You need to see your backups the way bad actors do: an invaluable resource that can be turned against your organization if you don’t protect them correctly.

Ransomware attacks focus on backup servers to either encrypt their data so they can’t restore other systems or to capture company IP and use it for extortion. Neither is a good outcome, so do everything you can to protect your backup data. Here’s how.

Encrypt backups
Encrypted backup data cannot be used to extort your company. Attackers might be able to exfiltrate it, but it will be useless without the keys. Encryption technology has evolved to a point that this can be handled with relative ease, allowing you to encrypt all backups wherever they are stored.

Use third-party key management
Reduce the likelihood that the bad actors will get their hands on both the encrypted data and the keys necessary to decrypt it by using a third-party key management system. It will likely cost more than key management that’s built into your backup system, but it’s well worth considering, especially if your system stores its keys inside a database that is encrypted only with the Windows machine key. That key is far too easy for adversaries to access once they manage to escalate privileges, and once it is accessed, your encryption keys are vulnerable.

Do not store backups as files
This recommendation is less obvious than the others but may be the most important. Bad actors can’t encrypt, delete, or exfiltrate backups they cannot see as files, so don’t give them that option. This includes locally attached disk arrays formatted as the F: drive or a deduplication appliance mounted via NFS or SMB. Instead, ask your backup-software or deduplication vendor for a more secure way to connect the two. It’s best to have this conversation before you buy, but most products have a way to do this.

Store backups on a different operating system
Most backup systems have the concept of media servers or storage servers where backups are stored. They should be running a different operating system, especially if your main backup server is Windows, which is often a target for ransomware attacks. Storing backups on a different OS helps build an air gap to protect the backups.

Use immutable on-premises storage
If your backup software supports it, use Linux’s immutability flag on your backups. When it’s enabled, nobody—attackers included—can delete backup files once they’re written, so it offers some protection. One important thing to note, however, is that this feature is easily disabled by anyone with root, so a bad actor with escalated privileges can unset the flag and delete backups.

Copy to tape or RDX
Tape is getting a resurgence in popularity because it is impervious to electronic attacks if it’s offline. The same is true of RDX, the removable disk-drive technology that behaves a little like tape. If you have the time to write a copy to tape and send it offsite, a hacker is going to have a hard time getting ahold of it.

Create a copy on immutable cloud storage
Unlike tape or on-premises storage with immutable features, cloud storage can be truly immutable. If you set the full immutable flag when copying backups to the cloud, even the cloud admin can’t delete it; the flag will automatically delete itself once the retention period passes. You should also configure your S3 buckets so they can only be written to by your backup application.
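
One way to check the two cloud settings above offline, as an added example that is not from the original article: it assumes the "full immutable flag" corresponds to S3 Object Lock in COMPLIANCE mode and that writes are restricted with a Deny statement keyed on `aws:PrincipalArn`. The account ID, role and bucket names are constructed placeholders, and the lint recognizes this one policy pattern rather than evaluating IAM in full.

```python
# Added example: static lint of a backup bucket's Object Lock settings and policy.
WRITE_ACTIONS = {"s3:PutObject", "s3:*", "*"}
NEGATED_OPS = ("ArnNotEquals", "ArnNotLike", "StringNotEquals", "StringNotLike")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _denies_all_but(stmt, writer_arn):
    """True for a Deny on writes whose only exempt principal is writer_arn."""
    if stmt.get("Effect") != "Deny" or stmt.get("Principal") not in ("*", {"AWS": "*"}):
        return False
    if not WRITE_ACTIONS & set(_as_list(stmt.get("Action", []))):
        return False
    for op in NEGATED_OPS:
        keys = {k.lower(): v for k, v in stmt.get("Condition", {}).get(op, {}).items()}
        if _as_list(keys.get("aws:principalarn", [])) == [writer_arn]:
            return True
    return False

def audit_backup_bucket(lock_cfg, policy, writer_arn):
    """Return finding codes; an empty list means both checks passed."""
    findings = []
    retention = lock_cfg.get("Rule", {}).get("DefaultRetention", {})
    if lock_cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object-lock-disabled")
    elif retention.get("Mode") != "COMPLIANCE":
        # GOVERNANCE mode can be bypassed with s3:BypassGovernanceRetention.
        findings.append("retention-mode-not-compliance")
    elif not (retention.get("Days") or retention.get("Years")):
        findings.append("no-default-retention-period")
    statements = _as_list(policy.get("Statement", []))
    if not any(_denies_all_but(s, writer_arn) for s in statements):
        findings.append("writes-not-restricted-to-backup-writer")
    return findings

# Constructed sample inputs (placeholder account ID, role and bucket names).
WRITER = "arn:aws:iam::111122223333:role/backup-writer"
WEAK_LOCK = {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}
GOOD_LOCK = {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}
WEAK_POLICY = {"Version": "2012-10-17", "Statement": []}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-backup-bucket/*",
    "Condition": {"ArnNotEquals": {"aws:PrincipalArn": WRITER}}}]}

if __name__ == "__main__":
    print("weak:", audit_backup_bucket(WEAK_LOCK, WEAK_POLICY, WRITER))
    print("good:", audit_backup_bucket(GOOD_LOCK, GOOD_POLICY, WRITER))
```

The dictionaries have the shape returned by the S3 `GetObjectLockConfiguration` call and a parsed bucket policy document, so real output can be passed in unchanged.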