My £12/Month “Fortress” Backup: Building a 5-2-2-1 Ransomware-Proof System

We’ve all heard the horror stories. You wake up, try to open a spreadsheet or a family photo, and you’re met with a cryptic .txt file demanding 2 Bitcoin to unlock your life. Or you leave your digital life in a bag on a bench in Australia with 3 weeks of photos and then go to the airport 👀 (because your camera can’t back itself up).
For a long time, the advice was simple: “Just follow the 3-2-1 rule.” But the reality in 2026 is that ransomware has evolved. Modern hackers don’t just encrypt your PC; they actively hunt for your connected backups and delete them before you even know you’re compromised.

I have a video available on the 321 method to get you started here!
If your backup is “visible” to your main computer, it’s a target. Here is how I built an enterprise-grade, bulletproof strategy for just £12 a month.
The Evolution of Backups
Why 3-2-1 Isn’t Enough
The traditional 3-2-1 backup rule (3 copies of data, on 2 different media types, with 1 off-site) used to be the gold standard. It protected you from hard drive failures, fires, and theft.

However, ransomware changed the game. Because modern malware spreads through your local network, it can “see” your NAS (Network Attached Storage) or your USB drives. If your backup software has permission to write to those drives, the ransomware has permission to encrypt them.
That’s why I’ve moved to the 3-2-1-1-0 method:
The +1 (Immutable/Air-gapped): A copy of your data that physically or logically cannot be changed or deleted for a set period, even if someone has your passwords.
The +0 (Zero Errors): Regular automated testing to ensure the data is actually restorable.

My 5-2-2-1 Architecture Setup
I’ve gone a bit further than the baseline. My setup is a 5-2-2-1 system, which provides five total copies of my data across different environments. The best part? Most of this uses hardware I already owned (sunk costs).
1. The Origin: Primary NAS RAID
Everything starts on my primary NAS. All my Docker containers, project files, and tech videos live here in a RAID configuration. This protects against a single drive failing, but it is **not** a backup.
2. Local Backup: The Studio PC RAID
Using automated tasks, the NAS data syncs to a dedicated RAID array inside my Studio PC. Since I bought this hardware years ago, this second local copy costs me nothing.
3. Off-site 1: The “Free” 5TB Google Drive
I use a 5TB Google Drive as my first cloud layer. Since my mobile provider (EE – In the UK) covers my Google AI subscription as part of my phone plan, this massive amount of storage is effectively free. It’s fast and great for quick file recovery.
4. Off-site 2: The Immutable Vault (Hetzner)
This is the MVP of the entire system. I pay £12 a month for a 5TB Hetzner Storage Box. While £12 is the only recurring cost in this setup, it provides the most value. I have the Immutable status data protection turned on. This means that once data is uploaded to this box, it cannot be deleted or altered by anyone—not even me—unless I turn that feature off manually outside of the storage box.

5. The immutable backup itself
As documented in number 4 the mere fact I’m using the immutable data protection mode on hetzner becomes the 5.
The Software That Glues It Together: Duplicati
To manage this flow, I use Duplicati. It’s open-source, powerful, and handles the heavy lifting of encryption and versioning.
The secret sauce here is **Version Control**. If ransomware hits my NAS today and encrypts everything, Duplicati will run its scheduled backup tonight. It will see the new “encrypted garbage” files and back them up.
In a basic “sync” setup (like Dropbox or OneDrive), this would overwrite your good files with the bad ones. But with Duplicati, it simply creates a **new version**. When I go to restore, I just tell the software to “Roll back to yesterday’s version,” and I get my clean data back.
The Ultimate Safety Net: Why Immutability Matters
You might be thinking: “What if the hacker gets your Duplicati password?” This is the ultimate edge case. If a hacker breaches your network and steals your API keys or passwords, they could theoretically log into your Google Drive or your local PC and manually delete every single backup version.

This is where the Hetzner Storage Box wins. Because the immutability is enforced at the server side by Hetzner, the “delete” command sent by a hacker (or a compromised Duplicati) will be flat-out rejected. The server effectively says, “Sorry, this file is locked until the protection is turned off manually outside of your control.” By then, you’ve realized you’ve been hacked, wiped your systems, and can still pull your clean data down from the vault.
Enterprise-level data protection doesn’t have to be a corporate expense. By leveraging the hardware you already have, taking advantage of subscription perks (like those from your mobile provider), and spending a modest £12 a month on a storage provider with immutable locking, you can achieve a level of security that even some big companies lack.
The Bottom Line
Build your vault before you need it. Because when it comes to data, “amateur” shouldn’t mean “unprotected.”
You can watch the video on the 321 method here to get you started and you can build it on from there!
You can also watch the hetzner backup video here.
And as always thanks for reading! Please don’t forget to share this post with as many of your friends as you can on as many social platforms as you can which demonstrates your appreciation for my work 🙌
