The 3-2-1 rule no longer suffices: in 2024, 75% of ransomware attacks target backups first. The evolution to 3-2-1-1-0—with immutable copies and offline encryption—is the only strategy that guarantees recovery. Here’s how to implement it without relying on commercial cloud services.
Why the classic 3-2-1 rule is obsolete in ransomware environments
In 2012, photographer Peter Krogh popularized the 3-2-1 rule: three copies of data, on two different media, with one copy offsite. The principle remains valid for hardware failures or human error, but ransomware has rendered it insufficient. According to Veeam’s whitepaper (2023), 93% of successful attacks include attempts to delete or encrypt backups before activating the main payload. The reason is economic: if the victim can restore their data, the attacker’s business model collapses.
The issue isn’t the rule itself but its implementation. Many SMEs interpret "offsite" as "in the AWS or Google Drive cloud," assuming logical separation (different credentials) equates to physical separation. However, if the attacker compromises administrative credentials—common in phishing attacks targeting executives—they can delete cloud backups as easily as local ones. We’ve documented this at CyberShield: in a 2023 case in Mexico, a client lost 12 TB of data because their "secure" cloud provider used the same Active Directory to authenticate both users and backups.
The evolution to 3-2-1-1-0: immutability and zero errors
The updated version of the rule, proposed by Veeam and adopted by NIST in SP 1800-25 (Data Integrity), adds two critical requirements:
- 1 immutable copy: A backup that cannot be modified or deleted during a defined period, even with administrative credentials. This is achieved with object lock in S3 storage (AWS, Wasabi) or WORM (Write Once, Read Many) file systems like M-DISC Blu-ray discs.
- 0 recovery errors: The rule isn’t met if backups cannot be restored. This requires quarterly restoration tests (not just integrity checks) and detailed process documentation. In Latin America, 40% of SMEs that suffer an attack discover their backups are corrupted or incomplete during recovery, according to data from the OAS Cybersecurity Observatory (2023).
Immutability is the most disruptive change. In a typical attack, ransomware searches for backup file extensions (.bak, .vbk, .zip) and deletes them. If the backup is on WORM media or with object lock, the attacker can encrypt the original data but won’t touch the backups. This reduces recovery time from days to hours. In a 2024 case in Argentina, a clinic recovered 3 TB of medical records in 6 hours using immutable backups in Wasabi, while its competitor—with backups on a local NAS—took 12 days and paid the ransom.
Tools to implement 3-2-1-1-0 without relying on commercial cloud services
Commercial cloud services (AWS, Azure) are convenient but pose two problems for Latin American SMEs: recurring costs and connectivity dependence. Local alternatives with end-to-end encryption and immutability support include:
1. Restic: client-side encryption and immutable repositories
Restic is an open-source tool that encrypts data before sending it to storage. It uses AES-256 for encryption and BLAKE2b for integrity. Key features:
- Immutable repositories: With the --append-only option, the repository only allows data to be added, not deleted. This prevents attackers from erasing backups, even if they compromise credentials.
- Flexible storage: Supports local disks, SFTP, S3 (including Wasabi and Backblaze B2), and even remote servers. At CyberShield, we use it for clients with less than 5 TB of critical data, combining an encrypted USB drive (for the local copy) and an S3 bucket in Wasabi with object lock (for the offsite copy).
- Global deduplication: Only stores unique blocks, reducing storage needs. A client in Colombia reduced their storage from 8 TB to 2.3 TB using Restic.
Example command to create an immutable backup in Wasabi:
# Wasabi is addressed through its S3 endpoint. The restic client has no
# --append-only flag: append-only is enforced on the storage side, by
# rest-server --append-only or by object lock on the bucket.
restic -r s3:s3.wasabisys.com/bucket-name --password-file /path/to/password backup /data
2. Borg: integrated compression and encryption with WORM support
Borg is another open-source tool, focused on compression and efficiency. Its advantages:
- AEAD encryption: Uses ChaCha20-Poly1305, an authenticated encryption scheme that protects against unauthorized modifications.
- Remote repositories: Supports SSH, allowing backups to be stored on a remote server without relying on proprietary APIs. In a Peruvian case, a client uses a Raspberry Pi at the manager’s home as an offsite destination, with a 4 TB USB drive encrypted with LUKS.
- Secure pruning: The --keep-within option retains backups for a fixed period, useful for complying with regulations like Mexico’s Personal Data Protection Law (which requires 2-year retention).
Example of creating an encrypted Borg repository:
borg init --encryption=repokey-blake2 /path/to/repo
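The two rules described above (the immutable copy that cannot be deleted during a defined period even with administrative credentials, and a --keep-within style retention window) can be modelled in a few lines. The following is an added example written for this article; it is not code from Borg, Restic or any storage provider. It assumes a constructed list of snapshots taken every 30 days, a 730-day retention window (the two-year Mexican requirement) and a per-snapshot lock period, and it goes one step beyond the text by showing what survives a mass-delete request issued with full credentials when the lock period is shorter than the retention window.

```python
"""Prune planner that models an immutable retention window.

Added example (not from the article, Borg, Restic or any provider's code).
Two rules: keep every snapshot younger than keep_within_days, and refuse to
delete any snapshot whose object lock has not yet expired, whoever asks.
"""
from datetime import datetime, timedelta, timezone


def constructed_snapshots(now, count=36, interval_days=30):
    """Constructed sample: one snapshot every 30 days, newest first."""
    return [(f"snap-{i:02d}", now - timedelta(days=i * interval_days))
            for i in range(count)]


def plan_prune(snapshots, now, keep_within_days, lock_days):
    """Classify snapshots as keep (inside the retention window), locked
    (outside the window but still protected by object lock) or prune."""
    keep, locked, prune = [], [], []
    for name, created in snapshots:
        age = now - created
        lock_expires = created + timedelta(days=lock_days)
        if age <= timedelta(days=keep_within_days):
            keep.append(name)
        elif now < lock_expires:
            locked.append(name)   # deletion denied, lock still active
        else:
            prune.append(name)
    return {"keep": keep, "locked": locked, "prune": prune}


def survivors_after_mass_delete(snapshots, attack_time, lock_days):
    """Snapshots a delete-everything request at attack_time cannot remove.
    Credentials play no part: only the lock expiry matters."""
    return [name for name, created in snapshots
            if attack_time < created + timedelta(days=lock_days)]


NOW = datetime(2024, 12, 31, tzinfo=timezone.utc)   # constructed "today"
SNAPS = constructed_snapshots(NOW)

if __name__ == "__main__":
    plan = plan_prune(SNAPS, NOW, keep_within_days=730, lock_days=800)
    print({k: len(v) for k, v in plan.items()})
    # A 90-day lock leaves only the three newest monthly snapshots after an
    # attacker with admin credentials deletes everything they can.
    print(len(survivors_after_mass_delete(SNAPS, NOW, lock_days=90)))
    print(len(survivors_after_mass_delete(SNAPS, NOW, lock_days=800)))
```

The second scenario is the practical lesson: a lock period shorter than the retention window, or shorter than the time an intruder can sit in the network before detonating, leaves most of the history deletable no matter how the credentials are protected.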
3. Duplicacy: incremental backups with object lock support
Duplicacy is a commercial tool (with a free version for personal use) known for its speed and native support for S3 object lock. Key features:
- True incremental backups: Only transfers modified blocks, not entire files. For a client in Chile, this reduced backup time from 6 hours to 45 minutes.
- Object lock support: Configurable directly from the CLI, without additional APIs. This is critical for complying with the 3-2-1-1-0 rule.
- Multi-destination storage: Allows sending the same backup to two different locations (e.g., a local disk and an S3 bucket) in a single operation.
Example of configuring object lock in Duplicacy:
duplicacy set -storage s3 -object-lock true -retention "365d"
Physical media: why USB drives and Blu-ray discs remain relevant
The cloud is convenient, but for SMEs with tight budgets or limited connectivity, physical media remains a valid option. Two alternatives:
1. LUKS-encrypted USB drives
A 5 TB USB drive costs ~$100 and can store backups encrypted with LUKS (Linux Unified Key Setup). Advantages:
- Portability: Easy to take to an offsite location (e.g., the owner’s home).
- Strong encryption: LUKS uses AES-256 by default and supports multiple recovery keys.
- Physical immutability: If the drive is disconnected, it cannot be erased remotely. In a 2023 attack in Brazil, a client recovered their data from a USB drive stored in a drawer, while their cloud backups were deleted.
Example of creating a LUKS volume:
cryptsetup luksFormat /dev/sdX
cryptsetup open /dev/sdX backup
mkfs.ext4 /dev/mapper/backup
mount /dev/mapper/backup /mnt/backup
2. M-DISC Blu-ray: 100-year certified immutability
M-DISC discs are a WORM option with a 100-year lifespan (certified by the U.S. Department of Defense). Features:
- Guaranteed immutability: Data is physically engraved into a synthetic rock layer, not ink or organic material.
- Low cost: A 100 GB disc costs ~$20. Ideal for critical, infrequently changing data (e.g., contracts, electronic invoices).
- Durability: Resists extreme temperatures, humidity, and UV rays. In an Ecuadorian case, a client recovered data from an M-DISC that survived a flood.
The CyberShield team recommends M-DISC for SMEs needing to comply with long-term retention regulations (e.g., Colombia’s Archives Law, which requires 20 years for certain documents).
The overlooked mistake: recovery without connectivity
The 3-2-1-1-0 rule assumes that, in a disaster, you’ll have access to your offsite backups. But what if the attack includes a kill switch that cuts internet connectivity? In a 2024 case in Uruguay, an attacker used a script to disable the company’s firewall and router, leaving the victim without access to their cloud backups.
Practical solutions:
- Local backups on physical media: A USB drive or Blu-ray disc in a fireproof safe. At CyberShield, we require clients to keep at least one copy on a disconnected physical medium.
- Printed documentation: The recovery process must be printed and stored securely. Include:
- Encryption keys (in a sealed envelope).
- Step-by-step instructions for restoring from each medium.
- Technical support contacts (including alternatives if the primary provider is compromised).
- Offline recovery tests: Simulate a scenario without internet. At an SME in Peru, we discovered their recovery process relied on downloading a script from GitHub—impossible without connectivity.
How to test if your 3-2-1-1-0 strategy actually works
Most SMEs believe their backups are ready for an attack but fail during tests. A Backblaze study (2023) found that 37% of companies that suffered an attack discovered their backups were unrecoverable. To avoid this:
1. Quarterly restoration tests
Verifying backups exist isn’t enough. They must be restored in an isolated environment to confirm the data is usable. Example checklist:
- Restore 10% of files randomly.
- Verify database consistency (e.g., with mysqlcheck or pg_dump --verify).
- Test full server restoration (not just files).
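The first checklist item, restoring a random 10% of files and confirming they are usable, can be automated so the quarterly test produces a pass/fail result instead of a visual inspection. The script below is an added example written for this article, not code from Restic, Borg or Duplicacy. It assumes a manifest of BLAKE2b digests taken at backup time, uses a plain directory copy to stand in for the actual restore step, and builds its own constructed sample data so it runs offline; it also shows that a silently corrupted file in the sample is reported rather than passed.

```python
"""Spot-check restore verification for the "0 recovery errors" requirement.

Added example, not code from the original article or from any backup tool.
Hashes the source data (BLAKE2b), restores a backup into an isolated
directory, samples 10% of the files at random and fails if any sampled
file is missing or differs from the manifest. Sample data is constructed.
"""
import hashlib
import os
import random
import shutil
import tempfile


def _digest(path):
    h = hashlib.blake2b()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its BLAKE2b digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = _digest(full)
    return manifest


def sample_paths(manifest, fraction=0.10, seed=None):
    """Random spot-check sample: at least one file, 10% by default."""
    paths = sorted(manifest)
    k = max(1, round(len(paths) * fraction))
    return random.Random(seed).sample(paths, k)


def verify_restore(manifest, restored_root, paths):
    """Return (ok, failures); failures is a list of (relative_path, reason)."""
    failures = []
    for rel in paths:
        full = os.path.join(restored_root, rel)
        if not os.path.isfile(full):
            failures.append((rel, "missing"))
        elif _digest(full) != manifest[rel]:
            failures.append((rel, "hash mismatch"))
    return not failures, failures


def write_constructed_dataset(root, n_files=20):
    """Constructed sample data: n small files in two subdirectories."""
    for i in range(n_files):
        sub = os.path.join(root, "invoices" if i % 2 else "contracts")
        os.makedirs(sub, exist_ok=True)
        with open(os.path.join(sub, f"doc-{i:02d}.txt"), "wb") as fh:
            fh.write(f"constructed record {i}\n".encode() * (i + 1))


def run_demo(seed=7):
    """A clean restore passes; a corrupted sampled file must be caught."""
    work = tempfile.mkdtemp(prefix="restore-test-")
    try:
        source = os.path.join(work, "source")
        restored = os.path.join(work, "restored")
        write_constructed_dataset(source)
        manifest = build_manifest(source)      # taken at backup time
        shutil.copytree(source, restored)      # stands in for the restore
        sample = sample_paths(manifest, seed=seed)
        clean_ok, _ = verify_restore(manifest, restored, sample)
        # Simulate bit rot or a truncated restore on one sampled file.
        with open(os.path.join(restored, sample[0]), "r+b") as fh:
            fh.seek(0)
            fh.write(b"X")
        corrupted_ok, failures = verify_restore(manifest, restored, sample)
        return {"sampled": len(sample), "clean_ok": clean_ok,
                "corrupted_ok": corrupted_ok, "failures": failures}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

In a real quarterly test the manifest is produced on the production host when the backup runs and stored with the printed recovery documentation, and the restored directory is the output of the actual restic, Borg or Duplicacy restore on an isolated machine; the verification logic does not change.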
2. Attack simulation
Hire a red team to simulate a ransomware attack. The goal isn’t to test detection but recovery. Key questions:
- Can they delete local backups?
- Can they delete cloud backups?
- How long does recovery take from each medium?
3. Recovery metrics
Document two critical metrics:
- RTO (Recovery Time Objective): Maximum acceptable time to recover systems. For an SME, the ideal is under 24 hours.
- RPO (Recovery Point Objective): Maximum data loss tolerable. For critical data (e.g., financial transactions), the ideal is under 1 hour.
For a client in Costa Rica, we discovered their RTO was 72 hours because they relied on an external provider to restore cloud backups. Switching to a hybrid strategy (Restic + USB drive) reduced their RTO to 6 hours.
The 3-2-1-1-0 rule isn’t a luxury—it’s a necessity in a landscape where ransomware is the primary threat to SMEs. The difference between a company that survives an attack and one that shuts down lies in the immutability of its backups. At CyberShield, we operate under this principle: without immutable, offline-encrypted backups, recovery is impossible. The technology is available; the challenge is implementing it before it’s too late.
Sources
- NIST Special Publication 1800-25 (2022). Data Integrity: Recovering from Ransomware and Other Destructive Events. Available at: https://csrc.nist.gov/publications/detail/sp/1800-25/final.
- Veeam (2023). 3-2-1-1-0 Backup Rule: Modern Data Protection Strategy. Whitepaper. Available at: https://www.veeam.com/blog/3-2-1-1-0-rule.html.
- Restic Documentation (2024). Append-Only Mode. Available at: https://restic.readthedocs.io/en/latest/070_troubleshooting.html#append-only-mode.
- Borg Documentation (2024). Encryption. Available at: https://borgbackup.readthedocs.io/en/stable/usage/init.html#encryption.
- OAS (2023). Cybersecurity Report in Latin America and the Caribbean. Available at: https://www.oas.org/es/sms/cyber/.
- Backblaze (2023). State of Data Protection Report. Available at: https://www.backblaze.com/blog/state-of-data-protection-2023/.
- Public case: Clinic in Argentina (2024). Recovery of 3 TB of medical records using Wasabi with object lock. Source: Infobae, March 15, 2024. Available at: https://www.infobae.com (search: "clínica argentina ransomware wasabi").
- M-DISC (2023). U.S. Department of Defense Certification. Available at: https://www.mdisc.com/technology/.