KOLOSALTech

3-2-1 backup against ransomware: the method that works in 2026


Enhanced 3-2-1 backup method for ransomware-proof backups. Architecture, hardware selection, frequency, restore tests.

The 3-2-1 rule is 30 years old. It remains the foundation, but modern ransomware (2024-2026) actively targets backups. Here's the enhanced version that actually works.

Recap: the classic 3-2-1 rule

  • 3 copies of data (1 production + 2 backups)
  • 2 different media
  • 1 copy offsite

This rule protected against physical disasters (fire, theft, disk failure). It no longer protects against modern ransomware, which first targets backups to encrypt or delete them.

3-2-1-1-0: the 2026 version

The industry adds two constraints:

  • +1 immutable: at least one copy that cannot be modified or deleted during retention (S3 Object Lock, Veeam hardened Linux repository, offline LTO tapes)
  • +0 errors in monthly restore testing

Typical architecture for an SME with 30 workstations + 2 servers

  • Primary backup: Veeam Backup & Replication on Synology RS2423+ NAS with BTRFS snapshots (30-day retention)
  • Secondary immutable backup: copy to Wasabi Hot Cloud Storage Paris region with 90-day Object Lock
  • Tertiary offline backup: LTO-9 tapes or rotating USB disk, physically disconnected after each backup

Frequency and retention

  • Production data (DB, file server): RPO 1h, backup every hour, 7-day granular retention
  • Daily snapshots: 30 days
  • Weekly snapshots: 12 weeks
  • Monthly snapshots: 12 months
  • Annual: 7 years (compliance)

Restore testing: the criterion that separates professionals

An untested backup is not a backup. At a minimum, every month:

  • Restore a random file (granular)
  • Restore a complete VM in an isolated sandbox
  • Measure actual RTO (recovery time)
  • Documentation: who tested, when, result

Veeam SureBackup automates this weekly validation — highly recommended.
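
One way to script the granular and full-restore checks above, as an added example that is not from the original article or from Veeam: it compares restored files against a SHA-256 manifest captured at backup time and returns a record of who tested, when, the measured RTO and the result. The function names, record fields and sample files are assumptions made for illustration.

```python
import hashlib
import random
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large restores do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_root: Path) -> dict:
    """At backup time: record relative path -> SHA-256 for every file."""
    return {p.relative_to(source_root).as_posix(): sha256_file(p)
            for p in sorted(source_root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root, tester, rto_seconds,
                   sample_size=0, seed=None) -> dict:
    """Compare restored files to the manifest; sample_size=0 checks all."""
    paths = sorted(manifest)
    if sample_size:  # granular test: a random subset of files
        paths = random.Random(seed).sample(paths, min(sample_size, len(paths)))
    errors = []
    for rel in paths:
        restored = Path(restored_root) / rel
        if not restored.is_file():
            errors.append((rel, "missing"))
        elif sha256_file(restored) != manifest[rel]:
            errors.append((rel, "hash mismatch"))
    return {"tester": tester,
            "tested_at": datetime.now(timezone.utc).isoformat(),
            "rto_seconds": rto_seconds,  # measured around the restore job
            "files_checked": len(paths), "errors": errors,
            "result": "PASS" if not errors else "FAIL"}  # the "0" in 3-2-1-1-0


if __name__ == "__main__":  # demo on constructed sample files (hypothetical names)
    with tempfile.TemporaryDirectory() as tmp:
        prod, restored = Path(tmp, "prod"), Path(tmp, "restored")
        for root in (prod, restored):
            root.mkdir()
            (root / "ledger.csv").write_text("id,amount\n1,100\n")
        print(verify_restore(build_manifest(prod), restored, "alice", 42.0))
```

Store the manifest alongside the immutable copy so that an attacker who alters the backup cannot also rewrite the hashes it is checked against.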

Anti-patterns to avoid

  • Backup on the same AD domain as production (AD compromise = backup compromise)
  • Backup NAS joined to domain without isolation
  • Backup service account with Domain Admin privileges
  • No encryption at rest on the backup NAS
  • Cloud backup with same credentials as admin console

Estimated cost for an SME with 30 workstations

  • Synology RS2423+ NAS + 8× 16 TB HDD: €6,500 excl. VAT
  • Veeam Backup & Replication license: €2,500/year
  • Wasabi Hot Cloud Storage 5 TB: €35/month
  • Setup + testing + documentation: 3-5 days of services

Conclusion

3-2-1-1-0 is the new standard. Immutability is no longer optional against 2026 ransomware. If you haven't tested a restore in 6 months, consider your backups non-existent until proven otherwise.
