Backup Strategy: The 3-2-1 Rule and Protection Against Ransomware
May 10, 2025 · 9 min read · System Networks
94% of companies that lost data for more than 10 days went bankrupt within a year. 57% of ransomware attacks specifically target and destroy backup copies before encrypting primary data. Having a backup is not enough — you need the right backup strategy.
The Uncomfortable Reality
The 3-2-1 Rule Explained
Three copies
1 primary + 2 backups. If you have one backup and it fails during restoration, you have nothing.
Two different media
Store backups on at least two different types of storage: e.g., local disk + object storage. Protects against media failure.
One offsite copy
At least one copy must be geographically separate. Protects against fire, flood, theft, and physical server seizure.
3-2-1 Is Not Enough Against Modern Ransomware
Modern ransomware (like LockBit, BlackCat, Cl0p) is designed by sophisticated criminal organisations. They have learned that victims restore from backup rather than paying. So they target backups first. The 3-2-1 rule needs to be extended:
3-2-1-1: Add one immutable copy
Immutable backup storage cannot be modified or deleted for a set period — even by an admin with credentials. Ransomware actors who compromise your backup server cannot delete immutable copies. S3 Object Lock, Wasabi, Backblaze B2 Object Lock all provide this.
3-2-1-1-0: Zero trust for backup infrastructure
Backup servers should not be on the same network segment as production. Use separate credentials for backup systems. Consider air-gapped backup (physically disconnected) for the most critical data.
Recovery Testing: The Most Neglected Part
⚠️ A backup you have never tested is not a backup
34% of backup restores fail on the first attempt. Bit rot, software version mismatches, missing dependencies, incomplete backups — these only surface during actual restoration. By then it is too late.
Storage Options for Offsite Backup
| Option | Cost | Immutability | Best for |
|---|---|---|---|
| Colocation in EU DC | ₽2,000–₽5,000/TB/mo | Physical | Large volumes, 152-FZ sensitive data |
| Backblaze B2 | $6/TB/mo | Object Lock | Cost-efficient offsite, SMB |
| Wasabi | $7/TB/mo | Object Lock | No egress fees, good for recovery testing |
| AWS S3 Glacier | $4/TB/mo | Object Lock | Archival, infrequent access |
| Yandex Object Storage (Russia) | ₽2,000/TB/mo | Partial | 152-FZ localisation requirement |
| Tape (LTO-9) | High CAPEX, low/mo | Air-gapped | Maximum protection, large DCs |