Arq® Blog

Immutable Backup

Cyber threats are always evolving. Immutable, encrypted backups provide the ultimate in data protection because your data can’t be destroyed or stolen no matter what ransomware attack or other bad actor does.

That’s why we’re adding support for immutable backups to Arq 7.

[Update 20 April 2020: Arq 7 now includes support for immutable backups. Announcement here: Immutable Backups with Arq 7]

What is Ransomware and Why Should I Care?

Ransomware is a type of malware (malicious software) which criminals use to extort you. The malware encrypts your files with a key that only they have; your files are still on your computer, but they’re encrypted and you can’t read them. The criminal demands a ransom payment in exchange for decrypting your files back to their original form.

You can try decrypting the files yourself, but not all ransomware types have decryptors created for them, and some decryption tools available online have turned out to be ransomware in disguise!

Ransomware attacks are on the rise. Last year saw a huge increase in the number of attacks.

Evolving Threats and Limited Defenses

Installing an antivirus app that blocks ransomware can help, but isn’t a guarantee. The antivirus app has to block every possible attack scenario; one mistake and a new, unknown ransomware attack renders your files unreadable. Even if the antivirus app is updated to remove the new ransomware variant, it can’t bring back your files.

Ransomware attacks are constantly evolving as the attackers become more sophisticated. Some have begun encrypting backups on hard drives attached to the computer rendering the backups useless.

Humans are another risk to your data. Many ransomware attacks happen through “social engineering” — attackers use psychological manipulation to trick you into clicking on a malicious link or opening a malicious file, and you unwittingly install malware that encrypts all your files before you realize what’s happened. The attacker has the decryption key and you have to pay them to get your data back.

Backup Levels of Protection

Restoring your data from a backup is the best way to recover from a ransomware attack (after you’ve removed the ransomware from your system of course).

The first step in protecting your data is to follow the 3-2-1 rule of backup: 3 copies of your data on 2 devices and one stored off-site.

Storing a backup of your data in cloud storage is a convenient way to achieve off-site backup, and Arq Backup is compatible with many cloud providers like S3, Wasabi, B2, Google Cloud and others.

Encrypting your backups with a key that only you know is another important way to protect yourself against hackers gaining access to the backups, stealing your data, and attacking you with identity theft. Arq uses strong encryption to secure your backups from unwanted access. This is the “good” kind of encryption, where *you* have the key and can decrypt the data and get it back.

But what if the attacker gains access to your cloud storage account and deletes the backup data there?

Immutable Backups with S3 Object Lock

S3’s object-lock feature provides protection from attackers deleting or modifying your cloud backups. S3-compatible cloud providers like Wasabi and B2 also provide this feature.

Object-lock ensures that data cannot be deleted or overwritten by any user, including the “root” user or account owner. It’s known as “write once, read many” (WORM) storage.

We’re adding support for object-lock in Arq 7. When you create a backup plan in Arq 7 and you choose an object-lock-compatible cloud storage location, Arq will give an option to make your backups immutable for the time interval you choose.

Arq de-duplicates backup data to save on storage costs and quickly do subsequent backups. Each backup record points to the same data as the previous backup record except for new/modified/deleted items. Because of this, some or most of the data in your new backup record may have been uploaded a while ago. Fortunately S3 object locks can be modified in 1 respect: they can be extended. So Arq periodically refreshes the object lock’s expiration time to make sure objects are locked for at least as long as your chosen duration.

If you’d like to be notified when this feature has been added to Arq 7, please drop us a line at and we’ll keep you updated.

Need to back up your files securely to the cloud?

Set up backups in 1 minute with Arq 7:

Download Arq

30-day free trial

"Best backup solution? @arqbackup with your choice of cloud provider. Great program!! Always helpful when I have questions also. Great support!" @Tony_Simek Feb 5, 2021

"Just used @arqbackup for my first real world restore, which saved me hours of rework. Would recommend." @jonathon Nov 14, 2020