UK’s trusted IT infrastructure partner since 2003
Servnet
FinanceToolsConfiguratorGet in Touch
Backup & DR

Immutable Backup vs Air Gap: Ransomware Defence 2026

Servnet Editorial · IT infrastructure analysis8 min read

Modern ransomware no longer just encrypts your live data — it hunts down and destroys the backups first. In 94% of attacks, criminals now try to compromise the backup, and more than half succeed. This guide separates what immutability protects against from what an air gap protects against, and sets out the layered 3-2-1-1-0 design UK firms need to be sure they can actually recover.

Threat vs defence: backup posture coverage
ImmutableAir gapLayeredSnapshot/VSS deletionFullFullFullBackup repo encryptionFullFullFullStolen admin credsFullFullFullMalicious insiderPartialFullFullFull env takeoverPartialFullFullRestore point poisonedPartialPartialFullFast recovery, low RTOFullPartialFull

Ransomware learned to kill the backup first

For a decade the advice was simple: keep good backups and you can refuse to pay. Attackers adapted. The backup repository is now a primary target, because an intact copy is the one thing that removes their leverage. Sophos's State of Ransomware 2025 found that in 94% of incidents the attackers attempted to compromise backups, and across all sectors 57% of those attempts succeeded — rising to 79% in energy, oil, gas and utilities. Veeam's data tells the same story: 89% of victims had backup repositories targeted, and 17% still could not recover their data even after paying.

The mechanics are mundane and effective. Before deploying encryption, intruders delete Windows Volume Shadow Copies, wipe storage snapshots, purge cloud backup vaults and, where they can, revoke or reset the credentials that guard them. Acronis's H2 2025 report recorded ransomware volumes up roughly 50% year on year, led by groups such as Qilin, Akira and Cl0p. The result shows up in recovery statistics: in 2025 only 54% of victims restored from backups — the lowest figure Sophos has measured in six years.

The lesson is not that backups failed as an idea. It is that an ordinary backup — online, mutable, reachable with the same admin credentials as everything else — is inside the blast radius. Two design properties change that: immutability and the air gap. They are often used interchangeably in marketing, but they defend against different failure modes, and the firms that recover cleanly tend to use both.

Immutable backups: unchangeable, but still in the room

An immutable backup is written once and cannot be altered or deleted until a retention lock expires. It is enforced at the storage layer — object-lock in S3-compatible storage, WORM on-premises, hardened repositories in backup software — not by a policy an administrator can toggle off. The critical property is that even a compromised administrator account, or a piece of malware running with domain-admin rights, cannot rewrite or prematurely erase the locked copy. That directly counters the most common 2026 tactic: mass deletion of snapshots and vaults.

Immutability's other advantage is speed. The data stays online and immediately readable, so recovery is fast — you are not waiting for tapes to be couriered back from an off-site facility. For most encryption-and-deletion events, an immutable copy is the fastest route to a clean restore.

Its limits matter too. Immutability protects what is already locked; a very fast attacker can still corrupt a backup job before the lock engages, so the newest restore point may be poisoned. A retention window set too short, a misconfigured policy, a compromise of the storage control plane or backup console, or manipulation of the system clock can all undermine it. And because the repository is still network-reachable, a total environment compromise leaves it exposed in a way physical isolation would not. Immutability is essential — but it is not, on its own, the copy of last resort.

Air-gapped backups: the copy the attacker can't reach

An air gap defends by isolation rather than permission. The backup lives on media that is disconnected from the production network — offline tape in a vault, a rotated disk that is powered down, or a logically isolated cloud tenant with separate identity and no standing network path. If the attacker cannot reach it, they cannot encrypt, delete or tamper with it, no matter what credentials they steal.

This is why the air gap is the true last line of defence. It survives scenarios immutability may not: a full compromise of your directory and backup infrastructure, a malicious insider with the right keys, or a supply-chain attack on the backup platform itself. When everything reachable has been touched, the disconnected copy is the one you rebuild from.

The trade-offs are practical. Recovery is slower — media has to be retrieved, mounted and read, which adds hours or days to a restore. There is operational cost and handling risk in rotating tapes or managing a segregated environment. And no air gap is perfectly closed: there is a synchronisation window when the copy is connected to receive new data, and disciplined firms keep that window as short and tightly controlled as possible. The air gap trades recovery speed for the highest possible assurance that a clean copy still exists.

Threat vs defence: what each layer actually covers

The two techniques are not competitors — they cover different squares on the board. A standard online backup gives you point-in-time copies but little protection once an attacker holds privileged access. Immutability blocks alteration and deletion but keeps the data reachable. An air gap removes reachability but slows recovery. Only the combination covers the full range of realistic ransomware behaviour, from snapshot wiping to a complete environment takeover.

The matrix below maps common 2026 attack techniques against each defensive posture. Read it as a gap analysis: wherever a single control shows only partial cover, that is where the layered design earns its cost. [[fig:coverage-matrix|How each backup posture holds up against modern ransomware techniques]] If cyber resilience is being reviewed alongside your wider estate, our cyber security and storage solutions pages set out how these controls fit real hardware.

The layered answer: 3-2-1-1-0 for UK firms

The backup community's response to backup-hunting ransomware is the 3-2-1-1-0 rule, an evolution of the classic 3-2-1 strategy. It reads: keep 3 copies of data, on 2 different media types, with 1 copy off-site, 1 copy immutable or air-gapped (ideally both, on different tiers), and 0 recovery errors verified through testing.

The two extra digits are precisely the ones ransomware exposed. The additional isolated copy means that deleting your snapshots and encrypting your primary backup still leaves a copy the attacker never controlled. The zero means you have proven — not assumed — that the copy restores cleanly. [[fig:layered-architecture|The 3-2-1-1-0 rule, layer by layer, with the ransomware failure each digit addresses]]

In practice a mid-sized UK firm might run: fast local backups on disk for day-to-day restores; an immutable, object-locked copy in a hardened repository for quick ransomware recovery; and an air-gapped tier — offline tape or an isolated cloud vault — as the untouchable last resort. That is three copies, two-plus media types, off-site, immutable and air-gapped. The design does not depend on any single control being perfect, which is exactly the point.

The layered 3-2-1-1-0 architecture
53 — Three copiesProduction plus two backups42 — Two media typesFast disk plus object or tape31 — One copy off-siteSeparate location or cloud region21 — Immutable/air-gapWORM lock plus an offline vault10 — Zero errorsTested, integrity-checked restores

Recovery assurance: the '0' is where firms fail

Owning immutable and air-gapped copies is necessary but not sufficient. The figure most firms overlook is the recovery gap — the distance between having a backup and being able to restore the business from it. The chart below tracks that erosion across cited datasets: nearly every victim's backups are targeted, most attempts to compromise them succeed, and barely half of all victims end up restoring from backup at all. [[fig:recovery-assurance|Where recovery assurance breaks down — cited figures across the attack chain]]

Three habits close the gap. First, test restores on a schedule and measure them against a real recovery-time objective, not a hopeful one — the '0' means verified, integrity-checked, actually-booted restores. Second, protect the newest restore points: because a fast attacker can poison a job just before immutability locks, retain enough clean generations that you can roll back past the intrusion. Third, watch dwell time — attackers often sit in the network for days, so keep immutable retention comfortably longer than your likely detection window.

Recovery also depends on having somewhere to restore to. If your production platform is the crime scene, clean spare capacity — or a rehearsed rebuild on refurbished servers — can be the difference between days and weeks of downtime.

The UK buyer angle: ageing kit, budgets and who restores it

UK organisations are not on the sidelines of this trend. The NCSC's Annual Review 2025 reported 204 nationally significant incidents in the year to September — more than double the previous year's 89 — and CrowdStrike ranks the UK among Europe's most-targeted nations, with the region absorbing roughly a fifth of global ransomware victims. The Jaguar Land Rover attack alone is estimated to have cost the British economy around £1.9 billion, a figure driven largely by the length of the outage rather than the ransom.

Two practical buyer issues follow. First, unsupported infrastructure is disproportionately exposed: unpatched, end-of-life systems are a favoured entry point, and they are also harder to restore. Check where you stand with our server end-of-life checker and storage end-of-life checker, and where a vendor has pulled support but the hardware is still fit for purpose, third-party maintenance keeps it patched and covered without a forced refresh.

Second, resilience is a budgeting decision. An immutable-plus-air-gap design costs more than a single online backup, but a fraction of one JLR-scale outage. If the spend needs to land as operating cost rather than a capital hit, our IT finance calculator models leasing or subscription options for backup and storage refreshes. Design for the attack that deletes your backups first — because in 2026, that is the default, not the exception.

Sources

Every figure in this guide is drawn from the following published research. Dates reflect the version cited at the time of writing.

Where recovery assurance breaks down
%100%75%50%25%0%94Backups attacked%89Repos targeted%92EU theft+encrypt%57Attempts succeed%54Restored 2025%17Paid, no recoveryShare of victims
Key takeaways
  • Immutability and air-gapping defend against different failures: immutability blocks alteration and deletion even by a compromised admin, while an air gap removes reachability entirely — layer both, don't choose.
  • Backups are now the primary target: 94% of ransomware victims see their backups attacked and 57% of those attempts succeed, so an online, mutable backup is inside the blast radius (Sophos).
  • Adopt 3-2-1-1-0 — three copies, two media, one off-site, one immutable or air-gapped, and zero recovery errors proven by regular restore testing.
  • The 'zero' is where firms fail: only 54% of 2025 victims restored from backup (a six-year low), usually because the copy was reachable, poisoned just before locking, or never tested.
  • UK exposure is rising fast — the NCSC handled 204 nationally significant incidents in 2025 (up from 89) and the JLR attack cost the economy an estimated £1.9bn — so treat backup resilience as a board-level spend.
Frequently asked

FAQs — Immutable Backup vs Air Gap

What is the difference between an immutable backup and an air-gapped backup?

An immutable backup stays online but cannot be altered or deleted until a retention lock expires — it is enforced at the storage layer (object-lock or WORM), so even a compromised administrator cannot erase it. An air-gapped backup is physically or logically disconnected from the network, so an attacker simply cannot reach it. Immutability protects against tampering and deletion with fast recovery; the air gap protects against a total environment compromise but recovers more slowly. They cover different risks, which is why leading guidance uses both.

Can ransomware delete or encrypt an immutable backup?

A correctly configured immutable copy cannot be deleted or encrypted during its locked retention period, even with stolen admin credentials — that is the whole point of WORM/object-lock enforcement. The realistic failure modes are around the edges: a retention window set too short, a misconfigured policy, compromise of the backup console or storage control plane, clock manipulation, or an attacker corrupting a backup job in the seconds before the lock engages. Those gaps are exactly why an additional air-gapped copy is recommended as the last line of defence.

What is the 3-2-1-1-0 backup rule?

It extends the classic 3-2-1 rule for the ransomware era. Keep 3 copies of your data, on 2 different media types, with 1 copy off-site, 1 copy immutable or air-gapped (ideally both, on separate tiers), and 0 recovery errors — meaning you have tested and verified that the backups actually restore. The two added digits directly answer backup-hunting ransomware: the extra isolated copy survives snapshot deletion, and the zero forces you to prove recoverability rather than assume it.

Do UK firms really need both immutability and an air gap?

For anything business-critical, yes. Immutability gives you fast recovery from the common encrypt-and-delete attack, while the air gap is the copy that survives a full compromise of your identity and backup infrastructure — the scenario immutability alone may not cover. Given that 89% of victims have their backup repositories targeted and only 54% ultimately restore from backup, the layered approach is the difference between a fast, confident recovery and paying a ransom you may still not recover from.

Why does end-of-life hardware make ransomware recovery worse?

Unsupported, end-of-life systems no longer receive security patches, so they are a favoured entry point — and they are also harder to restore onto because spares and firmware fixes dry up. Knowing your renewal position (via a server or storage EOL check) lets you either refresh, or keep the kit patched and supported through third-party maintenance, so your recovery target isn't an unsupported box you can't rebuild quickly.

Related

Got a question this article didn't answer?

One conversation with an engineer who's done this before. No sales script.

Talk to Servnet →

Talk to a UK specialist

Get expert advice or a no-obligation quote — servers, storage, networking, maintenance, finance and cloud. We reply the same working day.

or call 0800 987 4111