Ransomware doesn’t just encrypt your files — it hunts for backups too. Modern ransomware variants actively seek out network shares, connected USB drives, and even cloud-synced folders to encrypt or delete. Your backup strategy must account for this adversarial behaviour.
The Core Problem: Connected Backups Are Vulnerable
If your backup is accessible from the same computer that gets infected, the ransomware can reach it. This applies to:
- External hard drives left plugged in
- Network-attached storage (NAS) mounted as a drive letter
- Cloud sync folders (OneDrive, Dropbox, Google Drive) — ransomware encrypts local files, which sync as encrypted versions
- Mapped network shares with write access
The only backup that ransomware absolutely cannot touch is one it cannot reach.
Air-Gapped Backups: The Offline Strategy
An air-gapped backup is physically disconnected from all networks and computers except during the brief backup window.
How It Works
1. Connect an external drive (USB or eSATA)
2. Run the backup
3. Verify the backup
4. Disconnect the drive and store it securely
The drive is only accessible during steps 1–4. The rest of the time, it’s in a safe, a locked drawer, or off-site.
Strengths
- Immune to network-based ransomware — can’t encrypt what it can’t reach
- Immune to cloud account compromise — no online credentials involved
- Simple and reliable — no software subscriptions, no internet dependency
- Full control — you own the media, you control access
Weaknesses
- Manual process — requires discipline to connect, back up, and disconnect regularly
- Limited versioning — typically a snapshot, not continuous backup
- Physical risks — fire, flood, theft of the storage location
- Inconvenient for large datasets — USB backup of terabytes is slow
For a detailed workflow on maintaining air-gapped storage, see our offline vault workflow.
Cloud Backups: The Remote Strategy
Cloud backup services store encrypted copies of your data on remote servers. Done correctly, they provide off-site protection with versioning.
How It Works
A backup agent on your computer encrypts and uploads data to a cloud provider’s infrastructure. The provider stores multiple versions, allowing you to restore from any point in time.
Strengths
- Automatic and continuous — no manual steps once configured
- Off-site by default — protects against fire, flood, and local theft
- Version history — restore from before the ransomware hit
- Scalable — handles large datasets without USB bottlenecks
Weaknesses
- Internet dependency — can’t back up or restore without connectivity
- Cloud account compromise — if ransomware gains access to your cloud credentials, it may delete backups
- Provider trust — you’re trusting the provider’s encryption and access controls
- Sync folders are NOT backups — file sync services (OneDrive, Dropbox) propagate ransomware-encrypted files as “changes”
- Cost — ongoing subscription for significant storage
Critical Distinction: Sync vs. Backup
- File sync (OneDrive, Dropbox): mirrors local changes, including destructive ones. NOT a ransomware backup.
- Cloud backup (Backblaze, CrashPlan, Acronis): creates versioned, independent copies. Can restore to pre-infection state.
The 3-2-1 Backup Strategy (Minimum)
The industry-standard approach:
- 3 copies of your data
- 2 different media types
- 1 off-site
For ransomware protection, upgrade to 3-2-1-1:
- 3 copies
- 2 media types
- 1 off-site (cloud or remote location)
- 1 air-gapped (disconnected, immutable)
Encryption Is Essential for Both
Whether your backup is on a USB drive in a safe or on a cloud server, it should be encrypted:
- Air-gapped drives: Use BitLocker or VeraCrypt. See Secure USB Drives.
- Cloud backups: Use client-side encryption (encrypt before upload). Don’t rely solely on the provider’s encryption.
Recommended Combination
For most users, a layered strategy works best:
- Daily cloud backup with a reputable service (versioned, client-side encrypted)
- Weekly air-gapped backup to an encrypted external drive (stored in a safe)
- Monthly off-site rotation — swap the air-gapped drive with one stored at another location
This gives you continuous protection (cloud), ransomware immunity (air-gapped), and disaster recovery (off-site).
Key Takeaways
- Air-gapped backups are immune to ransomware but require manual discipline
- Cloud backups are convenient but must be true backup services, not file sync
- Neither alone is sufficient — use both for layered protection
- Always encrypt your backups, regardless of where they’re stored
- Test restores regularly to verify your backups actually work
Further Reading
- CISA — Ransomware guidance — Government ransomware prevention resources
- NIST — Data integrity: Recovering from ransomware — Framework for ransomware recovery
- Microsoft — Protect against ransomware — Windows-specific ransomware guidance
- US-CERT — Ransomware best practices — Quick reference for backup strategy