Why Tier 1 (Online) Fails Against Ransomware

Scenario: an attacker has compromised your network. The file server is encrypted. You attempt to restore from Tier 1 backups.

Problem 1: The attacker also has access to Tier 1

If the attacker has admin access to your network (and in a genuine compromise, they do), they can also reach the backup system. They can:

  • Delete Tier 1 backups
  • Encrypt Tier 1 backups (double extortion: business data plus backup data)
  • Modify Tier 1 backups (silent encryption: changes are replicated into backups)

Problem 2: Automatic synchronization

Many backup systems synchronize daily or even hourly. If the attacker starts encryption and your backups synchronize on the same day, the encryption lands in the backup too. You have a very short window to notice.

Industry incident analyses consistently show the same pattern: most ransomware victims had backups, but a large share could not use them because the backups were reachable from the compromised network and were destroyed or encrypted along with production.


Why Tier 4 (Cloud) Fails Against Ransomware

Scenario: you have cloud object storage backups. The attacker compromises your network and finds the cloud credentials in code or environment variables.

Problem 1: Cloud credentials are in the network

If your applications communicate with the cloud, the credentials exist in the network. An attacker can steal them and access the cloud account directly, independent of your on-premises network.

Problem 2: The cloud cannot distinguish the attacker from you

With valid credentials, the provider cannot tell "authorized access" from "attacker access." The attacker can delete or encrypt cloud backups just like any legitimate administrator.

Problem 3: Delayed detection

Unlike on-premises backups that you see daily, cloud backups are easy to forget. If the attacker deletes them weeks before you detect the intrusion, you discover the loss at recovery time, when it is too late.

Cloud copies are a supplement at best, never the primary line of defense. Isolation against compromised credentials is exactly what the cloud cannot deliver.


The Air Gap Concept

Air gap means: physical isolation from the production network.

Concretely:

  1. A copy is created from Tier 1 backups (or directly from production)
  2. The copy is written to isolated hardware
  3. The hardware is separated from the network: with the Silent Brick Max Air the connection is galvanically severed automatically after each backup window; with the Silent Brick Pro, storage bricks are physically removable from the Controller X
  4. While separated, the copy is unreachable for any network-based attack
  5. For recovery, the connection is re-established in a deliberate, controlled step

The attacker can delete Tier 1 (network-connected, reachable) and delete Tier 4 (credentials stolen), but not Tier 2 (physically unreachable, offline).

That is the security of the air gap.


Practical Air Gap Implementation

Step 1: Automated copy cycles

Backups are copied to the air-gap system on a schedule, daily or more frequently. With galvanic separation (Silent Brick Max Air) no administrator has to plug or unplug anything: the system connects for the backup window, verifies the copy, and severs the connection again.

Step 2: Offline by default

Between backup windows the system is electrically separated. During this time no network-based attack can reach it. Multiple recovery points are retained, so even if the most recent copy contains early-stage compromise, older clean copies exist.

Step 3: Recovery

In the event of an attack, the air-gap system is brought online in a controlled, ideally isolated recovery environment. Because the data sits on disk, the restore starts immediately; no media retrieval, no sequential read-back. After verification, data moves back to production step by step.

This is not a high-tech process. It is disciplined simplicity, automated so that it happens every day without depending on anyone remembering it.


Scenario Analysis: What Survives a Full Compromise?

Scenario: attacker with full control of the production network and 72 hours of access.

  • Tier 1 (online backups): encrypted on day one, deleted by day two. Lost.
  • Tier 4 (cloud copies): credentials stolen on day one, copies deleted on day two. Lost.
  • Tier 3 (hardware archive): the data is immutable and survives, but an archive is built for retention, not for fast full-.
  • Tier 2 (air gap): offline throughout the attack. Available, intact, restorable.

Only Tier 2 delivers both survival and fast recovery.


The Critical Question: What If the Attacker Knows About Tier 2?

A legitimate concern: "What if the attacker does not only compromise the production network, but knows we have air-gapped copies and tries to reach them?"

Answer: there is nothing to reach. A galvanically separated system has no active connection; no command, no credential, and no firewall change creates one. Physical access to the hardware would be required, which is a building security question, not an IT question. This is why security agencies (in Germany, for example, the BSI) and frameworks such as NIST recommend offline copies as the baseline measure against ransomware.


The Role of Recovery Verification

Tier 2 is only as good as its verification.

Risks without verification:

  • A copy taken after the initial compromise may already contain dormant malware
  • An unverified copy may be incomplete or inconsistent

Solution: verified restorability.

  • Regular recovery tests directly from Tier 2 (not from Tier 1)
  • Integrity checks after recovery (malware scan, hash verification)
  • An isolated recovery environment, never restoring straight into production

This makes Tier 2 a true insurance layer.


Common Mistakes in Air Gap Implementation

Mistake 1: The air gap is not truly offline. "We have an isolated server, but it still has a network cable connected for emergencies." That is not an air gap. True isolation means: no active connection while offline. Galvanic separation enforces this by design.

Mistake 2: Only one copy. A single recovery point is fragile. Retain multiple copies covering at least four weeks, so you can roll back past the initial compromise date.

Mistake 3: The copy process is too slow or too manual. A copy process that takes half a day or depends on a person walking media to a vault will be skipped under pressure. Automate it.

Mistake 4: No verification. "We copy to the air gap, but never check whether the data is consistent." The recovery will fail exactly when you need it. Always verify: checksums, size, metadata, and periodic full restore tests.
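The verification and retention checks described under "The Role of Recovery Verification" and in Mistakes 2 and 4 above, as an added example that is not part of the original article or of any Silent Brick tooling: a manifest of hash and size is recorded when the copy is written, the copy on the air-gap system is checked against it (missing, resized, altered or unexpected files are all reported), recovery points are checked for four-week coverage, and the newest point taken before a known compromise date is selected. All file contents and dates are constructed sample data.

```python
import hashlib
from datetime import date, timedelta

# Constructed sample: the files as they were on the source at copy time.
SOURCE_FILES = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'ok');\n",
    "files/report.pdf": b"%PDF-1.4 constructed sample\n",
}

def build_manifest(files):
    """Record sha256 and size of every file at copy time (path -> (digest, size))."""
    return {p: (hashlib.sha256(d).hexdigest(), len(d)) for p, d in files.items()}

def verify_copy(manifest, files):
    """Check the air-gap copy against the manifest.
    Returns a list of (path, reason); an empty list means the copy verified."""
    problems = []
    for path, (digest, size) in manifest.items():
        data = files.get(path)
        if data is None:
            problems.append((path, "missing"))
        elif len(data) != size:
            problems.append((path, "size mismatch"))
        elif hashlib.sha256(data).hexdigest() != digest:
            # Same size but different content: typical of in-place encryption.
            problems.append((path, "hash mismatch"))
    for path in files:
        if path not in manifest:
            problems.append((path, "not in manifest"))
    return problems

def retention_ok(points, min_days=28):
    """Mistake 2: recovery points must span at least four weeks."""
    return bool(points) and (max(points) - min(points)).days >= min_days

def clean_recovery_point(points, compromise_date):
    """Newest recovery point taken strictly before the compromise date, or None
    when no point predates it (the retention window is too short)."""
    clean = [p for p in points if p < compromise_date]
    return max(clean) if clean else None

if __name__ == "__main__":
    manifest = build_manifest(SOURCE_FILES)
    print("copy problems:", verify_copy(manifest, SOURCE_FILES))
    points = [date(2024, 3, 1) + timedelta(days=7 * i) for i in range(5)]
    print("retention ok:", retention_ok(points))
    print("restore from:", clean_recovery_point(points, date(2024, 3, 10)))
```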


Frequently Asked Questions

Is removable media (tape, USB) an air gap? Physically separated media do form an air gap, but the protection depends on manual handling, and recovery is slow because data must be retrieved and read back. A disk-based air-gap system automates the isolation and restores at disk speed, which is why it has replaced media handling in modern architectures.

Can we combine an air gap with a hardware archive? Yes, and you should. Tier 2 (air-gap isolation for backups, Silent Brick System) plus Tier 3 (hardware archive for compliance, Silent Cubes) covers both fast recovery and tamper-proof retention.

Do mid-sized organizations also need an air gap? Yes, arguably more than large enterprises, because their resilience infrastructure is thinner. An automated daily air-gap copy protects without adding headcount.


Further Resources

  • IT Resilience Guide (/en/blog/it-resilienz-leitfaden/)
  • Multi-Tier Backup Architecture (/en/blog/mehrstufige-backup-architektur/)
  • Isolated Recovery Environment (/en/blog/isolated-recovery-environment/)
  • Silent Brick System: Backup Storage with Hardware (/en/produkte/silent-brick-system/)

Disclaimer

This article was written by our editorial team and edited using AI. It provides a general overview and does not constitute legal advice – we recommend seeking professional advice for your specific situation.