Ransomware has become the single most destructive cyber threat facing UK businesses. The NCSC (National Cyber Security Centre) has repeatedly warned that ransomware attacks are increasing in both frequency and sophistication, targeting organisations of every size across every sector. According to the UK Government's Cyber Security Breaches Survey, ransomware now accounts for a significant proportion of the most disruptive cyber incidents reported by British businesses.
What makes modern ransomware particularly devastating is its evolving tactics. Today's ransomware does not simply encrypt your live data and demand payment. Sophisticated attacks now specifically target backup systems, deleting or encrypting backup files before activating the ransomware on production systems. The attackers understand that if they can destroy your backups alongside your live data, you have no choice but to pay the ransom — or lose everything.
Immutable backups are the technology response to this threat. By creating backup copies that literally cannot be modified or deleted — not by administrators, not by ransomware, not by anyone — immutable backups ensure that you always have a clean copy of your data to restore from, regardless of how sophisticated the attack.
Why Traditional Backups Are No Longer Enough
Traditional backup strategies were designed to protect against hardware failures, accidental deletions, and natural disasters. They work on the assumption that the backup infrastructure itself is safe — that if a server fails, the backup tapes or disks are intact and ready to restore from. This assumption is no longer valid in the age of targeted ransomware.
Modern ransomware groups — including those specifically targeting UK businesses such as LockBit, BlackCat (ALPHV), and Clop — follow a methodical attack pattern. They gain initial access (often through phishing emails or exploited vulnerabilities), spend days or weeks silently mapping the network, identify and compromise backup systems, delete or encrypt backup files and shadow copies, and only then deploy the encryption payload across production systems.
By the time you see the ransom note, your backups may already be destroyed. If your backup infrastructure uses standard storage that can be accessed and modified by network administrators (or by attackers who have stolen administrator credentials), then your backups are vulnerable to exactly the same attack as your production systems.
The Evolving Ransomware Threat Landscape in the UK
The UK has become one of the most targeted countries for ransomware in Europe, with attacks affecting NHS trusts, local councils, law firms, accounting practices, manufacturing companies, and retailers. The NCSC handled a record number of ransomware incidents in its most recent annual review, and the true figure is likely far higher since many organisations do not report attacks. What makes the current threat landscape particularly dangerous is the rise of Ransomware-as-a-Service (RaaS) operations, where criminal groups provide ransomware toolkits to affiliates in exchange for a percentage of the ransom payments. This has dramatically lowered the barrier to entry for cybercriminals and increased the volume of attacks targeting businesses of all sizes.
Double extortion has also become standard practice. Attackers not only encrypt your data but also exfiltrate it before deploying the ransomware, threatening to publish sensitive information on leak sites if the ransom is not paid. For UK businesses subject to the Data Protection Act 2018 and GDPR, this creates an additional layer of pressure — a data breach that results in published customer or employee data carries regulatory fines of up to four per cent of annual global turnover, reputational damage, and potential legal action from affected individuals. Even with strong immutable backups that allow you to restore operations, the data exfiltration component means that backup alone is not a complete ransomware strategy. However, immutable backups remain the critical foundation that ensures business continuity and eliminates the encryption leverage that attackers depend upon.
The classic 3-2-1 backup rule (three copies of data, on two different media types, with one copy offsite) remains a solid foundation for data protection. However, it does not address the ransomware threat if all three copies can be reached and encrypted by an attacker with compromised admin credentials. Immutable backups add a critical fourth dimension to the 3-2-1 rule: at least one copy must be immutable — completely unchangeable for a defined retention period, regardless of who requests the change.
What Makes a Backup Immutable?
An immutable backup is one that cannot be altered, deleted, or encrypted after it has been written — for a specified retention period. The immutability is enforced at the storage level, not by the backup software alone. This means that even if an attacker gains full administrator access to your backup server, they cannot modify or delete the immutable backup copies.
There are several technical approaches to achieving immutability, each with different characteristics.
Object Lock (S3-Compatible Cloud Storage)
Cloud storage services like Amazon S3, Azure Blob Storage, and Wasabi support object lock functionality that prevents objects from being deleted or overwritten for a specified retention period. Once data is written with object lock enabled, it is immutable until the retention period expires — even the storage account administrator cannot override this protection. This is one of the most popular approaches for UK businesses using cloud backup solutions.
WORM Storage (Write Once, Read Many)
WORM storage has been used in regulated industries for decades to ensure data integrity. Modern WORM implementations use either specialised hardware or software-defined storage that physically prevents data modification after writing. WORM compliance is often required in financial services, healthcare, and legal sectors for audit trail integrity.
In practice, WORM storage implementations vary considerably in their technical approach and cost. Hardware-based WORM solutions use specialised storage media that physically prevents data alteration — this includes certain optical disc systems and purpose-built WORM tape formats. Software-defined WORM solutions, which are more common in modern deployments, use file system controls and access policies to prevent modification. Products such as NetApp SnapLock, Dell PowerScale SmartLock, and various Linux-based solutions can provide software WORM capabilities on standard hardware, making this approach accessible to a broader range of UK businesses without requiring specialised storage infrastructure.
For businesses in the UK financial services sector, the FCA (Financial Conduct Authority) requires firms to maintain records in a form that cannot be altered. Similarly, law firms must preserve client files and correspondence in tamper-proof storage under SRA (Solicitors Regulation Authority) rules. Healthcare organisations handling NHS patient data must comply with records management requirements under the NHS Code of Practice. In each of these cases, WORM storage provides the technical foundation for demonstrating compliance with data integrity requirements, and combining WORM with immutable backup gives organisations both operational resilience against ransomware and regulatory compliance in a single architecture.
Air-Gapped Backups
An air-gapped backup is physically disconnected from the network. Because there is no network path to the backup media, ransomware cannot reach it. Tape backup remains the most common air-gapped solution, though some businesses achieve air-gapping by physically disconnecting USB drives or portable storage after backup completion. The drawback is that air-gapped backups require manual handling and are typically less frequent than online backups.
Despite the operational overhead, air-gapped backups remain an important component of a comprehensive data protection strategy, particularly for UK businesses with very high-value data or strict regulatory requirements. Modern tape technology — such as LTO-9, which offers up to 45 TB of compressed capacity per cartridge — provides a cost-effective and reliable air-gapped solution. Many UK managed service providers offer tape rotation services where backup tapes are collected on a regular schedule and stored in secure offsite vaults, reducing the administrative burden on in-house IT teams.
A practical approach for many UK SMEs is to combine online immutable backups (for rapid recovery of day-to-day incidents) with periodic air-gapped backups (as a last-resort recovery option for catastrophic scenarios). For example, you might maintain cloud-based immutable backups with a 30-day retention for operational recovery, supplemented by monthly air-gapped tape backups stored offsite for 12 months. This layered approach provides the speed of cloud restoration for common incidents whilst maintaining an absolute guarantee of data availability even in a worst-case scenario where both your production environment and cloud backup account are simultaneously compromised.
Immutable Backup Benefits
- Ransomware cannot encrypt or delete backup data
- Compromised admin credentials cannot affect backups
- Guaranteed clean restore point always available
- Compliance with data retention regulations
- Protection against insider threats
- Audit-ready proof of data integrity
- Reduces pressure to pay ransom demands
Traditional Backup Risks
- Admin credentials can be used to delete backups
- Ransomware can encrypt backup files on network shares
- Shadow copies routinely deleted by ransomware
- Backup software APIs can be exploited
- No guarantee backup is clean at restore time
- Retention policies can be overridden by attackers
- Creates false sense of security
Implementing Immutable Backups for Your Business
Implementing immutable backups does not require replacing your entire backup infrastructure. Most modern backup solutions support immutability as a configuration option when paired with compatible storage. Here are the most common approaches for UK businesses.
Cloud-Based Immutable Backup
The most accessible approach for UK SMEs is to use a cloud backup solution that supports immutability. Products such as Veeam Backup and Replication (with S3-compatible object lock storage), Datto SIRIS and ALTO, Acronis Cyber Protect, and Druva offer immutable cloud backup capabilities. These solutions write backup data to cloud storage with object lock enabled, ensuring that backup copies cannot be tampered with.
When evaluating cloud-based immutable backup solutions for your UK business, several factors beyond basic immutability should influence your decision. First, consider the granularity of your retention requirements — some solutions offer object-level immutability where each individual backup can have its own retention period, whilst others apply immutability at the container or vault level. Second, evaluate the bandwidth requirements for your initial seed backup and ongoing incremental backups. If you are backing up several terabytes of data over a standard UK business broadband connection, the initial backup could take weeks unless the provider offers a physical data seeding service.
Cost modelling is also essential. Cloud immutable backup costs typically combine a per-device or per-server licence fee with storage consumption charges. As your data grows, storage costs increase, and with immutability enabled, you cannot delete data before the retention period expires — even if you no longer need it. This means storage costs can accumulate faster than expected if retention periods are set too generously. A practical approach is to start with a 30-day immutable retention for operational recovery and a 90-day retention for compliance purposes, then adjust based on actual usage patterns and regulatory requirements. Some providers offer tiered storage where older backup data is automatically moved to cheaper cold storage tiers whilst retaining immutability protection, which can significantly reduce long-term costs.
For UK data residency requirements, ensure your chosen solution stores data in UK-based data centres. AWS has data centres in London (eu-west-2), Azure operates UK South (London) and UK West (Cardiff) regions, and providers like Wasabi offer UK-based storage options.
On-Premises Immutable Storage
For businesses that prefer or require on-premises backup storage, products such as ExaGrid provide tiered backup storage with a dedicated immutability tier. The immutable tier uses a non-network-facing architecture where backup data is written once and cannot be modified or deleted through any network-accessible interface. Even if the primary backup storage is compromised, the immutable tier remains protected.
| Solution Type | Immutability Method | UK Data Centre | Typical Cost (25 users) | Recovery Speed |
|---|---|---|---|---|
| Cloud backup (Veeam + S3) | Object Lock | AWS London / Azure UK South | £200–£500/month | Hours (depends on data volume) |
| Cloud BDR (Datto) | Proprietary cloud immutability | UK data centres available | £400–£800/month | Minutes (instant virtualisation) |
| On-premises (ExaGrid) | Tiered WORM storage | Your premises | £5,000–£15,000 (one-off) | Very fast (local restore) |
| Air-gapped tape | Physical disconnection | Your premises / offsite vault | £100–£300/month | Hours to days |
The NCSC Position on Backup Resilience
The NCSC explicitly recommends that UK organisations protect their backups against ransomware. Their guidance on mitigating ransomware attacks states that organisations should maintain offline backups that are not accessible from the network, test backup restores regularly, and ensure that backup credentials are separate from standard administrative accounts. Immutable backup technology directly addresses these recommendations by providing an additional layer of protection that remains effective even when other defences fail.
For UK businesses pursuing Cyber Essentials or Cyber Essentials Plus certification, demonstrating robust backup practices including immutability strengthens your overall security posture. Whilst Cyber Essentials does not explicitly mandate immutable backups, the scheme's emphasis on protecting against common cyber attacks aligns perfectly with the principles of immutable data protection.
Cyber Insurance and Immutable Backups
The UK cyber insurance market has undergone a significant transformation in recent years, and backup practices are now a central factor in both underwriting decisions and claims outcomes. Insurers have learnt from the wave of ransomware claims that organisations without robust, tested, and immutable backups are far more likely to pay ransoms and file larger claims. As a result, many UK cyber insurance providers now explicitly ask about immutable backup capabilities during the application process, and some will not offer coverage — or will charge significantly higher premiums — to organisations that rely solely on traditional backup methods.
When you make a cyber insurance claim following a ransomware attack, your insurer will scrutinise your backup practices in detail. If you had immutable backups in place and were able to restore operations without paying the ransom, your claim will typically cover the business interruption costs and incident response expenses — both of which are generally smaller and more predictable than claims that include ransom payments. Conversely, if your backups were compromised because they were not immutable, and you chose to pay the ransom, insurers may reduce payouts or dispute the claim on the grounds that reasonable precautions were not taken.
For UK businesses, maintaining immutable backups is increasingly not just a technical best practice but a commercial necessity. The cost of implementing immutable backup is modest compared to the potential increase in cyber insurance premiums for organisations without it, let alone the catastrophic costs of a ransomware attack with no recovery option.
[Figure: The impact of immutable backups on ransomware recovery outcomes]
Testing and Validating Your Immutable Backups
Immutable backups are only valuable if they can be successfully restored when needed. Regular testing is essential — not just verifying that backup jobs complete, but actually restoring data from immutable storage and confirming that applications work correctly with the restored data.
Schedule quarterly restore tests at minimum, and ideally monthly for business-critical systems. Document the test results, including restore times, data integrity verification, and any issues encountered. This documentation serves both as operational assurance and as evidence for compliance and insurance purposes — cyber insurance providers increasingly ask about backup testing practices when assessing claims.
Building a Backup Testing Programme
Effective backup testing goes beyond simply verifying that a restore job completes without errors. A comprehensive testing programme should validate multiple recovery scenarios that reflect the actual risks your business faces. Start with individual file and folder restores — these are the most common recovery requests and should be tested weekly. Progress to full system restores on a monthly basis, recovering an entire server or virtual machine from backup and confirming that all applications, services, and data are functional. At least quarterly, conduct a full disaster recovery test that simulates a complete site failure, restoring your critical systems to an alternative location and verifying that business operations can continue.
For immutable backups specifically, your testing programme should include verification that the immutability controls are functioning correctly. Attempt to delete or modify a backup that is within its immutability retention period — the operation should fail. Document this test as evidence that your immutability controls are working as intended. Additionally, test the restore process from immutable storage separately from your standard backup restores, as the restore workflow may differ depending on your backup solution and storage platform.
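The immutability check described above, and the object lock semantics introduced in the Object Lock section earlier, as an added example that is not part of the original article and not any vendor's code. `ObjectLockBucket` is a constructed stand-in that models S3-style Object Lock (versioning, a retain-until date per object version, and the two retention modes) so the control test runs offline; against a real bucket the same three steps map onto a version-specific delete, a retention update, and a read-back. One caveat the model makes explicit: the "not even the administrator" guarantee holds for COMPLIANCE mode only; a GOVERNANCE lock can be removed by a principal granted the bypass permission, so backups meant to survive stolen admin credentials belong in compliance mode.

```python
"""Constructed model of S3-style Object Lock plus the immutability control test.
Not the article's or any product's code: a local stand-in so the check runs offline."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import itertools


class ObjectLockViolation(PermissionError):
    """Operation would break a retention lock (a real bucket answers 403 AccessDenied)."""


@dataclass
class ObjectVersion:
    version_id: str
    data: bytes
    mode: Optional[str]               # "COMPLIANCE", "GOVERNANCE" or None
    retain_until: Optional[datetime]  # lock expires at this instant
    deleted: bool = False

    def locked(self, now: datetime) -> bool:
        return self.retain_until is not None and now < self.retain_until


class ObjectLockBucket:
    """Versioned bucket enforcing WORM retention per object version (constructed)."""

    def __init__(self) -> None:
        self._versions = {}            # key -> list of versions, newest last
        self._ids = itertools.count(1)

    def put_object(self, key, data, mode=None, retain_until=None) -> str:
        # Object Lock requires versioning, so a PUT to an existing key never
        # replaces the locked version: it adds a new version beside it.
        v = ObjectVersion(f"v{next(self._ids)}", data, mode, retain_until)
        self._versions.setdefault(key, []).append(v)
        return v.version_id

    def _get(self, key, version_id) -> ObjectVersion:
        for v in self._versions.get(key, []):
            if v.version_id == version_id and not v.deleted:
                return v
        raise KeyError(f"{key}@{version_id} not found")

    def get_object(self, key, version_id) -> bytes:
        return self._get(key, version_id).data

    def delete_version(self, key, version_id, now, bypass_governance=False) -> None:
        v = self._get(key, version_id)
        if v.locked(now) and not (v.mode == "GOVERNANCE" and bypass_governance):
            # GOVERNANCE yields to a principal holding the bypass permission;
            # COMPLIANCE yields to nobody until retain_until has passed.
            raise ObjectLockViolation(f"{version_id} locked until {v.retain_until}")
        v.deleted = True

    def put_retention(self, key, version_id, mode, retain_until, now, bypass_governance=False):
        v = self._get(key, version_id)
        if v.locked(now):
            shortening = retain_until < v.retain_until
            downgrade = v.mode == "COMPLIANCE" and mode != "COMPLIANCE"
            if v.mode == "COMPLIANCE" and (shortening or downgrade):
                raise ObjectLockViolation("compliance retention can only be extended")
            if v.mode == "GOVERNANCE" and shortening and not bypass_governance:
                raise ObjectLockViolation("shortening governance retention needs bypass")
        v.mode, v.retain_until = mode, retain_until


def verify_immutability(bucket, key, version_id, now) -> dict:
    """The control test from the text: a backup inside its retention window must
    reject deletion and retention shortening while staying readable for restore.
    Returns a record for the standardised test report."""
    v = bucket._get(key, version_id)
    mode, until = v.mode, v.retain_until
    checks = {}
    try:                                   # 1. try to end retention right now
        bucket.put_retention(key, version_id, mode, now, now)
        checks["shorten_rejected"] = False
    except ObjectLockViolation:
        checks["shorten_rejected"] = True
    try:                                   # 2. try to delete the protected version
        bucket.delete_version(key, version_id, now)
        checks["delete_rejected"] = False
    except ObjectLockViolation:
        checks["delete_rejected"] = True
    try:                                   # 3. restore path must still work
        checks["readable"] = len(bucket.get_object(key, version_id)) > 0
    except KeyError:
        checks["readable"] = False
    return {"date": now.isoformat(), "scope": f"{key}@{version_id}", "mode": mode,
            "retain_until": until.isoformat() if until else None,
            "checks": checks, "passed": all(checks.values())}


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed clock for the demo


def at_day(n: int) -> datetime:
    return T0 + timedelta(days=n)


def run_demo() -> dict:
    """Walk a 30-day compliance lock and a governance lock through their lifecycle."""
    b, key = ObjectLockBucket(), "backups/fileserver/full-2024-01-01.vbk"   # constructed
    comp = b.put_object(key, b"<constructed backup payload>", "COMPLIANCE", at_day(30))
    gov = b.put_object(key + ".gov", b"<constructed>", "GOVERNANCE", at_day(30))
    r = {"compliance_day1_passed": verify_immutability(b, key, comp, at_day(1))["passed"]}
    b.put_object(key, b"ENCRYPTED")        # an overwrite only adds a new version
    r["locked_version_survives_overwrite"] = b.get_object(key, comp).startswith(b"<constructed")
    b.put_retention(key, comp, "COMPLIANCE", at_day(90), at_day(1))   # extending is allowed
    try:
        b.delete_version(key + ".gov", gov, at_day(1)); r["gov_rejected"] = False
    except ObjectLockViolation:
        r["gov_rejected"] = True
    b.delete_version(key + ".gov", gov, at_day(1), bypass_governance=True)
    b.delete_version(key, comp, at_day(91))   # lock expired: lifecycle deletion works
    r["expired_version_deleted"] = True
    return r


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

`verify_immutability` returns the same fields the text asks the test report to record (date, scope, result), so its output can be appended to the test log as-is; a `passed` of `False` on a backup that is supposed to be locked is the finding the quarterly test exists to catch.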
Document every test with a standardised report that records the date, scope, recovery time, data integrity verification results, and any issues encountered. This documentation serves multiple purposes: it provides operational confidence that your backup infrastructure is working, it satisfies audit requirements for regulated industries, it supports cyber insurance claims by demonstrating due diligence, and it identifies performance trends that might indicate emerging problems before they become critical failures. Many UK managed service providers include regular backup testing as part of their service level agreements, which can reduce the administrative burden on in-house teams whilst ensuring consistent testing discipline.
Protect Your Business with Immutable Backups
Cloudswitched implements immutable backup solutions for UK businesses, ensuring your data is protected against ransomware, accidental deletion, and insider threats. From cloud-based immutable storage to on-premises WORM solutions, we design and manage backup infrastructure that gives you confidence in your ability to recover from any incident. Contact us for a backup resilience assessment.