Ransomware is the most common reason people wish they’d taken backups more seriously. A solid backup strategy — built around offline encryption and the right disciplines — is your most reliable recovery path when prevention fails.
The Ransomware Backup Problem
Modern ransomware is designed to eliminate your recovery options:
- It deletes Windows shadow copies (Volume Shadow Service)
- It searches for backup files by extension (.bak, .vbk, .vmdk)
- It enumerates network shares and encrypts everything reachable
- It targets cloud sync folders that automatically propagate encrypted files
- Some variants dwell for weeks before activating, poisoning backups with dormant malware
The only backup ransomware cannot touch is one that’s physically unreachable when the attack happens.
Building Ransomware-Proof Backups
Layer 1: Frequent Local Backups (For Speed)
Use Windows File History or a backup tool to maintain frequent local snapshots. These are your first line of recovery for accidental deletions and minor issues.
Limitation: These are reachable by ransomware on the same network. They’re not ransomware-proof — they’re a convenience layer.
Layer 2: Encrypted Air-Gapped Backups (The Core Defence)
This is the critical layer. An air-gapped backup is:
- Stored on an encrypted external drive (BitLocker or VeraCrypt — see Secure USB Drives)
- Connected to the computer only during the backup window
- Disconnected and stored securely the rest of the time
Weekly workflow:
- Connect the encrypted drive
- Unlock with your passphrase
- Run the backup (robocopy, Windows Backup, or your preferred tool)
- Verify a sample file from the backup
- Lock the drive (dismount/eject)
- Store in a safe or locked drawer
Maintain at least two rotating drives so you always have a recent backup that wasn’t connected during a potential infection.
Layer 3: Immutable Off-Site Backup (For Disasters)
Cloud backup with object lock or WORM (Write Once, Read Many) protection:
- The backup agent uploads encrypted data
- The cloud provider enforces a retention period during which data cannot be deleted or modified
- Even if your cloud credentials are compromised, the immutable copies survive
Services like Backblaze B2 Object Lock, AWS S3 Object Lock, or Wasabi provide this at reasonable cost.
Layer 4: Critical Data on Write-Once Media
For your most important data (recovery keys, financial records, legal documents):
- Burn to M-DISC Blu-ray (physically cannot be overwritten)
- Store in a fireproof safe or safety deposit box
- Update annually or when significant data changes
Encrypting Your Backups
Encryption protects your backup data if the storage media is lost or stolen. But the encryption must be applied correctly:
- Encrypt before uploading to cloud storage (client-side encryption)
- Use strong passphrases — the backup drive may be subjected to offline brute-force attacks
- Store passphrase separately from the backup media — in a password manager and/or offline vault
- Never use the same passphrase for your backup encryption as for your Windows login
For Windows encryption tool comparisons, see BitLocker vs VeraCrypt and Windows Encryption Basics.
Backup Verification: The Step Everyone Skips
A backup you haven’t tested is not a backup. Schedule:
- Weekly: Spot-check — open one file from the latest backup to verify it’s not corrupted
- Monthly: Restore a folder to a different location and verify contents
- Quarterly: Full test restore to a clean system (or virtual machine)
Ransomware dwell time can be weeks. If all your recent backups contain dormant malware, you need to go further back. This is why retention depth matters — keep at least 30 days of backup history.
Quick Reference: Ransomware-Proof Backup Checklist
| Component | Purpose | Frequency |
|---|---|---|
| Local backup (File History) | Fast recovery from minor issues | Continuous |
| Encrypted air-gapped drive A | Primary ransomware-proof backup | Weekly (alternate) |
| Encrypted air-gapped drive B | Secondary ransomware-proof backup | Weekly (alternate) |
| Cloud backup with immutability | Off-site disaster recovery | Daily |
| Write-once media (M-DISC) | Critical data preservation | Annually |
| Test restore | Verify backups work | Monthly |
Common Mistakes to Avoid
- ”My cloud sync is my backup.” No. File sync propagates ransomware encryption.
- ”I back up to a NAS that’s always connected.” Ransomware will find and encrypt it.
- ”I encrypted the backup but stored the passphrase with it.” If the backup media is stolen, the encryption is worthless.
- ”I haven’t tested a restore in years.” You may be backing up corrupted or unusable data.
Key Takeaways
- Ransomware specifically targets backups — your strategy must account for this
- Air-gapped, encrypted backups are the most reliable ransomware defence
- Layer multiple backup approaches: local, air-gapped, cloud immutable, write-once
- Test restores regularly — a backup you can’t restore is worthless
- Encrypt all backup media and manage passphrases separately
Further Reading
- CISA — #StopRansomware Guide — Government ransomware prevention
- NIST — Data Integrity: Recovering from Ransomware — Recovery framework
- Microsoft — Ransomware protection overview — Windows-specific guidance
- NCSC — Mitigating malware and ransomware attacks — UK government guidance
- No More Ransom Project — Free decryption tools and prevention advice