--- title: "Backup Media Compared: Ransomware Resilience" date: 2026-03-16T13:45:00+01:00 author: FAST LTA canonical_url: "https://www.fast-lta.de//en/blog/backup-medien-im-ransomware-vergleich" section: "Entries: Articles" --- ### The Four Options at a Glance [\#](#the-four-options-at-a-glance "The Four Options at a Glance") **NAS/SAN (online disk):** - Network reachability: always online - Ransomware risk: very high - Restore speed: fast - Operations: fully automated - Role: short-term operational restores only **Tape (LTO):** - Network reachability: offline once the cartridge is removed - Ransomware risk: low while offline, but exposed in the library and during handling - Restore speed: slow (media must be located, mounted, read sequentially) - Operations: manual media handling, transport, and storage; no online verification of offline cartridges - Role: the legacy offline medium that air-gapped disk systems replace **Cloud (S3/​Azure/​Google):** - Network reachability: always online - Ransomware risk: high without object lock; moderate with correctly configured compliance-mode object lock - Restore speed: depends on bandwidth and egress; large restores take long and cost money - Operations: automated, but credential and configuration management is critical - Role: geographic redundancy as a supplement, never the primary line of defence **Hardware air gap on disk (Silent Brick System):** - Network reachability: physically or galvanically separated outside controlled backup windows - Ransomware risk: very low - Restore speed: fast (disk-based, random access) - Operations: automated separation, online integrity verification, no media handling - Role: the modern offline layer for ransomware recovery --- ### Detailed Comparison by Medium [\#](#detailed-comparison-by-medium "Detailed Comparison by Medium") #### 1. NAS / SAN (Network-Attached Storage) [\#](#1-nas-san-network-attached-storage "1. NAS / SAN (Network-Attached Storage)") **How it works:** - Backup software writes to a network share (SMB, NFS) - The NAS/SAN is always reachable (24÷7 online) - Often with snapshots for fast point-in-time recovery **Ransomware scenario:** Ransomware obtains admin rights, finds the NAS credentials in the backup software configuration, connects to the share, and deletes or encrypts the backup data. **Ransomware resilience: very weak.** - Network-reachable, with credentials stored locally - No enforced immutability (an admin can delete everything) - Snapshots live on the same system as the data **When to use:** Only for short-term operational restores (24 to 48 hours). Never as ransomware protection. Always combine with an offline layer. #### 2. Tape (LTO) [\#](#2-tape-lto "2. Tape (LTO)") **How it works:** - Data is written sequentially to LTO cartridges - Cartridges are removed from the library and stored offline - Historically the default for offsite and long-term copies **Ransomware scenario:** A cartridge sitting in a vault is unreachable for ransomware. But cartridges still in the library, and the backup server controlling the library, are not protected. Attackers who compromise the backup server can erase or overwrite loaded media and sabotage future jobs. **Ransomware resilience: offline cartridges are protected; the overall process is fragile.** **The operational price of tape:** - Slow restores: media must be retrieved, mounted, and read sequentially; large restores take many hours to days - Manual media handling: removal, labelling, transport, and storage are human processes, and human processes fail silently - No online verification: an offline cartridge cannot be checked; you discover unreadable media during the restore, which is the worst possible moment - Generation and drive compatibility management over years **Assessment:** Tape delivers the offline property, but at the cost of slow recovery and error-prone manual processes. This is precisely the gap that hardware air gap on disk closes: the same offline protection, with fast random-access restores, automated separation, and continuous integrity verification. For organisations still running tape, replacing it is one of the most effective resilience upgrades available. #### 3. Cloud (AWS S3, Azure Blob, Google Cloud) [\#](#3-cloud-aws-s3-azure-blob-google-cloud "3. Cloud (AWS S3, Azure Blob, Google Cloud)") **How it works:** - Data is transferred via HTTPS to a cloud provider - Object lock (WORM) can be enabled - Scales to very large volumes **Ransomware scenario:** Ransomware finds cloud credentials locally (in a config file), connects to the bucket with stolen credentials, and deletes or re-encrypts the backups. Governance-mode object lock can be bypassed with the right stolen permissions. **Ransomware resilience: moderate to weak.** - Credentials are reachable on local systems - Object lock in governance mode is bypassable; only compliance mode enforces retention strictly - Large restores are slowed by bandwidth and burdened by egress costs **When to use:** Geographic redundancy and disaster recovery as a supplementary layer, for non-critical data, or as an additional copy. Never alone for ransomware protection, and never as the primary strategy: the last line of defence belongs on premises, under your physical control. #### 4. Hardware Air Gap on Disk (Silent Brick System) [\#](#4-hardware-air-gap-on-disk-silent-brick-system "4. Hardware Air Gap on Disk (Silent Brick System)") **How it works:** - Backup data is written over a secured connection during controlled windows - After the backup, the storage is separated from the network: with Silent Brick Pro, the bricks are physically removed from the Controller X (a true physical air gap); with Silent Brick Max Air, galvanic separation disconnects the storage electrically, with no physical removal needed - Data integrity is verified by the system, so you know the copy is restorable before you need it **Ransomware scenario:** Ransomware has admin rights and attempts to reach the backup target. Outside the backup window there is no data path. Access is impossible, and the backup stays intact. **Ransomware resilience: very strong.** - Physically or galvanically isolated, not addressable from the network - No credentials that can be stolen to reach offline copies - Automated separation removes the human error of manual media handling - Disk-based: restores start immediately, with random access instead of sequential tape reads **When to use:** As the offline layer for critical systems (domain, ERP, email, file services), daily backups with fast RTO requirements, and as the recovery foundation required by frameworks such as NIS2 (Directive (EU) 2022⁄2555 lists backup management and crisis management among the mandatory risk measures) and DORA for the financial sector. --- ### Multi-Tier Backup Strategy (Recommended) [\#](#multi-tier-backup-strategy-recommended "Multi-Tier Backup Strategy (Recommended)") No single medium is optimal. Recommended strategy by layer: #### Tier 1: Hot Recovery (Fast Operational Restores) [\#](#tier-1-hot-recovery-fast-operational-restores "Tier 1: Hot Recovery (Fast Operational Restores)") - Medium: NAS/​snapshots - RTO: minutes to a few hours - Retention: 48 hours to 7 days - Purpose: fast local recovery from everyday failures - Ransomware protection: no #### Tier 2: Offline Layer (Ransomware Protection) [\#](#tier-2-offline-layer-ransomware-protection "Tier 2: Offline Layer (Ransomware Protection)") - Medium: hardware air gap on disk - RTO: fast, disk-based restores - Retention: weeks to unlimited - Purpose: guaranteed recoverability after a network-wide compromise - Ransomware protection: yes #### Tier 3: Geographic Redundancy (Disaster Recovery) [\#](#tier-3-geographic-redundancy-disaster-recovery "Tier 3: Geographic Redundancy (Disaster Recovery)") - Medium: cloud or a second site (supplementary copy) - RTO: hours, depending on bandwidth - Retention: 90 days to 1 year - Purpose: protection against site-level disasters - Ransomware protection: partial; depends on object lock configuration **Example implementation for critical systems:** - Continuous: snapshots to NAS (hot recovery) - Daily: backup to the hardware air gap (Tier 2) - Weekly: copy to a second site or cloud for DR (Tier 3) - Monthly: full recovery test from the air gap layer For regulated long-term archiving with legally mandated retention, add hardware WORM storage (Silent Cubes) as a separate archive layer; that is an archiving task, distinct from backup. --- ### Decision Guide: Which Medium for Which Data? [\#](#decision-guide-which-medium-for-which-data "Decision Guide: Which Medium for Which Data?") - Is the data critical for business operations? Then it needs Tier 1 (fast restore) plus Tier 2 (air gap). Add Tier 3 for site-level risk. - Is the data non-critical? NAS plus a supplementary offsite copy is sufficient. - Do you need fast recovery after a ransomware attack (RTO under a day)? Then the offline layer must be disk-based. Sequential offline media cannot deliver that. - Do you need compliant long-term archiving (6 to 30 years)? That is a separate requirement: hardware WORM archive storage (Silent Cubes), not the backup layer. - Are you still rotating tapes? Evaluate replacing the tape process with an automated hardware air gap: same offline property, faster restores, no media handling, verified integrity. --- ### Frequently Asked Questions [\#](#frequently-asked-questions "Frequently Asked Questions") **Should I use only one medium?** No. Redundancy is the point of the 3−2−1−1−0 rule: at least two different media, one copy offsite, one copy offline or immutable, zero errors in the restore test. **Is tape still a valid choice?** Tape provides the offline property, and that is its one remaining argument. Everything else speaks against it: slow sequential restores, manual handling, no online verification of offline media. A hardware air gap on disk provides the same protection without these drawbacks. That is why organisations replace tape with air-gapped disk systems. **Why is cloud alone not enough?** Because credentials can be stolen and large restores are slow and expensive. Cloud works as Tier 3 (geographic redundancy), not as primary ransomware protection. The primary offline layer belongs on premises. **What does a secure multi-tier solution cost?** That depends on data volume, retention, and RTO targets. The decisive comparison is not media cost per terabyte but total risk: industry reports consistently put the full cost of a ransomware incident (downtime, recovery, forensics) at a multiple of any backup investment. Request a sizing consultation for concrete numbers. --- ### Further Resources [\#](#further-resources "Further Resources") → Logical vs. Physical Air Gap: The Difference (/en/blog/logischer-vs-physischer-air-gap/) → Hardware Air Gap: Comparison for IT Decision-Makers (/en/blog/hardware-air-gap-vergleich/) → Why Cloud Backups Provide No Real Ransomware Protection (/en/blog/cloud-backup-ransomware-schutz/) → The 3−2−1−1−0 Backup Strategy (/​en/​blog/​3 – 2‑1 – 1‑0-backup-strategie/) → Silent Brick System: Hardware Air Gap for Ransomware Protection (/en/produkte/silent-brick-system/) → Request a Demo (/​en/​kontakt/​demo/​) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Air Gap An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/air-gap) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### DORA DORA (Digital Operational Resilience Act, EU 2022/2554) is an EU regulation that has applied to all regulated financial market participants since January 2025, setting concrete requirements for ICT risk management, backup systems (Art. 11 and 12), third-party provider management (Art. 28–30) and incident reporting. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/dora) ### WORM WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/worm) ### Air Gap An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/air-gap) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Air Gap An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/air-gap) ### Air Gap An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/air-gap) ### Air Gap An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/air-gap) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### WORM WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/worm) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Air Gap An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/air-gap) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Ransomware Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/ransomware) ### Air Gap An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/air-gap) ### Disaster Recovery Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/disaster-recovery) ### WORM WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/worm) ### Air Gap An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers. [Mehr erfahren →](https://www.fast-lta.de//en/glossary/air-gap)