Ransomware Defenders
Cybersecurity Glossary

Backup Strategy

A structured plan for creating, storing, testing, and restoring data backups — the single most important control for ransomware recovery and the foundation of organizational resilience.

Understanding Backup Strategy

A backup strategy defines what data is backed up, how often, where backups are stored, how long they are retained, and how recovery is validated. The gold standard for ransomware resilience is the 3-2-1-1-0 strategy: 3 copies of data, on 2 different media types, 1 copy offsite, 1 copy offline or immutable, with 0 errors verified through regular testing. This ensures that even if ransomware encrypts production systems and compromises online backups, at least one copy remains recoverable.

Ransomware operators specifically target backup infrastructure because eliminating recovery options maximizes pressure to pay. Modern attacks routinely include backup destruction as a pre-encryption step: deleting shadow copies, encrypting backup repositories, corrupting backup catalogs, and even compromising backup administrator credentials to delete cloud-based backups. A robust backup strategy must account for these threats by ensuring at least one backup copy is completely inaccessible to an attacker who has domain admin privileges on the production network.

Testing Is Essential

The most critical — and most neglected — aspect of any backup strategy is testing. A backup that has never been restored is an assumption, not a plan. Organizations should conduct full restoration tests quarterly, verifying not just that files can be recovered, but that applications function correctly with the restored data. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) should be validated against actual restoration performance, not vendor estimates.
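The 3-2-1-1-0 rule and the restore-test requirement described above can be checked mechanically against a backup inventory. The following is an added example, not part of the original glossary entry; the Copy fields, the 92-day test window and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                      # "disk", "tape", "object-storage", ...
    offsite: bool = False
    isolated: bool = False          # offline or immutable
    production: bool = False        # live data counts as one of the 3 copies
    age: timedelta = timedelta(0)   # time since this copy was last written
    test_age: Optional[timedelta] = None       # time since last full restore test
    test_errors: int = 0                       # errors seen in that test
    test_duration: Optional[timedelta] = None  # measured restore time

def audit(copies, rpo, rto, max_test_age=timedelta(days=92)):
    """Return findings against 3-2-1-1-0; an empty list means the rule holds."""
    f = []
    if len(copies) < 3:
        f.append("3: fewer than 3 copies")
    if len({c.media for c in copies}) < 2:
        f.append("2: fewer than 2 media types")
    if not any(c.offsite for c in copies):
        f.append("1: no offsite copy")
    if not any(c.isolated for c in copies if not c.production):
        f.append("1: no offline or immutable copy")
    for c in (c for c in copies if not c.production):
        if c.test_age is None or c.test_age > max_test_age:
            f.append(f"0: {c.name}: no restore test in the last quarter")
        elif c.test_errors:
            f.append(f"0: {c.name}: last restore test had {c.test_errors} error(s)")
        elif c.test_duration is None or c.test_duration > rto:
            f.append(f"RTO: {c.name}: measured restore time exceeds target")
        # Assumption: the isolated copy is the one expected to survive an
        # attack, so its age is what bounds data loss (RPO).
        if c.isolated and c.age > rpo:
            f.append(f"RPO: {c.name}: isolated copy is older than the RPO")
    return f

# Constructed inventory: counts look fine, but the immutable copy is stale
# and has never been restored.
H = timedelta(hours=1)
INVENTORY = [
    Copy("prod-san", "disk", production=True),
    Copy("backup-repo", "disk", age=4 * H, test_age=30 * 24 * H, test_duration=3 * H),
    Copy("cloud-locked", "object-storage", offsite=True, isolated=True, age=30 * H),
]

def example():
    return audit(INVENTORY, rpo=24 * H, rto=8 * H)
```

Calling example() on the constructed inventory shows a layout that satisfies the copy, media, offsite and isolation counts while still failing on the untested, stale immutable copy.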
