1. What is ransomware — and why is endpoint protection not enough?

Ransomware is malware that encrypts data and demands a ransom for decryption. What started as simple extortion trojans — CryptoLocker (2013), WannaCry (2017) — has evolved into a highly professionalized industry: Ransomware-as-a-Service (RaaS), where specialized groups rent out attack tools and take a cut of the ransom.

Why endpoint protection alone is not enough

Endpoint Detection and Response (EDR), firewalls, and intrusion detection systems are necessary protection layers — but they address only prevention. The problem: no prevention measure provides 100% protection. According to the Veeam Data Protection Trends Report, 76% of surveyed organizations were victims of at least one ransomware attack — despite having protection measures in place.

The decisive question is not “Can I prevent an attack?” but “Can I recover after a successful attack?”

And that is precisely where the real problem begins.

The cost of a ransomware attack

| Cost item | Average value | Source |
|---|---|---|
| Total damage per attack | EUR 5.3m | Bitkom 2024 (estimate) |
| Downtime until recovery | Weeks to months | Sophos State of Ransomware 2024 |
| Share of victims who pay the ransom | 56% | Sophos State of Ransomware 2024 |
| Data recovery after payment | Often incomplete | Sophos State of Ransomware 2024 |

The numbers show: paying is not a strategy. Recovery is often incomplete. The only reliable strategy is the ability to restore systems and data independently — from a backup the attacker could not reach.

2. How ransomware attacks your backups

Modern ransomware campaigns follow a methodical sequence designed specifically to destroy your recovery capability. Since 2018, Big Game Hunting campaigns have dominated: professional groups like LockBit, BlackCat/ALPHV, and Cl0p that systematically target large organizations.

The typical attack sequence

Phase 1 — Initial access (Day 0)
Phishing emails, compromised VPN credentials, or unpatched publicly accessible systems provide the first foothold. This is not immediately exploited — attackers wait and observe.

Phase 2 — Reconnaissance and lateral movement (Days 1–21)
Attackers often remain undetected in networks for weeks, sometimes months. They move methodically through your network, escalate permissions, steal domain administrator credentials, and map the entire infrastructure — including all backup systems. This step is decisive: attackers identify every backup repository, every snapshot store, every cloud connection.

Phase 3 — Backup destruction (before encryption)
Only once the full picture is complete do attackers act:

  • Backup databases are deleted
  • Snapshots are removed
  • Backup agents are uninstalled
  • Shadow copies are destroyed
  • Cloud backup credentials are used to delete off-site copies

Phase 4 — Encryption and extortion
With backups destroyed, the victim faces a binary choice: pay or total loss.
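The Phase 3 steps above are individually unremarkable administrative actions; what makes them an attack is that several of them happen together, from one principal, in a short burst. The following detection logic is an added example (not code from the article or from any backup product): it runs over a constructed audit log in a key=value format that is itself an assumption, and raises one alert per principal that performs at least two different backup-destroying actions within 15 minutes.

```python
from datetime import datetime, timedelta

# Constructed sample audit log from a hypothetical backup server (not real product output).
# Format (assumed): ISO timestamp followed by key=value fields.
SAMPLE_LOG = """\
2025-03-01T02:13:05Z host=bkp01 user=svc_backup action=job.complete target=repo-nas
2025-03-01T02:15:00Z host=bkp01 user=svc_backup action=job.complete target=repo-cloud
2025-03-01T03:41:10Z host=bkp01 user=da_admin action=repo.delete target=repo-nas
2025-03-01T03:41:32Z host=bkp01 user=da_admin action=snapshot.policy.change target=vol-prod retention=0
2025-03-01T03:42:01Z host=fs02 user=da_admin action=shadowcopy.delete target=all
2025-03-01T03:43:15Z host=bkp01 user=da_admin action=agent.uninstall target=srv-erp
2025-03-01T03:44:40Z host=cloud user=da_admin action=bucket.delete target=offsite-backups
2025-03-01T09:02:11Z host=bkp01 user=j.mueller action=repo.delete target=repo-test
"""

# Actions that remove recovery capability, mapped to the Phase 3 step they correspond to.
DESTRUCTIVE = {
    "repo.delete": "backup database/repository deleted",
    "snapshot.delete": "snapshots removed",
    "snapshot.policy.change": "snapshot retention changed",
    "shadowcopy.delete": "shadow copies destroyed",
    "agent.uninstall": "backup agent uninstalled",
    "bucket.delete": "off-site cloud copy deleted",
}


def parse_line(line):
    """Split one audit line into a dict; 'ts' becomes a datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_backup_destruction(log_text, window=timedelta(minutes=15), min_distinct=2):
    """Alert when one principal performs >= min_distinct different destructive
    action types within `window`. A single deletion (e.g. of a test repository)
    does not alert; the Phase 3 pattern is the combination."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events = [r for r in events if r["action"] in DESTRUCTIVE]
    by_user = {}
    for r in events:
        by_user.setdefault(r["user"], []).append(r)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            cluster = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            kinds = {r["action"] for r in cluster}
            if len(kinds) >= min_distinct:
                alerts.append({
                    "user": user,
                    "start": first["ts"],
                    "end": cluster[-1]["ts"],
                    "steps": sorted(DESTRUCTIVE[a] for a in kinds),
                    "hosts": sorted({r["host"] for r in cluster}),
                })
                break  # one alert per principal per burst is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect_backup_destruction(SAMPLE_LOG):
        print(f"[ALERT] {a['user']} {a['start']:%H:%M:%S}-{a['end']:%H:%M:%S} on {a['hosts']}")
        for step in a["steps"]:
            print("   -", step)
```

The correlation is deliberately on the principal, not the host: Phase 3 spans the backup server, file servers and the cloud console, and a per-host view sees only one event each. An alert here is a signal to verify the air-gapped copy and the last clean recovery point before the encryption phase starts, which is the window the article describes as "before encryption".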

Why your current backup is at risk

The critical question for every IT organization: Can an attacker with compromised administrator credentials destroy your backup?

If your backups are reachable via the same Active Directory, the same network segments, or the same cloud credentials as your production environment — then the answer is: yes.

| Backup type | Reachable with admin credentials? | Ransomware protection |
|---|---|---|
| NAS/SAN (network-connected) | Yes — via SMB/NFS | None |
| Cloud backup (S3, Azure Blob) | Yes — via IAM/API keys | Low (Object Lock bypassable) |
| Snapshot immutability | Yes — admin can change policies | Low |
| Hardware air gap | No — physically not addressable | Very high |
[Figure: Ransomware attack progression. How professional attackers systematically destroy your backup infrastructure: big-game-hunting groups such as LockBit and BlackCat destroy backups before encrypting, the decisive difference from early attacks. Panels: Phase 1, Initial access (Day 0): phishing email, compromised VPN, unpatched systems, weak credentials. Phase 2, Reconnaissance and lateral movement (Days 1–21): credential theft, domain admin escalated, network mapped, backups identified. Phase 3, Backup destruction (before encryption): backup databases deleted, shadow copies removed, cloud backups deleted, agents uninstalled. Phase 4, Encryption and extortion (Hour X): all data encrypted, ransom demand, backups destroyed, pay or outage. Callout: Air-gap backups survive Phase 3 because they are physically not addressable. A hardware air gap has no active network connection during Phase 3, so no compromised admin credential can reach the system and the backup stays intact, regardless of the scale of the attack.]

3. Backup strategies in the ransomware context

The 3-2-1 rule — and why it is no longer sufficient

The 3-2-1 rule was the gold standard for decades: three copies, two media types, one off-site location. The problem: all three copies can be network-reachable. An attacker with domain administrator rights destroys them within hours.

The extension: 3-2-1-1-0

Security architects and BSI (German Federal Office for Information Security) recommend extending the rule with two critical elements:

  • +1 (offline/air-gapped): At least one copy must be physically separated from the network — not just logically isolated, not just protected by a firewall, but physically not addressable.
  • +0 (zero errors after verification): Backups must be regularly checked for recoverability. A backup without a verified restore is not a backup — it is a hope.
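The 3-2-1-1-0 rule as an automated inventory check, added here as an example (not code from the article or from FAST LTA). The BackupCopy fields and the 90-day freshness limit for the +0 check are assumptions: the article asks for regular verification without fixing an interval, and 90 days mirrors the quarterly recovery tests it recommends later.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                          # "disk", "tape", "object-storage", ...
    offsite: bool                       # held at a different physical location
    offline: bool                       # physically disconnected outside the backup window
    last_verified_restore: Optional[date]   # None = never restore-tested


def check_32110(copies: List[BackupCopy], today: date,
                max_test_age_days: int = 90) -> Tuple[bool, List[str]]:
    """Evaluate an inventory against 3-2-1-1-0. Returns (passed, findings)."""
    findings = []
    # 3: at least three copies
    if len(copies) < 3:
        findings.append(f"3: only {len(copies)} copies, need at least 3")
    # 2: at least two media types
    media = {c.media for c in copies}
    if len(media) < 2:
        findings.append(f"2: only one media type ({', '.join(sorted(media)) or 'none'})")
    # 1: at least one off-site copy
    if not any(c.offsite for c in copies):
        findings.append("1: no off-site copy")
    # +1: at least one copy that is physically offline (air-gapped), not just segmented
    if not any(c.offline for c in copies):
        findings.append("+1: no offline/air-gapped copy")
    # +0: every copy has a recent verified restore; an unverified backup is a hope
    stale = timedelta(days=max_test_age_days)
    for c in copies:
        if c.last_verified_restore is None:
            findings.append(f"+0: {c.name} has never had a verified restore")
        elif today - c.last_verified_restore > stale:
            findings.append(f"+0: {c.name} last verified {c.last_verified_restore}, "
                            f"older than {max_test_age_days} days")
    return (not findings, findings)


# Constructed inventories (assumed, not real environments).
TODAY = date(2025, 3, 1)

# Textbook 3-2-1: three copies, two media, one off-site, but every copy stays reachable.
CLASSIC_321 = [
    BackupCopy("primary NAS", "disk", offsite=False, offline=False,
               last_verified_restore=date(2025, 2, 20)),
    BackupCopy("replica NAS (branch office)", "disk", offsite=True, offline=False,
               last_verified_restore=None),
    BackupCopy("cloud bucket", "object-storage", offsite=True, offline=False,
               last_verified_restore=None),
]

# Same primary, plus a tested cloud copy and a physically disconnected appliance.
WITH_AIR_GAP = [
    CLASSIC_321[0],
    BackupCopy("cloud bucket", "object-storage", offsite=True, offline=False,
               last_verified_restore=date(2025, 1, 15)),
    BackupCopy("air-gap appliance", "disk", offsite=False, offline=True,
               last_verified_restore=date(2025, 2, 10)),
]

if __name__ == "__main__":
    for label, inv in (("classic 3-2-1", CLASSIC_321), ("3-2-1-1-0", WITH_AIR_GAP)):
        ok, findings = check_32110(inv, TODAY)
        print(f"{label}: {'PASS' if ok else 'FAIL'}")
        for f in findings:
            print("  -", f)
```

The classic inventory satisfies 3, 2 and 1 and still fails: nothing is offline, and two of the three copies have never been restored. Note that the +0 check is per copy, not per inventory: one verified copy does not vouch for the others.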

Backup isolation comparison

| Method | Real ransomware protection | RTO | Automation | Compliance suitability |
|---|---|---|---|---|
| Online backup (NAS/cloud) | No | < 1 hour | High | Insufficient |
| Snapshot immutability | Low | < 1 hour | High | Conditional |
| Object Lock / Cloud WORM | Medium | Medium | High | Conditional |
| Hardware air gap | Very high | 4–8 hours | High | Yes |

The table shows that real ransomware protection requires physical isolation. The only remaining question is whether that isolation is automated, or manual and slow.


4. Air gap: The only physical protection

What a real air gap is

The term “air gap” is used loosely. Cloud providers market their offerings as a “virtual air gap”; backup software vendors label network segmentation a “logical air gap.” Neither is an air gap.

Definition: An air gap is the physical interruption of the network connection between a backup system and the rest of the IT infrastructure — such that the system has no addressable network interface in its offline state.

The three requirements for a real air gap:

  1. No active network connection after backup. The system must be physically disconnected from the network after the backup window.
  2. No addressable network interface in the offline state. A system with an IP address behind a firewall has no air gap — it is segmented.
  3. Hardware-enforced, not software-controlled. The separation must occur through physical mechanisms that cannot be reversed by a compromised system.

How an automated hardware air gap works

  1. Backup window opens: The backup software addresses the air-gap system via standard interfaces (FC, iSCSI, NFS, SMB, S3)
  2. Data is written: Backup job runs like any other backup target
  3. Hardware separation: After the write operation completes, an integrated hardware controller physically disconnects the network connection — automatically, without manual intervention
  4. Offline state: The system is unreachable. No IP address, no network interface, no attack vector
  5. Next backup window: The system automatically re-establishes the connection

This cycle runs fully automatically — no manual process, no risk of human error.
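The five-step cycle as a small state model, added here as an illustration; it is not vendor code and does not describe the Silent Brick controller's real interface, which the article does not document. The class, its method names and the two-state link are assumptions. What the model makes visible is the property the article relies on: a request that arrives while the link is down is not refused, it is undeliverable, so the target cannot even see it.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Tuple


class Link(Enum):
    CONNECTED = "connected"   # backup window open: reachable via FC/iSCSI/NFS/SMB/S3
    OFFLINE = "offline"       # hardware controller has cut the link: no addressable interface


@dataclass
class AirGapTarget:
    """Hypothetical model of an automated hardware air-gap target (not a vendor API)."""
    link: Link = Link.OFFLINE
    repository: Dict[str, int] = field(default_factory=dict)    # backup name -> size in bytes
    audit: List[Tuple[str, str]] = field(default_factory=list)  # (time, event): connection-time log

    def open_window(self, t: str) -> None:
        """Scheduled backup window: the controller connects the link."""
        self.link = Link.CONNECTED
        self.audit.append((t, "link connected (backup window opened)"))

    def close_window(self, t: str) -> None:
        """After the write completes the controller cuts the link. This happens in
        hardware, independent of the host OS, so a compromised host cannot keep it up."""
        self.link = Link.OFFLINE
        self.audit.append((t, "link disconnected by hardware controller"))

    def network_request(self, t: str, actor: str, op: str, name: str, size: int = 0) -> str:
        """A request arriving over the network. In the offline state there is no interface
        to deliver it to: the target never sees the request and therefore cannot log it."""
        if self.link is Link.OFFLINE:
            return "unreachable: no addressable interface"
        if op == "write":
            self.repository[name] = size
            self.audit.append((t, f"{actor} wrote {name} ({size} bytes)"))
            return "written"
        if op == "delete":
            # Inside the window the target behaves like any other backup target:
            # whoever can reach it with valid credentials can act on it.
            self.repository.pop(name, None)
            self.audit.append((t, f"{actor} deleted {name}"))
            return "deleted"
        raise ValueError(f"unknown operation {op!r}")


def simulate_cycle() -> Tuple[AirGapTarget, str]:
    """One backup cycle, then a Phase 3 deletion attempt outside the window."""
    target = AirGapTarget()
    target.open_window("day1 22:00")
    target.network_request("day1 22:05", "svc_backup", "write", "full-2025-03-01", 4_000_000_000)
    target.close_window("day1 23:30")
    # Phase 3 as described in the article: an actor holding domain-admin credentials
    # issues a delete the next day. No window is open, so there is nothing to address.
    outcome = target.network_request("day2 14:10", "da_admin", "delete", "full-2025-03-01")
    return target, outcome


if __name__ == "__main__":
    target, outcome = simulate_cycle()
    print("delete attempt:", outcome)
    print("repository:", target.repository)
    for when, event in target.audit:
        print(when, event)
```

The audit list is the "logging of all connection times" the article mentions: it records every link change and every action taken while connected, which is what an auditor needs to see. The model also shows the residual exposure honestly: during the window the target accepts whatever a reachable, authenticated client sends, so the window length and the credentials that can use it are the part of the design that still has to be right.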

FAST LTA Silent Brick System: Hardware air gap in practice

The Silent Brick System implements this automated hardware air gap:

  • Physical network separation through an integrated hardware controller, independent of the host operating system
  • Disk-based: Recovery speed in hours, not days
  • Compatible with all common backup solutions: Veeam, Commvault, Veritas, IBM Spectrum Protect
  • Audit-proof logging of all connection times — for compliance documentation
  • Made in Germany: Development and manufacturing in Munich


5. BSI recommendations and regulatory requirements

BSI IT-Grundschutz CON.3: Data backup concept

The BSI (German Federal Office for Information Security) IT-Grundschutz Compendium defines binding requirements for data backup in building block CON.3. The requirements most relevant for ransomware protection:

| BSI CON.3 requirement | What it requires | Implementation with air gap |
|---|---|---|
| CON.3.A1 — Identify influencing factors | Document RTO/RPO per system | Tier definitions with concrete time targets |
| CON.3.A10 — Specially protected data | Separate backup with enhanced measures | Dedicated air-gap layer for critical systems |
| CON.3.A11 — Regular tests | Conduct and document recovery tests | Quarterly recovery tests |
| CON.3.A14 — Protection with elevated requirements | Physical separation of backup media | Hardware air gap as a dedicated tier |

BSI recommendations on ransomware

BSI has explicitly named the following measures in its ransomware protection recommendations:

  • Offline backups: Backup copies that are not reachable via the network
  • Regular recovery tests: Demonstrate that a restore actually works
  • Separate administrator accounts: Do not manage backup systems with production credentials
  • Network segmentation: Operate backup infrastructure in dedicated VLANs

These recommendations align with the air-gap architecture: physical isolation, separate credentials, demonstrated recoverability.

6. Critical infrastructure and NIS2: Obligations for affected organizations

NIS2 Directive: New backup obligations since 2024

The NIS2 Directive (EU 2022/2555), transposed into German law through the NIS2 transposition act, obligates essential and important entities to take concrete measures in the area of business continuity. § 30 of the new BSIG requires:

  • Backup management and recovery: Documented strategies and procedures
  • Crisis management: Plans for handling ransomware incidents
  • Supply chain security: Assessment of backup software and hardware vendors
  • Vulnerability management: Include backup systems in vulnerability management

Who is affected?

  • Essential entities: Energy, transport, banking, healthcare, drinking water, digital infrastructure, public administration
  • Important entities: Postal services, waste management, chemicals, food, manufacturing, research
  • Size threshold: From 50 employees AND EUR 10m revenue — for certain sectors regardless of size

Fine framework

| Category | Maximum fine |
|---|---|
| Essential entities | EUR 10m or 2% of global annual revenue |
| Important entities | EUR 7m or 1.4% of global annual revenue |
| Personal liability | Management is personally liable for implementation |

What NIS2 means for your backup architecture

NIS2 makes a resilient backup architecture a legal obligation. Organizations that cannot demonstrate a functioning backup and recovery strategy risk fines — and in a real incident, personal liability for management.

7. Ransomware recovery: What counts in a real incident

The first 72 hours after an attack

When ransomware strikes, the first hours determine the damage outcome. The worst-case scenario: you discover that your backups have also been compromised.

Recovery sequence with air-gap backup:

  1. Hours 0–4: Damage containment
    • Isolate infected systems from the network
    • Map the extent of the attack
    • Activate the incident response team
  2. Hours 4–8: Backup verification
    • Check the air-gap backup system: verify data integrity
    • Identify the last clean recovery point
    • Determine the recovery sequence (critical systems first)
  3. Hours 8–24: Recovery of critical systems
    • Restore Active Directory and DNS
    • Bring up critical business applications
    • Restore communication systems
  4. Days 2–7: Full recovery
    • Restore all systems in stages
    • Verify data integrity
    • Begin root cause analysis

Why RTO must not be a wish

Recovery Time Objective (RTO) is the maximum acceptable downtime. This metric must be backed by tests — not assumptions. Typical RTOs by backup architecture:

| Architecture | Typical RTO (full restore) | Passed practical test? |
|---|---|---|
| Cloud backup | 12–72 hours (WAN-dependent) | Rarely tested |
| Hardware air gap (Silent Brick) | 4–8 hours | Testable quarterly |
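A demonstrated RTO is a number taken from restore-test records, not from a design document. The following check, added here as an example (not code from the article or from FAST LTA), turns a constructed set of test records into the evidence CON.3.A1 (RTO per system) and CON.3.A11 (regular, documented tests) ask for. The record layout, the tier assignments, the 8-hour and 24-hour targets and the 90-day test age are all assumptions; the 90 days again correspond to the quarterly tests the article recommends.

```python
from datetime import date, timedelta
from typing import Dict, List

# Constructed restore-test records (not real measurements), one per completed test.
TESTS = [
    {"system": "AD/DNS",      "date": date(2025, 1, 14), "restore_hours": 2.5},
    {"system": "ERP",         "date": date(2024, 10, 2), "restore_hours": 6.0},
    {"system": "ERP",         "date": date(2025, 1, 14), "restore_hours": 9.5},
    {"system": "File server", "date": date(2024, 9, 3),  "restore_hours": 20.0},
]
# Inventory with tier assignment (CON.3.A1: RTO per system); "Mail" has never been tested.
TIER = {"AD/DNS": "critical", "ERP": "critical", "File server": "standard", "Mail": "standard"}
RTO_TARGET_HOURS = {"critical": 8.0, "standard": 24.0}
TODAY = date(2025, 3, 1)


def latest_tests(tests: List[dict]) -> Dict[str, dict]:
    """Most recent test record per system."""
    latest: Dict[str, dict] = {}
    for t in tests:
        if t["system"] not in latest or t["date"] > latest[t["system"]]["date"]:
            latest[t["system"]] = t
    return latest


def assess_rto(tier: Dict[str, str], targets: Dict[str, float], tests: List[dict],
               today: date, max_age_days: int = 90) -> Dict[str, str]:
    """Classify each inventoried system as 'demonstrated' (recent test within target),
    'exceeds_target', 'stale' (last test older than max_age_days) or 'untested'."""
    latest = latest_tests(tests)
    status = {}
    for system, tier_name in tier.items():
        t = latest.get(system)
        if t is None:
            status[system] = "untested"
        elif today - t["date"] > timedelta(days=max_age_days):
            status[system] = "stale"
        elif t["restore_hours"] > targets[tier_name]:
            status[system] = "exceeds_target"
        else:
            status[system] = "demonstrated"
    return status


def demonstrated_tier_rto(tier: Dict[str, str], tests: List[dict]) -> Dict[str, float]:
    """Per tier, the slowest measured restore among its systems: a tier is recovered
    only when its slowest system is. Untested systems are excluded, so the figure
    is a lower bound, never an upper one."""
    latest = latest_tests(tests)
    rto: Dict[str, float] = {}
    for system, tier_name in tier.items():
        t = latest.get(system)
        if t is not None:
            rto[tier_name] = max(rto.get(tier_name, 0.0), t["restore_hours"])
    return rto


if __name__ == "__main__":
    for system, status in assess_rto(TIER, RTO_TARGET_HOURS, TESTS, TODAY).items():
        print(f"{system:12s} {TIER[system]:9s} {status}")
    for tier_name, hours in demonstrated_tier_rto(TIER, TESTS).items():
        print(f"tier {tier_name}: demonstrated RTO {hours} h (target {RTO_TARGET_HOURS[tier_name]} h)")
```

Two things the output shows that a single average would hide: the ERP system regressed from 6.0 to 9.5 hours between tests and now misses its 8-hour target, and the critical tier's demonstrated RTO is therefore 9.5 hours even though AD/DNS restores in 2.5. A system that has never been tested (Mail) contributes nothing to the tier figure, which is exactly why it must be flagged rather than silently omitted.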

8. Implementation: Step by step to protection

Your 8-step plan

| Step | Measure | Timeframe |
|---|---|---|
| 1 | Inventory: Document all backup systems, assess attack surfaces | 1 week |
| 2 | Define RTO/RPO: Document recovery targets per system | 1 week |
| 3 | Plan tier architecture: Which systems need air-gap protection? | 1 week |
| 4 | Select solution: Apply evaluation matrix, check compliance requirements | 2 weeks |
| 5 | Pilot implementation: Test representative workloads over 4 weeks | 4 weeks |
| 6 | Test recovery: Full restore test before go-live | 1 week |
| 7 | Documentation: Update BSI CON.3, create recovery runbook | 1 week |
| 8 | Operations: Monitoring, quarterly recovery tests, annual architecture reviews | Ongoing |

Avoiding the most common mistakes

  • Mistaking a logical air gap for a real one: Cloud is not an air gap — if an attacker with admin credentials can delete your backup, it is not protection.
  • Neglecting backup tests: A backup without a restore test is a hope system.
  • Not verifying RTO: Your RTO must be demonstrated through tests, not assumed.
  • Using the same credentials: Backup systems need their own, separate administrator accounts.

According to Bitkom 2024, a successful ransomware attack causes an average of EUR 5.3 million in damage — this figure is an estimate based on aggregated total damage data. Actual costs vary significantly by organization size, sector, and response speed. Sophos 2024 documents that 65% of victims needed more than a week for complete recovery.

Immutable storage protects data from modification or deletion through software policies. An air gap physically separates data from the network. The decisive difference: immutability policies can be overridden by an attacker with compromised administrator credentials. A physical air gap cannot — because the system has no network connection in its offline state.

No. Cloud backups are reachable via API credentials. An attacker who compromises your cloud IAM permissions can also delete cloud backups — including Object Lock-protected buckets, if MFA is not consistently enforced. Cloud backup is a useful supplementary protection layer, but it is not a substitute for a physical air gap.

BSI recommends in its ransomware recommendations and building block CON.3: offline backups (physically disconnected from the network), regular recovery tests, separate administrator accounts for backup systems, and network segmentation. For organizations with elevated protection requirements, CON.3.A14 explicitly requires physical separation of backup media.

For disk-based air-gap systems like the Silent Brick System, the typical RTO is 4–8 hours for a full restore. Older tape-based solutions typically require 24–96 hours. The difference lies in access speed: disks enable random access, tapes only sequential reading.

No. A system like the Silent Brick System integrates via standard interfaces (FC, iSCSI, NFS, SMB, S3) into your existing backup infrastructure. It works with all common backup solutions — Veeam, Commvault, Veritas NetBackup, IBM Spectrum Protect, and others.

An air gap protects your recovery capability — it prevents an attacker from destroying your backups. It does not directly protect against the data theft aspect of double extortion; for that, measures like network segmentation, data loss prevention, and encryption of sensitive data are needed. But the air gap ensures that after an attack you remain operationally capable — without having to pay a ransom.

Disclaimer

This article was written by our editorial team and edited using AI. It provides a general overview and does not constitute legal advice – we recommend seeking professional advice for your specific situation.