Immutability guarantees the copy exists; only testing proves it restores, restores completely, and restores fast enough to matter. Our disaster recovery testing guide covers how to make that routine instead of aspirational.
Getting Immutability Without an Enterprise Budget
Cloud object storage with object lock
The most accessible path for most SMBs: point your backup platform at S3-compatible storage with object lock enabled in compliance mode. Most mainstream business backup products support it natively now. Costs scale with data size, and the immutability is enforced by the storage provider's infrastructure — outside your network, outside your credentials.
Vendor-managed immutable repositories
Many managed backup services build immutability and deletion protection in — holds on deleted data, out-of-band confirmation before retention changes, separate credential domains. Ask the pointed questions: who can shorten retention, and what happens when your tenant admin account is the compromised one?
True air gap
Rotated offline media — disks or tapes physically disconnected and offsite — remains valid, cheap, and genuinely unreachable from the network. The trade-offs are recovery speed and human discipline; an air gap only works if the rotation actually happens. It pairs well as the last-resort copy behind a faster immutable tier.
The Mistakes That Undo It
- Immutability in "governance mode." Some object-lock implementations have a mode privileged accounts can override. That's the mode attackers like too. Compliance mode or it doesn't count.
- Retention shorter than dwell time. If attackers sit in networks for weeks and your immutable window is one week, they simply wait. Size the window against realistic dwell, not storage price alone.
- Backup console on the domain. The backup platform needs separate credentials and MFA of its own — never domain-joined admin access. Compromising the domain must not compromise the backups.
- Forgetting the SaaS data. Production isn't just servers — Microsoft 365 and other SaaS data needs its own independent, protected copies (the shared-responsibility gap is its own article).
- Never restoring. The zero in 3-2-1-1-0. Schedule restore tests the way you schedule fire drills.
Immutability Changes the Negotiation
None of this prevents an intrusion — that's the job of the controls in front: patched systems, MFA, endpoint detection, segmentation. What immutable backups change is the ending. A crew that encrypts your production but can't touch your restore points has lost most of its leverage; recovery becomes an operations problem measured in hours or days instead of a ransom negotiation measured in Bitcoin. Insurers have noticed — immutable or offline backups are now a standard underwriting question — and the recovery process itself goes dramatically better when the copies are clean and complete.
The Bottom Line
Ransomware operators target backups first because backups are what make paying optional. Make at least one copy genuinely immutable — locked at the storage layer, in compliance mode, on credentials your domain can't reach — size the retention window realistically, and prove your restores with tests. If you want your current backup posture assessed against the 3-2-1-1-0 standard and hardened where it falls short, our cybersecurity team does exactly that. Get in touch before your leverage gets tested.
