Montana Data Company
Ransomware & Recovery

Immutable Backup: What It Is and Why Your Current Backup Isn't Enough

Traditional backups can be deleted by ransomware. Immutable backups cannot. Here's the technical difference, and why the distinction matters when an attack is already in progress.

3 June 20268 min readMontana Data Company · Data Protection Team

Here is the scenario that exposes the critical flaw in most business backup strategies: ransomware encrypts your production data. You initiate a restore from backup. The backup is also encrypted. The attack happened three weeks ago — it just waited before triggering. Every backup job since then has faithfully backed up the encrypted files, overwriting the clean versions.

This is not a theoretical scenario. It is the failure mode that makes ransomware catastrophic for organisations that believed they were protected. And it happens because standard backup, however diligently maintained, is fundamentally vulnerable to the same attack vector as the data it is meant to protect.

Immutable backup was designed specifically to close this gap.

What Does "Immutable" Actually Mean?

Immutability, in the context of data storage, means that once data is written, it cannot be modified, overwritten, or deleted for a defined retention period — by anyone, including administrators with full system access.

This is technically enforced, not policy-enforced. It is not a matter of setting permissions or restricting access. The storage system itself refuses to accept modification commands during the retention window. Write once, read many — WORM — is the underlying principle.

When applied to backup, immutability means:

  • The backup copy cannot be encrypted by ransomware, even if the ransomware has administrator-level access to your network
  • The backup copy cannot be deleted by a compromised admin account
  • The backup copy cannot be modified to overwrite clean data with encrypted data
  • The backup copy remains exactly as it was written, for the full retention period, regardless of what happens elsewhere in your environment

This is the technical property that makes immutable backup the only reliable recovery option against sophisticated ransomware.

Why Standard Backup Fails Against Modern Ransomware

To understand why immutability matters, it helps to understand how modern ransomware specifically targets backup systems.

The Dwell Time Problem

Sophisticated ransomware does not encrypt immediately upon infection. It establishes a foothold, spreads laterally across the network during a reconnaissance phase, and waits — sometimes for weeks or months — before triggering the encryption payload.

During this dwell period, your backup jobs are running normally. They are backing up files that are in the process of being quietly staged for encryption. When the attack finally triggers and you attempt to restore, your most recent 30, 60, or 90 days of backups may all contain the pre-encryption staging the attacker planted.

An immutable backup with a sufficient retention window (beyond the typical dwell period) gives you a recovery point that pre-dates the compromise entirely.

Direct Backup Targeting

Modern ransomware variants specifically identify and target backup infrastructure before triggering the main encryption payload. This includes:

  • Deleting Windows Volume Shadow Copies
  • Targeting backup agent processes and terminating them
  • Identifying mapped network drives and NAS devices used for backup storage and encrypting them
  • Using compromised admin credentials to log into backup management consoles and delete recovery points

If your backup storage is connected to your network — even as a separate device — and is accessible with the same credentials that ransomware can compromise, it is not protected. Immutability removes this attack surface entirely: even with valid admin credentials, the storage refuses deletion commands during the retention window.

The Encryption Sync Problem

For organisations relying on Microsoft 365 or cloud-synced storage as their primary "backup," the sync mechanism itself becomes the attack vector. When ransomware encrypts files on a local machine, the sync client faithfully propagates those encrypted files to the cloud, overwriting the originals. OneDrive version history provides partial mitigation, but sophisticated attacks are designed to exhaust version history limits before triggering.

How Immutable Backup Works in Practice

Modern cloud backup platforms implement immutability at the storage layer using several technical mechanisms:

Object-locked cloud storage: Backup data is written to cloud object storage (such as AWS S3 with Object Lock, or equivalent) configured with a retention lock. During the lock period, the storage provider's own API will reject any delete or overwrite request — even from authenticated account holders.

Air-gapped architecture: The backup storage environment is logically and/or physically separated from the production environment. There is no direct network path between the two. Backup data is transmitted to the immutable store but cannot be accessed, modified, or deleted from the production network.

Cryptographic verification: Each backup snapshot is cryptographically hashed at write time. Any subsequent modification to the stored data would invalidate the hash, making tampering detectable even if immutability controls were somehow bypassed.

Retention lock policies: Administrators can set minimum retention periods that cannot be reduced, even by account holders with administrative privileges. This prevents the attack scenario where a compromised admin account attempts to delete backups before triggering encryption.

What to Look for in an Immutable Backup Solution

Not all products that claim immutability deliver the same level of protection. When evaluating a solution, ask these specific questions:

Can backup data be deleted via the admin console? If yes, it is not truly immutable — a compromised admin account can still destroy your backups.

Is the backup storage logically or physically separated from the production network? A backup that lives on a server within your network perimeter is within the blast radius of a network-level attack, even if the storage is technically immutable.

What is the minimum retention period, and is it enforced at the storage layer? Policy-level retention (configured in software, which can be modified) is not the same as storage-level immutability (enforced by the storage infrastructure itself).

Does the solution include anomaly detection? AI-driven anomaly detection that identifies unusual encryption or deletion behaviour — and triggers an alert or preservation hold — adds a critical early-warning layer that can stop an attack before it completes.

What is the tested recovery time for your specific environment? Immutability guarantees the backup survives. Recovery speed determines how long you are down while restoring. Both matter.

The 3-2-1-1-0 Rule

The original 3-2-1 backup rule — three copies, on two different media types, with one off-site — remains valid but has been updated for the ransomware era. The modern standard is 3-2-1-1-0:

  • 3 copies of data
  • 2 different storage media types
  • 1 copy off-site
  • 1 copy immutable (air-gapped or offline, unable to be modified)
  • 0 unverified backups — every backup must be regularly tested to confirm it can be restored

The addition of the immutability requirement and the zero-unverified-backup discipline reflects the reality of modern attack techniques. A backup strategy that satisfies the original 3-2-1 rule but lacks immutability is incomplete.

What Immutable Backup Changes About Recovery

The practical difference immutability makes in a ransomware recovery scenario is significant:

Without immutable backup: You discover the encryption. You attempt to restore from backup. The backup is also encrypted or has been deleted. You are now choosing between paying the ransom, engaging a forensic recovery firm with limited success probability, or accepting data loss. Recovery time: weeks to months. Cost: potentially catastrophic.

With immutable backup: You discover the encryption. You identify the clean recovery point (pre-dating the attack). You initiate restore from the immutable copy. Recovery time: hours to one or two days depending on data volume. Cost: operational disruption only — no ransom, no forensic engagement, no data loss.

The investment in immutable backup is not primarily about the probability of an attack. It is about the severity of the outcome when an attack occurs. Immutability converts a potentially business-ending event into a recoverable operational incident.

Montana Data Company deploys Druva's cloud backup platform, which stores all backup data in immutable, object-locked cloud storage with AI-driven anomaly detection and a tested recovery SLA. If you are currently relying on backup software with mutable storage, we can assess your current exposure and show you specifically what a migration to immutable protection would look like for your environment.

Immutable BackupRansomware3-2-1 BackupCloud Backup
Back to all articles

More in Ransomware & Recovery

Ransomware & Recovery

What Is Ransomware? A Plain-English Guide for Business

Ransomware locks your business data and demands payment to restore it. Here's what it is, how attacks unfold, and what South African businesses can do to protect themselves.

Ransomware & Recovery

How Does Ransomware Spread? 6 Common Entry Points

Ransomware doesn't appear from nowhere. It enters through specific, predictable weaknesses in your business. Here are the six most common entry points — and what to do about each one.

Ransomware & Recovery

How Much Does a Ransomware Attack Cost SA Businesses?

The ransom is only the beginning. Here's the full cost of a ransomware attack for a South African business — downtime, recovery, regulatory fines, and reputational damage included.

Monty

Montana Data Assistant

Hi, I'm Monty, your Montana Data Company assistant. How can I help you today?