---
title: Why Cloud Backups Provide No Real Ransomware Protection
date: 2026-01-15T15:45:00+01:00
author: FAST LTA
canonical_url: "https://www.fast-lta.de//en/blog/warum-cloud-backups-keinen-echten-ransomware-schutz-bieten"
section: "Entries: Articles"
---
### Three Critical Vulnerabilities of Cloud Backups [\#](#three-critical-vulnerabilities-of-cloud-backups "Three Critical Vulnerabilities of Cloud Backups")

#### Vulnerability 1: IAM and API Key Compromise [\#](#vulnerability-1-iam-and-api-key-compromise "Vulnerability 1: IAM and API Key Compromise")

Cloud backups are authenticated via API credentials. These credentials are often:

**Stored locally:**

- In configuration files (credential files in user directories)
- In environment variables
- In source code (a frequent mistake)
- In the memory of a running backup process

**How ransomware proceeds:**

Once attackers have administrative rights on a system, harvesting cloud credentials is routine: searching the file system for key patterns, reading credential files, dumping environment variables. With stolen credentials, the malware connects to the cloud **with the same rights as the legitimate administrator** and issues a recursive delete on the backup bucket.

The backup is gone. From the provider’s perspective, a legitimate, authenticated user deleted it.

**Why cloud providers cannot help here:** They see valid API calls from a correctly authenticated principal that is authorised to delete. There is no reliable way to distinguish "administrator intentionally deleting" from "ransomware with stolen credentials."
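
The locations listed above are exactly what a defender should sweep before an attacker does. The following is an added example, not code from FAST LTA or from this article: a small Python scanner that walks a directory tree and an environment map for long-lived cloud credential material (the AWS access key ID format, secret-key assignments in credential files, Azure storage `AccountKey=` connection strings, PEM private keys). The patterns, the sample directory layout, and the key values in it (AWS's published documentation example key) are constructed for this example and are not real secrets.

```python
import os
import re
import tempfile
from pathlib import Path

# Patterns for credential material that backup agents commonly leave on disk.
# Constructed for this example; extend the dict for your own providers.
PATTERNS = {
    # AWS long-term (AKIA) and temporary (ASIA) access key IDs: 20 chars
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    # INI-style assignment in ~/.aws/credentials or pasted into a config file
    "aws_secret_key_assignment": re.compile(r"aws_secret_access_key\s*=\s*\S{40}", re.I),
    # Azure storage connection strings carry the account key in clear text
    "azure_storage_account_key": re.compile(r"AccountKey=[A-Za-z0-9+/]{20,}={0,2}"),
    # Service-account or client private keys (GCP JSON, TLS client certs)
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

# Environment variables that hand a backup process its cloud identity.
ENV_NAMES = (
    "AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN",
    "AZURE_STORAGE_KEY", "GOOGLE_APPLICATION_CREDENTIALS",
)


def scan_file(path, max_bytes=1_000_000):
    """Return (pattern_name, line_number) hits in one file; skip unreadable or binary files."""
    hits = []
    try:
        text = Path(path).read_bytes()[:max_bytes].decode("utf-8")
    except (OSError, UnicodeDecodeError):
        return hits
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((name, lineno))
    return hits


def scan_tree(root, environ=None):
    """Walk a directory tree and an environment mapping; return findings as dicts."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        for name, lineno in scan_file(path):
            findings.append({"where": str(path.relative_to(root)), "line": lineno, "kind": name})
    env = os.environ if environ is None else environ
    for var in ENV_NAMES:
        if env.get(var):
            findings.append({"where": f"env:{var}", "line": 0, "kind": "environment_variable"})
    return findings


def build_sample_tree():
    """Constructed sample imitating a backup host's home directory; all values are fake."""
    root = Path(tempfile.mkdtemp(prefix="credscan-"))
    (root / ".aws").mkdir()
    (root / ".aws" / "credentials").write_text(
        "[backup]\n"
        "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    )
    (root / "backup.conf").write_text(
        "target=s3://backups\n"
        "# Azure side copy, connection string pasted in by an admin\n"
        "azure=DefaultEndpointsProtocol=https;AccountName=acct;AccountKey=" + "A" * 44 + "==;\n"
    )
    (root / "notes.txt").write_text("nothing sensitive here\n")
    return root


def demo():
    """Scan the constructed tree plus a constructed environment (not the real one)."""
    fake_env = {"AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE", "PATH": "/usr/bin"}
    return scan_tree(build_sample_tree(), environ=fake_env)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:28} {f['where']}:{f['line']}")
```

Run it against the real home directory of each backup host (`scan_tree(Path.home())`) and against the process environment; every hit is a credential that ransomware with local admin rights can read with the same ease. The fix this section argues for is not a better scanner but short-lived credentials and a copy that no credential can delete.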

#### Vulnerability 2: Object Lock and Governance Mode [\#](#vulnerability-2-object-lock-and-governance-mode "Vulnerability 2: Object Lock and Governance Mode")

Object lock features (AWS S3 Object Lock, with comparable time-based immutability policies in Azure Blob Storage and Google Cloud Storage) appear to offer immutability. There is a catch, described here in the S3 terminology of governance and compliance mode; the other platforms draw an analogous line between a retention policy an administrator can still unlock and one that is locked for good.

**Governance mode:** Objects cannot be modified or deleted, **unless** the caller holds the bypass permission (`s3:BypassGovernanceRetention` in AWS) and explicitly asks to bypass. Administrators typically hold it for emergency scenarios. If admin credentials are compromised, the attacker shortens or removes the retention setting, or deletes the locked object version outright with the bypass flag set.

**Compliance mode:** This is stronger: no user, not even the account root, can delete a locked object version or shorten its retention while it is active. (A delete request without a version ID still succeeds, but it only places a delete marker on top; the locked version stays and remains restorable.) But:

1. **It requires strict policy discipline:** Retention in compliance mode can only be extended, never shortened, so the bucket default retention must be set correctly before the first backup object is written, and every object written outside that default must carry its own correct retention
2. **It does not protect against everything:** Attackers with account-level control can change lifecycle rules going forward, stop new backups, or in the worst case close the account that holds the data
3. **It is administratively rigid:** Genuinely needing to delete data early means waiting out the retention period

**The core problem:** Software-based protection is administered through the same logical plane the attacker is targeting. That is a design limitation of any purely remote, software-defined safeguard.
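
An added example (not from the article or from FAST LTA) of the two checks this section implies: is every backup bucket locked in compliance mode with a sensible default retention, and which principals could bypass governance retention? It evaluates offline a dict shaped like boto3's `get_object_lock_configuration` response and plain IAM policy documents; the bucket names, the 30-day floor, and the policies are constructed for the example. Resource scoping and conditions are deliberately ignored, which errs on the side of reporting.

```python
import fnmatch

BYPASS_ACTION = "s3:BypassGovernanceRetention"
MIN_RETENTION_DAYS = 30  # assumed policy floor for this example


def _as_list(value):
    """IAM documents allow a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def policy_grants_bypass(policy):
    """True if an IAM policy document lets the principal bypass governance retention.

    Conservative: an Allow that covers the action (directly, via 's3:*' or '*', or via
    a NotAction that does not list it) counts; only an unconditional Deny cancels it.
    """
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement")):
        if "Action" in stmt:
            hit = any(action_matches(a, BYPASS_ACTION) for a in _as_list(stmt["Action"]))
        else:  # NotAction: everything except the listed actions
            hit = not any(action_matches(a, BYPASS_ACTION) for a in _as_list(stmt.get("NotAction")))
        if not hit:
            continue
        if stmt.get("Effect") == "Allow":
            allowed = True
        elif stmt.get("Effect") == "Deny" and not stmt.get("Condition"):
            denied = True
    return allowed and not denied


def lock_findings(bucket, lock_config):
    """Findings for one bucket. lock_config is the GetObjectLockConfiguration response
    (boto3 raises for a bucket without Object Lock; pass {} for that case)."""
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return [f"{bucket}: Object Lock disabled; any principal allowed to delete can destroy the copy"]
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        return [f"{bucket}: no default retention; objects are locked only if every writer sets it per object"]
    findings = []
    mode = rule.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"{bucket}: default mode is {mode}; deletable by anyone holding {BYPASS_ACTION}")
    days = rule.get("Days", rule.get("Years", 0) * 365)
    if days < MIN_RETENTION_DAYS:
        findings.append(f"{bucket}: default retention {days} days is below the {MIN_RETENTION_DAYS}-day floor")
    return findings


def audit(buckets, principals):
    """buckets: {name: lock_config}; principals: {name: policy_document}."""
    bucket_findings = []
    for name, cfg in buckets.items():
        bucket_findings.extend(lock_findings(name, cfg))
    holders = sorted(name for name, doc in principals.items() if policy_grants_bypass(doc))
    return {"buckets": bucket_findings, "bypass_holders": holders}


# Constructed sample inventory: one governance bucket, one compliance bucket, one unlocked.
SAMPLE_BUCKETS = {
    "backups-prod": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                     "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}},
    "backups-archive": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}},
    "backups-scratch": {},
}
SAMPLE_PRINCIPALS = {
    "backup-writer": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "*"}]},
    "cloud-admin": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "break-glass": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": BYPASS_ACTION, "Resource": "arn:aws:s3:::backups-prod/*"}]},
    "auditor": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": BYPASS_ACTION, "Resource": "*"}]},
}


def demo():
    return audit(SAMPLE_BUCKETS, SAMPLE_PRINCIPALS)


if __name__ == "__main__":
    report = demo()
    print("\n".join(report["buckets"]))
    print("can bypass governance retention:", ", ".join(report["bypass_holders"]))
```

In practice the inputs come from `get_object_lock_configuration` per bucket and from the inline and attached policies of every user and role. The usual way the bypass right is held without anyone noticing is an `s3:*` or `*` allow on an administrator, which is why the check matches wildcards rather than only the literal action name; and even a clean report leaves the problem of this section in place, because the principal that runs the audit is administered through the same plane.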

#### Vulnerability 3: CLOUD Act and Jurisdiction [\#](#vulnerability-3-cloud-act-and-jurisdiction "Vulnerability 3: CLOUD Act and Jurisdiction")

A subtler but underestimated point. The US **CLOUD Act** obliges US providers to comply with valid US orders for data they hold, **even if the servers are physically located in Europe**.

**Example:** You store backups with a US provider in an EU data centre. The data is physically in Germany. The provider is a US company; a valid US order compels production of the data, regardless of the server location.

This is not an IT problem, it is a jurisdiction problem. For organisations with sensitive data (medical, financial, public sector), it is a compliance risk that cloud backups do not resolve.

---

### Why These Problems Are Hard to Solve [\#](#why-these-problems-are-hard-to-solve "Why These Problems Are Hard to Solve")

Cloud providers can reduce these gaps, but not eliminate them:

- **IAM security:** Helps only as long as admin credentials are not compromised, and advanced ransomware targets exactly those
- **Compliance mode:** Reduces flexibility and still operates within the attackable logical plane
- **Jurisdiction:** Unsolvable within a US provider’s cloud; only data outside its control is outside the reach of orders against it

---

### Cloud Backups as Supplement, Not Replacement [\#](#cloud-backups-as-supplement-not-replacement "Cloud Backups as Supplement, Not Replacement")

Cloud backups have real advantages:

- **Geographic redundancy:** An off-site copy without operating a second site
- **Simple provisioning:** Capacity on demand
- **Disaster recovery:** If your data centre burns down, an off-site copy enables recovery

**But they are not sufficient for ransomware resilience.** The last line of defence against ransomware cannot be a feature that is bypassable with administrative rights. The last line of defence must be **physical**.

---

### The Real Solution: Multi-Tier Backup [\#](#the-real-solution-multi-tier-backup "The Real Solution: Multi-Tier Backup")

Modern ransomware protection works in layers:

- **Layer 1, local and fast:** NAS or SAN for rapid restores (RTO in hours). Ransomware protection: moderate, because it is network-reachable
- **Layer 2, air gap:** On-premises secondary storage that is physically or galvanically isolated. With the Silent Brick System, Silent Brick Pro bricks are physically removable from the Controller X (physical air gap); Silent Brick Max Air isolates galvanically without removal. Ransomware protection: strong, because no network compromise reaches an isolated medium
- **Layer 3, geographic redundancy:** A cloud copy or second site for disaster scenarios. Ransomware protection: moderate, admin-bypassable; its job is geo-redundancy, not last-line defence

An attack can destroy layer 1. Layer 2 is isolated and survives. Layer 3 covers site loss. No single layer does all three jobs.

---

### Best Practice: Backup Strategy by System Criticality [\#](#best-practice-backup-strategy-by-system-criticality "Best Practice: Backup Strategy by System Criticality")

#### Critical Systems (Domain, ERP, Email) [\#](#critical-systems-domain-erp-email "Critical Systems (Domain, ERP, Email)")

- **Backup target:** On-premises with air gap (isolated, immutable copies)
- **Frequency:** Daily
- **Recovery test:** Monthly
- **Cloud copy:** Optional, as an additional disaster recovery layer

#### Non-Critical Systems (File Servers, Reporting Databases) [\#](#non-critical-systems-file-servers-reporting-databases "Non-Critical Systems (File Servers, Reporting Databases)")

- **Backup target:** On-premises NAS with snapshots as primary
- **Frequency:** Daily to weekly
- **Recovery test:** Quarterly
- **Cloud copy:** Optional supplement for off-site redundancy

In both cases the principle holds: the primary backup and the restore path stay on-premises; cloud is an additional layer where geo-redundancy justifies it.

---

### Frequently Asked Questions [\#](#frequently-asked-questions "Frequently Asked Questions")

**Can I back up only to the cloud?** Technically yes, but not advisable for critical data. Cloud alone provides no layer that survives compromised administrative credentials, and recovery speed depends on internet bandwidth and egress budgets. Use cloud as an additional layer, not as the foundation.

**Should I use compliance mode object lock?** Yes, if you keep cloud copies, harden them as far as the platform allows. But treat it as hardening of a supplementary layer, not as a substitute for a physically isolated copy.

**What about multi-cloud backups?** Copies at two cloud providers protect against the failure of one provider. They do not protect against ransomware that harvests your credentials, because your environment holds credentials for both. It helps, but it is not the missing layer.

**Is a local air gap backup enough on its own?** It is the strongest single layer against ransomware, but it does not cover site loss (fire, flood). Combine it with a geographically separate copy.

---

### Further Resources [\#](#further-resources "Further Resources")

- [How Ransomware Destroys Backups: Technical Analysis](/en/blog/wie-ransomware-backups-zerstoert/)
- [Logical vs. Physical Air Gap: The Difference](/en/blog/logischer-vs-physischer-air-gap/)
- [Hardware Air Gap: Comparison for IT Decision-Makers](/en/blog/hardware-air-gap-vergleich/)
- [Silent Brick System: On-Premises Backup with Air Gap](/en/produkte/silent-brick-system/)
- [Request a Demo](/en/kontakt/demo/)

### Ransomware

Ransomware is malware that encrypts data on infected systems and demands a ransom for decryption — with the goal of forcing organizations and public bodies to pay by paralyzing their operations.

[Learn more →](https://www.fast-lta.de//en/glossary/ransomware)

### Air Gap

An air gap is the complete physical interruption of all network connections between a backup system and the rest of the IT infrastructure, so that the system has no addressable network interface in its offline state and is therefore unreachable by ransomware and attackers.

[Learn more →](https://www.fast-lta.de//en/glossary/air-gap)

