Immutable Backup: Tamper-Proof Backups Against Ransomware

TL;DR: What immutable backup is, how it defends against ransomware, the technologies an SME can deploy, and a practical architecture guide.
Summary: An immutable backup is one that nobody — admins included — can delete or modify for a defined period. Because modern ransomware variants actively target backup servers and NAS devices, "we have backups" no longer suffices; you need a backup layer the ransomware can't reach. Immutable backup is delivered through S3 Object Lock, WORM (Write Once Read Many) disks, immutable-repository features in backup software (Veeam, Acronis), air-gapped tape, or cloud cold storage. Even a simple SME-scale start materially raises the resilience of your existing backup architecture.
The assumption "we take backups" often ends in disappointment during a ransomware incident at SMEs. The reason: the backup NAS is on a domain account, always writable; when the attacker captures domain admin, they reach the backups too. "We had three copies; all three got encrypted" has become an ordinary story in recent years. That's where the traditional backup model fails — and where immutable backup closes the gap.
In this article we cover the immutable-backup concept, applicable technologies, and architectural decisions at SME scale. Target audience: IT owners, system administrators, and decision-makers reviewing their existing backup architecture through a ransomware lens.
The Weakness of Traditional Backup
The classic 3-2-1 rule — 3 copies, 2 media, 1 offsite — has been the standard for years. Modern ransomware bypasses that model.
Weak Points of Classic Backup Architecture
- The backup NAS is on the production network, authorised under the same domain account
- Backup-software agents usually run as admin
- Cloud backups are usually writable (always in sync)
- Backup snapshots live under the same backup system; they can be maliciously deleted
How Modern Ransomware Hunts Backups
Sophisticated ransomware groups, once on the network:
- Reconnoitre the backup NAS first
- Delete backup snapshots
- If cloud-backup API access exists, attack that too
- The backup infrastructure is compromised before encryption begins
By the time production data starts getting encrypted, the backups are already gone. Paying the ransom looks like the only option.
The Answer: a Layer Even an Attacker Can't Reach
An immutable backup guarantees that — even if the attacker holds domain admin, even if an IT lead is malicious — the backup files cannot be touched in any way for a defined period.
What an Immutable Backup Is
For a backup to be considered immutable it must:
- Be unchangeable after it's written (no modify)
- Be undeletable (no delete)
- Be unoverwritable (no overwrite)
- Sit behind a mechanism where nobody, including admins, can bypass those rules
That guarantee isn't at the software level — it's technically enforced at the hardware / protocol level.
WORM and Immutable
- WORM (Write Once Read Many): the historical term; once written, the data is readable but not modifiable (originally on optical media — CD-R, DVD-R)
- Immutable: the modern term; the same concept implemented in the cloud / on disk
The two terms are used interchangeably in practice.
Immutable-Backup Technologies
Solutions applicable at SME scale:
1. S3 Object Lock (AWS)
Amazon S3's Object Lock feature makes an object undeletable and unmodifiable for a defined period.
Modes:
- Compliance Mode: nobody can remove it, root user included
- Governance Mode: someone with explicit permission can remove it (more flexible)
For SMEs, Compliance Mode is the strongest against ransomware — but watch out for the "misconfiguration → an accumulating pile of undeletable data you keep paying for" risk.
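As an added example (not the article's own code), a Python/boto3 helper that applies a Compliance Mode default retention rule to a backup bucket and then checks one stored object's retention; the guard against long, irreversible retention reflects the misconfiguration warning above. Bucket name, key and the 30-day threshold are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Compliance Mode retention cannot be shortened once applied, so refuse a long
# period until the caller confirms a short (30-day) rollout was already verified.
MAX_UNCONFIRMED_COMPLIANCE_DAYS = 30


def build_object_lock_config(days: int, mode: str = "COMPLIANCE",
                             confirmed: bool = False) -> dict:
    """Body for put_object_lock_configuration, after sanity checks."""
    if mode not in ("COMPLIANCE", "GOVERNANCE"):
        raise ValueError(f"unknown Object Lock mode: {mode}")
    if days < 1:
        raise ValueError("retention must be at least 1 day")
    if mode == "COMPLIANCE" and days > MAX_UNCONFIRMED_COMPLIANCE_DAYS and not confirmed:
        raise ValueError(f"{days}-day COMPLIANCE retention is irreversible; verify a "
                         f"<= {MAX_UNCONFIRMED_COMPLIANCE_DAYS}-day rollout first")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": mode, "Days": days}}}


def retention_is_sufficient(retention: dict, min_days: int,
                            now: Optional[datetime] = None) -> bool:
    """Check a get_object_retention() result: COMPLIANCE with >= min_days left."""
    now = now or datetime.now(timezone.utc)
    if retention.get("Mode") != "COMPLIANCE":
        return False  # GOVERNANCE can be lifted by anyone holding the bypass permission
    return retention["RetainUntilDate"] - now >= timedelta(days=min_days)


def lock_bucket_and_verify(bucket: str, key: str, data: bytes, days: int) -> bool:
    """Apply the default rule, store one backup object and confirm it is locked.

    Needs AWS credentials; the bucket must already have Object Lock enabled
    (e.g. created with ObjectLockEnabledForBucket=True). Names are assumptions.
    """
    import boto3  # imported here so the pure helpers above stay testable offline

    s3 = boto3.client("s3")
    s3.put_object_lock_configuration(
        Bucket=bucket, ObjectLockConfiguration=build_object_lock_config(days))
    s3.put_object(Bucket=bucket, Key=key, Body=data)
    retention = s3.get_object_retention(Bucket=bucket, Key=key)["Retention"]
    # days - 1 tolerates the seconds between upload and this check plus clock skew
    return retention_is_sufficient(retention, days - 1)


if __name__ == "__main__":
    print(lock_bucket_and_verify("example-immutable-backups", "daily/2024-05-04.vbk",
                                 b"constructed sample backup bytes", 30))
```

Run it first with the default 30-day period; only after the monthly restore test confirms the lock behaves should `confirmed=True` be used for the production retention.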
2. Cloud Cold Storage
- AWS Glacier Vault Lock
- Azure Blob Storage immutable policy
- Google Cloud Bucket Lock
The same immutable guarantee on lower-cost storage tiers.
3. Veeam Hardened Repository
Veeam Backup & Replication offers a Linux-based "hardened repository" feature:
- The backup repository on a Linux server with strict file permissions
- After write, the backup is marked immutable with chattr +i
- Even Veeam can't delete the file before the period expires
- Popular at SME scale
4. Acronis Immutable Storage
Acronis Cyber Backup offers immutable cloud storage:
- Files don't change for the configured retention period
- Ransomware can't reach this backup layer
5. Synology / QNAP NAS Immutable Snapshots
Synology Active Backup, with snapshot replication, offers immutable lock. Snapshots stay undeletable for the chosen period (when configured correctly).
6. Tape Backup — the Classic Air-Gap
An LTO tape, physically removed, is unaffected no matter what an attacker does:
- Backup written to tape
- Tape removed from the library and placed in a safe
- However capable the attacker, they don't reach a physical tape
An old principle's strength in a modern technology.
7. Append-Only Cloud
Some cloud providers (Backblaze B2, Wasabi) offer "append-only" API keys — new backups can be written; old ones can't be deleted. Economical for SMEs.
A Practical Architecture for SMEs
A typical immutable-backup design for a 10–30 server SME:
Three-Tier Backup
Production data (servers, NAS, file shares)
↓
Primary backup — local NAS / Veeam
(for fast restore, not immutable)
↓
Secondary backup — cloud (S3 Object Lock or Veeam Hardened)
(immutable, 30–90 day lock)
↓
Cold backup — tape or Glacier
(annual snapshots, retained 1–2 years)
Retention Policy
- Primary: 14-day rolling
- Secondary immutable: 30-day lock
- Cold: 1–2 years
The 30-day lock should exceed ransomware's reconnaissance window (typical attacker "dwell time" is 14–30 days).
Air-Gap Cadence
Ideal: daily backup immutable; weekly tape or offline-disk archive.
Veeam Hardened Repository Setup Principles
Given Veeam's popularity, the setup principles for this solution in detail:
Preparation
- A separate Linux server (Ubuntu, CentOS Stream, RHEL)
- Not domain-joined — a standalone Linux user
- SSH access keys-only
- Sudo permissions minimal
Repository Settings
- Single-Use Credentials: one-time-use password
- Make Recent Backups Immutable: on
- Immutability period: 7–30 days
Common Mistakes
- Repository server joined to the domain (attacker reaches it)
- chattr not active (configuration missing)
- SSH access by password instead of key-based authentication
- Bypass mechanism enabled (the immutable protection becomes meaningless)
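An added audit script (not Veeam's or the article's code) for the hardened-repository principles and common mistakes above: it reads `lsattr` output and reports backup files still inside the immutability window that lack the `i` flag, and checks whether `sshd_config` still permits password logins. The repository path, file names, 30-day period and sample data are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

IMMUTABILITY_DAYS = 30                 # period configured in Veeam (assumed value)
BACKUP_SUFFIXES = (".vbk", ".vib")     # .vbm metadata is rewritten by Veeam, not locked


def parse_lsattr(output: str) -> Dict[str, str]:
    """Map path -> flag string from lsattr lines like '----i---------e------- /path'."""
    flags = {}
    for line in output.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) == 2:
            flags[parts[1]] = parts[0]
    return flags


def unprotected_backups(lsattr_output: str, mtimes: Dict[str, datetime],
                        now: datetime, period_days: int = IMMUTABILITY_DAYS) -> List[str]:
    """Backup files still inside the immutability window that lack the 'i' flag."""
    window_start = now - timedelta(days=period_days)
    return sorted(path for path, flags in parse_lsattr(lsattr_output).items()
                  if path.endswith(BACKUP_SUFFIXES)
                  and mtimes.get(path, now) >= window_start and "i" not in flags)


def password_auth_enabled(sshd_config: str) -> bool:
    """True if sshd_config still allows password logins (OpenSSH default is yes)."""
    enabled = True
    for line in sshd_config.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("match "):
            break                      # per-user/host Match overrides not handled here
        tokens = line.split()
        if len(tokens) == 2 and tokens[0].lower() == "passwordauthentication":
            enabled = tokens[1].lower() == "yes"
    return enabled


# Constructed sample: one recent increment lost its flag; the March full is past its lock.
SAMPLE_NOW = datetime(2024, 5, 4, tzinfo=timezone.utc)
SAMPLE_LSATTR = """----i---------e------- /backups/job1/daily-2024-05-01.vbk
--------------e------- /backups/job1/daily-2024-05-03.vib
--------------e------- /backups/job1/daily-2024-05-03.vbm
--------------e------- /backups/job1/daily-2024-03-01.vbk"""
SAMPLE_MTIMES = {"/backups/job1/daily-2024-05-01.vbk": SAMPLE_NOW - timedelta(days=3),
                 "/backups/job1/daily-2024-05-03.vib": SAMPLE_NOW - timedelta(days=1),
                 "/backups/job1/daily-2024-05-03.vbm": SAMPLE_NOW - timedelta(days=1),
                 "/backups/job1/daily-2024-03-01.vbk": SAMPLE_NOW - timedelta(days=64)}
SAMPLE_SSHD = "# hardened\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
```

On the real repository server, feed `unprotected_backups` the output of `lsattr -R` over the repository path together with each file's mtime from `os.stat`, and `password_auth_enabled` the contents of `/etc/ssh/sshd_config`; any reported file or a `True` result is one of the mistakes listed above.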
Air-Gap Strategy
Air-gap means the backup storage is physically separated from the network.
Practical Air-Gap Methods
| Method | Description |
|---|---|
| Tape rotation | LTO tapes removed weekly / monthly and placed in a safe |
| Offline disk | Encrypted SSD/HDD; physically detached after backup |
| Cloud cold storage | Access constrained at the API layer (economical air-gap) |
| Backup in a different data centre | Geographic air-gap |
Most practical in an SME: cloud immutable + weekly offline disk.
Cost Comparison
| Solution | Investment | Monthly cost (1 TB) |
|---|---|---|
| AWS S3 Object Lock | Low | ~25 USD (Standard) |
| AWS Glacier Vault Lock | Low | ~4 USD |
| Backblaze B2 | Low | ~6 USD |
| Wasabi | Low | ~7 USD |
| Veeam Hardened Repository | Medium (a Linux server) | Only hardware / power |
| Synology / QNAP immutable | Medium | Only hardware |
| LTO Tape | High (drive + cartridges) | Very low (per disk) |
For SMEs, cloud immutable + a Veeam Hardened Repository combination is usually optimal.
Testing — the Most Important Step
An immutable backup that hasn't been tested isn't a backup either.
Monthly Test Flow
- Restore a single critical file from the immutable backup
- Do a full restore of a VM into a test environment
- Measure RTO and RPO
- Verify the immutable lock period works correctly
Test results are documented; used during the annual DR drill.
What Yamanlar Bilişim Offers
Our immutable-backup support areas at SME scale:
- Audit of the current backup architecture (ransomware lens)
- Veeam Hardened Repository rollout
- AWS S3 Object Lock or alternative cloud immutable
- Air-gap strategy (tape or offline disk)
- Monthly restore tests
- Annual DR drill
- Alignment with KVKK retention periods
Conclusion
Immutable backup is the fundamental guarantor that backups remain "backups" in the modern ransomware threat environment. Combinations of cloud S3 Object Lock, Veeam Hardened Repository, cold storage, and classic tape are deployable economically at SME scale. Reviewing your existing backup architecture with the question "if ransomware knew the admin password, could it reach the backups?" is now standard practice.
Yamanlar Bilişim provides immutable-backup architecture design, rollout, and monthly restore-testing services sized to your needs — moving the backup layer from "hopefully it'll work" to designed-in guarantee.
Frequently Asked Questions
Should I just make all my backups immutable?
That's not enough — immutable backups aren't ideal for fast restores. A user who accidentally deletes a file needs it back in minutes; pulling 1 TB from immutable cloud takes hours. The multi-tier approach is optimal: a fast local backup + immutable second tier + cold archive.
How can Veeam Hardened Repository be immutable when Veeam itself wrote the backup?
The Veeam server writes the backup and marks it immutable. After that, even Veeam can't delete the file — the chattr +i on the Linux server makes the file immutable; only Linux root + retention expiry can change it. The Veeam admin panel can't bypass it. This architecture rests on the principle that the backups stay protected even if Veeam itself is compromised.
What if S3 Object Lock is set up incorrectly?
In Compliance Mode, deletion within the retention period is impossible — if you misconfigure a long retention (e.g. 10 years), you're holding that data for 10 years. Costs accumulate. So the first rollout is tested with a short period (30 days); once verified, production retention is decided.
What if the cloud provider goes away or freezes the account?
This is exactly why relying on a single backup location / provider is risky. The ideal flow: primary cloud immutable + a secondary provider or offline disk. To avoid payment problems, use a corporate card and set up automatic-billing alerts.
Is tape backup an outdated technology?
No — a modern LTO-9 tape holds 18 TB uncompressed; the tape market continues to grow in 2024. Hyperscalers (AWS, Google) use tape for cold storage too. For SMEs, the cost / storage ratio is one of the best on the market; it just requires operational discipline (rotation, safe).
Can I make my old backups immutable?
New backups can be written immutable; rewriting old backups as immutable is possible but costly. The practical approach for most SMEs: from today, all new backups are immutable; old backups continue through the normal retention flow. After 30–90 days, the entire backup pool is immutable.
Author
Serdar
Yamanlar Bilişim Expert
Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.