Immutable Backup Strategies: Ransomware-Proofing Your Data

Learn how immutable backups work and how to implement write-once, tamper-proof backup strategies that ransomware cannot delete or encrypt.

Last updated: 2 April 2026

Immutable backups are copies of your data that cannot be modified or deleted for a defined retention period — not by ransomware, not by a compromised admin account, and not by accident. They’re one of the strongest defences against ransomware that specifically targets backups.

Why Standard Backups Fail Against Modern Ransomware

Ransomware has evolved. Current variants don’t just encrypt your working files — they:

  1. Enumerate backup locations by searching for backup agent configuration files
  2. Delete shadow copies using vssadmin delete shadows /all
  3. Encrypt backup files on network shares and connected USB drives
  4. Compromise cloud backup accounts using harvested credentials
  5. Wait silently (dwell time) to ensure even recent backups contain the ransomware

An immutable backup breaks this attack chain because even if the attacker gains admin access, they cannot alter or delete the protected copies.

What Makes a Backup Immutable?

True immutability means the backup data is write-once for a configurable retention period. This can be achieved through:

Software-Enforced Immutability

Cloud backup services and NAS systems that support WORM (Write Once, Read Many) policies:

  • Object lock on cloud storage (AWS S3 Object Lock, Azure Immutable Blob Storage, Backblaze B2 Object Lock)
  • WORM mode on NAS appliances (Synology, QNAP)
  • Backup software with immutability (Veeam, Acronis, Duplicati with S3 backend)

Hardware-Enforced Immutability

Physical media that cannot be overwritten:

  • Write-once optical media (M-DISC Blu-ray) — physically cannot be rewritten
  • Air-gapped drives — not strictly immutable (they can be reformatted), but unreachable from the network. See offline vault workflow.
  • Tape backups with write-protect tabs — inexpensive, high-capacity, physically removable

Logical Immutability

Some systems implement immutability through access controls rather than physical write-once:

  • Separate admin credentials for the backup system (not the same as domain admin)
  • MFA on backup management — deleting backups requires a second factor
  • Time-locked deletion — deletion requests require a waiting period (24–72 hours)

Implementing Immutable Backups on Windows

Option 1: Cloud Storage With Object Lock

Use a cloud backup tool that supports S3-compatible storage with Object Lock:

  1. Create an S3 bucket (AWS, Backblaze B2, or Wasabi) with Object Lock enabled
  2. Configure your backup software to target the bucket
  3. Set a retention policy (e.g., 30 days) — backups cannot be deleted until retention expires
  4. Use separate IAM credentials for the backup agent (least privilege)
  5. Enable MFA Delete on the bucket for additional protection
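As an added example (not part of the original article), the Object Lock configuration, a least-privilege policy for the backup agent, and an audit check covering steps 1, 3, 4 and 5 above, in Python; the bucket name and the sample configurations are constructed placeholders. The "cannot be deleted until retention expires" guarantee in step 3 only holds in COMPLIANCE mode, which the check enforces.

```python
MIN_RETENTION_DAYS = 30  # the article's recommended minimum

def object_lock_config(days, mode="COMPLIANCE"):
    """Bucket default retention, in the JSON shape accepted by
    `aws s3api put-object-lock-configuration --object-lock-configuration`.
    COMPLIANCE cannot be shortened or bypassed by anyone until it expires;
    GOVERNANCE can be bypassed with s3:BypassGovernanceRetention."""
    if mode not in ("COMPLIANCE", "GOVERNANCE"):
        raise ValueError("mode must be COMPLIANCE or GOVERNANCE")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}

def backup_agent_policy(bucket):
    """Least-privilege IAM policy for the backup agent (step 4): write and
    read objects, never delete versions, bypass retention or alter the lock."""
    arn = f"arn:aws:s3:::{bucket}"  # bucket name is a caller-supplied placeholder
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": f"{arn}/*",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectVersion",
                    "s3:PutObjectRetention", "s3:GetObjectRetention"]},
        {"Effect": "Allow", "Resource": arn, "Action": ["s3:ListBucket"]},
        {"Effect": "Deny", "Resource": [arn, f"{arn}/*"],
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                    "s3:BypassGovernanceRetention",
                    "s3:PutBucketObjectLockConfiguration"]}]}

def audit_bucket(lock_cfg, versioning):
    """Check GetObjectLockConfiguration / GetBucketVersioning responses against
    steps 1, 3 and 5; returns a list of findings (empty means compliant)."""
    findings = []
    if lock_cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled")
    rule = lock_cfg.get("Rule", {}).get("DefaultRetention", {})
    days = rule.get("Days", rule.get("Years", 0) * 365)
    if rule.get("Mode") != "COMPLIANCE":
        findings.append("retention mode is not COMPLIANCE")
    if days < MIN_RETENTION_DAYS:
        findings.append(f"default retention {days}d below {MIN_RETENTION_DAYS}d")
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled")  # Object Lock requires it
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled")
    return findings

# Constructed sample inputs: a weak bucket beside the corrected configuration.
WEAK_LOCK, WEAK_VER = object_lock_config(7, "GOVERNANCE"), {"Status": "Enabled", "MFADelete": "Disabled"}
GOOD_LOCK, GOOD_VER = object_lock_config(30), {"Status": "Enabled", "MFADelete": "Enabled"}
if __name__ == "__main__":
    print(audit_bucket(WEAK_LOCK, WEAK_VER))  # 3 findings
    print(audit_bucket(GOOD_LOCK, GOOD_VER))  # []
```

The policy JSON is what you would attach to the agent's dedicated IAM user, and the lock JSON is what you pass to the CLI call named in the docstring.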

Option 2: Air-Gapped Rotation

For home users and small businesses:

  1. Purchase 3–4 encrypted external drives (see Secure USB Drives)
  2. Label them (Monday, Wednesday, Friday, Monthly)
  3. Back up to one drive, then disconnect and store it
  4. Rotate drives so the most recent offline backup is never more than 2 days old
  5. Keep the monthly drive off-site

Option 3: Write-Once Optical Media

For critical, rarely-changing data (recovery keys, legal documents, certificates):

  1. Write data to M-DISC Blu-ray (rated for 1,000+ years)
  2. Store discs in a fireproof safe
  3. The data physically cannot be altered or encrypted by ransomware

The 3-2-1-1-0 Backup Rule

Building on the classic 3-2-1 strategy:

  • 3 copies of data
  • 2 different media types
  • 1 off-site copy
  • 1 immutable or air-gapped copy
  • 0 errors (verified through regular test restores)

Testing Immutable Backups

Immutability is only valuable if the backups are actually restorable:

  • Monthly: Restore a sample file from the immutable backup to verify integrity
  • Quarterly: Perform a full test restore to a clean system
  • Annually: Review retention policies and storage costs

Common Mistakes

  • Using sync services as “backups” — OneDrive and Dropbox sync the ransomware-encrypted files up to the cloud copy just as they sync any other change. They are not immutable.
  • Sharing backup credentials with domain admins — if Active Directory is compromised, the attacker gets backup access too.
  • Setting retention too short — ransomware may dwell for weeks before triggering. 30-day minimum retention is recommended.
  • Never testing restores — an untested backup isn’t a backup.

Key Takeaways

  • Immutable backups are your strongest defence against ransomware that targets backup infrastructure
  • Cloud object lock, air-gapped drives, and write-once media each provide different levels of immutability
  • No single approach is sufficient — layer immutable backups with other strategies
  • Regularly test that immutable backups are actually restorable

For a broader comparison of backup approaches, see Air-Gapped vs. Cloud Backups.
