Tape is definitely not the best choice for primary recovery, but it does have features that make it a credible option for restoring systems and data that have fallen victim to ransomware without having to pay the ransom.

The cloud has many more upsides than tape as a recovery tool in general, but there are circumstances where tape should be seriously considered, and ransomware recovery is one of them.

When cloud’s not good enough

Using the cloud for ransomware recovery—or not—has become somewhat of a religious discussion in many circles. Choosing the cloud offers many positive things, including cost, speed, and immediate availability—all great advantages when responding to a ransomware attack.

But perhaps you work in an industry that does not yet trust the cloud. Some companies, and especially some governmental entities, really frown on relinquishing physical control over their data. They want a copy in their hands that they can manage both electronically and physically. They want to be able to put it in a box or cage that they can see and know that it is physically protected. They can’t see the cloud, so they regard it as unsafe.

Other organizations are fine with using the cloud for some applications but just don’t think of it as suitable for data protection.

The risk of disk

“If it’s on disk it’s at risk” was the marketing slogan for a tape company years ago. Perhaps that was in response to a disk vendor’s “Tape sucks, move on” campaign, but there was also some truth to the disk and risk claim.

If your backups are sitting on a disk drive in your data center that is accessible as a file system from the operating system of your backup server, it can indeed be attacked by the same ransomware you’re trying to defend against.

Even filesystems with immutability built into them can be overwritten if a hacker executes privilege-escalation to gain status as root or administrator.
So the tape vendor’s claim about disks and risks was true: If your data is on a disk in your data center, it can be attacked.

Tape is the only true airgap

A lot of backup vendors market their products as having an airgap between the backed-up data and the backup data. The truth is that all vendors that use disk as their storage mechanism can at best say they have an electronic or virtual airgap. Since everything is still on disk somewhere, even if that somewhere is in the cloud, there is a risk that something could happen to the backup copy.

It is also true that if you put enough separation between the primary copy and the backup-disk copy, you can reduce that risk to virtually zero. You do this by changing as many things as you can between the two copies. Don’t use the same OS, the same storage, the same authentication systems, or the same LAN—and use the best available security practices to keep your backup data safe.

Tape, on the other hand, offers a true physical gap between the protected system and the backup copy. It doesn’t need to be turned on or connected to a backup system. In fact, the thing that tape is best at is being put in a vault that is nowhere near electronics. Instead of being worried about electronic security, you only need to worry about the physical security, which is much easier to manage, despite what you may have seen in the “Ocean’s 11” movies. Tape on a shelf in a vault can’t be touched by ransomware, and that’s why many people are reconsidering it.

Tape myths

You may have heard that tape is both slow and unreliable, but neither is true. As long as you address tape’s limitations, tape can be an effective part of your ransomware-recovery strategy. It has an excellent uncorrected bit error rate (UBER) and coercivity rate. UBER measures how often your magnetic device writes a “one” when it should write a “zero”.
Coercivity is how likely a bit is to flip its polarity over time, a.k.a. bit rot. As long as you address these limitations, tape is a good place to store data.

Tape strategies vs. ransomware

If you are considering tape as part of your ransomware strategy, don’t send backups directly to tape. Tape drives write data at a certain speed and no slower. If the incoming transfer rate is slower than the speed at which a tape drive writes, the drive has to stop, reposition, and start again—back and forth, back and forth. So tape drives are essentially incompatible with incremental backup, and most backups are incremental.

A way around this problem is to send the backups to disk first. Because a disk is a random-access device, it can write data as it comes in, pause, and write the next chunk of data as it comes in without suffering performance loss. Once it has received a significant number of backups, they can be copied from the disk to tape at high speed, overcoming the mismatch between backup and tape.

Also, don’t be obsessed with getting the latest and greatest tape drive, because chances are you’re not going to be able to supply data at its advertised speed. Buying older and slower tape drives will make the job easier, and your restore process probably will not suffer much because throughput speed is rarely the problem during a large recovery.

There are many steps you should take to protect backups from ransomware that don’t necessarily include tape, but the bottom line is that tape should definitely not be off the table in a ransomware discussion. If you don’t like any of the other options, tape can be a viable option so long as you’re willing to accept its shortcomings. Make sure to back up to disk first and then copy to tape. And for goodness’ sake send that tape off-site, and put it in a vault managed by a professional organization that will keep it safe. Hopefully you will never need to use it, but if you do, you know it will be there.
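
The disk-first staging described under “Tape strategies vs. ransomware”, as an added example that is not part of the original article: backups accumulate in a spool directory and go to tape in one sequential pass once enough data is waiting, then the copy is read back and checked against SHA-256 checksums taken on disk. The names SPOOL, TAPE, MIN_BYTES and MANIFEST, the 256 KiB record size and the checksum step are assumptions of this example, and TAPE is assumed to be an auto-rewind device holding one archive per cartridge.

```shell
#!/bin/sh
# Added example, not from the article. SPOOL, TAPE, MIN_BYTES and MANIFEST are
# assumed names. TAPE is assumed to be an auto-rewind device (on Linux,
# /dev/st0) holding one archive per cartridge; a plain file works for a dry run.
# TAPE and MANIFEST must be absolute paths.

# Total bytes of the regular files waiting in the spool directory.
spool_bytes() {
    total=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        size=$(wc -c < "$f")
        total=$((total + size))
    done
    echo "$total"
}

# Read the archive back into scratch space and check each file against the
# checksums recorded on disk before the copy. Returns 0 only if all match.
verify_tape() {
    scratch=$(mktemp -d) || return 1
    rc=1
    if tar -b 512 -xf "$1" -C "$scratch" 2>/dev/null &&
       ( cd "$scratch" && sha256sum -c "$2" >/dev/null 2>&1 ); then
        rc=0
    fi
    rm -rf "$scratch"
    return "$rc"
}

# flush_spool SPOOL TAPE MIN_BYTES MANIFEST
# Returns 2 while the spool is too small to be worth a tape pass, 1 on a
# failed write or verification, 0 after a verified copy.
flush_spool() {
    spool=$1 tape=$2 min_bytes=$3 manifest=$4
    [ "$(spool_bytes "$spool")" -ge "$min_bytes" ] || return 2
    # Record SHA-256 checksums while the data is still on disk.
    ( cd "$spool" && for f in *; do
          if [ -f "$f" ]; then sha256sum "$f"; fi
      done ) > "$manifest" || return 1
    # One sequential write, 512 x 512-byte blocks = 256 KiB records.
    tar -b 512 -cf "$tape" -C "$spool" . || return 1
    verify_tape "$tape" "$manifest"
}
```

Keeping the manifest somewhere other than the backup server lets the same `verify_tape` check run again at restore time.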