Criminals skip the appetizer and go straight for your backup buffet. Don’t let them.
Ransomware remains among the most destructive security threats organizations face. A 2025 Enterprise Strategy Group (ESG) survey of 200 IT decision makers across North America and Western Europe found two-thirds of organizations experienced ransomware attacks in the past two years, many suffering multiple attacks. When ransomware hits, it hits hard. Only nine percent of victims recovered within a day, while many took weeks. And recovery doesn’t mean getting all of your data back. The survey found 43% of companies recovering less than three quarters of their data.
Not only are attacks mounting in volume and severity with expanding target variety, but perpetrators’ tactics are evolving alarmingly. Threat actors now make backup data their primary objective, knowing victims are less likely to pay ransoms if they can restore from clean backup copies. Without restoration capability, organizations face existential threats and may have no choice but to pay.
The problem spans all sectors and sizes. Even healthcare organizations, where lives are at stake, aren’t immune. Backup is the last line of defense. If criminals breach and threaten to delete it, all may be lost.
According to ESG, 96 percent of ransomware victims who were hit in the last two years report backup data was targeted. Eleven percent say every attack focused solely on backups. Forty-four percent of backup attacks resulted in RTO difficulties, while 35 percent were left with missing or incomplete data.
When good defenses go bad
Traditional policy-based safeguards provide foundational protection but fall short against sophisticated criminal methods. Even modern multi-layered cybersecurity strategies grounded in zero trust can fail to prevent attacks. Successful intruders can compromise data, exfiltrate information, and seize administrative control to alter settings and delete assets.
No IT system is impenetrable. The pragmatic approach assumes breaches will happen and prepares for recovery. This underlines backup’s centrality in recovery strategy. It may provide the critical difference between survival and extinction.
The optimal backup protection is immutable data storage. Based on the write once, read many (WORM) principle, immutability makes data undeletable and unalterable for set periods once written. When created, a window of immutability ensures complete safety from attack.
Protected digital data capsules guard against ransomware, human error, and unauthorized changes, ensuring speedy reset even when primary systems are compromised. ESG’s research found 81 percent of organizations view backup storage immutability as crucial defense.
However, basic immutability versions can be compromised through hidden exceptions and exploitable loopholes. Even small cracks make granite walls porous. One example here is bolt-in immutability that is only applied after an initial backup, which leaves a vulnerability window for attackers to tamper with data. Another is snapshot immutability, which suffers from the same problem: data is vulnerable until the snapshot is created.
The absolute truth about data immutability
Only ‘Absolute Immutability’ – ensures data cannot be altered or deleted under any circumstances, rendering it safe even if production and backup systems are breached. It’s a term coined by Object First for a model in which neither a privileged admin nor an attacker has the power to modify or delete backed up data. It requires backup storage that’s secure by design, with zero access to destructive actions.
According to Object First’s research, 93 percent of respondents agreed immutable backup storage built on zero-trust principles is essential, while 97 percent plan to invest in secure, immutable backup storage.
Many organizations adopt Veeam for its backup, disaster recovery, and data protection capabilities. Object First created Ootbi (Out-of-the-Box Immutability)for this community. It’s an S3-native backup storage appliance providing immutable primary object storage for on-premises Veeam backups.
Ootbi is purpose-built for Veeam environments. Other solutions work with various backup software types, requiring under-the-hood adaptations that leave openings for intruders. With such loopholes, anyone with genuine or stolen admin rights can perform factory resets. Anyone accessing the operating system can make a backup mutable. Absolute Immutability means credentials such as user names, passwords, and even administrator rights don’t grant access for disruptive actions.
Three pillars of unbreakable backup
Ootbi provides immutability without sacrificing performance through three principles. The first is S3 Object Storage. This is a fully documented open standard with native immutability enabling independent penetration testing and verification.
Second is zero time to immutability. Backup data is immutable the moment it’s written.
Third comes a target storage appliance. This dedicated appliance segments storage from backup software, removing DIY risks during operations, setup, updates, and maintenance.
Deploying Ootbi helps ensure that whatever happens, from ransomware through to insider threats or credential breaches, backup data remains protected and recoverable. It requires minimal security expertise, shifting responsibility to the vendor.
Because Ootbi protects only Veeam, deployment is straightforward. Customers can be operational from a standing start typically within 15 minutes. It uses Veeam defaults and best practices for end-to-end encryption.
Scaling is similarly straightforward. Setting up the first appliance cluster takes 15 minutes, while adding a second node takes even less. More nodes equal faster performance, unlike other solutions where performance can decrease with additional nodes.
Performance and capacity scale linearly, but management overhead remains constant. Managing four nodes is as easy as managing one. Other vendors typically increase management overhead with more nodes.
Size doesn’t matter (but speed does)
Use cases span mid- to large enterprise, remote office/back office (ROBO) and SMB scenarios, including regulated industries and MSPs. Object First introduced consumption-based models offering greater deployment flexibility, removing upfront capital investment and aligning costs with usage.
Ransomware intruders target any size organization. Object First offers appliances with a range of capacities starting at 8 TB and scaling up to 7 PB, and data ingest speeds of up to 8GB/s. Users can mix, match, and scale nodes within clusters. It recently introduced the Ootbi Mini, a desktop tower form factor that can be deployed outside the data center to protect remote offices, branch offices and small businesses with the same security as other Ootbi appliances.
S3 Versioning ensures every write creates new object versions with unique numbers, guaranteeing traceability and recovery. S3 Object Lock ensures individual versions cannot be modified or deleted. It operates in Compliance Mode, which renders the appliance sealed with no entry for anyone. Ootbi doesn’t use Governance Mode, which allows admin fine-tuning and potential interference.
Cyber-resilience is increasingly a regulatory issue in scrutinized sectors. Financial services face FINRA scrutiny in the US and DORA in the EU, mandating resilience levels. S3 Object Lock helps organizations meet these requirements by guaranteeing that data cannot be altered or deleted once written. Consulting company Cohasset Associates declared Object First and Veeam as compliant with key financial services frameworks.
Trust but verify (especially the verify part)
Absolute Immutability requires third-party verification. Marketing claims unsupported by independent scrutiny may paper over partial or unverified immutability. Object First engages independent testing firms for validation.
NCC Group conducted comprehensive penetration tests on Ootbi and concluded: “Even if all customer secrets, including administrator and bucket credentials, are known to intruders, they still cannot modify data within Ootbi appliances.”
Veeam Version 12, released in February 2023, introduced the Smart Object Storage API based on the S3 standard. Ootbi was built around this API through partnership with Veeam, and continues to keep up with Veeam releases. The API segments backup jobs into smart entities, enabling traffic management. Veeam maintains metadata about data locations, enabling sSupercharged Instant Recovery and optimized network path selection for the fastest restore performance.
Veeam’s best practice extends zero trust to backup, securely separating backup software from storage. Even if someone accesses backup software, they need separate storage access to cause damage. The secure native immutability in the S3 protocol enables this separation.
Real-world resilience
Object First’s proposition has been delivering provable results with customers. Argus Research, an independent financial market research outfit, needed future-proof IT with ransomware-proof backups featuring immutability and Veeam integration. Previously relying on a standard SAN with off-site disaster recovery, Argus became concerned about ransomware preparedness.
“Modern problems require modern solutions,” says Tyler Jacobson, network and security analyst. “We wanted preparation for the inevitable.”
Deploying Ootbi provided the ransomware-proof backups and scalable disaster recovery Argus needed. “Sharing Veeam’s founders brought integration assurance. The repository was easy to install,” Jacobson notes. The solution delivers immutability keeping backup data protected, solid performance through Veeam integration, and proactive threat response through regular updates.
Similarly, Newnham College, a Cambridge University constituent college with 200 staff and 700 students, realized its backup storage wasn’t fit for purpose due to ransomware concerns, compliance requirements, and system complexity. Traditional NAS devices lacked advanced security features. Restore times stretched hours, backup failures required manual intervention, and recovery testing revealed inconsistencies, risking regulation violations.
“We prioritized solutions with class-leading support and seamless Veeam alignment,” says Rebecca Woollard, IT manager at the college. The college now has immutable storage ensuring tamper-proof backups, robust security with effective incident response, and streamlined processes freeing IT staff for strategic initiatives.
Ransomware attacks can take critical systems offline for extended periods. Data loss consequences extend beyond ransom payments to lasting reputational damage with customers and partners.
While ransomware remains the major cyberthreat targeting critical digital infrastructure, backup solutions offering Absolute Immutability become essential to avoid these consequences. Even with solid defense technologies deployed, a sound recovery strategy based on strong immutability remains vital.
Ootbi provides S3-enabled out-of-the-box immutability with hardened storage featuring zero access to destructive actions. Security comes through separation of backup software and storage layers following zero-trust practices. The system deploys in 15 minutes and scales easily, with automatic updates and optimization. It delivers backup speeds up to 8 GB/s, automatic load balancing, and linear capacity and performance scaling to multiple petabytes, benefiting from standard Veeam block size and encryption.
For Veeam users seeking practical, verifiable ransomware-proof backup protection, the combination of secure-by-design architecture, straightforward deployment, and third-party validation offers a path to genuine data resilience.
Sponsored by Object First.
