Tech Pulse

Ransomware Survival Guide: Hvorfor er 'Uforanderlighed' og 'Offline Backup' den sidste forsvarslinje for virksomheder i 2026?

Indholdet er maskineoversat. Se Ansvarsfraskrivelse for maskinoversættelse.

On this day in 2026, we must acknowledge a harsh reality: "backups" are no longer a safe haven for cybersecurity, but have become the primary target for hacker attacks.

With the weaponization of generative AI (GenAI), modern ransomware (Ransomware 3.0) is demonstrating unprecedented tactical intelligence. Although the dwell time in Networking is shorter, its destructive power has multiplied. Hackers no longer just encrypt your production environment; they now prioritize seeking out and deleting backup systems, wiping out snapshots, and even poisoning backup data, leaving enterprises in a desperate situation with no way out.

In the face of such threats, traditional backup strategies have become outdated. This article will delve into the two main pillars of building modern cyber resilience: Immutable Snapshots and Physical/Logical Air-Gapped Backups.

When backup software becomes an attack surface

According to the latest market threat report, over 90% of ransomware attacks attempt to destroy backup repositories. This has driven the storage and cybersecurity market to shift their technical paradigms, moving from the traditional RTO question of “How long will it take us to recover?” to “Are we sure our data still exists?” This is because storage systems are becoming more security-focused—they are no longer just simple data repositories, but have become critical defense points with built-in ransomware detection and prevention mechanisms. On the other hand, requirements related to Networking insurance (Cyber Insurance) have already started to list “immutable backups” as a prerequisite for underwriting or claims settlement.

In the era of AI vs. AI, even if traditional perimeter defenses (Firewall/EDR) block 99% of attacks, the remaining 1% can still be fatal. Therefore, "immutable" backups data are the key advantage for enterprises to refuse to pay ransoms at the negotiation table.

Core Technology One: Immutable Snapshots

What is "immutability"?

Simply put, it means "write once, read many" (WORM - Write Once, Read Many). Once data is written and locked, within the set retention period, no one—including System Management members, Root Permission owners, or even the QES software itself—can modify or delete these data.

In recent years, due to the widespread adoption of Object Lock, Object Lock based on the S3 API has become the standard for cloud and on-premises storage objects. Many modern high-speed storage arrays (All-Flash Arrays) model now integrate this feature directly at the underlying layer, eliminating the need for additional software layers. Furthermore, the information environment has introduced multi-factor authentication (MFA) enforced deletion. Even if a hacker obtains administrator credentials and wants to modify the immutability policy or forcibly delete snapshots, the system will trigger the "Four-eyes principle," requiring multiple people and multiple factors License before approval is granted. This ensures the undeletable characteristic of data.

Technical Core II: Physical and Logical Isolation (Air-Gapped Backups, Airgap Isolation Backup)

Traditional vs. modern Air-Gap are already very different. In the past, we thought of Air-Gap as removing the tape and locking it in a safe deposit box. Although this is effective, the recovery speed (RTO) is too slow and cannot meet modern business requirements. However, it can still serve as an offsite backup node and, in the event of Networking interruption and inability to recover, act as the last line of defense.

Modern "virtual air-gap" refers more to logical isolation and Networking layer blocking, including non-routable Networking (Non-routable Networks). We can store backups in a network segment completely isolated from the production environment, and only during the scheduled backup time will a specific secure channel be opened to transfer data for backup. Once the backup is complete, this specific secure channel is immediately closed, so hackers cannot access this isolated, unreachable golden backup area.

In addition, enterprises will also implement an isolated recovery environment (Cleanroom Recovery), using cloud resources to establish a separate secure clean area. Before restoring the backup data to the production environment, AI scanning and identification are first performed in the secure area to ensure there is no hidden malicious software.

From “Manual Disconnection” to “Intelligent Isolation”: The Evolution of Airgap+ Technology in Practice

After understanding the theory behind air-gapping, the most common practical challenge enterprises face is: “Do IT staff really have to go to the server room every day to plug and unplug Networking cables?” In an era of tight manpower, this is clearly unrealistic. Therefore, a new generation of backup protection technology has introduced the concept of “Active Air-Gap,” such as QNAP’s Airgap+ technology, which automates and smartens this concept.

The core logic of this technology lies in the concept of “Disconnected by default.” Unlike traditional firewalls that rely solely on rule-based software to block traffic, the modern Airgap+ integrates backup software (such as HBS 3) with the control layer of Networkingunit (Router or Switch). Only at the moment when a backup task is initiated will the system send a command to “wake up” the specific Networking interface (Link Up); once data transmission is complete, the Networking interface will be immediately shut down at the physical or logical layer (Link Down).

When setting up HBS backup and selecting remote NAS unit, you can conveniently enable the RTRR server. Scroll down on this page to find the Airgap+ option.

In the image, you can see that we selected a QNAP Switch supporting Airgap+. In this case, we chose the QSW-M3224-24T. You can see that the actual test speed in this case reached 1.02GB per second. The environment between the two devices is connected via 10GbE Networking, which makes the backup synchronization much more efficient.

This design creates a “time window” that is difficult for hackers to cross, because for 99% of the time, the backup server is completely invisible on Networking (Invisible), making it undetectable by scanning tools and unreachable by ransomware software. By using QNAP Router or a supported QNAP switch, you can deploy this upgraded version of Airgap+ with even higher Security isolation.

The protected NAS unit will be marked as protected in HBS 3. Even if you try to connect to this IP address, the system will not succeed, because it is hidden or blocked by Switch or Router.

QNAP NAS unit protected by Airgap+ will not be visible on the internal network. As shown in the two images below, even QNAP's Qfinder Pro cannot find this NAS after the system backup has established the Airgap+ mechanism.

In addition, for environments with high Security requirements, an advanced architecture can even adopt the "Bridge Mode," which means we can add an intermediary bridge unit (Bridge NAS) that is not storagedata between the production environment and the backup vault. The production server can only access the intermediary unit, while the actual backup vault is hidden behind the intermediary unit, forming a "deep defense" that isolates the core backup area. Even if the production environment is completely compromised, attackers still cannot find a digital path to the core of the backup, which significantly enhances the ultimate data Security of the backup domain.

In this environment, the interface of the QNAP switch QSW-M3224-24T immediately displays that the NAS unit TS-855X is connected to ports 17, 19, and 23, all of which are shown as disconnected.

Practical strategy: Upgrade the 3-2-1 backup rule to the 3-2-1-1-0 rule

The previous “3-2-1 rule” (3 copies, 2 types of media, 1 offsite) has proven insufficient in the face of targeted attacks. Many enterprises, when implementing business information and Networking environments, have already begun to promote organizational upgrades to the “3-2-1-1-0 rule.” What is this?

That is, in an information environment, you should have at least:

3 copies of data.

2 different storage media.

1 copy to be stored off-site (Offsite).

1 offline or immutable (Offline / Immutable) copy, which is currently a key focus in the market.

0 errors (automated verification ensures backup is readable and restorable).

Trust is good, but verification and locking are more important

As the global cybersecurity landscape becomes increasingly blurred, identity verification may be stolen and vulnerabilities may be exploited by zero-day attacks (Zero-day). Only Immutable Snapshots and Air-Gap Backups provide the new generation of digital gold vaults, ensuring that in an era of rampant ransomware, enterprise core data remains intact and unharmed.

På denne dag i 2026 må vi erkende en barsk realitet: "backups" er ikke længere et sikkert tilflugtssted for cybersikkerhed, men er blevet det primære mål for hackerangreb.

Med våbeniseringen af generativ AI (GenAI) demonstrerer moderne ransomware (Ransomware 3.0) hidtil uset taktisk intelligens. Selvom opholdstiden i netværket er kortere, er dens ødelæggelseskraft mangedoblet. Hackere nøjes ikke længere med blot at kryptere dit produktionsmiljø; de prioriterer nu at opspore og slette backupsystemer, slette snapshots og endda forgifte backupdata, hvilket efterlader virksomheder i en desperat situation uden udvej.

Over for sådanne trusler er traditionelle backupstrategier blevet forældede. Denne artikel vil dykke ned i de to hovedsøjler for at opbygge moderne cyberrobusthed: Uforanderlige snapshots og fysisk/logisk air-gapped backups.

Når backupsoftware bliver et angrebsmål

Ifølge den seneste markedsrapport om trusler forsøger over 90% af ransomware-angreb at ødelægge backup-repositorier. Dette har fået lagrings- og cybersikkerhedsmarkedet til at ændre deres tekniske paradigmer, fra det traditionelle RTO-spørgsmål "Hvor lang tid tager det at gendanne?" til "Er vi sikre på, at vores data stadig eksisterer?" Dette skyldes, at lagersystemer bliver mere sikkerhedsorienterede—de er ikke længere blot simple datalagre, men er blevet kritiske forsvarspunkter med indbygget ransomware-detektion og -forebyggelse. På den anden side er krav relateret til netværksforsikring (Cyber Insurance) allerede begyndt at liste "uforanderlige backups" som en forudsætning for tegning eller skadeopgørelse.

I AI mod AI-æraen, selv hvis traditionelle perimeterforsvar (Firewall/EDR) blokerer 99% af angrebene, kan de resterende 1% stadig være fatale. Derfor er "uforanderlige" backupdata den afgørende fordel for virksomheder, der nægter at betale løsesum ved forhandlingsbordet.

Kerne teknologi et: Uforanderlige snapshots

Hvad er "uforanderlighed"?

Kort sagt betyder det "skriv én gang, læs mange" (WORM - Write Once, Read Many). Når data først er skrevet og låst, kan ingen—inklusive systemadministratorer, root-brugere eller endda QES-softwaren selv—ændre eller slette disse data inden for den fastsatte opbevaringsperiode.

I de senere år, på grund af den udbredte anvendelse af Object Lock, er Object Lock baseret på S3 API blevet standard for cloud- og on-premises-lagringsobjekter. Mange moderne højhastigheds-lagringsarrays (All-Flash Arrays) integrerer nu denne funktion direkte på det underliggende lag, hvilket eliminerer behovet for ekstra softwarelag. Desuden har informationsmiljøet indført multifaktorautentificeret (MFA) sletning. Selv hvis en hacker får administratorrettigheder og ønsker at ændre uforanderlighedspolitikken eller tvinge sletning af snapshots, vil systemet udløse "fire-øjne-princippet", der kræver flere personer og flere faktorer License før godkendelse gives. Dette sikrer dataenes uudslettelige karakter.

Teknisk kerne II: Fysisk og logisk isolation (Air-Gapped Backups, Airgap Isolation Backup)

Traditionel vs. moderne Air-Gap er allerede meget forskellige. Tidligere tænkte vi på Air-Gap som at fjerne båndet og låse det i en bankboks. Selvom dette er effektivt, er gendannelseshastigheden (RTO) for langsom og kan ikke opfylde moderne forretningskrav. Dog kan det stadig fungere som en offsite backup-node og, i tilfælde af netværksafbrydelse og manglende mulighed for gendannelse, agere som sidste forsvarslinje.

Moderne "virtuel air-gap" refererer mere til logisk isolation og netværkslagsblokering, herunder ikke-routbare netværk (Non-routable Networks). Vi kan gemme backups i et netværkssegment, der er fuldstændig isoleret fra produktionsmiljøet, og kun under det planlagte backup-tidspunkt åbnes en specifik sikker kanal for at overføre data til backup. Når backup er færdig, lukkes denne specifikke sikre kanal straks, så hackere ikke kan få adgang til dette isolerede, utilgængelige gyldne backupområde.

Derudover vil virksomheder også implementere et isoleret gendannelsesmiljø (Cleanroom Recovery), hvor cloud-ressourcer bruges til at etablere et separat sikkert rent område. Før backupdata gendannes til produktionsmiljøet, udføres AI-scanning og identifikation først i det sikre område for at sikre, at der ikke er skjult skadelig software.

Fra "manuel afbrydelse" til "intelligent isolation": Udviklingen af Airgap+ teknologi i praksis

Efter at have forstået teorien bag air-gapping, er den mest almindelige praktiske udfordring for virksomheder: "Skal IT-personale virkelig gå til serverrummet hver dag for at til- og frakoble netværkskabler?" I en tid med stram bemanding er dette klart urealistisk. Derfor har en ny generation af backupbeskyttelsesteknologi introduceret konceptet "Active Air-Gap", såsom QNAP's Airgap+ teknologi, der automatiserer og intelligentgør dette koncept.

Kernelogikken i denne teknologi ligger i konceptet "afbrudt som standard". I modsætning til traditionelle firewalls, der udelukkende er afhængige af regelbaseret software til at blokere trafik, integrerer den moderne Airgap+ backupsoftware (såsom HBS 3) med kontrolaget af netværksenheden (Router eller Switch). Kun i det øjeblik, hvor en backupopgave startes, sender systemet en kommando om at "vække" det specifikke netværksinterface (Link Up); når datatransmissionen er færdig, lukkes netværksinterfacet straks på det fysiske eller logiske lag (Link Down).

Når du opsætter HBS-backup og vælger fjern-NAS-enhed, kan du nemt aktivere RTRR-serveren. Rul ned på denne side for at finde Airgap+-muligheden.

På billedet kan du se, at vi har valgt en QNAP Switch, der understøtter Airgap+. I dette tilfælde valgte vi QSW-M3224-24T. Du kan se, at den faktiske testhastighed i dette tilfælde nåede 1,02 GB pr. sekund. Miljøet mellem de to enheder er forbundet via 10GbE netværk, hvilket gør backup-synkroniseringen meget mere effektiv.

Dette design skaber et "tidsvindue", der er svært for hackere at krydse, fordi backupserveren i 99% af tiden er fuldstændig usynlig på netværket (Invisible), hvilket gør den uopdagelig for scanningværktøjer og utilgængelig for ransomware-software. Ved at bruge QNAP Router eller en understøttet QNAP switch kan du implementere denne opgraderede version af Airgap+ med endnu højere sikkerhedsisolation.

Den beskyttede NAS-enhed vil blive markeret som beskyttet i HBS 3. Selv hvis du forsøger at oprette forbindelse til denne IP-adresse, vil systemet ikke lykkes, fordi den er skjult eller blokeret af Switch eller Router.

QNAP NAS-enhed beskyttet af Airgap+ vil ikke være synlig på det interne netværk. Som vist på de to billeder nedenfor, kan selv QNAP's Qfinder Pro ikke finde denne NAS, efter at systembackup har etableret Airgap+-mekanismen.

Derudover kan et avanceret arkitekturdesign for miljøer med høje sikkerhedskrav endda anvende "Bridge Mode", hvilket betyder, at vi kan tilføje en mellemliggende broenhed (Bridge NAS), der ikke lagrer data mellem produktionsmiljøet og backup-hvælvet. Produktionsserveren kan kun få adgang til mellemenheden, mens det egentlige backup-hvælv er skjult bag mellemenheden, hvilket danner et "dybt forsvar", der isolerer kernebackupområdet. Selv hvis produktionsmiljøet er fuldstændig kompromitteret, kan angribere stadig ikke finde en digital vej til kernen af backupen, hvilket markant øger den ultimative datasikkerhed i backupdomænet.

I dette miljø viser interfacet på QNAP-switchen QSW-M3224-24T straks, at NAS-enheden TS-855X er forbundet til portene 17, 19 og 23, som alle vises som afbrudt.

Praktisk strategi: Opgrader 3-2-1-backupreglen til 3-2-1-1-0-reglen

Den tidligere "3-2-1-regel" (3 kopier, 2 typer medier, 1 offsite) har vist sig utilstrækkelig over for målrettede angreb. Mange virksomheder, når de implementerer forretningsinformation og netværksmiljøer, er allerede begyndt at fremme organisatoriske opgraderinger til "3-2-1-1-0-reglen". Hvad er det?

Det vil sige, at du i et informationsmiljø bør have mindst:

3 kopier af data.

2 forskellige lagringsmedier.

1 kopi opbevaret offsite (Offsite).

1 offline eller uforanderlig (Offline / Immutable) kopi, hvilket i øjeblikket er et nøglefokus på markedet.

0 fejl (automatisk verifikation sikrer, at backup er læsbar og kan gendannes).

Tillid er godt, men verifikation og låsning er vigtigere

Efterhånden som det globale cybersikkerhedslandskab bliver stadig mere uklart, kan identitetsverifikation blive stjålet og sårbarheder udnyttet af zero-day-angreb (Zero-day). Kun uforanderlige snapshots og Air-Gap Backups leverer den nye generation af digitale guldhvælvinger, der sikrer, at virksomhedens kerndata forbliver intakte og ubeskadigede i en tid med udbredt ransomware.

QNAP Marketing Team

Was this article helpful?

If you want to provide additional feedback, please include it below.

Når backupsoftware bliver et angrebsmål
- Kerne teknologi et: Uforanderlige snapshots
- Teknisk kerne II: Fysisk og logisk isolation (Air-Gapped Backups, Airgap Isolation Backup)
Fra "manuel afbrydelse" til "intelligent isolation": Udviklingen af Airgap+ teknologi i praksis
Praktisk strategi: Opgrader 3-2-1-backupreglen til 3-2-1-1-0-reglen
Tillid er godt, men verifikation og låsning er vigtigere