What Is Immutable Backup — And Why It's the Only Defence Ransomware Cannot Break

Immutable backup is like a vault with no key — even the owner can't open it before the time lock expires. That's exactly why ransomware is powerless against it.

Ransomware Attacks Your Backups First

Here's something that shocks most business owners when explained:

Modern ransomware does not attack immediately. After gaining access to your network, it quietly spends days or weeks:

Mapping your entire system — finding servers, NAS, network drives, cloud connections
Identifying backup software — Veeam, Acronis, Windows Backup, Synology Active Backup
Escalating privileges — searching for admin rights to delete backups
Deleting or encrypting backups — before triggering full encryption
Only then launching the final attack — encrypting all data

This is why thousands of businesses that "had a backup" still lost their data or paid ransoms — their backups had already been deleted before they even knew they'd been breached.

Immutable Backup: A Plain-Language Explanation

Imagine a book printed on special paper:

You can read it at any time
But nobody can edit or tear out any page until after 90 days
After 90 days, the book self-destructs (or the lock can be renewed)

That's how immutable backup works with digital data.

Technically: Immutable backup uses Object Lock technology (WORM — Write Once, Read Many). When a file is written to immutable storage, a "time lock" is applied. During that period:

The file cannot be modified (not even a single bit)
The file cannot be deleted (not even by someone with the highest admin rights)
The file cannot be re-encrypted by ransomware

Even the cloud provider (Wasabi, Backblaze, AWS) cannot delete the file while the lock is active — this is a technical guarantee, not just a promise.

Standard Backup vs. Immutable Backup: A Real Comparison

Feature	Standard Backup	Immutable Backup
Can be deleted by ransomware?	✅ Yes — if credentials are compromised	❌ No
Can be deleted by a disgruntled employee?	✅ Yes	❌ No (during lock period)
Can be accidentally deleted?	✅ Yes	❌ No
Cost	Lower	~10–20% higher
Suitable for long-term archiving	Not ideal	✅ Ideal
Requires special software?	No	Requires Object Lock support

Object Lock Modes: Governance vs. Compliance

Governance Mode

Users with the s3:BypassGovernanceRetention permission can delete early
Suitable for: Most SMBs — protection against ransomware and accidental deletion
More flexible when exceptions need to be handled

Compliance Mode

Absolutely no one can delete before the deadline, not even the cloud provider's admin team
Suitable for: Companies with strict legal compliance requirements (finance, healthcare, legal)
Cannot be disabled or have the lock period shortened

Cloud Storage Providers Supporting Object Lock

Provider	Object Lock Support	Notes
Wasabi Hot Cloud Storage	✅ Governance + Compliance	Fixed pricing, no egress fees — most popular for SMBs
Backblaze B2	✅ Governance + Compliance	Low cost, good performance
Amazon S3	✅ Governance + Compliance	Most widely used, higher egress fees
Viettel Cloud	✅ Yes	Servers in Vietnam, suitable for local data residency
Azure Blob Storage	✅ Immutable Blob	Good integration with Microsoft 365

Backup Software Supporting Immutable Backup

Object Lock technology needs to be supported on both sides — the storage provider AND the backup software:

Software	Object Lock Support	Notes
Veeam Backup & Replication	✅ Full	Most popular for Windows/VMware
Acronis Cyber Protect	✅ Full	Integrated anti-malware
Synology Active Backup	✅ Direct + S3	Good for Synology NAS
Commvault	✅ Full	Enterprise-scale
Nakivo	✅ Full	Competitive pricing

Configuring Immutable Backup: Key Considerations

Minimum Retention Period

Ransomware can hide for 30 days before triggering. The lock period must be a minimum of 30 days for daily backups. 60–90 days is better.

Separate Account Credentials

The bucket/container storing immutable backups must use entirely different accounts/API keys from the credentials the backup server uses. If ransomware obtains the backup job's S3 key, it cannot use that key to bypass the Object Lock.

No Persistent Mount

Never mount the immutable storage bucket as a mapped network drive. Only connect via API during the backup job — disconnect immediately afterwards.

Periodically Verify the Object Lock

Confirm the Object Lock is genuinely applied by checking object metadata. Misconfigured setups can write files but fail to apply the lock.

Verifying Object Lock configuration is an essential step to ensure immutable backup is working correctly.

Frequently Asked Questions from Business Owners

"If I accidentally delete a file, can I still recover it?" Yes — you can read and restore at any time. Object Lock prevents deletion, not reading.

"Does it cost significantly more?" Immutable cloud storage typically costs only 10–20% more than standard storage. At ~$6–7/TB/month on Wasabi, a business with 10TB of backup data pays roughly 1.5M VND per month.

"Can I set it up myself?" Technically yes — but misconfiguring Object Lock can render it non-functional. We frequently see errors like: the lock is enabled but the retention period is set to 0, or the same credentials are shared between the backup job and the storage account.

Vietify IT Deploys Immutable Backup for You

We specialise in immutable backup implementation for SMBs in Da Nang:

Assessment of your current backup environment
Design of the right immutable backup architecture
Deployment of Object Lock on Wasabi / Backblaze / Viettel Cloud
Verification that the configuration is correctly applied
24/7 monitoring with instant alerting

Book a Free Consultation. We'll explain exactly how immutable backup fits into your current infrastructure.

Call: 0914 985 772 | vietify.vn/contact

Vietify IT Services — Da Nang's Immutable Backup and Ransomware Defence Specialists.