What is 3-2-1 backup rule ransomware?

by
What is 3-2-1 backup rule ransomware

Ransomware is a form of malicious software that encrypts files on a device and demands payment in order to decrypt them. The 3-2-1 backup rule is an important data protection strategy to defend against ransomware attacks. This article will explain what the 3-2-1 backup rule is, why it is effective against ransomware, and provide steps on how to implement it.

What is the 3-2-1 backup rule?

The 3-2-1 backup rule states that you should always maintain at least 3 copies of your data, stored on 2 different media, with 1 copy located offsite. This provides multiple layers of protection against data loss from ransomware and other threats.

Specifically, the 3-2-1 backup rule means:

  • 3 copies of data
  • Stored on 2 different media types (e.g. hard drive and cloud storage)
  • With 1 copy located offsite (e.g. cloud storage or external hard drive stored outside your home/office)

Having multiple copies prevents data loss if one copy becomes corrupted or encrypted by ransomware. Storing copies on different media guards against media failure. And maintaining an offsite copy protects against disasters like fires or floods destroying on-premise backups.

Why the 3-2-1 rule defends against ransomware

Ransomware is only able to encrypt files that it can access. Typically, ransomware will encrypt files on local hard drives and connected external drives. However, offline and cloud backups stored outside the reach of the malware will be unaffected.

Here’s why the 3-2-1 backup methodology protects against ransomware attacks:

  • 3 copies – If one backup copy is encrypted, you have two other intact copies to restore from.
  • 2 media types – If your local hard drive backups are encrypted, you can restore from cloud backups outside the reach of the attack.
  • 1 offsite copy – Since ransomware can only access locally connected devices, offline and cloud backups provide recovery options.

In summary, EVEN multiple on-premise copies can be encrypted by ransomware. The offsite component of 3-2-1 provides the key protection against these attacks.

Steps to implement the 3-2-1 backup rule

Follow these steps to implement a 3-2-1 backup plan to protect against ransomware:

1. Choose your 3 backup copies

Determine what devices you will use to store 3 copies of your data. This commonly involves:

  • Live data – The files on your computer or server. This acts as the primary copy.
  • Local backup – An external hard drive or NAS device on-premise.
  • Offsite backup – Cloud storage or external drive outside your office.

2. Select 2 different media types

Store data on 2 of these common backup media options:

  • Internal hard drive
  • External hard drive
  • NAS device
  • Cloud storage
  • Removable media like USB drive or tape

For example, you could store live data on an internal drive, local backups on an external drive, and offsite backups in the cloud. This covers both on-premise and off-site media.

3. Send 1 copy offsite

One backup copy should be stored in a remote location not accessible to the ransomware infection. This is commonly achieved by:

  • Cloud storage – sync files to cloud services like Dropbox, OneDrive, or a backup provider.
  • External drive – store a drive offsite at another location.
  • Tape media – store removable tapes offsite in a safe or other remote facility.

Cloud backups provide an easy way to automate offsite copies. External drives can also be rotated to an offsite location on a regular basis (e.g. weekly).

4. Automate backups

Configuring automated backup jobs is highly recommended to consistently maintain multiple copies on different media. Options include:

  • Backup software for local and cloud backups
  • Cloud sync tools like Dropbox and OneDrive
  • OS built-in tools like Apple Time Machine
  • Backup scripts to automate copying files to external drives

Automated tools will regularly update your backup copies with changes to live data, maintaining the 3-2-1 setup.

Recommended 3-2-1 backup setups

Here are some common 3-2-1 backup setups to protect against ransomware for both individuals and organizations:

Individuals/home users

  • Live data: Laptop hard drive or PC internal drive
  • Local backup: External USB drive
  • Offsite backup: Cloud storage like Dropbox

Small businesses

  • Live data: Server internal drive
  • Local backup: Local NAS device
  • Offsite backup: Managed cloud backup service

Enterprises

  • Live data: Primary SAN/NAS storage
  • Local backup: Backup server storage
  • Offsite backup: Secondary DR site or cloud repository

Larger organizations may also maintain multiple offsite backup copies for increased redundancy.

Key benefits of the 3-2-1 backup rule

Adopting the 3-2-1 backup methodology provides these key advantages:

  • Ransomware protection – Offsite backups out of reach of malware encryption.
  • Faster restores – Multiple copies allow restoring from the most convenient.
  • Increased redundancy – Copies on different media guard against failure.
  • Disaster recovery – Offsite copies maintain recoverability after site disasters.
  • Ease of use – Simple 3 number system easy to remember and follow.

Challenges with the 3-2-1 backup rule

While the 3-2-1 backup strategy provides excellent protection, it does have some challenges including:

  • Increased cost – Storing 3 copies on 2 media types has storage costs.
  • Complexity – Requires more time and effort to manage multiple copies and media.
  • Synchronization – Can be difficult to keep all copies in sync as data changes.
  • Hardware purchases – May need to purchase additional external drives or cloud storage.

However, the enhanced data protection and ransomware recovery capability outweigh these challenges for most organizations.

How the 3-2-1 rule prevents ransomware data loss

The key advantage of the 3-2-1 backup rule is preventing irrecoverable data loss from ransomware encrypting files. Some examples:

Encrypts live data and local backups

If ransomware encrypts the live data and on-premise backups, the offsite cloud copies can be used to restore the data without paying the ransom.

Encrypts local storage but not cloud

If all local storage is encrypted but cloud backups are intact, data can again be restored without paying the ransom demand.

Fails to penetrate offsite backup locations

If ransomware doesn’t infect cloud storage or offsite external drives at all, these backups remain intact for recovery.

In all cases, the offsite component of the 3-2-1 rule provides the last line of defense to regain access to data without paying ransoms.

Real-world examples of the 3-2-1 rule stopping ransomware

There are many real-world instances of the 3-2-1 backup methodology successfully protecting against costly ransomware attacks. For example:

Offsite backups prevent paying $10,000 ransom

An accounting firm was infected with Ryuk ransomware that encrypted all files across their network share drives. However, the MSP provider had implemented a cloud backup solution in addition to local Network Attached Storage (NAS) backups. Even though the NAS backups were encrypted, the offsite cloud backups were intact allowing full restoration of data without paying the $10,000 ransom.

University recovers from offline backups

When the University of Calgary was attacked by ransomware, the malware spread rapidly across their network encrypting multiple shared drives. Fortunately, the university had an offline tape backup system that was not infected. They were able to fully recover all their data by restoring from these offline tape backups.

Hospital avoids $1 million ransom

Hancock Health hospital in Indiana was infected with ransomware that took down their entire IT system. But since they had offline backup copies stored on physical tapes, they were able to restore their systems without paying the $1 million ransom. Again, offline backups provided critical protection.

These real-world recoveries demonstrate why maintaining offline and offsite backups is so critical to defend against ransomware attacks.

Comparison to the backup best practice 2-3-2 rule

The 2-3-2 backup rule is another data protection strategy similar to 3-2-1. It states you should maintain:

  • 2 different backup copies
  • On 3 different media types
  • With 2 located offsite

The main difference versus 3-2-1 is that 2 copies instead of 3 are required, but 2 (instead of just 1) must be stored offsite. This also provides effective ransomware defense since multiple offsite copies exist outside the reach of malware.

However, 3-2-1 provides an extra restore option with its third copy. And requiring just one copy offsite is easier for smaller businesses to implement. Overall, both provide strong defense but 3-2-1 has wider adoption and is easier to follow.

Conclusion

The 3-2-1 backup rule provides a simple and highly effective methodology to defend against ransomware attacks. By maintaining three copies, on two different media types, with one copy offsite it protects against both data corruption and malicious encryption from malware.

Implementing the 3-2-1 rule does require more thought and effort than traditional single-copy backups. However, with the rise of ransomware, having isolated offline and offsite backups is essential to avoid paying ransoms and irrecoverable data loss. Both individuals and organizations should adopt the 3-2-1 approach for reliable ransomware protection.