Summary: What your backup strategy needs to work during a ransomware attack. The 3-2-1 rule and immutable backup.

Ransomware attacks share a common trait: the moment the attacker gets into the systems, they look for and delete backups first, because a victim with no backup is forced to pay. Against this, the old "back up to the NAS once a day" approach is no longer enough.

A simple rule the industry has embraced for decades is still the strongest defense when applied correctly: the 3-2-1 rule.

What is the 3-2-1 rule?

  • 3 copies of data — the original + at least two backups
  • kept on 2 different media (e.g. NAS + cloud)
  • 1 copy off-site and, if possible, offline

This rule is a practical application of the "don't put all your eggs in one basket" principle. Even if the attacker reaches the local network, you can recover your data as long as they can't reach the off-site copy.

A modern addition: immutable backup

Traditional 3-2-1 may not be enough on its own today, because ransomware that reaches a backup share can encrypt or delete the backup files themselves. The countermeasure is immutable storage or WORM (Write Once Read Many) backups: copies that cannot be deleted or modified for a set period after being written.

This capability is available as an immutable snapshot on both Synology and QNAP NAS devices. Modern cloud backup services also offer an "object lock" feature.

How is a 3-2-1 architecture built in practice?

A typical SMB example

  1. Server and end-user data is backed up to the office NAS (local, fast)
  2. The NAS is replicated to a second NAS or an external disk
  3. Important data is sent to the cloud encrypted (off-site)
  4. An immutable snapshot is taken on the NAS every night (the attacker can't delete it)

In this setup, even if the attacker fully accesses the office network, they can't touch the cloud copy; and with NAS snapshots you can already recover within minutes.

I'm backing up — isn't that enough?

No. An untested backup is not a backup. If you don't regularly do restore tests, you run a high risk of discovering in a real incident that your backup doesn't work. Our recommendation:

  • A monthly restore test of a few random files/folders
  • A full restore drill every three months
  • Your RTO (recovery time) and RPO (data-loss tolerance) targets in writing
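The monthly sample restore test described above can be automated: hash every file at backup time, then after restoring a random sample compare each restored file against that manifest. This is an added example, not code from the original post; the directory layout, file names and the "damaged" and "missing" files in `demo()` are constructed for illustration.

```python
# Added example (not from the post): a monthly restore test that checks a random
# sample of restored files against a SHA-256 manifest taken at backup time.
import hashlib, os, random, shutil, tempfile

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    # Record this at backup time and keep a copy with the off-site backup.
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root, sample_size, seed=None):
    # Sample random manifest entries; classify each as ok/missing/corrupted.
    rng = random.Random(seed)
    sample = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    result = {"ok": [], "missing": [], "corrupted": []}
    for rel in sample:
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            result["missing"].append(rel)
        elif sha256_file(path) != manifest[rel]:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    return result

def demo():
    # Constructed scenario: back up 5 files, restore, then damage one and drop one.
    with tempfile.TemporaryDirectory() as tmp:
        src, restored = os.path.join(tmp, "src"), os.path.join(tmp, "restored")
        os.makedirs(src)
        for i in range(5):
            with open(os.path.join(src, f"doc{i}.txt"), "w") as f:
                f.write(f"invoice {i}\n")
        manifest = build_manifest(src)
        shutil.copytree(src, restored)
        with open(os.path.join(restored, "doc1.txt"), "a") as f:
            f.write("tampered\n")  # silently damaged backup
        os.remove(os.path.join(restored, "doc3.txt"))  # lost file
        return verify_restore(manifest, restored, sample_size=5, seed=1)
```

Calling `demo()` reports `doc1.txt` as corrupted and `doc3.txt` as missing; in a real drill, point `build_manifest` at the production data before the backup runs and `verify_restore` at the restored tree.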

5 common mistakes

  1. Backing up to the same server — if the server fails, the backup goes too
  2. Keeping the backup "open" — ransomware encrypts the backup share as well
  3. Relying on a single NAS — if the NAS fails, the data is gone
  4. Not making a cloud copy — a building fire ends everything
  5. Not testing — you don't want to find out the backup won't restore on the day it matters

The right question

Don't ask "are we backing up?" — ask "can we bring critical systems back up within 4 hours of a ransomware attack?" The answer should be "yes, because we tested it."

Our backup and disaster recovery projects are designed with exactly this approach: 3-2-1 + immutable + regular testing. If you need broader ransomware protection, backup is only one part of the protection architecture — network segmentation, EDR and training matter equally.

Let's build a ransomware-resilient backup architecture

Let's assess your current backup setup and turn it into a proven 3-2-1 architecture.

Request a Free Assessment