Backup copies stored on media that is physically disconnected from the network and all connected systems, making them completely immune to ransomware encryption and network-based destruction.
An air-gapped backup is physically isolated from all networks — there is literally an air gap between the backup media and any connected system. Common implementations include tape libraries where tapes are ejected and vaulted after backup completion, removable hard drives stored in secure offsite locations, and dedicated backup systems that are only connected to the network during scheduled backup windows. Because the backup media has no network connection, ransomware — which spreads through networks — cannot reach or encrypt it.
Air-gapped backups provide the highest level of protection against ransomware because they eliminate the attack vector entirely. Even an attacker with domain admin privileges and full control of the production network cannot access media that is physically disconnected. This makes air-gapped backups the last line of defense — the recovery option that works even in the worst-case scenario where everything else has been compromised.
The tradeoff with air-gapped backups is operational complexity and recovery speed. Because the media is offline, recovery requires physical handling — retrieving tapes from a vault, connecting removable drives, or powering on isolated backup systems. This can add hours or days to recovery time compared to online backups. Many organizations use air-gapped backups as part of a layered strategy: online snapshots for fast recovery of minor issues, immutable cloud backups for medium-severity scenarios, and air-gapped backups as the catastrophic recovery option for total ransomware encryption.