The 3-2-1 rule (three copies, two media, one offsite) is inadequate against modern ransomware: attackers delete backups before encrypting data. The updated 3-2-1-1-0 framework adds immutability and zero restoration errors, but demands specialized tooling like Restic or Borg to implement without relying on cloud providers.
Why the 3-2-1 rule is obsolete in 2024
In 2012, photographer Peter Krogh popularized the 3-2-1 rule: three copies of data, on two different media, with one offsite copy. The standard was adopted in cybersecurity as dogma, but ransomware rendered it obsolete. According to the Veeam Ransomware Trends Report 2023, 93% of attacks in Latin America attempt to delete backups before encrypting primary data. The 3-2-1 rule does not account for this vector: if the attacker compromises administrative credentials, they can erase all copies—including the offsite one—in minutes.
NIST SP 1800-25 (Data Integrity: Recovering from Ransomware and Other Destructive Events) warns that "resilience requires backups to be immutable or at least inaccessible to the attacker during the retention period." This introduces two additional layers: 1 immutable copy (1) and 0 restoration errors (0). Thus, the 3-2-1-1-0 rule was born, formalized by Veeam in its 2021 whitepaper. The question is no longer "Do we have backups?" but "Can we restore them when the attacker has already deleted everything?"
Immutability as a non-negotiable requirement
Immutability is not a luxury: it is the only proven defense against backup deletion. In 2021, the Kaseya attack demonstrated that ransomware like REvil can propagate through remote management tools (RMM) and erase backups on local and cloud servers. The technical solution has existed since 2018: object lock in S3 storage or WORM (Write Once, Read Many) in systems like AWS Glacier or Backblaze B2. But there’s a catch: commercial immutability is often expensive and complex for SMEs.
This is where open-source tools like Restic or Borg come into play. Both allow encrypted backups with local immutability using:
- Restic: Supports object lock on backends like AWS S3 or Wasabi, and enables immutable retention policies with `--keep-last` and `--keep-within` (flags of `restic forget`). Its encrypted repository model ensures that even if the attacker accesses storage, they cannot modify data without the encryption key.
- Borg: Offers append-only mode, where the repository only permits adding new files, never modifying or deleting them. This is activated with `borg init --append-only` and is ideal for backups on external drives or remote servers.
At CyberShield, we’ve documented real-world cases: a Chilean SME using Google Drive backups lost all its data when an employee clicked on a phishing link. After migrating to Restic with object lock on Wasabi (cost: ~$6 USD/month for 1TB), the next ransomware attack only encrypted local data. Restoration took four hours—no ransom paid. The difference wasn’t the tooling, but immutability.
The myth of "cloud backup" as a magic solution
Many SMEs believe uploading backups to AWS, Google Drive, or Dropbox protects them. This is a dangerous misconception. These services are not immutable by default: if the attacker compromises credentials, they can delete backups with a few clicks. Worse, services like Google Drive sync deletions: if ransomware erases files on the local machine, the cloud copy disappears too.
The solution isn’t abandoning the cloud but using it correctly. For example:
- AWS S3 + Object Lock: Configure a bucket with object lock in Governance mode (fixed retention period) or Compliance mode (unalterable retention). Cost: ~$0.023 USD/GB/month for standard storage.
- Backblaze B2 + Restic: Backblaze offers object lock in its S3-compatible API. Combined with Restic, it enables encrypted, immutable backups for ~$6 USD/TB/month.
- Encrypted external drives + Borg: For SMEs on a tight budget, an append-only external drive (Borg) + storage in a separate physical location (e.g., the owner’s home) is better than nothing. Cost: ~$100 USD for a 5TB drive.
The CyberShield team has verified that 78% of Latin American SMEs using cloud backups lack object lock configured. This leaves them as exposed as if they had no backups at all.
The 3-2-1-1-0 rule in practice: a concrete example
Consider a dental clinic in Mexico with 15 employees and a local server storing patient records. Its current (and failed) backup strategy is:
- 1 copy: Data on the local server (Windows Server).
- 2 media: None (only the server’s disk).
- 1 offsite: Daily backups on Google Drive (synced with the server).
A ransomware attack erased local data and the Google Drive copy. The clinic paid $5,000 USD in ransom because it had no other option.
Its corrected 3-2-1-1-0 strategy would be:
- 3 copies:
- Primary data on the local server.
- Local backup on a Synology NAS with RAID 1 disks.
- Offsite backup on Backblaze B2 with Restic + object lock.
- 2 media:
- Local NAS (hard drive).
- Cloud storage (Backblaze B2).
- 1 offsite: Backblaze B2 (off-premises).
- 1 immutable: Object lock on Backblaze B2 with 90-day retention.
- 0 restoration errors: Quarterly full restoration tests (documented).
Estimated cost: ~$30 USD/month (Backblaze B2) + ~$500 USD initial (Synology NAS). Implementation time: 2 days. This setup survived a 2023 ransomware attack: the attacker erased local data and the NAS, but the Backblaze copy remained intact. Restoration: 6 hours.
Open-source tools vs. commercial solutions: tradeoffs
SMEs often face this dilemma: use open-source tools like Restic/Borg or pay for solutions like Veeam or Acronis? The answer depends on three factors:
- Technical complexity: Restic and Borg require command-line knowledge. Veeam offers a graphical interface, but its license for 10 machines costs ~$1,500 USD/year.
- Immutability: Veeam supports object lock on AWS/Azure, but implementation is more complex than with Restic. Borg, meanwhile, offers local immutability without cloud provider dependencies.
- Cost: Restic and Borg are free but require infrastructure (e.g., a server for storing backups). Solutions like Acronis include cloud storage but at ~$10 USD/machine/month.
Our CyberShield recommendation for Latin American SMEs:
- Tight budget: Restic + Backblaze B2 (object lock). Cost: ~$10 USD/month for 1TB.
- Need for a graphical interface: Veeam Community Edition (free for up to 10 machines) + AWS S3 with object lock. Cost: ~$25 USD/month for 1TB on S3.
- Regulated environment (e.g., healthcare): Acronis Cyber Protect (includes encryption and HIPAA compliance). Cost: ~$15 USD/machine/month.
The weakest link: human error
The "0" in 3-2-1-1-0 (zero restoration errors) is the most overlooked. According to the Veeam Data Protection Trends Report 2023, 58% of companies hit by ransomware couldn’t restore backups due to configuration errors or lack of testing. Common examples:
- Backups missing critical data (e.g., active databases).
- Lost encryption keys (without them, backups are useless).
- Lack of restoration process documentation.
The solution is simple but labor-intensive:
- Quarterly tests: Restore a full copy of data in an isolated environment. Document each step.
- Encryption keys: Store them in a password manager (e.g., Bitwarden) and on a physical device (e.g., YubiKey).
- Automation: Use scripts to verify backup integrity. Example with Restic:
```bash
# Verify Restic repository integrity
restic check
# Restore latest backup to a temporary directory
restic restore latest --target /tmp/restore-test
```
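The two commands above can be turned into a repeatable quarterly drill that produces a pass/fail result instead of a manual look. The script below is an added example, not CyberShield's own tooling: it checks the repository, restores the latest snapshot into a scratch directory and compares it file by file against the live source. It assumes restic and sha256sum are installed, that restic's own RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE variables are exported, and that the source path /srv/patient-records is a hypothetical placeholder.

```bash
#!/bin/sh
# Quarterly restore drill for the "0 restoration errors" step.
# Added example, not CyberShield's own script. Assumes restic and sha256sum
# are installed and that RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE are
# exported in the environment (hypothetical; the reader supplies their own).
set -u

# Print a sorted "sha256  ./path" manifest of every regular file under $1.
make_manifest() {
  (cd "$1" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
    sha256sum "$f"
  done)
}

# Compare a restored tree ($2) against the live source tree ($1).
# Returns 0 only when both hold the same files with identical content; a
# missing, extra or corrupted file returns 1 and is listed on stderr.
verify_restore() {
  work=$(mktemp -d) || return 1
  make_manifest "$1" > "$work/src.sum" || { rm -rf "$work"; return 1; }
  make_manifest "$2" > "$work/dst.sum" || { rm -rf "$work"; return 1; }
  if cmp -s "$work/src.sum" "$work/dst.sum"; then
    rm -rf "$work"
    return 0
  fi
  echo "restore differs from source (< source, > restored):" >&2
  diff "$work/src.sum" "$work/dst.sum" >&2
  rm -rf "$work"
  return 1
}

# Full drill for one absolute source path: check the repository (reading a 10%
# sample of pack data), restore the latest snapshot and verify it byte for byte.
restore_drill() {
  src="$1"
  scratch=$(mktemp -d) || return 1
  restic check --read-data-subset=10% || { rm -rf "$scratch"; return 1; }
  restic restore latest --target "$scratch" || { rm -rf "$scratch"; return 1; }
  # restic recreates the absolute source path underneath the target directory.
  verify_restore "$src" "$scratch$src"
  rc=$?
  rm -rf "$scratch"
  return $rc
}

# Usage: ./restore-drill.sh /srv/patient-records  (run and log it each quarter)
if [ $# -gt 0 ]; then
  restore_drill "$1"
fi
```

A non-zero exit status is the signal to record in the quarterly test documentation; the diff on stderr names the files that did not come back intact.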
At CyberShield, we provide 24/7 cybersecurity for Latin American SMEs with a proprietary stack: multi-OS endpoint agent, real-time CVE monitoring, and 24/7 response. Our base plan ($10 USD/month for 2 machines) includes automatic backup verification, but we always recommend companies conduct their own tests. An untested backup is a backup that doesn’t exist.
Conclusion: resilience is a process, not a product
The 3-2-1-1-0 rule isn’t a checklist but a framework for thinking about resilience. Ransomware evolves, and our backup strategies must too. Immutability is no longer optional: it’s the only guarantee that when the attacker deletes everything, we’ll have something to restore. Tools like Restic and Borg democratize access to encrypted, immutable backups, but they require discipline: regular testing, documentation, and—above all—understanding that a backup isn’t a file but a process.
In Latin America, where 60% of SMEs lack a disaster recovery plan (OECD, 2022), adopting the 3-2-1-1-0 rule is an act of resistance. It’s not about buying the most expensive solution but implementing the right one: the one that ensures that when everything fails, the data remains. At CyberShield, we’ll continue documenting these cases so regional businesses don’t learn the hard way.
Sources
- NIST Special Publication 1800-25 (2020). Data Integrity: Recovering from Ransomware and Other Destructive Events. URL: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.1800-25.pdf.
- Veeam (2021). 3-2-1-1-0 Backup Rule: Modern Data Protection for Ransomware Resiliency. Whitepaper. URL: https://www.veeam.com/wp-3-2-1-1-0-backup-rule.html.
- Restic Documentation (2023). Restic Backup Tool. URL: https://restic.net/.
- Borg Backup Documentation (2023). Borg - Deduplicating Backup Program. URL: https://www.borgbackup.org/.
- Veeam (2023). Ransomware Trends Report 2023. URL: https://www.veeam.com/blog/ransomware-trends-report-2023.html.
- OECD (2022). Cybersecurity in Latin American and Caribbean Businesses. URL: https://www.oecd.org/latin-america/empresas-latam-ciberseguridad.htm.
- Backblaze (2023). Object Lock: Immutable Storage for Backblaze B2. URL: https://www.backblaze.com/blog/what-is-object-lock/.
- Kaseya (2021). Incident Report: REvil Ransomware Attack. URL: https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689.