Ransomware is malicious software that encrypts every file it can reach on your computer and network — documents, client records, financial data, photos, everything — and then demands payment, typically in cryptocurrency, in exchange for the decryption key. The businesses that survive ransomware attacks without paying a cent all have one thing in common: they had a clean backup they could restore from. The businesses that do not have that backup face a choice between paying tens or hundreds of thousands of dollars with no guarantee of recovery, or losing everything.
Ransomware does not arrive through some exotic, sophisticated attack. In the vast majority of cases, it enters through one of three doors: a phishing email that an employee clicks, a compromised remote access connection with a weak password, or an unpatched vulnerability in outdated software. Once inside one machine, modern ransomware spreads automatically across the network, encrypting everything it can reach as quickly as possible.
By the time most businesses notice what is happening, the encryption is already spreading — or complete. The machine that was clicked on first is not the only casualty. Every shared drive, networked server, and connected backup that the infected machine could reach may be encrypted as well.
That last point is the critical one: connected backups get encrypted too. A backup drive that is plugged in when ransomware runs is not a backup — it is another victim.
The 3-2-1 rule is the industry standard for backup strategy that can actually survive a ransomware attack. It is simple enough to implement without technical expertise:
The key insight is the offsite, disconnected copy. A backup that is always connected to your network can be encrypted along with everything else. A backup that is disconnected — an external drive that is unplugged after each backup, or a cloud service that retains versioned history — cannot be reached by ransomware running on your local network.
Ransomware attackers increasingly target backup systems first, before encrypting primary files. They know that businesses with clean backups will not pay. If your backups are networked and always connected, they are not protected. The disconnected, offsite copy is what makes the 3-2-1 rule work.
Treating cloud file sync as a backup is one of the most common misconceptions. Services like Google Drive, Dropbox, and OneDrive sync your files continuously — which means when ransomware encrypts a file on your computer, the encrypted version syncs to the cloud and overwrites the original within seconds. Your cloud storage now contains encrypted files.
What saves you in this scenario is version history — the ability to restore a file to an earlier version before it was encrypted. Most cloud storage services retain version history, but for a limited time (often 30 days), and the feature needs to be enabled and understood before you need it.
Cloud storage with version history is a useful component of a backup strategy. It is not a complete backup strategy on its own. You still need a separate, independent backup that is not continuously synchronized with your primary systems.
For businesses that need reliable, tested backup capability, dedicated backup software goes beyond what file sync services provide. These solutions create full snapshots of your systems on a schedule, retain multiple historical versions, and can restore an entire machine — not just individual files — to its state from a specific point in time.
Some backup solutions also support immutable backups, where files that have been written cannot be modified or deleted — even by ransomware that gains access to the backup storage. This is the most robust protection available for backup data.
The right backup frequency depends on how much data loss your business can tolerate. If you generate or modify significant client files every day, a daily backup means you might lose up to 24 hours of work in the worst case. If that is unacceptable, back up more frequently. For most small businesses, daily automated backups to cloud storage plus a weekly rotation of a disconnected external drive covers the risk well.
Whatever schedule you choose, automate it. Manual backups that depend on someone remembering to do them will fail. The question is not whether they will miss a day — it is whether that will be the day you need the backup.
A backup that has never been tested is not a backup — it is a hope. Drives fail silently. Backup software has configuration errors. Cloud services run into sync problems. The only way to know your backup works is to test a restore before you need it.
At least once or twice a year, pick a few random files from your backup and restore them. Confirm they open correctly and contain the right content. If you have the ability to do a full system restore test in a controlled environment, even better. The five minutes this takes is nothing compared to discovering during a crisis that your backup was not actually working.
We set up and verify backup systems for small businesses — automated, tested, and configured so that a ransomware attack becomes a recovery, not a catastrophe.