The 3-2-1 rule is a data management classic: 3 copies, on 2 different media, with 1 offsite. It was sufficient against hardware failures and physical disasters. It is no longer sufficient against modern ransomware.
Why Ransomware Targets Your Backups
Criminal groups operating sophisticated ransomware have a well-established strategy: before deploying encryption, they spend days or weeks exploring your network. Their primary objective is to identify and delete or encrypt your backups.
Here is what they do concretely:
- Identify installed backup solutions (Veeam, Acronis, Windows Server Backup) and their management consoles.
- Steal administrator credentials for the backup solution.
- Delete VMware snapshots, Windows restore points, and synced cloud copies (OneDrive, Dropbox).
- Wait 30 to 90 days so that still-accessible backups become corrupted or outdated.
The 3-2-1-1 Rule: The Extra "1" That Changes Everything
The fourth "1" means: 1 immutable copy. An immutable backup cannot be modified, encrypted, or deleted — even by a compromised administrator account — during a defined retention period (typically 30 to 90 days).
Technologies that enable immutability:
- Veeam Immutable Backups to a Linux repository with the immutable bit enabled via the XFS protocol.
- Azure Blob Storage with Immutable Storage (WORM — Write Once, Read Many): even a compromised storage account cannot delete data during the retention period.
- Rubrik / Cohesity: data protection platforms natively designed for ransomware resilience.
- Air-gapped magnetic tape: physically disconnected from the network. Reserved for critical environments or regulatory requirements.
The Backup Configuration We Recommend for SMBs
- Copy 1 (production): daily snapshot on the production server (local Veeam) — fast recovery of individual files.
- Copy 2 (local immutable): Veeam repository on a dedicated Linux NAS with 30-day immutability — isolated from the rest of the network.
- Copy 3 (cloud immutable): replication to Azure Blob Storage WORM in a Canadian region — physical and geographic separation.
- Copy 4 (air-gapped) (for most critical data): weekly backup to removable media stored offsite.
The Restore Test: The Step Everyone Forgets
An untested backup is not a backup. We recommend a full restore test quarterly for SMBs, with a documented report. This test must include restoring a complete server, not just individual files. The difference between "files exist" and "server is operational" can represent 24 additional hours of delay during a real incident.