Between late 2024 and mid 2025 we walked three clients through ransomware aftermaths. The attacker pattern has shifted: "having a backup" is no longer enough — you must be ransomware-safe. Here is what we changed.
1. Mandatory immutability
Not just "separate backup" but immutable: write-once, no overwrite or delete for N days. Concrete implementations:
- Backblaze B2 with Object Lock enabled (legal hold).
- AWS S3 with Object Lock in compliance mode.
- Synology WriteOnce volumes on dedicated NAS.
Without immutability, an attacker with admin creds also wipes the backup.
2. MFA delete
On backup buckets we enable MFA Delete: deleting versions requires an MFA token. Even a compromised account cannot delete backups without the hardware key.
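To make points 1 and 2 checkable rather than aspirational, here is a small audit helper we did not publish with the original write-up; it is an added example that evaluates the JSON an `aws s3api get-object-lock-configuration` / `get-bucket-versioning` call returns against the bar above (Object Lock in COMPLIANCE mode, a default retention of at least the quarantine window, versioning on, MFA Delete on). The sample responses are constructed inline so it runs offline; the `min_days` threshold and the function names are ours.

```python
import json

# Constructed sample responses, shaped like the output of
# `aws s3api get-object-lock-configuration` and `aws s3api get-bucket-versioning`.
GOOD_LOCK = json.loads("""{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
  "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 60}}}}""")
GOOD_VERSIONING = json.loads('{"Status": "Enabled", "MFADelete": "Enabled"}')

# A bucket that "has object lock" but would not survive an admin-level compromise.
WEAK_LOCK = json.loads("""{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
  "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}""")
WEAK_VERSIONING = json.loads('{"Status": "Enabled"}')  # MFADelete key absent == off


def retention_days(rule):
    """AWS expresses default retention as either Days or Years; normalise to days."""
    ret = rule.get("DefaultRetention", {})
    return ret.get("Days", 0) + 365 * ret.get("Years", 0)


def audit_backup_bucket(lock_cfg, versioning_cfg, min_days=30):
    """Return a list of findings; an empty list means the bucket meets the bar.

    min_days defaults to the low end of the quarantine tier (30 days)."""
    findings = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock not enabled")
    rule = cfg.get("Rule", {})
    mode = rule.get("DefaultRetention", {}).get("Mode")
    if mode != "COMPLIANCE":
        # GOVERNANCE retention can be lifted by a principal holding
        # s3:BypassGovernanceRetention, i.e. exactly the admin creds we assume are stolen.
        findings.append(f"retention mode is {mode}, not COMPLIANCE")
    days = retention_days(rule)
    if days < min_days:
        findings.append(f"default retention {days}d is below the {min_days}d minimum")
    if versioning_cfg.get("Status") != "Enabled":
        findings.append("versioning not enabled (required for Object Lock and MFA Delete)")
    if versioning_cfg.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled")
    return findings


if __name__ == "__main__":
    for name, lock, ver in (("good", GOOD_LOCK, GOOD_VERSIONING),
                            ("weak", WEAK_LOCK, WEAK_VERSIONING)):
        print(name, audit_backup_bucket(lock, ver) or "OK")
```

Run it against the real CLI output for each backup bucket as part of the monthly restore test; a non-empty finding list is a ticket, not a note.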
3. Three backup tiers
For every client we now keep:
- Operational backup: fast restore, last week.
- Quarantine backup: 30-90 days, immutable, on another provider.
- Cold archive: 1 year, on LTO or glacier-like service, AD-independent.
4. Monthly restore test
An untested backup is not a backup. Per client, once a month a real restore on a clean VM. You find surprises — always.
5. Separate accounts
The backup user is not a network admin, not a cloud admin, has no ERP access. If compromised, the blast radius is small.
Extra cost
For a 30-person SME, these practices add ~€80-150/mo to backup infra. Compared with a real ransomware event (recovery, data loss, downtime, reputation: starting from €50k), it pays back on the first averted incident.