---
title: Ransomware Protection
date: 2026-04-23T15:13:00+02:00
author: Hannes Heckel
canonical_url: "https://www.fast-lta.de//en/blog/ransomware-protection"
section: Pillar Pages
---
- [1. What is ransomware](#1-what-is-ransomware)
- [2. How ransomware attacks your backups](#2-how-ransomware-attacks-your-backups)
- [3. Backup strategies in the ransomware context](#3-backup-strategies-in-the-ransomware-context)
- [4. Air gap: The only physical protection](#4-air-gap-the-only-physical-protection)
- [5. BSI recommendations and regulatory requirements](#5-bsi-recommendations-and-regulatory-requirements)
- [6. Critical infrastructure and NIS2](#6-critical-infrastructure-and-nis2)
- [7. Ransomware recovery](#7-ransomware-recovery)
- [8. Implementation: Step by step to protection](#8-implementation-step-by-step-to-protection)
- [9. Frequently asked questions](#9-frequently-asked-questions)
### 1. What is ransomware — and why is endpoint protection not enough?

Ransomware is malware that encrypts data and demands a ransom for decryption. What started as simple extortion trojans — CryptoLocker (2013), WannaCry (2017) — has evolved into a highly professionalized industry: Ransomware-as-a-Service (RaaS), where specialized groups rent attack tools and take a cut of the ransom.

#### Why endpoint protection alone is not enough

Endpoint Detection and Response (EDR), firewalls, and intrusion detection systems are necessary protection layers, but they address prevention and detection of the intrusion itself, not recovery once it has succeeded. No preventive measure provides 100% protection. According to the Veeam Data Protection Trends Report, 76% of surveyed organizations were victims of at least one ransomware attack, despite having protection measures in place.

The decisive question is not: *Can I prevent an attack?* But: *Can I recover after a successful attack?*

And that is precisely where the real problem begins.

#### The cost of a ransomware attack

| Cost item | Average value | Source |
|---|---|---|
| Total damage per attack | EUR 5.3m | Bitkom 2024 (estimate) |
| Downtime until recovery | Weeks to months | Sophos State of Ransomware 2024 |
| Share of victims who pay the ransom | 56% | Sophos State of Ransomware 2024 |
| Data recovery after payment | Often incomplete | Sophos State of Ransomware 2024 |

The numbers show: paying is not a strategy. Recovery is often incomplete. The only reliable strategy is the ability to restore systems and data independently, from a backup the attacker could not reach.

### Ransomware-as-a-Service

Ransomware-as-a-Service (RaaS) is a business model of organized cybercrime in which specialized groups rent out ransomware tools as a service and receive a share of the extorted ransom — responsible for professionalized large-scale attacks on organizations, public bodies and critical infrastructure.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware-as-a-service)

### Ransomware

Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware)

### Disaster Recovery

Disaster recovery refers to the structured processes and technical measures that ensure IT systems can be restored within defined timeframes (RTO) with maximum data loss (RPO) after a severe failure — ransomware attack, hardware failure or data center outage.

[Learn more →](https://www.fast-lta.de//en/glossary/disaster-recovery)

### 2. How ransomware attacks your backups

Modern ransomware campaigns follow a methodical sequence designed specifically to destroy your recovery capability. Since 2018, Big Game Hunting campaigns have dominated: professional groups like LockBit, BlackCat/ALPHV, and Cl0p that systematically target large organizations.

#### The typical attack sequence

**Phase 1 — Initial access (Day 0)** Phishing emails, compromised VPN credentials, or unpatched publicly accessible systems provide the first foothold. The foothold is not exploited immediately: attackers wait and observe.

**Phase 2 — Reconnaissance and lateral movement (Days 1 – 21)** Attackers often remain undetected in networks for weeks, sometimes months. They move methodically through your network, escalate permissions, steal domain administrator credentials, and map the entire infrastructure — **including all backup systems**. This step is decisive: attackers identify every backup repository, every snapshot store, every cloud connection.

**Phase 3 — Backup destruction (before encryption)** Only once the full picture is complete do attackers act:

- Backup databases are deleted
- Snapshots are removed
- Backup agents are uninstalled
- Shadow copies are destroyed
- Cloud backup credentials are used to delete off-site copies

**Phase 4 — Encryption and extortion** With backups destroyed, the victim faces a binary choice: pay or total loss.
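
The Phase 3 commands above (shadow-copy deletion, catalog deletion, recovery tampering) are noisy on the endpoint, and several of them from one account within minutes is the last warning before Phase 4. The following is an added example, not code from this page or from FAST LTA: a small Python detector over constructed process-creation events (the log format, host names, user names and the exact rule set are assumptions for illustration), with a burst rule that groups distinct hits per user inside a five-minute window.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed process-creation events (not real telemetry), one per line:
# "<timestamp> host=<host> user=<user> cmd=<command line>".
SAMPLE_EVENTS = """\
2026-04-20T02:14:07Z host=FS01 user=CORP\\svc_backup cmd=C:\\Windows\\System32\\vssadmin.exe list shadows
2026-04-20T02:15:31Z host=FS01 user=CORP\\jdoe cmd=vssadmin.exe Delete Shadows /All /Quiet
2026-04-20T02:15:32Z host=FS01 user=CORP\\jdoe cmd=wbadmin.exe delete catalog -quiet
2026-04-20T02:15:40Z host=FS01 user=CORP\\jdoe cmd=bcdedit.exe /set {default} recoveryenabled No
2026-04-20T02:16:02Z host=DC01 user=CORP\\jdoe cmd=powershell.exe -nop -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"
2026-04-20T02:16:10Z host=DC01 user=CORP\\jdoe cmd=wmic.exe shadowcopy delete
2026-04-20T03:00:00Z host=APP02 user=CORP\\svc_backup cmd=C:\\Program Files\\Backup\\agent.exe --run-job nightly
"""

# (rule name, MITRE ATT&CK technique, pattern over the command line). T1490 is "Inhibit System
# Recovery": shadow-copy and catalog deletion, and disabling Windows boot recovery.
RULES = [
    ("vssadmin_delete_shadows",  "T1490", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wbadmin_delete_catalog",   "T1490", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)", re.I)),
    ("wmic_shadowcopy_delete",   "T1490", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery", "T1490", re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wmi_shadowcopy_delete_ps", "T1490", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
]

EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    rule: str
    technique: str
    command: str


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_backup_destruction(events_text):
    """Return one Alert per event whose command line matches a backup-destruction rule."""
    alerts = []
    for line in events_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        for name, technique, pattern in RULES:
            if pattern.search(ev["cmd"]):
                alerts.append(Alert(ev["ts"], ev["host"], ev["user"], name, technique, ev["cmd"]))
                break
    return alerts


def phase3_bursts(alerts, window_seconds=300, min_distinct_rules=2):
    """Return {user: sorted rule names} for users who trigger at least `min_distinct_rules`
    different rules within `window_seconds`; such a burst is Phase 3 in progress."""
    by_user = {}
    for a in alerts:
        by_user.setdefault(a.user, []).append(a)
    bursts = {}
    for user, items in by_user.items():
        items.sort(key=lambda a: parse_ts(a.timestamp))
        for i, first in enumerate(items):
            deadline = parse_ts(first.timestamp) + timedelta(seconds=window_seconds)
            rules = {a.rule for a in items[i:] if parse_ts(a.timestamp) <= deadline}
            if len(rules) >= min_distinct_rules:
                bursts[user] = sorted(rules)
                break
    return bursts


if __name__ == "__main__":
    found = detect_backup_destruction(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user} {a.rule} ({a.technique}): {a.command}")
    for user, rules in phase3_bursts(found).items():
        print(f"BURST by {user}: {len(rules)} distinct backup-destruction techniques within 5 minutes")
```

Single hits are routine in some environments (`vssadmin delete shadows` is run by legitimate cleanup jobs), which is why the burst rule, not the individual match, is what should page someone; the service account's `vssadmin list shadows` and the backup agent's own job correctly produce nothing.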

#### Why your current backup is at risk

The critical question for every IT organization: **Can an attacker with compromised administrator credentials destroy your backup?**

If your backups are reachable via the same Active Directory, the same network segments, or the same cloud credentials as your production environment — then the answer is: yes.

| Backup type | Reachable with admin credentials? | Ransomware protection |
|---|---|---|
| NAS/SAN (network-connected) | Yes, via SMB/NFS | None |
| Cloud backup (S3, Azure Blob) | Yes, via IAM/API keys | Low (Object Lock in governance mode can be bypassed by a principal with the bypass permission; compliance mode holds only for the retention period configured before the compromise) |
| Snapshot immutability | Yes, an admin can change the policies | Low |
| **Hardware air gap** | **No, physically not addressable** | **Very high** |
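
One concrete way to answer the question for a cloud copy is to read the IAM policy of the identity that writes the backups and look for permissions that delete objects or weaken Object Lock. The Python screening check below is an added example and not FAST LTA's code; the bucket name, the three policies and the action list are constructed for illustration, and the evaluation is deliberately simplified (explicit Deny statements, Condition blocks, SCPs, permission boundaries and the bucket policy are not considered, so a clean result is a necessary, not a sufficient, condition).

```python
from fnmatch import fnmatchcase

# S3 actions that let a principal delete backup data or weaken Object Lock on it, with the
# resource level each action applies to (bucket ARN vs. object ARN) and why it matters.
DESTRUCTIVE_ACTIONS = {
    "s3:DeleteObject":                     ("object", "delete current object versions"),
    "s3:DeleteObjectVersion":              ("object", "delete noncurrent versions where no lock applies"),
    "s3:BypassGovernanceRetention":        ("object", "override governance-mode retention"),
    "s3:PutObjectRetention":               ("object", "rewrite per-object retention (shortening governance retention also needs bypass)"),
    "s3:PutObjectLegalHold":               ("object", "remove legal holds"),
    "s3:PutBucketObjectLockConfiguration": ("bucket", "change the bucket's default retention for new writes"),
    "s3:PutLifecycleConfiguration":        ("bucket", "expire unlocked versions via lifecycle rules"),
    "s3:DeleteBucket":                     ("bucket", "delete the bucket outright"),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, name):
    # IAM action and resource matching is case-insensitive and supports '*' and '?' wildcards.
    return fnmatchcase(name.lower(), pattern.lower())


def find_destructive_grants(policy, bucket_arn):
    """Return [(action, resource_pattern, reason)] for every Allow statement in an identity
    policy that grants a destructive action on the backup bucket or its objects."""
    # A representative object key stands in for "any object in the bucket".
    targets = {"bucket": bucket_arn, "object": f"{bucket_arn}/sample-object"}
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # Allow + NotAction grants everything that is not listed
            excluded = _as_list(stmt["NotAction"])
            granted = [a for a in DESTRUCTIVE_ACTIONS if not any(_matches(p, a) for p in excluded)]
        else:
            allowed = _as_list(stmt.get("Action", []))
            granted = [a for a in DESTRUCTIVE_ACTIONS if any(_matches(p, a) for p in allowed)]
        # NotResource is treated conservatively as covering the backup bucket.
        resources = ["*"] if "NotResource" in stmt else _as_list(stmt.get("Resource", []))
        for action in granted:
            level, reason = DESTRUCTIVE_ACTIONS[action]
            for res in resources:
                if _matches(res, targets[level]):
                    findings.append((action, res, reason))
                    break
    return findings


BACKUP_BUCKET = "arn:aws:s3:::corp-backups"  # constructed example bucket

# Constructed policy 1: the usual "backup service account" policy that makes Object Lock moot.
POLICY_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Constructed policy 2: looks like write-only, but Put* also covers retention and legal-hold changes.
POLICY_PUT_WILDCARD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:Put*", "s3:ListBucket"],
     "Resource": [BACKUP_BUCKET, BACKUP_BUCKET + "/*"]}]}

# Constructed policy 3: write and read on the backup bucket, delete rights only on a scratch bucket.
POLICY_LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:GetObjectRetention", "s3:ListBucket"],
     "Resource": [BACKUP_BUCKET, BACKUP_BUCKET + "/*"]},
    {"Effect": "Allow", "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::corp-scratch/*"}]}


def report(name, policy):
    findings = find_destructive_grants(policy, BACKUP_BUCKET)
    print(f"{name}: {len(findings)} destructive grant(s)")
    for action, res, reason in findings:
        print(f"  {action} on {res}: {reason}")
    return findings


if __name__ == "__main__":
    for name, pol in [("broad", POLICY_BROAD), ("put-wildcard", POLICY_PUT_WILDCARD),
                      ("least-privilege", POLICY_LEAST_PRIVILEGE)]:
        report(name, pol)
```

Even the least-privilege policy only protects what Object Lock itself holds: the identity can still overwrite nothing and delete nothing, but an attacker holding it can stop new backups from landing, so the age of the newest locked version has to be monitored from a separate, read-only identity.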

Infographic: Ransomware attack progression. How professional attackers systematically destroy your backup infrastructure. Big Game Hunting groups such as LockBit and BlackCat destroy backups *before* encryption, the decisive difference from early attacks.

- Phase 1, initial access (day 0): phishing e-mail, compromised VPN, unpatched systems, weak credentials
- Phase 2, reconnaissance and spread (days 1–21): credential theft, domain admin escalated, network mapped, backups identified
- Phase 3, backup destruction (before encryption): backup DBs deleted, shadow copies removed, cloud backups deleted, agents uninstalled
- Phase 4, encryption and extortion (hour X): all data encrypted, ransom demand, backups destroyed, pay or outage

Air-gap backups survive Phase 3 because they are physically not addressable: a hardware air gap has no active network connection during Phase 3, so no compromised admin credential can reach the system, and the backup remains intact regardless of the scale of the attack.

Sources: Sophos State of Ransomware 2024, Bitkom Wirtschaftsschutz 2024, BSI Lagebericht

### 3. Backup strategies in the ransomware context

#### The 3−2−1 rule — and why it is no longer sufficient

The 3−2−1 rule was the gold standard for decades: three copies, two media types, one off-site location. The problem: all three copies can be network-reachable, including the off-site one when it is a replication target or a cloud bucket addressed with the same credentials. An attacker with domain administrator rights destroys them within hours.

#### The extension: 3−2−1−1−0

Security architects and BSI (German Federal Office for Information Security) recommend extending the rule with two critical elements:

- **+1 (offline/air-gapped):** At least one copy must be physically separated from the network — not just logically isolated, not just protected by a firewall, but physically not addressable.
- **+0 (zero errors after verification):** Backups must be regularly checked for recoverability. A backup without a verified restore is not a backup — it is a hope.

#### Backup isolation comparison

| Method | Real ransomware protection | RTO | Automation | Compliance suitability |
|---|---|---|---|---|
| Online backup (NAS/cloud) | No | < 1 hour | High | Insufficient |
| Snapshot immutability | Low | < 1 hour | High | Conditional |
| Object Lock / Cloud WORM | Medium | Medium | High | Conditional |
| **Hardware air gap** | **Very high** | **4 – 8 hours** | **High** | **Yes** |

The table shows: real ransomware protection requires physical isolation. The only remaining question is whether that isolation is automated (hardware air gap) or manual and slow (media that an operator physically removes and stores off-site, such as rotated tapes).

### Air Gap

An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.

[Learn more →](https://www.fast-lta.de//en/glossary/air-gap)

![Rtorpo | FAST LTA](https://fast-lta.transforms.svdcdn.com/production/images/rtorpo.jpg?w=960&q=80&auto=format%2Cavif&fit=crop&dm=1777386177&s=8c345efdd59b581f615720e16b786b0d)

### 4. Air gap: The only physical protection

#### What a real air gap is

The term “air gap” is used loosely. Cloud providers market Object Lock as a “virtual air gap”; backup software vendors label network segmentation a “logical air gap.” Neither is an air gap.

**Definition:** An air gap is the physical interruption of the network connection between a backup system and the rest of the IT infrastructure — such that the system has no addressable network interface in its offline state.

**The three requirements for a real air gap:**

1. **No active network connection after backup.** The system must be physically disconnected from the network after the backup window.
2. **No addressable network interface in the offline state.** A system with an IP address behind a firewall has no air gap — it is segmented.
3. **Hardware-enforced, not software-controlled.** The separation must occur through physical mechanisms that cannot be reversed by a compromised system.

#### How an automated hardware air gap works

1. **Backup window opens:** The backup software addresses the air-gap system via standard interfaces (FC, iSCSI, NFS, SMB, S3)
2. **Data is written:** Backup job runs like any other backup target
3. **Hardware separation:** After the write operation completes, an integrated hardware controller physically disconnects the network connection — automatically, without manual intervention
4. **Offline state:** The system is unreachable. No IP address, no network interface, no attack vector
5. **Next backup window:** The system automatically re-establishes the connection

This cycle runs fully automatically — no manual process, no risk of human error.
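
The property that matters in step 4 can be verified after the fact from the connection log an air-gap controller records: every online interval must start inside a scheduled window and end before it closes, and nothing may still be online once no window is open. The Python audit below is an added example and not FAST LTA's or the Silent Brick System's code; the log format, the 22:00 UTC four-hour window and the sample entries are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed controller log (hypothetical format, not a vendor's): one line per state change,
# "<ISO-8601 UTC timestamp> CONNECT|DISCONNECT".
SAMPLE_LOG = """\
2026-04-20T22:00:03Z CONNECT
2026-04-21T01:12:44Z DISCONNECT
2026-04-21T22:00:02Z CONNECT
2026-04-22T03:40:10Z DISCONNECT
2026-04-22T14:05:00Z CONNECT
2026-04-22T14:06:30Z DISCONNECT
2026-04-22T22:00:05Z CONNECT
"""

# Assumed schedule: the target may be online from 22:00 UTC for at most four hours.
WINDOW_START = time(22, 0)
WINDOW_LENGTH = timedelta(hours=4)

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Finding:
    start: datetime
    end: datetime          # for an interval that is still open this is the audit time
    still_online: bool
    status: str            # "ok", "overrun" (closed after the window) or "unscheduled" (opened outside one)
    online_seconds: int


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, state = line.split()
        events.append((datetime.strptime(ts, TS_FORMAT), state))
    return events


def online_intervals(events):
    """Pair CONNECT/DISCONNECT events in order; an unterminated CONNECT yields (start, None)."""
    intervals, start = [], None
    for ts, state in events:
        if state == "CONNECT":
            if start is not None:          # CONNECT with no DISCONNECT in between
                intervals.append((start, None))
            start = ts
        elif state == "DISCONNECT" and start is not None:
            intervals.append((start, ts))
            start = None
    if start is not None:
        intervals.append((start, None))
    return intervals


def scheduled_window(ts):
    """The scheduled window that started most recently at or before ts."""
    w_start = datetime.combine(ts.date(), WINDOW_START)
    if w_start > ts:
        w_start -= timedelta(days=1)
    return w_start, w_start + WINDOW_LENGTH


def audit(events, now):
    findings = []
    for start, end in online_intervals(events):
        w_start, w_end = scheduled_window(start)
        effective_end = end if end is not None else now
        if start > w_end:
            status = "unscheduled"
        elif effective_end > w_end:
            status = "overrun"
        else:
            status = "ok"
        findings.append(Finding(start, effective_end, end is None, status,
                                int((effective_end - start).total_seconds())))
    return findings


def audit_text(text, now_iso):
    """Convenience wrapper: audit a raw log against an ISO-8601 UTC timestamp taken as 'now'."""
    return audit(parse_log(text), datetime.strptime(now_iso, TS_FORMAT))


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_text(SAMPLE_LOG, "2026-04-23T05:00:00Z")
    for f in results:
        flag = "  STILL ONLINE" if f.still_online else ""
        print(f"{f.start:%Y-%m-%d %H:%M:%S}  {f.status:<11} {f.online_seconds:>6}s{flag}")
    print(summarize(results))
```

In the sample, the second night overran the window by more than an hour (a backup job that grew), the 14:05 interval is a 90-second connection nobody scheduled, and the last CONNECT has no matching DISCONNECT at audit time, which is exactly the state in which the copy is reachable. Each of those is a ticket, and the controller log, not the backup software's job history, is the evidence to file with it.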

#### FAST LTA Silent Brick System: Hardware air gap in practice

The Silent Brick System implements this automated hardware air gap:

- **Physical network separation** through an integrated hardware controller, independent of the host operating system
- **Disk-based:** Recovery speed in hours, not days
- **Compatible** with all common backup solutions: Veeam, Commvault, Veritas, IBM Spectrum Protect
- **Audit-proof logging** of all connection times — for compliance documentation
- **Made in Germany:** Development and manufacturing in Munich

→ [More about the Silent Brick System](/en/products/silent-brick-system/) → [Schedule a demo](/en/contact/backup/)

### Immutable Storage

Immutable storage refers to storage technologies that protect stored data from subsequent alteration or deletion — where the decisive difference lies in whether this protection is enforced at the hardware level (cannot be circumvented) or at the software level (can be circumvented by administrators with sufficient rights).

[Learn more →](https://www.fast-lta.de//en/glossary/immutable-storage)

### 5. BSI recommendations and regulatory requirements

#### BSI IT-Grundschutz CON.3: Data backup concept

The BSI (German Federal Office for Information Security) IT-Grundschutz Compendium defines binding requirements for data backup in building block CON.3. The requirements most relevant for ransomware protection:

| BSI CON.3 requirement | What it requires | Implementation with air gap |
|---|---|---|
| **CON.3.A1**: Identify influencing factors | Document RTO/RPO per system | Tier definitions with concrete time targets |
| **CON.3.A10**: Specially protected data | Separate backup with enhanced measures | Dedicated air-gap layer for critical systems |
| **CON.3.A11**: Regular tests | Conduct and document recovery tests | Quarterly recovery tests |
| **CON.3.A14**: Protection with elevated requirements | Physical separation of backup media | Hardware air gap as a dedicated tier |

#### BSI recommendations on ransomware

BSI has explicitly named the following measures in its ransomware protection recommendations:

- **Offline backups:** Backup copies that are not reachable via the network
- **Regular recovery tests:** Demonstrate that a restore actually works
- **Separate administrator accounts:** Do not manage backup systems with production credentials
- **Network segmentation:** Operate backup infrastructure in dedicated VLANs

These recommendations align with the air-gap architecture: physical isolation, separate credentials, demonstrated recoverability.

### BSI IT-Grundschutz

The BSI IT-Grundschutz is a framework developed by the German Federal Office for Information Security (BSI) with standardized security requirements for IT systems — for KRITIS operators, NIS2-affected organizations and public authorities, it is the central reference for demonstrable IT security measures.

[Learn more →](https://www.fast-lta.de//en/glossary/bsi-it-grundschutz)

### 6. Critical infrastructure and NIS2: Obligations for affected organizations

#### NIS2 Directive: New backup obligations since 2024

The NIS2 Directive (Directive (EU) 2022/2555), transposed in Germany through the NIS2 transposition law (NIS2UmsuCG), obligates essential and important entities to concrete measures in the area of business continuity. §30 of the amended BSIG requires:

- **Backup management and recovery:** Documented strategies and procedures
- **Crisis management:** Plans for handling ransomware incidents
- **Supply chain security:** Assessment of backup software and hardware vendors
- **Vulnerability management:** Include backup systems in vulnerability management

#### Who is affected?

- **Essential entities:** Energy, transport, banking, healthcare, drinking water, digital infrastructure, public administration
- **Important entities:** Postal services, waste management, chemicals, food, manufacturing, research
- **Size threshold:** From 50 employees OR an annual turnover and balance sheet total above EUR 10m each; for certain sectors regardless of size

#### Fine framework

| Category | Maximum fine |
|---|---|
| Essential entities | EUR 10m or 2% of global annual revenue, whichever is higher |
| Important entities | EUR 7m or 1.4% of global annual revenue, whichever is higher |
| **Personal liability** | Management is personally liable for implementation |

#### What NIS2 means for your backup architecture

NIS2 makes a resilient backup architecture a legal obligation. Organizations that cannot demonstrate a functioning backup and recovery strategy risk fines — and in a real incident, personal liability for management.

### 7. Ransomware recovery: What counts in a real incident

#### The first 72 hours after an attack

When ransomware strikes, the first hours determine the damage outcome. The worst-case scenario: you discover that your backups have also been compromised.

**Recovery sequence with air-gap backup:**

1. **Hours 0 – 4: Damage containment**
   - Isolate infected systems from the network
   - Map the extent of the attack
   - Activate the incident response team
2. **Hours 4 – 8: Backup verification**
   - Check the air-gap backup system and verify data integrity; bring it online only into an isolated, clean recovery network, never into the still-compromised production network
   - Identify the last clean recovery point (the attacker's dwell time can predate the encryption event by weeks, so check the chosen point against the intrusion timeline, not just against the encryption date)
   - Determine the recovery sequence (critical systems first)
3. **Hours 8 – 24: Recovery of critical systems**
   - Restore Active Directory and DNS
   - Bring up critical business applications
   - Restore communication systems
4. **Days 2 – 7: Full recovery**
   - Restore all systems in stages
   - Verify data integrity
   - Begin root cause analysis
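
The "verify data integrity" steps above, and the "+0" of the 3−2−1−1−0 rule in section 3, both need an integrity reference the attacker could not touch: a manifest of file hashes recorded at backup time and stored with the air-gapped copy, so that a restore is checked against what was backed up rather than against whatever is on the restored disk. The Python below is an added example, not this page's or FAST LTA's code; it builds such a manifest, compares a restored tree against it, and runs a constructed scenario with one faithful restore and one damaged restore (file names and contents are invented).

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (path relative to root, POSIX form) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): _sha256(p) for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest recorded at backup time.
    Empty lists in all three categories mean the restore matches the backup exactly."""
    actual = build_manifest(restored_root)
    return {
        "missing":  sorted(p for p in manifest if p not in actual),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra":    sorted(p for p in actual if p not in manifest),
    }


def is_clean(result):
    return not (result["missing"] or result["modified"] or result["extra"])


def demo():
    """Constructed scenario: back up a small tree, then check a faithful and a damaged restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        files = {  # constructed sample content
            "db/ledger.sql":     b"CREATE TABLE ledger (id INT);\n",
            "docs/contract.pdf": b"%PDF-1.7 constructed sample\n",
            "etc/app.conf":      b"mode=production\n",
        }
        for rel, data in files.items():
            p = src / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        manifest = build_manifest(src)  # in practice: written to the air-gapped copy with the data

        good = Path(tmp, "restore_good")
        shutil.copytree(src, good)
        good_result = verify_restore(manifest, good)

        bad = Path(tmp, "restore_bad")
        shutil.copytree(src, bad)
        (bad / "db/ledger.sql").unlink()                                # never came back
        (bad / "etc/app.conf").write_bytes(b"mode=debug\n")             # same name, different content
        (bad / "README_DECRYPT.txt").write_bytes(b"constructed ransom note")  # attacker artefact restored too
        bad_result = verify_restore(manifest, bad)
    return good_result, bad_result


if __name__ == "__main__":
    good, bad = demo()
    print("faithful restore clean:", is_clean(good))
    print("damaged restore:", bad)
```

The "extra" category is the one teams forget: a restore that brings back a ransom note or a planted binary alongside the data is not clean, and it is the manifest, not the backup software's success message, that reveals it.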

#### Why RTO must not be a wish

Recovery Time Objective (RTO) is the maximum acceptable downtime. This metric must be backed by tests — not assumptions. Typical RTOs by backup architecture:

| Architecture | Typical RTO (full restore) | Passed practical test? |
|---|---|---|
| Cloud backup | 12 – 72 hours (WAN-dependent) | Rarely tested |
| **Hardware air gap (Silent Brick)** | **4 – 8 hours** | **Testable quarterly** |

### RTO / RPO

RTO (Recovery Time Objective) is the maximum acceptable downtime after an IT failure; RPO (Recovery Point Objective) is the maximum acceptable data loss — both are metrics that must be technically demonstrably met in backup architectures and must not merely be defined as aspirational targets.

[Learn more →](https://www.fast-lta.de//en/glossary/rto-rpo)

### 8. Implementation: Step by step to protection

#### Your 8‑step plan

| Step | Measure | Timeframe |
|---|---|---|
| 1 | **Inventory:** Document all backup systems, assess attack surfaces | 1 week |
| 2 | **Define RTO/RPO:** Document recovery targets per system | 1 week |
| 3 | **Plan tier architecture:** Which systems need air-gap protection? | 1 week |
| 4 | **Select solution:** Apply evaluation matrix, check compliance requirements | 2 weeks |
| 5 | **Pilot implementation:** Test representative workloads over 4 weeks | 4 weeks |
| 6 | **Test recovery:** Full restore test before go-live | 1 week |
| 7 | **Documentation:** Update BSI CON.3, create recovery runbook | 1 week |
| 8 | **Operations:** Monitoring, quarterly recovery tests, annual architecture reviews | Ongoing |

#### Avoiding the most common mistakes

- **Mistaking a logical air gap for a real one:** Cloud WORM is not an air gap — if an attacker with admin credentials can delete your backup, it is not protection.
- **Neglecting backup tests:** A backup without a restore test is a hope system.
- **Not verifying RTO:** Your RTO must be demonstrated through tests, not assumed.
- **Using the same credentials:** Backup systems need their own, separate administrator accounts.

### WORM

WORM (Write Once, Read Many) refers to a storage principle in which data is written once and can technically no longer be altered or deleted — in hardware WORM, this immutability is a physical property of the storage controller, independent of software, operating system or user privileges.

[Learn more →](https://www.fast-lta.de//en/glossary/worm)

### 9. Frequently asked questions

#### What does a ransomware attack cost an organization?

According to Bitkom 2024, a successful ransomware attack causes an average of EUR 5.3 million in damage — this figure is an estimate based on aggregated total damage data. Actual costs vary significantly by organization size, sector, and response speed. Sophos 2024 documents that 65% of victims needed more than a week for complete recovery.

#### What is the difference between an air gap and immutable storage?

Software-enforced immutable storage protects data from modification or deletion through policies that the storage system itself can be instructed to change. An air gap physically separates the data from the network. The decisive difference: immutability policies can be overridden by an attacker with compromised administrator credentials, or simply outlived, since every retention period is finite. A physical air gap cannot be overridden this way, because the system has no network connection in its offline state.

#### Is a cloud backup sufficient as ransomware protection?

No. Cloud backups are reachable via API credentials. An attacker who compromises your cloud IAM permissions can also delete cloud backups. Object Lock narrows this only partly: in governance mode, any principal holding the s3:BypassGovernanceRetention permission can remove locked versions, and in compliance mode the data survives only for the retention period that was configured before the compromise, while the same credentials can still change the default retention for new writes or simply stop new backups from being written at all. Cloud backup is a useful supplementary protection layer, but it is not a substitute for a physical air gap.


#### What does BSI specifically require for backup protection against ransomware?

BSI recommends in its ransomware recommendations and IT-Grundschutz building block CON.3: offline backups (physically disconnected from the network), regular recovery tests, separate administrator accounts for backup systems, and network segmentation. For organizations with elevated protection requirements, CON.3.A14 explicitly requires physical separation of backup media.


#### How long does recovery from an air-gap backup take?

For disk-based air-gap systems like the Silent Brick System, the typical Recovery Time Objective is 4-8 hours for full system recovery. Older tape-based solutions typically require 24-96 hours. The difference lies in access speed: disks enable random access, tapes only sequential reading.


#### Do I need to change my existing backup software?

No. A hardware air gap system like the Silent Brick System integrates via standard interfaces (FC, iSCSI, NFS, SMB, S3) into your existing backup infrastructure. It works with all common backup solutions — Veeam, Commvault, Veritas NetBackup, IBM Spectrum Protect, and others.


#### How does an air gap protect against double extortion (data theft + encryption)?

An air gap protects your recovery capability — it prevents an attacker from destroying your backups. It does not directly protect against the data theft aspect of double extortion; for that, measures like network segmentation, data loss prevention, and encryption of sensitive data are needed. But the air gap ensures that after an attack you remain operationally capable — without having to pay a ransom.
