Modern ransomware no longer just encrypts your live data — it hunts down and destroys the backups first. In 94% of attacks, criminals now try to compromise the backup, and more than half succeed. This guide separates what immutability protects against from what an air gap protects against, and sets out the layered 3-2-1-1-0 design UK firms need to be sure they can actually recover.
Ransomware learned to kill the backup first
For a decade the advice was simple: keep good backups and you can refuse to pay. Attackers adapted. The backup repository is now a primary target, because an intact copy is the one thing that removes their leverage. Sophos's State of Ransomware 2025 found that in 94% of incidents the attackers attempted to compromise backups, and across all sectors 57% of those attempts succeeded — rising to 79% in energy, oil, gas and utilities. Veeam's data tells the same story: 89% of victims had backup repositories targeted, and 17% still could not recover their data even after paying.
The mechanics are mundane and effective. Before deploying encryption, intruders delete Windows Volume Shadow Copies, wipe storage snapshots, purge cloud backup vaults and, where they can, revoke or reset the credentials that guard them. Acronis's H2 2025 report recorded ransomware volumes up roughly 50% year on year, led by groups such as Qilin, Akira and Cl0p. The result shows up in recovery statistics: in 2025 only 54% of victims restored from backups — the lowest figure Sophos has measured in six years.
The lesson is not that backups failed as an idea. It is that an ordinary backup — online, mutable, reachable with the same admin credentials as everything else — is inside the blast radius. Two design properties change that: immutability and the air gap. They are often used interchangeably in marketing, but they defend against different failure modes, and the firms that recover cleanly tend to use both.
Immutable backups: unchangeable, but still in the room
An immutable backup is written once and cannot be altered or deleted until a retention lock expires. It is enforced at the storage layer — object-lock in S3-compatible storage, WORM on-premises, hardened repositories in backup software — not by a policy an administrator can toggle off. The critical property is that even a compromised administrator account, or a piece of malware running with domain-admin rights, cannot rewrite or prematurely erase the locked copy. That directly counters the most common 2026 tactic: mass deletion of snapshots and vaults.
Immutability's other advantage is speed. The data stays online and immediately readable, so recovery is fast — you are not waiting for tapes to be couriered back from an off-site facility. For most encryption-and-deletion events, an immutable copy is the fastest route to a clean restore.
Its limits matter too. Immutability protects what is already locked; a very fast attacker can still corrupt a backup job before the lock engages, so the newest restore point may be poisoned. A retention window set too short, a misconfigured policy, a compromise of the storage control plane or backup console, or manipulation of the system clock can all undermine it. And because the repository is still network-reachable, a total environment compromise leaves it exposed in a way physical isolation would not. Immutability is essential — but it is not, on its own, the copy of last resort.
Air-gapped backups: the copy the attacker can't reach
An air gap defends by isolation rather than permission. The backup lives on media that is disconnected from the production network — offline tape in a vault, a rotated disk that is powered down, or a logically isolated cloud tenant with separate identity and no standing network path. If the attacker cannot reach it, they cannot encrypt, delete or tamper with it, no matter what credentials they steal.
This is why the air gap is the true last line of defence. It survives scenarios immutability may not: a full compromise of your directory and backup infrastructure, a malicious insider with the right keys, or a supply-chain attack on the backup platform itself. When everything reachable has been touched, the disconnected copy is the one you rebuild from.
The trade-offs are practical. Recovery is slower — media has to be retrieved, mounted and read, which adds hours or days to a restore. There is operational cost and handling risk in rotating tapes or managing a segregated environment. And no air gap is perfectly closed: there is a synchronisation window when the copy is connected to receive new data, and disciplined firms keep that window as short and tightly controlled as possible. The air gap trades recovery speed for the highest possible assurance that a clean copy still exists.
Threat vs defence: what each layer actually covers
The two techniques are not competitors — they cover different squares on the board. A standard online backup gives you point-in-time copies but little protection once an attacker holds privileged access. Immutability blocks alteration and deletion but keeps the data reachable. An air gap removes reachability but slows recovery. Only the combination covers the full range of realistic ransomware behaviour, from snapshot wiping to a complete environment takeover.
The matrix below maps common 2026 attack techniques against each defensive posture. Read it as a gap analysis: wherever a single control shows only partial cover, that is where the layered design earns its cost. [[fig:coverage-matrix|How each backup posture holds up against modern ransomware techniques]] If cyber resilience is being reviewed alongside your wider estate, our cyber security and storage solutions pages set out how these controls fit real hardware.
The layered answer: 3-2-1-1-0 for UK firms
The backup community's response to backup-hunting ransomware is the 3-2-1-1-0 rule, an evolution of the classic 3-2-1 strategy. It reads: keep 3 copies of data, on 2 different media types, with 1 copy off-site, 1 copy immutable or air-gapped (ideally both, on different tiers), and 0 recovery errors verified through testing.
The two extra digits are precisely the ones ransomware exposed. The additional isolated copy means that deleting your snapshots and encrypting your primary backup still leaves a copy the attacker never controlled. The zero means you have proven — not assumed — that the copy restores cleanly. [[fig:layered-architecture|The 3-2-1-1-0 rule, layer by layer, with the ransomware failure each digit addresses]]
In practice a mid-sized UK firm might run: fast local backups on disk for day-to-day restores; an immutable, object-locked copy in a hardened repository for quick ransomware recovery; and an air-gapped tier — offline tape or an isolated cloud vault — as the untouchable last resort. That is three copies, two-plus media types, off-site, immutable and air-gapped. The design does not depend on any single control being perfect, which is exactly the point.
Recovery assurance: the '0' is where firms fail
Owning immutable and air-gapped copies is necessary but not sufficient. The figure most firms overlook is the recovery gap — the distance between having a backup and being able to restore the business from it. The chart below tracks that erosion across cited datasets: nearly every victim's backups are targeted, most attempts to compromise them succeed, and barely half of all victims end up restoring from backup at all. [[fig:recovery-assurance|Where recovery assurance breaks down — cited figures across the attack chain]]
Three habits close the gap. First, test restores on a schedule and measure them against a real recovery-time objective, not a hopeful one — the '0' means verified, integrity-checked, actually-booted restores. Second, protect the newest restore points: because a fast attacker can poison a job just before immutability locks, retain enough clean generations that you can roll back past the intrusion. Third, watch dwell time — attackers often sit in the network for days, so keep immutable retention comfortably longer than your likely detection window.
Recovery also depends on having somewhere to restore to. If your production platform is the crime scene, clean spare capacity — or a rehearsed rebuild on refurbished servers — can be the difference between days and weeks of downtime.
The UK buyer angle: ageing kit, budgets and who restores it
UK organisations are not on the sidelines of this trend. The NCSC's Annual Review 2025 reported 204 nationally significant incidents in the year to September — more than double the previous year's 89 — and CrowdStrike ranks the UK among Europe's most-targeted nations, with the region absorbing roughly a fifth of global ransomware victims. The Jaguar Land Rover attack alone is estimated to have cost the British economy around £1.9 billion, a figure driven largely by the length of the outage rather than the ransom.
Two practical buyer issues follow. First, unsupported infrastructure is disproportionately exposed: unpatched, end-of-life systems are a favoured entry point, and they are also harder to restore. Check where you stand with our server end-of-life checker and storage end-of-life checker, and where a vendor has pulled support but the hardware is still fit for purpose, third-party maintenance keeps it patched and covered without a forced refresh.
Second, resilience is a budgeting decision. An immutable-plus-air-gap design costs more than a single online backup, but a fraction of one JLR-scale outage. If the spend needs to land as operating cost rather than a capital hit, our IT finance calculator models leasing or subscription options for backup and storage refreshes. Design for the attack that deletes your backups first — because in 2026, that is the default, not the exception.
Sources
Every figure in this guide is drawn from the following published research. Dates reflect the version cited at the time of writing.
- •Sophos — The State of Ransomware 2025: https://www.sophos.com/en-us/content/state-of-ransomware
- •Sophos — The impact of compromised backups on ransomware outcomes: https://www.sophos.com/en-us/blog/the-impact-of-compromised-backups-on-ransomware-outcomes
- •Veeam — Air Gap vs Immutable Backups: Key Differences: https://www.veeam.com/blog/air-gap-vs-immutable-backups-key-differences.html
- •CrowdStrike — 2025 European Threat Landscape Report: https://www.crowdstrike.com/en-us/press-releases/crowdstrike-2025-european-threat-landscape-report-ransomware-hits-region-at-record-pace/
- •Acronis — Cyberthreats Report H2 2025: https://www.acronis.com/en/pr/2026/acronis-h2-2025-cyberthreats-report-cyberattacks-surge-as-phishing-ransomware-and-ai-driven-threats-escalate/
- •Black Kite — 2026 European Cyber Risk Report (via Infosecurity Magazine): https://www.infosecurity-magazine.com/news/increase-ransomware-europe/
- •NCSC — Annual Review 2025: https://www.ncsc.gov.uk/collection/ncsc-annual-review-2025
- •Zmanda — Understanding the 3-2-1-1-0 Backup Rule: https://www.zmanda.com/blog/understanding-the-3-2-1-1-0-backup-rule/
