For decades, enterprise backup followed the 3-2-1 rule: three copies of data, on two different media types, with one copy offsite. That rule was designed for a world where the primary threats were hardware failure, accidental deletion, and natural disasters. Ransomware has rewritten the threat model, and the 3-2-1 rule no longer holds.
Why 3-2-1 fails against ransomware
Modern ransomware is patient. Attackers establish persistence weeks or months before encryption, and they specifically target backup infrastructure first. If your backups are reachable from the production network, they will be encrypted alongside production data. The "offsite copy" provides no protection if it is just a replicated copy that follows the same encryption. Multiple high-profile Indian enterprises in 2024 discovered exactly this: clean backups that had been silently corrupted or encrypted weeks before the visible attack.
The 3-2-1-1 evolution
The modern rule adds one critical "1": one immutable, air-gapped copy. Immutable means the backup cannot be modified or deleted by anyone — not even an administrator with full credentials — for a defined retention period. Air-gapped means physically or logically isolated from the production network, so ransomware cannot reach it even with valid credentials.
What immutable actually requires
Immutability is not a feature you enable; it is an architectural property. Hardened Linux repositories, object storage with object lock (S3 Object Lock or equivalent), tape libraries with WORM media, or dedicated immutable backup appliances are the proven implementations. The retention period must exceed your ransomware detection window — typically 30 to 90 days — so that even if an attack is detected late, you still have clean recovery points that the attacker could neither encrypt nor expire.
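The retention rule above, turned into a check. This is an added example, not code from the original article: it evaluates a constructed S3 Object Lock configuration (in the shape boto3's get_object_lock_configuration() returns, but built inline rather than fetched) and works out which weekly recovery points are still both clean and retained after an assumed 60-day dwell time; the function names and timeline are illustrative.

```python
from datetime import datetime, timedelta

# Constructed examples of the dict boto3's get_object_lock_configuration() returns
# (not taken from any real bucket).
WEAK_CONFIG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}}
STRONG_CONFIG = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 120}}}}


def minimum_retention_days(detection_window_days: int, backup_interval_days: int) -> int:
    """The newest clean recovery point can be up to one backup interval older than the
    moment of compromise, so retention must cover the detection window plus that interval."""
    return detection_window_days + backup_interval_days


def object_lock_is_sufficient(config: dict, detection_window_days: int = 90,
                              backup_interval_days: int = 7) -> tuple[bool, list[str]]:
    """Return (ok, problems) for an Object Lock configuration against the rule above."""
    problems = []
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return False, ["Object Lock is not enabled on the bucket"]
    retention = lock.get("Rule", {}).get("DefaultRetention", {})
    # GOVERNANCE mode can be bypassed by a principal holding s3:BypassGovernanceRetention,
    # which is exactly the "administrator with full credentials" the article rules out.
    if retention.get("Mode") != "COMPLIANCE":
        problems.append(f"retention mode is {retention.get('Mode')!r}, not COMPLIANCE")
    days = retention.get("Days", retention.get("Years", 0) * 365)
    needed = minimum_retention_days(detection_window_days, backup_interval_days)
    if days < needed:
        problems.append(f"default retention {days} days is below the {needed} days needed")
    return (not problems), problems


def usable_recovery_points(points: list[datetime], compromised_at: datetime,
                           detected_at: datetime, retention_days: int) -> list[datetime]:
    """Recovery points that are clean (taken before the attacker gained access) and whose
    immutable retention had not yet expired when the attack was detected."""
    return sorted(p for p in points
                  if p < compromised_at and p + timedelta(days=retention_days) > detected_at)


# Constructed timeline: weekly backups, attacker present for 60 days before detection.
DETECTED = datetime(2024, 9, 1)
COMPROMISED = DETECTED - timedelta(days=60)
WEEKLY_POINTS = [DETECTED - timedelta(days=7 * i) for i in range(18)]
```

With 45 days of retention every clean point has already expired by the time the attack is noticed; with 90 days, four weekly clean points remain.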
Testing is mandatory
The backup architecture that has never been tested is the backup architecture that does not work. A full DR drill — restoring production workloads from immutable backups to a clean environment, validated by application teams — must happen at least annually. Quarterly is better. The first time you test your backup architecture should never be during a live ransomware incident.
