Immutable Backups for Ransomware Protection: What NZ Businesses Need to Know in 2026

Ransomware attacks surged 126% in early 2025, and attackers routinely target backup systems first. According to industry research, over 90% of ransomware incidents attempt to compromise or delete backups—leaving organisations with no clean recovery point. For New Zealand businesses, immutable backups offer a critical defence: once written, backup data cannot be modified or encrypted, even if attackers gain full access. This guide explains how immutable backups work, why they matter for Kiwi IT teams, and how to choose the right approach for your organisation in 2026.

What Are Immutable Backups and Why Do They Matter for NZ Businesses?

Immutable backups are copies of your data that cannot be changed, deleted, or encrypted for a defined retention period—not even by administrators. They use a WORM (Write Once, Read Many) model: once data is written, it becomes read-only until the retention window expires. Think of it as a one-way door: data goes in, but nothing can alter or remove it until the retention period ends.

For NZ businesses, immutability matters for several reasons. First, ransomware actors deliberately target backup systems; if they can encrypt or delete your backups, your only option is often to pay the ransom. Second, New Zealand’s Privacy Act 2020 and sector-specific rules (including NZISM for government agencies) emphasise data protection and recovery capability—immutable backups support compliance and demonstrate due diligence. Third, Kiwi organisations often operate with tighter IT budgets than multinationals; immutable storage is a high-impact, relatively affordable control that significantly improves resilience. Fourth, insurers and auditors increasingly expect evidence of backup protection; immutable storage provides a clear, defensible control.

Small and mid-size businesses in Aotearoa are no longer off the radar. Ransomware-as-a-service has lowered the barrier for attackers, and automated campaigns target any organisation with exposed systems. Immutable backups give you a recovery option even when primary systems and conventional backups are compromised.

How Ransomware Targets Backups (and How Immutable Backups Stop It)

Attackers follow a predictable playbook. They gain initial access (often via phishing or unpatched vulnerabilities), move laterally across your network, and—before encrypting production systems—they target your backup infrastructure. That means backup servers, backup storage, and any management interfaces. In many incidents, attackers spend days or weeks mapping the environment so they can disable or corrupt backups at the right moment. If they compromise admin credentials, they can delete or corrupt conventional backups. Immutable backup storage prevents this: even with full domain control, attackers cannot modify WORM-protected data. The backup remains a read-only copy that survives the attack.

Sophos research from 2025 shows that 97% of organisations with encrypted data were able to recover—but only when they had intact backups. Where backups were compromised, recovery rates plummeted and organisations faced extended downtime or ransom payments. Another sobering finding: backup usage for recovery hit a six-year low, with only 54% of affected organisations using backups to restore. That suggests many Kiwi businesses may be underprepared. Immutable storage keeps a clean copy beyond the reach of encryption malware and closes the gap that attackers exploit most often. Industry guidance increasingly recommends immutable backups as a baseline control—alongside tested restore procedures—for any organisation that cannot afford prolonged downtime or ransom payments. It is not a replacement for other controls—patching, network segmentation, multi-factor authentication—but it addresses the most dangerous weakness in many backup strategies.

WORM Storage and the Technical Basics

WORM (Write Once, Read Many) is the underlying technology. Data is written once and cannot be overwritten or deleted until the retention period ends. Implementations vary:

  • Object lock (S3-compatible storage): Objects are locked for a specified retention period. APIs that would modify or delete the object are blocked at the storage layer. This is the most common model for modern backup tools that support object storage.
  • Snapshot immutability: Some platforms mark snapshots as immutable; they cannot be deleted before the retention window. Useful for primary backup tiers but often less flexible than object-based lock.
  • Appliance-based WORM: Dedicated backup appliances enforce immutability at the hardware or firmware level. Effective but can be harder to scale and may lock you into a single vendor.

For Veeam Backup & Replication and similar tools, S3-compatible object storage with Object Lock is the most common approach. You configure a capacity tier or archive tier pointing to an object storage bucket with Object Lock enabled; the backup software writes blocks that are then locked for your chosen retention (e.g. 30, 90, or 365 days). Look for providers that support S3 Object Lock (or equivalent) and host data in New Zealand if you need data sovereignty for NZISM, Privacy Act, or sector requirements. Performance matters less for backup than for primary workloads, but verify that restore times meet your recovery time objectives (RTO). During a ransomware incident, every hour of downtime costs money and reputation; you want confidence that restores from immutable storage will complete within your acceptable window. Run a full restore test at least annually.
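To make the Object Lock paragraph above concrete, here is an added example (not code from this article or from any vendor) that audits per-object lock metadata. It assumes dictionaries shaped like S3 HeadObject responses, using the S3 API's two retention modes, GOVERNANCE and COMPLIANCE; the object keys, dates and the function name are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: per-object metadata shaped like S3 HeadObject responses
# (ObjectLockMode / ObjectLockRetainUntilDate). Keys and dates are made up.
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE_OBJECTS = [
    {"Key": "backups/job1/blk-0001", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=30)},
    {"Key": "backups/job1/blk-0002", "ObjectLockMode": "GOVERNANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=30)},
    {"Key": "backups/job1/blk-0003", "ObjectLockMode": "COMPLIANCE",
     "ObjectLockRetainUntilDate": NOW + timedelta(days=3)},
    {"Key": "backups/job1/meta.json"},  # no lock fields: never locked
]


def audit_object_locks(objects, min_days_remaining, now):
    """Return {key: [findings]} for objects that are not protected as intended."""
    findings = {}
    for obj in objects:
        issues = []
        mode = obj.get("ObjectLockMode")
        until = obj.get("ObjectLockRetainUntilDate")
        if mode is None or until is None:
            issues.append("no retention set: object can be deleted or overwritten")
        else:
            if mode == "GOVERNANCE":
                # Governance-mode locks can be lifted by privileged principals.
                issues.append("governance mode: principals with "
                              "s3:BypassGovernanceRetention can remove the lock")
            elif mode != "COMPLIANCE":
                issues.append(f"unknown lock mode {mode!r}")
            remaining = until - now
            if remaining < timedelta(days=min_days_remaining):
                issues.append(f"lock expires in {remaining.days} days, "
                              f"below required {min_days_remaining}")
        if issues:
            findings[obj["Key"]] = issues
    return findings


if __name__ == "__main__":
    for key, issues in audit_object_locks(SAMPLE_OBJECTS, 14, NOW).items():
        for issue in issues:
            print(f"{key}: {issue}")
```

In a real audit the dictionaries would come from your S3 client's HeadObject call for each object version in the backup bucket, and the 14-day threshold would be replaced by your own retention requirement.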

Choosing Immutable Backup NZ Storage

When evaluating immutable backup storage options in NZ, consider:

Criterion: What to check

  • Object Lock support: Does the storage support S3 Object Lock (or equivalent) for your backup software?
  • Data residency: Is data stored in NZ data centres? Critical for government, health, finance, and regulated sectors.
  • Retention flexibility: Can you set retention periods that match your recovery objectives (30, 90, 365 days)?
  • Integration: Does your backup tool (Veeam, Commvault, etc.) natively support the storage without custom scripting?
  • Cost predictability: Are there hidden egress or API charges? Restore operations can move large volumes; surprise fees hurt when you need recovery most.
  • Support and SLAs: Can you get local support during an incident? A 24/7 NZ-based team matters when systems are down.

NZ-hosted, S3-compatible object storage with Object Lock is available from several providers. Compare not just list price per TB but total cost of ownership: egress fees, API costs, and support tiers. ASI Solutions InfiniStor, for example, offers immutable backup storage with data held in New Zealand, native Veeam and Commvault integration, transparent pricing (hot at $15/TB/month, cold at $5/TB/month) with no egress fees, and 24/7 local support. That addresses a common pain point: when recovery requires large data restores, egress charges from hyperscaler object storage can multiply quickly. With flat NZ pricing, you know what restore will cost before you need it.

Practical Next Steps for NZ IT Teams

  1. Assess your current backup protection. Could an attacker with admin rights delete or encrypt your backups? If yes, you have a critical gap. Walk through the scenario: assume domain compromise and ask whether your backups would still be recoverable.
  2. Identify retention requirements. Match retention to your recovery point objective (RPO) and compliance needs. Many NZ businesses start with 30–90 days; regulated sectors may require 365 days or more. Align retention with any NZISM, Privacy Act, or sector-specific expectations.
  3. Test restore from immutable storage. Do not assume it works. Run a test restore from the immutable tier to verify that your backup software can read and recover data. Document the process so that during an incident, your team knows exactly what to do.
  4. Document the control. Include immutable backups in your security and resilience documentation. Auditors and insurers increasingly ask about backup protection; clear documentation speeds reviews and can support insurance renewals.
  5. Review backup architecture. Ensure backup jobs write to immutable storage—either as a primary tier or a copy. Some organisations use a 3-2-1 rule: three copies of data, on two different media types, with one copy offsite and immutable.

If you are reviewing your backup strategy for 2026, ASI Solutions can help. With 40+ years supporting Kiwi businesses and backup solutions that keep data onshore, we can guide you through design and deployment. Book a meeting to discuss your requirements and explore how immutable backup fits your environment.
