
Immutable Backup: The 3-2-1-1-0 Rule Against Ransomware

Immutable backup and disaster recovery concept — Xen Bilişim Data Security

Let me tell you what a business loses in a ransomware attack despite having backups: the backups. Modern ransomware groups no longer rush to encrypt your files. They move through the network quietly first, locate the backup server, the NAS share, the cloud sync folder — and wipe or encrypt those before touching production data. The moment you discover that the archive you counted on is also encrypted, the negotiation table is the only thing left.

Immutable backup exists to solve exactly this.

What Is an Immutable Backup?

An immutable backup is a copy that no one can change or delete for a defined retention period. Not the administrator, not an attacker who has breached the network, not a stolen admin password. The technical basis is WORM (Write Once, Read Many): data is written once and stays read-only until the retention window expires.

In practice it is implemented one of three ways:

  • Object Lock — Amazon S3 Object Lock or Azure Immutable Blob with Compliance Mode in cloud storage
  • Hardened Linux repository — in solutions like Veeam, a backup repository where even root cannot delete data
  • WORM tape / air-gap — a copy physically disconnected from the network and powered off

In S3 Object Lock’s Compliance Mode, even the AWS root account cannot delete the data before retention ends. The safety of the backup no longer hinges on a password — it is enforced by the storage layer itself.
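To make the Compliance-versus-Governance distinction concrete, here is an added Python model of Object Lock retention semantics. It is not Xen Bilişim's code and not the AWS SDK; the `WormBucket`, `LockMode` and `simulate_wipe_attempt` names, the file names and the 30-day window are assumptions for illustration. The behaviour mirrors what S3 Object Lock enforces: a principal with bypass rights can delete a Governance-mode object early, while a Compliance-mode object can be neither deleted nor shortened by anyone until retention ends.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class LockMode(Enum):
    """Object Lock retention modes (names as in S3; behaviour modelled here)."""
    GOVERNANCE = "GOVERNANCE"   # deletable early only with an explicit bypass permission
    COMPLIANCE = "COMPLIANCE"   # no one can delete or shorten until retain_until passes


class RetentionError(PermissionError):
    """Raised when a delete or retention change would violate an active lock."""


@dataclass
class LockedObject:
    data: bytes
    mode: LockMode
    retain_until: datetime


@dataclass
class WormBucket:
    """Constructed stand-in for an Object-Lock-enabled bucket (hypothetical class)."""
    objects: dict = field(default_factory=dict)

    def put(self, key, data, mode, retention_days, now):
        if key in self.objects:
            # A locked key cannot be overwritten in place; only allowed once the lock expired.
            self._require_unlocked(key, now, bypass_governance=False)
        self.objects[key] = LockedObject(data, mode, now + timedelta(days=retention_days))

    def delete(self, key, now, *, bypass_governance=False):
        self._require_unlocked(key, now, bypass_governance)
        del self.objects[key]

    def shorten_retention(self, key, new_until, *, bypass_governance=False):
        obj = self.objects[key]
        if new_until >= obj.retain_until:
            obj.retain_until = new_until          # extending retention is always permitted
            return
        if obj.mode is LockMode.COMPLIANCE or not bypass_governance:
            raise RetentionError(f"{key}: cannot shorten {obj.mode.value} retention")
        obj.retain_until = new_until

    def _require_unlocked(self, key, now, bypass_governance):
        obj = self.objects[key]
        if now >= obj.retain_until:
            return                                # lock expired, normal rules apply
        if obj.mode is LockMode.GOVERNANCE and bypass_governance:
            return                                # bypass permission honoured
        raise RetentionError(f"{key}: locked in {obj.mode.value} mode until {obj.retain_until:%Y-%m-%d}")


def simulate_wipe_attempt():
    """An intruder holding full admin rights tries to destroy two backup copies on day 5."""
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    bucket = WormBucket()
    bucket.put("erp-full.vbk", b"backup-bytes", LockMode.COMPLIANCE, 30, now)
    bucket.put("files-full.vbk", b"backup-bytes", LockMode.GOVERNANCE, 30, now)
    day5 = now + timedelta(days=5)
    results = {}

    for key, label in (("erp-full.vbk", "compliance_deleted"), ("files-full.vbk", "governance_deleted")):
        try:
            bucket.delete(key, day5, bypass_governance=True)   # admin asks to bypass governance
            results[label] = True
        except RetentionError:
            results[label] = False

    try:  # the same admin tries to shrink the compliance window to a single day instead
        bucket.shorten_retention("erp-full.vbk", now + timedelta(days=1), bypass_governance=True)
        results["compliance_shortened"] = True
    except RetentionError:
        results["compliance_shortened"] = False

    # Once retention has expired, ordinary lifecycle deletion succeeds.
    bucket.delete("erp-full.vbk", now + timedelta(days=31))
    results["deleted_after_expiry"] = "erp-full.vbk" not in bucket.objects
    return results


if __name__ == "__main__":
    print(simulate_wipe_attempt())
```

The Governance-mode copy is the one that disappears, which is why the post recommends Compliance Mode for the copy you are counting on: the protection must not depend on any credential the attacker could have stolen.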

Why 3-2-1 Became 3-2-1-1-0

Most IT leads know the classic 3-2-1 rule: 3 copies, 2 different media types, 1 copy offsite. It protected against disk failure and fire for years. But because ransomware reaches every accessible copy at once, “offsite but internet-connected” no longer counts as safe.

Veeam’s extended 3-2-1-1-0 rule closes that gap:

Digit | Meaning                                    | What it protects against
3     | At least 3 copies (production + 2 backups) | Single point of failure
2     | 2 different media types                    | Media-specific faults
1     | 1 copy offsite                             | Fire, flood, theft
1     | 1 copy offline, air-gapped or immutable    | Ransomware, insider deletion
0     | 0 errors in recovery testing               | The “backup exists but won’t open” disaster

That final 0 is the part most businesses skip. Taking a backup and being able to restore from it are not the same thing. Without regular restore testing, a backup is just an assumption until the day you actually need it.

RTO and RPO: Two Numbers Drive Everything

Before designing a backup plan, two questions must be answered. They dictate which technology you choose, how often you back up, and how much budget you need.

  • RPO (Recovery Point Objective): How much data can you afford to lose? If you back up once a day, your RPO is 24 hours — every invoice, email, and record entered since the last backup is gone.
  • RTO (Recovery Time Objective): How quickly must the system be back up after a crash? For e-commerce that is a few hours; for an accounting firm, perhaps a full day.

Workload                  | Reasonable RPO | Reasonable RTO
ERP / accounting database | 1–4 hours      | 4–8 hours
Email (Exchange/M365)     | < 1 hour       | a few hours
File server               | 12–24 hours    | 1 day
Static archive            | 24 hours+      | flexible

Writing these targets down prevents expensive, unnecessary decisions like “back up everything hourly just in case.” You invest where it matters and keep the rest reasonable.
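The two numbers only mean something if you measure them. Added example, not from the original post: a small Python script that reads constructed backup-job and restore-test log lines (a made-up `event=... job=... status=...` format, not any vendor's) and compares the achieved RPO and RTO against per-workload targets. The values in `TARGETS`, the job names, the timestamps and the "current time" `NOW` are assumptions. It makes two points a schedule alone hides: the achieved RPO is the age of the last successful backup, so failed runs silently widen it, and the RTO you can defend is the duration of a restore you have actually performed.

```python
import re
from datetime import datetime, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+event=(?P<event>backup|restore_test)\s+job=(?P<job>\S+)"
    r"\s+status=(?P<status>\S+)(?:\s+duration_min=(?P<dur>\d+))?$"
)

# Per-workload targets in hours, derived from the table above (constructed mapping).
TARGETS = {
    "erp-db":     {"rpo_h": 4,  "rto_h": 8},
    "exchange":   {"rpo_h": 1,  "rto_h": 4},
    "fileserver": {"rpo_h": 24, "rto_h": 24},
}

# Constructed sample log: erp-db's last two runs failed, exchange was never restore-tested.
SAMPLE_LOG = """\
2025-03-09T22:00:00Z event=backup job=fileserver status=success
2025-03-10T02:00:00Z event=backup job=erp-db status=success
2025-03-10T02:30:00Z event=backup job=exchange status=success
2025-03-10T06:00:00Z event=backup job=erp-db status=failed
2025-03-10T07:00:00Z event=restore_test job=fileserver status=success duration_min=240
2025-03-10T08:00:00Z event=restore_test job=erp-db status=success duration_min=600
2025-03-10T10:00:00Z event=backup job=erp-db status=failed
this line is garbage and is skipped
"""
NOW = datetime(2025, 3, 10, 11, 0, tzinfo=timezone.utc)   # constructed "current time"


def parse(text):
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # unknown line shape: ignore rather than crash
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["dur"] = int(e["dur"]) if e["dur"] else None
        events.append(e)
    return events


def achieved_rpo_hours(events, job, now):
    """Age of the last *successful* backup; failed runs do not move the recovery point."""
    ok = [e["ts"] for e in events if e["event"] == "backup" and e["job"] == job and e["status"] == "success"]
    return (now - max(ok)).total_seconds() / 3600 if ok else None


def demonstrated_rto_hours(events, job):
    """Duration of the most recent successful restore test, or None if never tested."""
    tests = [e for e in events if e["event"] == "restore_test" and e["job"] == job and e["status"] == "success"]
    return max(tests, key=lambda e: e["ts"])["dur"] / 60 if tests else None


def assess(text, targets, now):
    """Per job: achieved RPO/RTO in hours and whether each is within target."""
    events = parse(text)
    report = {}
    for job, t in targets.items():
        rpo = achieved_rpo_hours(events, job, now)
        rto = demonstrated_rto_hours(events, job)
        report[job] = {
            "rpo_hours": rpo, "rpo_ok": rpo is not None and rpo <= t["rpo_h"],
            "rto_hours": rto, "rto_ok": rto is not None and rto <= t["rto_h"],
        }
    return report


def assess_sample():
    return assess(SAMPLE_LOG, TARGETS, NOW)


if __name__ == "__main__":
    for job, r in assess_sample().items():
        print(job, r)
```

On the sample, the file server is fine on both counts, the ERP database is at a 9-hour RPO against a 4-hour target because its last two jobs failed, and the mail workload has no demonstrated RTO at all because it has never been restored. A workload with `rto_ok` false for lack of a test is exactly the "0" in 3-2-1-1-0 not being met.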

A Practical Roadmap for SMBs

In Türkiye, the primary target of ransomware is not large holdings — it is mid-sized businesses with 100 or fewer employees. Trend Micro and BTK (Türkiye’s telecom authority) reports consistently list Türkiye among the countries hit hardest by ransomware worldwide. For a small business, a single successful attack often means closing for good.

The sequence that works in the field:

  1. Classify critical data — what stops the business if you lose it?
  2. Set written RTO/RPO targets for that data
  3. Build 3-2-1-1-0: make at least one copy immutable
  4. Encrypt backups (in transit and at rest)
  5. Schedule restore tests — at least quarterly
  6. Separate roles: the backup admin and the network admin should not be the same account

Even the first three steps are enough to take the “should we pay?” question off the table during an attack.
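Steps 3 to 6, together with the five digits of 3-2-1-1-0 above, reduce to yes/no questions about each copy, so here is an added Python checker (not the post's or any vendor's code) that evaluates a constructed inventory against 3-2-1-1-0, backup encryption and role separation. The `Copy` and `Inventory` structures, the two sample inventories and the principal names are assumptions; the first inventory mirrors the "offsite but internet-connected" setup the post warns about, the second a hardened one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    """One copy of the data (hypothetical structure for this example)."""
    name: str
    media: str                 # "disk", "object-storage", "tape", ...
    offsite: bool
    immutable: bool            # Object Lock or hardened repository
    offline: bool              # air-gapped / powered off
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    admin_principal: str       # the account able to delete or reconfigure this copy


@dataclass(frozen=True)
class Inventory:
    production: Copy
    backups: tuple
    restore_test_done: bool
    restore_test_failures: int     # failures in the most recent test cycle
    network_admin_principal: str   # account that administers the network / domain


def evaluate(inv):
    """Return each rule with True (met) or False (gap): the five digits, then roadmap steps 4 and 6."""
    all_copies = (inv.production,) + tuple(inv.backups)
    return {
        "3_copies": len(all_copies) >= 3,
        "2_media_types": len({c.media for c in all_copies}) >= 2,
        "1_offsite": any(c.offsite for c in inv.backups),
        "1_immutable_or_offline": any(c.immutable or c.offline for c in inv.backups),
        "0_restore_errors": inv.restore_test_done and inv.restore_test_failures == 0,
        "backups_encrypted": all(c.encrypted_at_rest and c.encrypted_in_transit for c in inv.backups),
        "roles_separated": all(c.admin_principal != inv.network_admin_principal for c in inv.backups),
    }


def gaps(inv):
    """Rules the inventory fails, in the order they appear above."""
    return [rule for rule, met in evaluate(inv).items() if not met]


def classic_321_example():
    """Constructed: NAS plus cloud sync, everything run by the same domain admin, never restore-tested."""
    prod = Copy("prod-san", "disk", False, False, False, True, True, "domain-admin")
    nas = Copy("nas-share", "disk", False, False, False, False, True, "domain-admin")
    cloud = Copy("cloud-sync", "object-storage", True, False, False, True, True, "domain-admin")
    return Inventory(prod, (nas, cloud), False, 0, "domain-admin")


def hardened_example():
    """Constructed: hardened Linux repository plus Object Lock bucket, separate backup identity, tested."""
    prod = Copy("prod-san", "disk", False, False, False, True, True, "domain-admin")
    repo = Copy("hardened-repo", "disk", False, True, False, True, True, "backup-svc")
    s3 = Copy("s3-object-lock", "object-storage", True, True, False, True, True, "backup-svc")
    return Inventory(prod, (repo, s3), True, 0, "domain-admin")


if __name__ == "__main__":
    print("classic 3-2-1 gaps:", gaps(classic_321_example()))
    print("hardened gaps:     ", gaps(hardened_example()))
```

The classic setup passes 3-2-1 on paper yet fails the two added digits plus encryption at rest and role separation, which is the gap the post describes: one stolen domain-admin credential reaches every copy. The hardened inventory reports no gaps because the copies that matter are immutable and administered by an identity the network admin does not hold.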

Frequently Asked Questions

Is cloud backup alone enough against ransomware? No. A standard cloud sync (OneDrive, a Drive folder) copies encrypted files to the cloud too. Unless Object Lock or versioning is enabled, the cloud is affected as well. Immutability must be explicitly turned on.

Do I need to back up Microsoft 365 separately? Yes. Under Microsoft’s shared responsibility model, Microsoft protects the infrastructure; backing up the data is your responsibility. A deleted Exchange Online mailbox is typically lost permanently after a set period. We covered this in a separate guide: Microsoft 365 backup guide.

Acronis or Veeam? Both support immutable backups. Veeam is strong in virtualization-heavy environments that want a hardened repository; Acronis is practical for SMBs looking for endpoint plus anti-malware integration. The right choice depends on your environment — there is no blanket “best.”

Want to review your backup architecture against a real ransomware scenario? We will assess your current setup and map out a 3-2-1-1-0 plan. Get in touch, and let us pin down which of your copies actually saves you and which is just comfort.
