What is immutable backup?
An immutable backup is a copy that cannot be altered, encrypted or deleted by anyone once created, not by an administrator with the password, and not by ransomware already inside the network. It is a read-only copy, isolated by architecture, built to survive the very attack that destroys ordinary backups.
How immutability works
Immutability is not a setting you turn on and off. It is a property of how the copy is written and stored, designed so that not even stolen credentials can touch it.
Write once, read many
The copy is written in a read-only format. There is no command to “edit” or “delete” that point in time until the retention period expires.
Isolated from the production network
The copy stays out of reach of the compromised environment, without depending on the same credentials or the same network the attacker controls.
Reinforced by identity and time
Changing the policy requires strong verification and a grace period, so a hijacked account cannot simply cut retention and destroy everything.
Multiple points in time
Several immutable points coexist, so you can recover from before the infection, even if the attack lay dormant for days.
Sources: Sophos, The Impact of Compromised Backups on Ransomware Outcomes (2024), and cyber resilience vocabulary (fortified copies).
How ransomware tries to destroy the backup
- Deleting or encrypting the backup files along with the production ones
- Using stolen administrator credentials to shut down the backup jobs
- Cutting retention so the older, clean points expire early
- Attacking the backup server on the same network, treating it like any other target
- Silently corrupting the copies and hoping no one tests recovery
Why the backup became the attack's first target
Ransomware groups learned that a company with an intact backup does not pay the ransom. So they changed the order of the attack: first they find and destroy the copies, then they encrypt production. In 94% of attacks the criminals tried to compromise the backups as well (Sophos, 2024). And it works: when the backup is hit, a company is almost twice as likely to pay the ransom, and the total recovery cost runs up to eight times higher, US$ 3 million versus US$ 375,000 (Sophos). Immutability exists to break that logic: if the copy cannot be touched, an attack on your network is not an attack on your backups.
What makes a backup truly immutable
Not every backup that calls itself “protected” survives a compromised administrator. Look for these attributes:
- Genuinely read-onlyNo account, not even the administrator, can alter or delete the point in time before its term. Immutable by default, not by option.
- Isolation by architectureThe copy does not live on the production network. The attacker who owns the environment cannot reach the backup.
- Retention policy protectionCutting retention requires strong verification and a grace period, so an account takeover cannot erase the history.
- Independent of credentialsThe backup does not depend on the same login the attack stole. A second factor separates the vault from the rest.
- Proof of recoveryImmutable and tested. An intact copy only counts if it still restores, and that is confirmed with automated testing.
In practice
Immutable means that not even you, with every password, can delete that point in time before its term. That is exactly why the attack cannot either.
How Zamak handles immutability
Zamak Technologies keeps immutable copies isolated from the environment, so an attack on the network does not become an attack on your backups, with recovery testing that confirms the intact copy still restores. A good starting point is the ransomware readiness check, which measures your recovery line. It is part of Continuity in the Zamak Method.