The hard lesson of modern ransomware is that ordinary backups are not enough — attackers delete them first. The answer is immutability: a backup that physically cannot be altered or erased for its retention period. Here is how it works and why it has become essential.
- An immutable backup cannot be modified or deleted until its retention period expires.
- WORM — write once, read many — is the storage model that enforces this.
- Immutability defeats the attacker tactic of destroying backups before encrypting.
- Combined with isolation, it turns recovery from a hope into a guarantee.
The problem immutability solves
Attackers know that a victim with good backups will simply restore. So before they trigger encryption, they hunt for and delete every backup they can reach. If your backups can be deleted by whoever controls your environment, they can be deleted by an intruder who has taken it over. Ordinary backups share the fate of the systems they protect.
What immutable means
An immutable backup is one that, once written, cannot be changed or deleted until a defined retention period passes — not by an administrator, not by ransomware, not by anyone. The data is locked for a set time. Even with full credentials, an attacker cannot tamper with it.
WORM storage
WORM stands for write once, read many. It is the storage model that enforces immutability: data can be written and read freely, but never overwritten or erased before its lock expires. Many cloud object stores offer WORM-style object locking, and it underpins compliant archival across regulated industries.
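The following is an added illustration, not code from the original article: a small Python model of a WORM backup store whose per-object retention lock refuses overwrites and deletes until the lock expires, whoever asks, and whose retention can only be extended. It then replays the tactic described above, wiping every backup with admin rights before encrypting, to show that the locked snapshots survive. The store, the snapshot names and the dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class ImmutabilityError(PermissionError):
    """Raised when a request would alter or remove a locked object."""


@dataclass
class LockedObject:
    data: bytes
    retain_until: datetime


@dataclass
class WormStore:
    """Write once, read many: reads are free, but overwrites and deletes are
    refused until retain_until passes, and retention can only be extended."""
    objects: dict = field(default_factory=dict)

    def put(self, key, data, retain_for, now):
        if key in self.objects and now < self.objects[key].retain_until:
            raise ImmutabilityError(f"{key} is locked; overwrite refused")
        self.objects[key] = LockedObject(data, now + retain_for)

    def delete(self, key, now, caller_is_admin=False):
        # The lock belongs to the object, so admin rights (legitimate or
        # stolen) make no difference; the flag exists only to show that.
        if now < self.objects[key].retain_until:
            raise ImmutabilityError(f"{key} is locked; delete refused")
        del self.objects[key]

    def extend_retention(self, key, new_until):
        if new_until < self.objects[key].retain_until:
            raise ImmutabilityError("retention can be extended, not shortened")
        self.objects[key].retain_until = new_until


def survivors_after_attack(days_elapsed):
    """Seed two daily snapshots with 30-day retention, then wipe every backup
    reachable with admin rights days_elapsed days later; return what survives."""
    day0 = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed date
    store = WormStore()
    for name in ("xero/2024-01-09.json", "xero/2024-01-10.json"):
        store.put(name, b"snapshot", timedelta(days=30), day0)
    attack_time = day0 + timedelta(days=days_elapsed)
    for key in list(store.objects):
        try:
            store.delete(key, attack_time, caller_is_admin=True)
        except ImmutabilityError:
            pass  # refused: the clean copy is still waiting for restore
    return sorted(store.objects)
```

Run `survivors_after_attack(0)` to see both snapshots survive a wipe attempted inside the retention window; only once the window has passed (30 days here) does a delete succeed, which is why retention should be set no shorter than the longest time an intrusion might go unnoticed.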
A backup that can be deleted by whoever compromises your systems is not really a backup at all.
Immutability plus isolation
Immutability is most powerful alongside isolation — keeping backups outside the credentials, network and admin console of production. The Essential Eight backup strategy effectively asks for both: unprivileged users should not be able to reach or destroy backups. Together, isolation and immutability ensure a clean copy is always waiting, no matter what happens to production.
What it means for your data
For cloud accounting, immutability means your daily Xero snapshots are sealed for their retention period and cannot be wiped by a compromised login or a rogue user. That is the difference between a ransomware incident being a costly disaster and its being a manageable restore. When backups are immutable, retained and tested, your recovery objectives become realistic promises rather than aspirations.