In 2025, digital threats have not only evolved—they have become faster, more destructive, and highly targeted. Ransomware, in particular, is no longer an isolated risk but a central component of the attack strategies used by sophisticated cybercriminal groups such as LockBit, Qilin, and Akira. And the harshest reality? Even companies with active backups are being forced to shut down.
The truth is that having a backup is not enough. It must be resilient, tested, immutable, and ready for immediate restoration. This is where the 3-2-1-1-0 strategy comes in — an evolution of the traditional 3-2-1 rule, now adapted to modern cyber challenges.
This article explains how to implement this approach and how it can save your company from million-dollar losses, even in extreme scenarios. If your organization still relies on local backups or improvised strategies, it may be time to rethink before the next attack.
What Is Resilient Backup?
Resilient backup goes far beyond simply keeping a copy of your data. It represents a robust, tested, and fail-proof structure designed to withstand the worst-case scenarios, including targeted ransomware attacks.
Unlike traditional backups, which can be easily deleted, encrypted, or corrupted by an attacker with system access, resilient backup is designed to survive even when the entire production environment is compromised.
According to the SonicWall 2025 Report, more than half of the companies attacked lost access to their backups during the incident, highlighting a serious problem: current backup solutions are failing against modern ransomware.
Characteristics of a Truly Resilient Backup:
- Strategic redundancy (multiple copies and media);
- Physical or logical isolation (to prevent attack spread);
- Data immutability (no possibility of alteration or deletion);
- Periodic integrity checks (real restoration tests);
- Low recovery time (RTO) and high reliability.
In summary, resilient backup is not just technology, it is a mindset of proactive preparation. It is knowing that disaster can happen and still being ready to restore everything quickly and confidently.
The Evolution from the 3-2-1 Rule to 3-2-1-1-0
For many years, the 3-2-1 rule was considered the gold standard for backup strategies. It guided companies to keep 3 copies of their data, stored on 2 different types of media (for example: disk + cloud), with 1 copy kept off-site (outside the local infrastructure).
This approach is still valid, but it has become insufficient in the face of modern threats, especially advanced ransomware that directly targets backup systems. Groups such as LockBit, Akira, and Medusa not only encrypt production data, they also attempt to corrupt, delete, or encrypt accessible backups.
It was in this scenario that cybersecurity and business continuity experts began adopting a new approach: the 3-2-1-1-0 rule.
What Is the 3-2-1-1-0 Rule?
| Element | Meaning |
| --- | --- |
| 3 | Keep three copies of the data (production + 2 backups). |
| 2 | Use two different media (e.g., local disk and cloud). |
| 1 | Keep one off-site copy, outside the company’s infrastructure. |
| 1 | Keep one immutable or offline copy, inaccessible to attacks. |
| 0 | Ensure zero errors in recovery tests — in other words, verify that the backup actually works. |
This evolution adds two crucial layers:
- Immutability/offline: ensures that backups cannot be overwritten or deleted, not even by compromised administrators.
- Regular testing: because a backup that has never been tested cannot be considered secure.
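To make the five elements concrete, the following added example (not code from the original article or from any backup product) audits an inventory of data copies against the rule. The `Copy` fields, the `audit` and `failed` helpers, and both sample inventories are constructed for illustration, and it assumes the "0" means every backup copy has been restore-tested with zero errors.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Copy:
    name: str
    media: str                       # e.g. "disk", "cloud", "tape"
    production: bool = False
    offsite: bool = False
    immutable_or_offline: bool = False
    restore_test_errors: Optional[int] = None   # None means never restore-tested

def audit(copies):
    """Return {rule element: (passed, detail)} for an inventory of data copies."""
    backups = [c for c in copies if not c.production]
    media = sorted({c.media for c in copies})
    offsite = [c.name for c in backups if c.offsite]
    locked = [c.name for c in backups if c.immutable_or_offline]
    untested = [c.name for c in backups if c.restore_test_errors is None]
    failing = [c.name for c in backups if c.restore_test_errors]
    return {
        "3 copies": (len(copies) >= 3, f"{len(copies)} found"),
        "2 media": (len(media) >= 2, ", ".join(media)),
        "1 off-site": (bool(offsite), ", ".join(offsite) or "none"),
        "1 immutable/offline": (bool(locked), ", ".join(locked) or "none"),
        # Assumption: "0" means every backup copy was restore-tested with no errors.
        "0 errors": (bool(backups) and not untested and not failing,
                     f"untested={untested} failing={failing}"),
    }

def failed(copies):
    """List the rule elements the inventory does not satisfy."""
    return [rule for rule, (ok, _) in audit(copies).items() if not ok]

# Constructed inventories: a plain 3-2-1 setup and the same setup upgraded.
PLAIN_321 = [
    Copy("prod", "disk", production=True),
    Copy("nas", "disk"),
    Copy("cloud", "cloud", offsite=True),
]
RESILIENT = [
    Copy("prod", "disk", production=True),
    Copy("nas", "disk", restore_test_errors=0),
    Copy("cloud-locked", "cloud", offsite=True,
         immutable_or_offline=True, restore_test_errors=0),
]

if __name__ == "__main__":
    for label, inventory in (("3-2-1", PLAIN_321), ("3-2-1-1-0", RESILIENT)):
        print(label, failed(inventory) or "compliant")
```

The plain 3-2-1 inventory passes the first three elements and fails exactly the two that the extended rule adds.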
Comparison Between Backup Strategies: Which One Ensures Greater Security?
To understand the true impact of the 3-2-1-1-0 strategy, it is worth comparing its level of resilience with other backup approaches still adopted in the market:
| Strategy | Vulnerable to ransomware? | Average restoration time | Reliability in crisis | Recommended for companies? |
| --- | --- | --- | --- | --- |
| Traditional backup (single local copy) | Yes | >15 days | Low | ❌ No |
| 3-2-1 Rule | Moderate | 5 to 7 days | Medium | ⚠️ Limited |
| 3-2-1-1-0 Strategy | High protection | 1 to 3 days | High | ✅ Yes |
| Backup without validation/testing | Extreme | Undefined | None | 🚫 Never |
Interpretation:
- The traditional 3-2-1 rule already offers some protection, but fails by not fully isolating the data from modern attacks.
- The 3-2-1-1-0 rule, on the other hand, introduces real redundancy and immutability, preventing data from being altered or deleted, even if the attacker has administrative privileges.
- Moreover, the last “0” in the rule ensures that backups not only exist, but are proven to be restorable.
Modern ransomware attacks are no longer limited to encrypting production data. They aim to cripple the company’s entire recovery capability, also targeting backups. This includes:
- Targeted attacks on NAS and network-connected storage;
- Exploitation of administrative credentials to delete backups;
- Encryption of backup repositories in misconfigured public cloud;
- Deletion of snapshots and restore points.
The 3-2-1-1-0 strategy provides technical and operational barriers against this type of threat at multiple levels.
Layered protection
- Multiple copies (3): Reduces the risk of total loss by distributing data across different locations.
- Distinct media (2): Prevents a specific failure (such as disk corruption or controller failure) from affecting all copies.
- Off-site copy (1): Protects against physical attacks, insider sabotage, or local infrastructure failures.
- Immutable/offline copy (1): Ensures that even with privileged access, the attacker cannot delete, overwrite, or encrypt the backup data.
- Recovery testing (0): Eliminates the false sense of security. A backup is only useful if it can be restored.
Realistic example
Imagine a DeadBolt ransomware attack in an environment with a Synology NAS exposed to the internet. The attacker encrypts the data and deletes the configured snapshots. If the company had an immutable cloud copy with active integrity verification, it would be possible to restore everything within a few hours — without depending on the criminals or paying ransom.
Recommended Solutions
Implementing a 3-2-1-1-0 strategy requires more than just good intentions — it demands reliable technologies and an architecture tailored to each company’s reality. Below are recommended solutions that combine resilience, automation, and ransomware protection, including for hybrid or critical environments.
1. Immutable Backup with Datto SIRIS
The cyber-resilient backup solution from Datto (resold by Digital Recovery) integrates:
- Immutable copies by default;
- Automated and frequently verified snapshots;
- Instant restoration, with VMs booted directly on the appliance;
- Integration with private cloud for retention beyond the reach of ransomware.
2. Snapshots with Locked Retention
- Solutions such as ZFS + Btrfs with WORM (Write Once Read Many) features;
- Application of snapshots protected against deletion even by compromised administrators;
- Excellent for on-premises environments with NAS, such as Synology and QNAP.
3. Backups with Physical Isolation
- LTO tapes, USB drives, and air-gapped storage are still highly effective when used correctly.
- Ideal for monthly or biweekly offline backups with physical transport.
4. Monitoring and Auditing of Recovery
- Tools that perform automated integrity verification;
- Recovery simulations;
- Auditable recovery logs (essential for compliance with LOPDGDD, GDPR, ISO 27001, SOC 2).
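One way to automate the integrity verification and recovery simulation listed above, as an added example that is not part of the original article or of any vendor tool: record a SHA-256 manifest at backup time, restore into a scratch directory, and report every missing, altered, or unexpected file. The function names and the sample files are constructed; an empty result is the "0" of the rule.

```python
import hashlib, os, tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):   # stream large files
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root):
    """Compare a test restore with the backup-time manifest; [] means zero errors."""
    restored = build_manifest(restored_root)
    errors = []
    for rel, digest in sorted(manifest.items()):
        if rel not in restored:
            errors.append((rel, "missing"))
        elif restored[rel] != digest:
            errors.append((rel, "hash mismatch"))
    errors += [(rel, "unexpected file") for rel in sorted(set(restored) - set(manifest))]
    return errors

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed sample: a clean restore and one with tampered, lost and extra files."""
    with tempfile.TemporaryDirectory() as tmp:
        src, good, bad = (os.path.join(tmp, d) for d in ("src", "good", "bad"))
        for root in (src, good, bad):
            write(root, "db/dump.sql", b"INSERT 1;")
            write(root, "docs/a.txt", b"hello")
        manifest = build_manifest(src)   # keep this alongside the immutable copy
        write(bad, "db/dump.sql", b"\x00\x01 overwritten")
        os.remove(os.path.join(bad, "docs/a.txt"))
        write(bad, "extra.bin", b"x")
        return verify_restore(manifest, good), verify_restore(manifest, bad)
```

Writing the returned list to an append-only log after each scheduled test restore gives the auditable recovery record the last bullet calls for.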
Conclusion
In times when cyberattacks are capable of taking companies down in a matter of minutes, the backup strategy adopted can no longer be based solely on “having a copy of the data.”
The 3-2-1-1-0 rule represents a new standard of excellence in business continuity. It combines smart redundancy, immutable protection, strategic isolation, and constant verification, creating a resilient structure even against advanced ransomware.
The implementation of this strategy is a strategic decision for security and business survival, not just an IT practice.
If your company has been the victim of an attack, lost access to backups, or needs consulting to structure a resilient backup, the Digital Recovery team is ready to help.
Talk to our specialists and ensure your company never becomes a hostage to its own data.


