One of the most concerning security threats presented to organizations today is malware in the form of ransomware. Ransomware is one of the most threatening tools that attackers use today to hold data hostage as well as wreak havoc on various types of infrastructure.

There are basically two options for businesses who are affected by ransomware – pay the ransom or recover from backups.

Data protection is the only sure way to make sure data is recoverable and the effects of ransomware can be reverted. Organizations today must ensure they have proper data protection plans that properly provide multiple copies of business-critical data in different locations.
In this post, we will take a look at how the 3-2-1 backup rule helps organizations to recover from ransomware attacks.

We will also look and see how organizations can effectively implement this strategy in the enterprise.

What is the 3-2-1 Backup Strategy?

Download Banner

The 3-2-1 backup strategy is known industry-wide in the data protection space.

What is the 3-2-1 backup strategy?

It is basically a best practice methodology that helps organizations to think about how data needs to be backed up in multiple locations and on different types of media for redundancy, geographic diversity, and resiliency.

The 3-2-1 backup strategy recommends have (3) copies of your data, stored on at least (2) different forms of media, with at least (1) copy stored offsite.

This satisfies the necessary requirements of having multiple copies, storing those copies safely on two different kinds of media which helps to ensure the data will be retrievable from at least one of those. Then storing at least the one copy offsite helps to ensure that if a major disaster strikes affecting a large area, most likely your offsite copy will not be affected along with the onsite production copy of both backups and production data/systems.

Use 3-2-1 Backup Strategy to Recover from Ransomware

Let’s see how you could use the 3-2-1 Backup Strategy to recovery from ransomware that has affected production infrastructure.

What are the components of a 3-2-1 backup strategy that might exist in a modern data center running virtual machines serving out production critical data and systems?

  • Backups
  • Replicas
  • Offsite Copies

3-2-1 Backup Strategy


Backups are the absolutely critical and most basic form of data protection that organizations must have in place. It forms the groundwork for a proper 3-2-1 best practice methodology backup solution. Choosing a backup solution that allows creating image-level backups of virtual machines at the hypervisor host level is the standard of backups in virtualized solutions. Whether it be VMware vSphere or a Microsoft Hyper-V, the solution needs to be able to connect to the management layer, see all the virtual machines in the infrastructure, and properly perform image-level backups of the VM.

The image-level backup provides a copy of “everything”. This includes not only the data contained in the OS installation but also any data partitions/virtual disks included with the virtual machine. Hugely important as well as obtaining the configuration for the virtual machine itself including CPU, memory, virtual devices, and disk configuration.

When an organization is hit with ransomware, there are varying degrees of restoration that may need to take place. This includes restoring files and folders, restoring entire virtual disks, or restoring an entire virtual machine. Having the ability to do all three seamlessly and efficiently is absolutely necessary for recovering from ransomware infection.


Replication is an extremely important part of the 3-2-1 backup best practice methodology in that it allows organizations to recover from an entire site-level failure. It satisfies many different aspects of the methodology including having multiple copies of your data and then also having a copy offsite.

Organizations can set up replication of virtual machines so that VMs are replicated from production at the RPO interval to the DR or secondary location outside of the production data center. The replicated VM is an exact copy of the production virtual machine at the time of replication. Additionally, the replicated VM can be failed over to in the event of a complete site failure in the primary data center. Failover involves transitioning traffic from the primary data center to the secondary datacenter after the failover operation has taken place. DNS records and other network configuration are changed to allow this transition to take place.

The great thing about replication is there is no data restore time as the VMs are up-to-date, at least from an RPO standpoint and ready to start accepting traffic without running restore operations for each VM. For organizations looking for the means to be able to withstand an entire site failure, replication is certainly going to be a part of that strategy.

A major ransomware infection could indeed take down an entire site if it spreads quickly and unnoticed for a period of time. Having the ability to failover to known good copies of VMs in a secondary location may be the best option for recovering from a massive ransomware infection of a production location.

Offsite Copies

Offsite copies are yet another copy of your backup data that is stored offsite. This provides another failsafe to ensure that you have multiple copies of data stored safely.

What if a ransomware infection had destroyed data in production and your DR environment?

The backup copy is another copy of the production data in the form of backups that could be utilized. The data would need to be restored first, however, it at least gives organizations another option to have good and recoverable data to use if need be.

Important 3-2-1 Backup Processes to Incorporate

What data protection processes and procedures need to be in place in order to protect data from ransomware in a modern, virtualized environment?

  • Verified Backups
  • Encrypted Backups
  • Network Orchestration for DR

Verified Backups

All too often, verifying backups is a component of a 3-2-1 backup strategy that gets missed.
Verifying backups is extremely important.

Having your data backups verified is a way to ensure the data that is contained in the backup is restorable. The reason that backup verification gets missed or is bypassed altogether is that it is extremely labor intensive if performed manually.

Having an automated solution for backup verification is a must, especially if there are a number of VMs that need to have backups verified. When backups are verified, the data and the contents of the backup are verified to be operational, valid, not corrupted, and VMs are tested to be bootable. Knowing your backups are good means when you need them most such as in a ransomware attack, they are verified as ready for data restoration.

Encrypted Backups

Encrypted backups are used to ensure your backup data is not readable in an unauthorized way. While ransomware encryption keeps the good guys out, backup encryption keeps the bad guys out. If backups or backup data falls into the wrong hands, encryption ensures the data is safe and unreadable without the encryption key.

Network Orchestration for DR

As mentioned, replication is the primary component of a well-architected 3-2-1 backup strategy to ensure data can be recovered in a total site-level failure. One of the particularly challenging aspects of DR when failing over virtual machine resources is network reconfiguration. The local networks including gateway, subnet, DNS servers, and other hypervisor specific configuration such as virtual switches may be different between production and DR. When replicated VMs are powered on in a failover, they “think” they are still in the production location as it is an exact copy of those VMs in their production state.

If networks and configuration settings are different from production to DR (which they probably will be), manually reconfiguring tens if not hundreds of VMs in a failover situation would be infeasible and extremely time-consuming. Having an automated way to perform this reconfiguration on a VM that is failed over to is the ideal way to handle this reconfiguration. This requires having a data protection solution that has the capability to perform the reconfiguration automatically using automation.

If ransomware disrupts the production site, you want to have this network reconfiguration automation in place to get business-critical VMs up and running as quickly as possible.

Vembu BDR Suite – Powerful Data Protection Solution for Ransomware

Vembu BDR Suite v4.0 allows organizations to have all the tools needed to implement an effective 3-2-1 backup strategy to recover from ransomware.

It allows organizations to have the following:

  • Host-level agentless backups – VMware vSphere and Hyper-V hosts/clusters
  • Granular file-level, VM, and application item restores to meet the scope of any ransomware infection
  • VM replication with both failover and failback capabilities
  • Offsite DR with the ability to copy backups to on-premises or cloud-based Vembu Offsite DR or Vembu Cloud DR servers
  • Backup verification with automated checks and tests of backups to ensure VMs are bootable with an emailed screenshot of the booted verified VM backup
  • Encryption of backups both in-flight and at-rest to thoroughly protect your data
  • Network reconfiguration including network mapping and re-IP’ing which is handled automatically

3-2-1 Backup Strategy

Automatic network and IP address reconfiguration with Vembu BDR Suite 4.0

Using Vembu’s powerful data protection solution, organizations can successfully meet the challenge of using the 3-2-1 backup strategy to recover from ransomware infection and restore access to data that has been lost. Vembu provides the tools and capabilities needed such as modern backups, replication, backup copies, and the built-in processes that go along with effective DR such as backup verification and encryption and network automation for DR.

Follow our Twitter and Facebook feeds for new releases, updates, insightful posts and more.

Like what you read? Rate us