Custodia Continuity
air-gapped vault

Ransomware Proofing

Modern ransomware goes after the backups first. If your backup is on the same network, the same cloud, or accessible to the same people, it is not a backup. It is a target.

The Backup That Gets Encrypted Too

Most organisations back up to a NAS on the local network, or sync to a cloud storage service like OneDrive or Google Drive. Both feel safe. Neither is.

A NAS on your network is reachable by anything on your network — including ransomware. When the attack hits, the NAS gets encrypted along with everything else. The backup you were counting on is gone.

Cloud sync is worse. It works both ways. When ransomware encrypts your local files, the sync service helpfully copies the encrypted versions over the good ones. By the time you notice, your cloud backup contains nothing but encrypted rubbish.

Your IT Provider Cannot Save You

Your IT supplier manages your network, your servers, your cloud accounts. They hold admin credentials. Anyone who compromises them reaches everything — including your backups.

Supply chain attacks are how some of the largest UK ransomware incidents have happened. If the people who manage your infrastructure also manage your backups, a single breach takes out both.

What Critical Third Copy Actually Means

A critical third copy is a backup that cannot be reached by your IT supplier, your cloud provider, your staff, or any attacker who compromises any of them. It is held by an independent third party on infrastructure that shares nothing with your operational environment.

Your day-to-day supply chain has no access. Your staff have no access. That is what critical third copy means. If anyone in your organisation or your supply chain can reach the backup, it is not independent enough.
  • No shared credentials — nobody who has access to your network has access to the backup
  • No shared infrastructure — the backup is not on the same cloud, the same network, or the same data centre
  • No shared attack surface — compromising your IT provider does not compromise the backup
  • No internet connection — the archive vaults are air-gapped, physically disconnected from any network

The Double Vault

Custodia operates two privately owned data vaults in separate physical locations. They are shared by nobody else. They have no inbound internet connection. Data enters through an intermediate collection server where it is scanned for malware and encrypted before it goes anywhere near long-term storage.

Both vaults hold a complete copy. If one is destroyed — fire, flood, theft — the other stands alone. Two copies, two locations, zero shared infrastructure.

How Data Gets In

1. Collection — your data is transferred to our intermediate servers over an encrypted connection. This is the only internet-facing part of the process.

2. Scanning — every file is scanned for malware before it enters the archive. If ransomware has already encrypted your data, we catch it here rather than archiving the damage.

3. Encryption — data is encrypted with keys that are not stored on the same systems. Even if someone physically stole a vault drive, the data is unreadable.

4. Air-gapped archive — encrypted data moves to the offline vaults. From this point, it is unreachable from the internet, from your network, and from anyone who does not have physical access to the vault.

Cloud Providers Do Not Guarantee Your Data

Microsoft's service agreement is explicit: they recommend you back up your data using a third-party service. Google's position is the same. Their responsibility is uptime of the platform. The safety of your files is your problem.

Deleted a SharePoint site by accident? Microsoft's recycle bin gives you 93 days. After that, it is gone. A departing employee wiped their OneDrive? If you did not notice in time, the data is unrecoverable.

Our disaster recovery service takes independent daily snapshots of your Microsoft 365 and Google Workspace environments alongside your on-premise data. Point-in-time restore from any snapshot. Completely independent of your cloud provider.

What We Protect

  • On-premise servers, workstations and file shares
  • Microsoft 365 — SharePoint, OneDrive, Teams, Exchange Online
  • Google Workspace — Drive, Shared Drives, Gmail
  • Websites, databases and application data
  • Cloud infrastructure and SaaS configurations
  • Recovery available 24/7, 365 days a year

Safe Restore

Most backup providers send data straight back into your compromised network. If the attacker is still inside — and they usually are — they encrypt it again. You are back to square one, except now you have used your only recovery option and it failed.

With our approach, your data is restored to a secure, isolated environment that has no connection to your compromised network. Your team works from the clean environment while we help you verify that your own systems are safe before anything goes back.

If you need us on site, we drive to you. We bring the hardware, the data and the expertise. We stay until you are running again. That is proper disaster recovery — engineers on site, not a support ticket and a cloud portal.

Ransomware Proofing with Custodia

  • Air-gapped double vault — two copies in two locations, no internet connection
  • Zero shared access — your IT provider and your staff cannot reach the archive
  • Malware scanning — infected files caught before they enter the vault
  • Safe restore — recovery to an isolated environment, not back into the breach
  • On-site response — we come to you when remote is not enough
  • Tested regularly — we verify restores work, not just that backups complete
  • Cloud backup included — Microsoft 365 and Google Workspace independently protected

Find out how ransomware-proof your organisation really is

Get in touch with us today.

Call us on

01629 369 250

Email us at

sayhello@custodiauk.com