Best Ransomware-Proof Cloud Backup: Versioning, Immutability, and the 3-2-1 Rule
“I had backups. The ransomware encrypted those too.”
This is the most common horror story in ransomware recovery. Someone thinks their Dropbox or Google Drive protects them. Then ransomware hits, encrypts their files, and the “backup” dutifully syncs the encrypted versions to the cloud.
Game over.
What you’ll learn in this guide:
- Why cloud sync ≠ backup (the critical difference)
- What makes a backup actually ransomware-proof
- The best backup solutions with versioning and immutability
- The 3-2-1 backup rule that actually works
Commission disclosure:
- Backblaze: Commission (affiliate program)
- IDrive: Commission (affiliate program)
- Duplicati, Arq, restic: $0 (open source, no affiliate programs)
⚡ Quick Summary: Ransomware-Proof Backup Solutions
| Solution | Type | Versioning | Immutability | Price | Best For |
|---|---|---|---|---|---|
| Backblaze B2 + Object Lock | Cloud | Unlimited | Yes | $6/TB/mo | Immutable backups |
| IDrive | Cloud + Local | 30 versions | No | $80/yr (5TB) | Simplicity |
| Arq + Backblaze B2 | Software + Cloud | Unlimited | Yes | $50 + storage | Power users |
| Duplicati | Software (free) | Unlimited | Depends | Free + storage | Budget |
| Acronis Cyber Protect | All-in-one | Unlimited | Yes | $50/yr | Enterprise |
Quick winner:
- Best overall: Backblaze B2 with Object Lock — True immutability
- Easiest setup: IDrive — Set and forget with good versioning
- Best free: Duplicati — Open source, unlimited versions, you control everything
Why Your Current “Backup” Won’t Save You
Cloud Sync Is Not Backup
What Dropbox/Google Drive/OneDrive actually do:
- Mirror your local files to the cloud
- Sync changes in near real-time
- When ransomware encrypts your files, those encrypted files sync to the cloud
- Your “backup” is now encrypted too
The ransomware attack timeline:
- T+0: Ransomware encrypts local files
- T+5 minutes: Sync client detects changes
- T+10 minutes: Encrypted files uploaded to cloud
- T+15 minutes: You notice something is wrong
- T+20 minutes: Your cloud “backup” is fully encrypted
The horror story pattern:
“I thought I was safe. I had everything in Dropbox. Ransomware hit on a Friday, I noticed Sunday. By then, Dropbox had synced all the encrypted files and my free account only kept 30 days of versions—which were all encrypted versions.” — r/sysadmin
What Actually Protects Against Ransomware
A real backup needs:
- Versioning — Keep multiple versions of files over time
- Retention — Keep old versions long enough to recover from attacks you notice late
- Immutability — Prevent deletion or modification of backups, even with admin credentials
- Air gap — Physical or logical separation from your main system
- Delayed sync — Don’t immediately overwrite backups with potentially compromised files
The Ransomware Protection Hierarchy
| Protection Level | What It Means | Example |
|---|---|---|
| None | Sync only, no versions | Basic cloud sync |
| Basic | Limited versioning (30 days) | Dropbox Plus |
| Good | Extended versioning (180+ days) | IDrive, Backblaze Personal |
| Strong | Immutable backups + versioning | Backblaze B2 + Object Lock |
| Maximum | Immutable + air-gapped + 3-2-1 | B2 + local NAS + offline drive |
The 3-2-1 Backup Rule
This is the gold standard for data protection:
- 3 copies of your data
- 2 different storage types
- 1 copy offsite
Example implementation:
- Copy 1: Original files on your computer
- Copy 2: Local NAS or external drive
- Copy 3: Cloud backup (Backblaze B2, IDrive, etc.)
Why it works against ransomware:
- Ransomware can encrypt Copy 1 and possibly Copy 2 if connected
- Copy 3 in the cloud with immutability can’t be touched
- With versioning, you can roll back to pre-infection versions
Best Ransomware-Proof Backup Solutions
1. Backblaze B2 + Object Lock — Best Immutable Backup
- Price: $6/TB/month storage + $0.01/GB egress
- Versioning: Unlimited (you control retention)
- Immutability: Yes (Object Lock)
- Setup difficulty: Medium
Why Backblaze B2 wins:
Object Lock is the killer feature. Once enabled, files literally cannot be deleted or modified—not by you, not by ransomware, not by an attacker with your credentials.
How Object Lock works:
- Set a retention period (e.g., 30 days, 1 year)
- Files cannot be deleted until retention expires
- Even Backblaze support can’t delete them
- Ransomware with your credentials still can’t touch them
Key features:
- S3-compatible API (works with many backup tools)
- Object Lock for true immutability
- No minimum file sizes or charges
- 10GB free tier
- Pay only for what you use
Recommended backup software with B2:
- Arq ($50 one-time) — Mac/Windows, great UI
- Duplicati (free) — Cross-platform, open source
- restic (free) — Command line, fast, deduplication
- rclone (free) — Command line, powerful
Cost example (1TB with Object Lock):
- Storage: $6/month
- Annual: $72
- Restoring 100GB: $1
When to choose B2:
- You want true immutable backups
- You’re comfortable with slightly more setup
- You want pay-as-you-go pricing
- You’re backing up servers or NAS devices
2. IDrive — Easiest Setup with Good Protection
- Price: $80/year for 5TB (first year often $10-20)
- Versioning: 30 versions per file
- Immutability: No (but good versioning)
- Setup difficulty: Easy
Why IDrive:
IDrive is the “set it and forget it” option. Install the app, select folders, and you’re protected. The 30-version history is enough for most ransomware scenarios.
Key features:
- 30 versions of every file
- Local backup option (back up to an external drive too)
- Snapshot feature for point-in-time recovery
- Mobile backup included
- Express recovery (they ship you a drive)
- Multi-device (unlimited devices on one plan)
Ransomware protection:
- 30 versions means you can roll back to pre-encryption
- Snapshots let you restore entire folder states
- Local + cloud = pseudo 3-2-1 in one product
Cost for 5TB:
- First year: Often $10-20 (promotional)
- Regular price: $80/year
- 5-year total: ~$340
When to choose IDrive:
- You want simple setup
- 30 versions is enough (it usually is)
- You like the local + cloud combo
- Budget is a concern
3. Arq + Cloud Storage — Best for Power Users
- Price: $50 one-time + cloud storage costs
- Versioning: Unlimited (you configure)
- Immutability: Depends on backend (B2 Object Lock = yes)
- Setup difficulty: Medium
Why Arq:
Arq is backup software that YOU control. It encrypts locally before upload, works with multiple cloud backends, and gives you complete control over retention.
Key features:
- Client-side encryption (Arq never sees your data)
- Works with B2, S3, Google Cloud, Wasabi, local drives
- Unlimited versioning
- Deduplication saves storage
- Schedule and retention rules
- One-time purchase (no subscription for software)
Arq + B2 with Object Lock: This is my recommended setup for serious ransomware protection:
- Arq encrypts files locally
- Uploads to B2 with Object Lock enabled
- Immutable backups that can’t be deleted
- Unlimited version history
- Total control over retention
Cost example (Arq + B2, 1TB):
- Arq: $50 one-time
- B2 storage: $72/year
- Year 1: $122
- Year 2-5: $72/year
- 5-year total: $410
When to choose Arq:
- You want maximum control
- You understand the value of immutability
- You want one-time software cost
- You’re comfortable with slightly more setup
4. Duplicati — Best Free Option
- Price: Free (open source) + cloud storage costs
- Versioning: Unlimited
- Immutability: Depends on backend
- Setup difficulty: Medium
Why Duplicati:
Duplicati is free, open-source backup software that works with almost any cloud storage. It’s not as polished as paid options, but it’s powerful and costs nothing.
Key features:
- Free and open source
- AES-256 encryption
- Works with B2, S3, Google Drive, OneDrive, local drives
- Incremental backups (only uploads changes)
- Web-based interface
- Scheduled backups
- Deduplication
Duplicati + B2 Object Lock: Same immutable protection as Arq, but free software.
Cost example (Duplicati + B2, 1TB):
- Duplicati: Free
- B2 storage: $72/year
- 5-year total: $360
Limitations:
- Interface is functional but not beautiful
- Occasional bugs (it’s community-developed)
- Less hand-holding than commercial options
- No official support (community forums only)
When to choose Duplicati:
- Budget is $0 for software
- You’re technical enough to troubleshoot
- You want open-source transparency
- You’ll pair it with immutable storage
5. Acronis Cyber Protect — Enterprise-Grade
- Price: $50-90/year for home; enterprise pricing varies
- Versioning: Unlimited
- Immutability: Yes (Acronis Cloud)
- Setup difficulty: Easy
Why Acronis:
Acronis is the all-in-one solution: backup, antivirus, and ransomware protection in one package. It’s more expensive but includes active protection.
Key features:
- Active ransomware protection (blocks encryption attempts)
- Immutable cloud backups
- Full disk imaging
- Anti-malware included
- Blockchain-based file verification
- Automatic recovery
The active protection difference:
Unlike pure backup solutions, Acronis actively monitors for ransomware behavior and can stop encryption in progress. It’s defense + recovery in one.
Cost (Acronis Cyber Protect Home):
- Essential: $50/year
- Advanced: $90/year (more cloud storage)
- Enterprise: Custom pricing
When to choose Acronis:
- You want active ransomware blocking
- All-in-one solution appeals to you
- Budget isn’t the primary concern
- You’re protecting a business
Feature Comparison: All Solutions
| Feature | B2 + Object Lock | IDrive | Arq + B2 | Duplicati + B2 | Acronis |
|---|---|---|---|---|---|
| Immutability | ✅ Yes | ❌ No | ✅ Yes | ✅ Yes | ✅ Yes |
| Versioning | Unlimited | 30 versions | Unlimited | Unlimited | Unlimited |
| Local encryption | Via software | Yes | Yes | Yes | Yes |
| Local + Cloud | Via software | Yes | Yes | Yes | Yes |
| Active protection | ❌ No | ❌ No | ❌ No | ❌ No | ✅ Yes |
| Ease of setup | Medium | Easy | Medium | Medium | Easy |
| Open source | ❌ No | ❌ No | ❌ No | ✅ Yes | ❌ No |
| Mobile backup | ❌ No | ✅ Yes | ❌ No | ❌ No | ✅ Yes |
What Makes a Backup Truly Ransomware-Proof
1. Immutability (Most Important)
What it means: Files cannot be modified or deleted, even with admin credentials.
Why it matters: Ransomware with your credentials can delete regular backups. Immutable backups cannot be touched.
How to get it:
- Backblaze B2 Object Lock
- AWS S3 Object Lock
- Wasabi Object Lock
- Azure Immutable Blob Storage
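A check you can run on the bucket configuration itself, as an added example that is not part of the original guide: it audits the response of the S3 API's GetObjectLockConfiguration call (the shape boto3's `get_object_lock_configuration` returns) for the settings that decide whether a stolen credential can still delete backups. The function names, the 30-day target and the sample responses are assumptions constructed for illustration.

```python
def audit_object_lock(resp: dict, min_days: int = 30) -> list:
    """Findings for one GetObjectLockConfiguration response; empty list = OK."""
    cfg = resp.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled: versions can be deleted at will"]
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if not default:
        # Still safe if the backup tool sets retention on every upload itself.
        return ["no default retention: uploads without their own retention are unlocked"]
    findings = []
    if default.get("Mode") != "COMPLIANCE":
        # Governance retention can be bypassed by a credential that holds
        # the bypass permission; compliance retention cannot.
        findings.append("GOVERNANCE mode: a credential with bypass permission can delete")
    # The API carries the period as either Days or Years.
    days = default.get("Days", 0) + 365 * default.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention {days}d is below the {min_days}d target")
    return findings

# Constructed sample responses, shaped like the S3 API's JSON output.
# A bucket without Object Lock makes the real call return an error instead;
# the caller is assumed to pass {} for that case.
SAMPLES = {
    "strong": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
               "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}},
    "weak": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}},
    "no-rule": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
    "off": {},
}

def audit_all(samples=SAMPLES, min_days: int = 30) -> dict:
    """Run the audit over every sample and return name -> findings."""
    return {name: audit_object_lock(r, min_days) for name, r in samples.items()}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else findings)
```

A "no default retention" finding is only a problem if the backup software does not set a retention date on each object it uploads.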
2. Versioning with Long Retention
What it means: Keep multiple versions of files over extended periods.
Why it matters: You might not notice ransomware for days or weeks. You need versions from before the infection.
Recommended retention:
- Minimum: 30 days
- Better: 90 days
- Best: 1 year or more
3. Air Gap (Physical or Logical)
What it means: Backup storage that’s not continuously connected to your system.
Why it matters: Ransomware can’t encrypt what it can’t reach.
Options:
- Offline external drive (rotate weekly)
- Cloud backup (only connected during backup windows)
- Separate network segment
4. Delayed Sync / Verification
What it means: Don’t immediately trust changes; verify before overwriting backups.
Why it matters: Gives you a window to catch ransomware before it corrupts backups.
Implementation:
- Back up to a staging area first
- Run integrity checks
- Only promote to main backup after verification
- Some enterprise tools do this automatically
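One way to implement the staging check described above, as an added example that is not part of the original guide: it compares a staged backup against the last known-good manifest and holds promotion when most files changed at once and the new content has ciphertext-like entropy. The function names, the 50% change threshold and the 7.5 bits/byte cutoff are illustrative assumptions, and the sample files are constructed.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def manifest(root: Path) -> dict:
    """Map relative path -> (sha256, entropy of the first 64 KiB)."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            out[str(p.relative_to(root))] = (hashlib.sha256(data).hexdigest(),
                                             entropy(data[:65536]))
    return out

def gate(prev: dict, staged: dict, max_changed=0.5, high=7.5):
    """Return (promote, reason). Hold the run when most known files changed or
    vanished at once and the new content looks like ciphertext."""
    if not prev:
        return True, "first run, nothing to compare"
    touched = [k for k in prev if k not in staged or staged[k][0] != prev[k][0]]
    ratio = len(touched) / len(prev)
    # Renamed files show up as missing + new, so new high-entropy files count too.
    hot = [k for k, (digest, ent) in staged.items()
           if ent >= high and (k not in prev or prev[k][0] != digest)]
    if ratio > max_changed and hot:
        return False, f"{ratio:.0%} changed or missing, {len(hot)} high-entropy"
    return True, f"{ratio:.0%} changed or missing"

def demo():
    """Constructed sample: ten text files, one normal edit, then mass encryption."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for i in range(10):
            (root / f"doc{i}.txt").write_text(f"quarterly report {i}\n" * 200)
        good = manifest(root)
        (root / "doc0.txt").write_text("one normal edit\n" * 50)
        normal = gate(good, manifest(root))
        for p in root.glob("*.txt"):
            p.write_bytes(os.urandom(4096))  # stand-in for encrypted content
        return normal, gate(good, manifest(root))
```

Compressed archives and media files are high-entropy by nature, which is why the gate needs both signals (mass change and high entropy) before it holds a run.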
Implementation Guide: Setting Up Ransomware-Proof Backups
Option A: Backblaze B2 + Arq (Recommended)
- Time required: 1-2 hours
- Cost: $50 + ~$6/TB/month
Step 1: Create Backblaze B2 account
- Go to backblaze.com
- Create account
- Create a new bucket
- Enable Object Lock on the bucket
- Set retention period (recommend 30-90 days minimum)
- Create application key for Arq
Step 2: Install and configure Arq
- Download Arq from arqbackup.com
- Add B2 as destination (use application key)
- Select folders to back up
- Set schedule (daily recommended)
- Configure retention (keep all versions, or set policy)
Step 3: Verify
- Run initial backup
- Verify files appear in B2
- Test restore of a single file
- Confirm Object Lock is working (try to delete a file—it should fail)
Option B: IDrive (Simplest)
- Time required: 30 minutes
- Cost: $80/year for 5TB
Step 1: Sign up and install
- Go to idrive.com
- Create account
- Download and install desktop app
Step 2: Configure backup
- Select folders to back up
- Enable continuous backup or set schedule
- Optionally enable local backup to external drive
- Set up mobile backup if desired
Step 3: Verify
- Check that files are uploading
- Test version history (edit a file, check you can see old versions)
- Test restore
Option C: Duplicati + B2 (Free Software)
- Time required: 1-2 hours
- Cost: ~$6/TB/month (storage only)
Step 1: Create B2 bucket with Object Lock (Same as Option A, Step 1)
Step 2: Install Duplicati
- Download from duplicati.com
- Install and start web interface
Step 3: Configure backup job
- Add backup → B2 Cloud Storage
- Enter B2 credentials
- Select source folders
- Set encryption passphrase (important: save this!)
- Configure schedule
- Set retention policy
Step 4: Verify
- Run backup
- Check B2 console for files
- Test restore
Cost Comparison: 5 Years, 1TB
| Solution | Year 1 | Years 2-5 | Total 5 Years |
|---|---|---|---|
| B2 + Arq | $122 | $72/yr | $410 |
| B2 + Duplicati | $72 | $72/yr | $360 |
| IDrive 5TB | $80 | $80/yr | $400 |
| Acronis Essential | $50 | $50/yr | $250 |
| Dropbox Plus (2TB) | $120 | $120/yr | $600 |
Note: Dropbox is included for comparison—it’s NOT ransomware-proof without additional measures.
The Ransomware Recovery Test
Before you need it, test your recovery process:
Simulate an attack:
- Create a test folder with files
- Back it up
- “Encrypt” the files (rename them or replace content)
- Let backup run again
Attempt recovery:
- Restore previous versions
- Verify files are intact
- Document the process
Verify immutability:
- Try to delete a backup file directly from cloud console
- With Object Lock, this should fail
- If it succeeds, your backups aren’t truly immutable
Verify This Yourself
Don’t trust me. Verify everything:
Backblaze B2 Object Lock:
IDrive:
Duplicati:
3-2-1 Backup Rule:
The Bottom Line
Sync is not backup. Dropbox, Google Drive, and OneDrive will happily sync your encrypted ransomware files to the cloud.
True ransomware protection requires:
- Versioning — Keep old versions to roll back
- Immutability — Backups that can’t be deleted, even with credentials
- Separation — Backups not continuously connected to your system
My recommendation hierarchy:
- Backblaze B2 + Object Lock — True immutability, pay for what you use
- IDrive — Easiest setup, good versioning, great value
- Duplicati + B2 — Free software, same protection as Arq
The 3-2-1 rule works: 3 copies, 2 storage types, 1 offsite. With immutable cloud storage as your offsite copy, ransomware can’t touch your recovery option.
Test your backups. A backup you’ve never tested is just a hope, not a plan.
Legal Note: This guide provides general backup recommendations. For business-critical data or compliance requirements, consult with IT security professionals.
Affiliate disclosure: I earn commissions from Backblaze and IDrive. I earn $0 from Duplicati, Arq, and restic (open source). I recommend B2 + Object Lock as the best technical solution regardless of commission.