Immutable Backups for Home Users: S3 Object Lock and Ransomware Protection Explained

Immutable backups can't be deleted or altered, even by ransomware with admin access. This guide explains how S3 Object Lock works, which NAS backup applications support it, the real cost in AUD, and whether it's worth the extra complexity for a home or small business setup.

Ransomware doesn't just encrypt your local files - it often targets backup destinations too. If your NAS backup to the cloud uses credentials stored on the NAS itself, ransomware that compromises your NAS can use those same credentials to delete or encrypt your cloud backup. Immutable backups solve this by making stored objects undeletable and unmodifiable for a defined period, regardless of what access credentials are used. Even if ransomware obtains full admin access to your backup account, it cannot alter locked objects.

In short: Immutable backups use S3 Object Lock (or vendor equivalents) to prevent deletion or modification of backup data for a set retention period. They add genuine ransomware protection beyond standard cloud backup. The main cost is slightly higher storage fees (no deletion = no cleanup) and added configuration complexity. For home users with irreplaceable data and any cloud backup already running, it is worth setting up. For business users with ransomware exposure, it should be standard practice.

What Makes a Backup Immutable

Standard cloud backup is mutable: the backup application has credentials that allow it to write, overwrite, and delete objects in the cloud storage bucket. Ransomware that gains access to the NAS can use those same stored credentials to connect to the cloud provider and delete the backup, defeating the entire purpose of offsite storage.

S3 Object Lock is an AWS-originated standard that changes this relationship at the storage layer. When Object Lock is enabled on a bucket and applied to an object, that object cannot be deleted or modified for the duration of the lock period, regardless of what credentials are presented. In Compliance mode, that means not the bucket owner, not the root account, and not ransomware using stolen credentials. The lock is enforced by the storage provider, not by the client application.

There are two Object Lock modes:

  • Compliance mode: The object cannot be deleted or modified by anyone, including the account owner, for the retention period. This is the strongest protection and is required for regulatory compliance in many industries.
  • Governance mode: The object cannot be deleted or modified by standard users, but privileged users with a specific IAM permission can override the lock. Slightly more flexible, but still provides strong protection against ransomware.

For home users, Governance mode is sufficient and slightly easier to manage if a genuine deletion is needed.

Which Cloud Providers Support Object Lock

S3 Object Lock was introduced by AWS S3 and has since been implemented by several S3-compatible providers. Support varies by provider and pricing tier:

Object Lock Support by Cloud Provider

| | Backblaze B2 | Wasabi | Cloudflare R2 | AWS S3 |
|---|---|---|---|---|
| Object Lock supported | Yes | Yes | Yes (limited) | Yes |
| Lock modes | Compliance + Governance | Compliance + Governance | Governance only | Compliance + Governance |
| Storage cost (approx) | USD $6/TB/mo | USD $6.99/TB/mo | USD $15/TB/mo | USD $23/TB/mo |
| Egress fees | None (1GB free/day) | None | None | Yes (USD $90/TB) |
| AU infrastructure | No (US/EU) | No (US/EU) | No (global edge) | Sydney region |
| NAS app support | Hyper Backup, HBS3 | Hyper Backup, HBS3 | Limited | Hyper Backup, HBS3 |

For Australian NAS users, Backblaze B2 and Wasabi are the two practical choices. Both support S3 Object Lock in both Compliance and Governance modes, integrate with Synology Hyper Backup and QNAP HBS3, and do not charge egress fees for Australian restores. AWS S3 is technically capable but costs 3-4x more per GB stored and adds significant egress fees for large restores. Cloudflare R2 has limited Object Lock support and limited NAS application compatibility as of mid-2026.

NAS Application Support for Immutable Backups

Synology Hyper Backup

Synology Hyper Backup supports S3 Object Lock when backing up to compatible S3 destinations including Backblaze B2 and Wasabi. The lock period is configured at the Hyper Backup task level, not in the cloud console. Hyper Backup must be updated to a version that supports Object Lock (check DSM Package Center for the latest). When enabled, each backup version is locked for the configured period. Backup rotation and deletion of old versions still work within the lock framework - Hyper Backup does not attempt to delete versions still within their lock period.

QNAP HBS3 (Hybrid Backup Sync)

QNAP HBS3 supports S3 Object Lock for compatible destinations. Configuration is similar to Hyper Backup - set the retention period in the job settings and ensure the destination bucket has Object Lock enabled. QNAP's implementation works with Backblaze B2 and Wasabi. Check the HBS3 release notes for the version that introduced Object Lock support before configuring.

Setting Up Object Lock: Configuration Steps

Object Lock must be enabled at bucket creation time. You cannot enable it on an existing bucket. This is the most common configuration mistake. The setup sequence is:

  1. Create a new bucket with Object Lock enabled. For Backblaze B2, toggle Object Lock during bucket creation in the web console. For Wasabi, the same option appears during bucket creation.
  2. Set the default retention in the bucket settings. A 30-day retention is a common starting point for home users - long enough to detect a ransomware event, short enough that storage costs from locked (undeleted) old versions are contained.
  3. Create a dedicated application key with write permissions to only this bucket. Do not use your master account key. The application key used by the NAS should have minimal permissions - write objects, list bucket, read objects. It should not have permission to modify Object Lock settings.
  4. Configure the backup application (Hyper Backup or HBS3) to use the new bucket and the restricted application key. Enable Object Lock in the task settings and confirm the retention period matches the bucket default.
  5. Run an initial backup and verify locked objects appear in the cloud console.

Key security insight: The application key used by your NAS should not have permission to modify Object Lock settings or manage bucket-level configurations. This means even if ransomware fully compromises your NAS and uses the stored application key, it cannot remove or shorten the Object Lock on existing backup versions. Lock management should only be possible from the cloud provider's web console using your master account credentials, which should not be stored on the NAS.
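One way to check step 3 and the key security insight above, for providers that accept S3-style IAM policy documents: this added example (not code from any provider or NAS vendor) audits the policy attached to the NAS key for permissions that could weaken Object Lock. The action names are real S3 IAM actions; the sample policies and bucket name are constructed, and Resource and Condition handling is simplified as noted in the comments.

```python
from fnmatch import fnmatchcase

# Real S3 IAM actions that let a key holder weaken Object Lock or the bucket.
FORBIDDEN = {
    "s3:BypassGovernanceRetention": "can override Governance-mode locks",
    "s3:PutBucketObjectLockConfiguration": "can change default retention for new backups",
    "s3:PutBucketPolicy": "can rewrite bucket access rules",
    "s3:DeleteBucket": "can delete the bucket once empty",
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _hits(statement, action):
    """True if the statement's Action/NotAction element covers `action`."""
    def match(patterns):  # IAM action names are case-insensitive; * and ? are wildcards
        return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    if "NotAction" in statement:  # NotAction covers everything except the listed actions
        return not match(_as_list(statement["NotAction"]))
    return match(_as_list(statement.get("Action")))

def audit_policy(policy):
    """Return {action: reason} for forbidden actions the policy grants.

    Simplification (assumption): Resource and Condition are not evaluated.
    Any Allow counts, a Deny counts only when it has no Condition, and every
    statement is assumed to target the backup bucket.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may appear without a list
        statements = [statements]
    findings = {}
    for action, reason in FORBIDDEN.items():
        covering = [s for s in statements if _hits(s, action)]
        allowed = any(s.get("Effect") == "Allow" for s in covering)
        denied = any(s.get("Effect") == "Deny" and not s.get("Condition") for s in covering)
        if allowed and not denied:  # an explicit Deny overrides any Allow
            findings[action] = reason
    return findings

# Constructed sample policies; the bucket name is a placeholder.
BUCKET = ["arn:aws:s3:::example-nas-backup", "arn:aws:s3:::example-nas-backup/*"]
RESTRICTED_KEY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": BUCKET,
     "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"]}]}
OVERBROAD_KEY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": "s3:*"}]}

if __name__ == "__main__":
    for name, policy in [("restricted", RESTRICTED_KEY), ("overbroad", OVERBROAD_KEY)]:
        print(name, audit_policy(policy) or "OK")
```

An empty result means the key holds none of the listed actions; a wildcard grant such as `s3:*` is reported for every one of them, including the Governance-mode override.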

The Storage Cost Reality

Immutable backups cost more than standard cloud backup because locked objects cannot be deleted on schedule. Standard backup rotation deletes old backup versions to control storage costs. With Object Lock, old versions stay in storage until the lock expires. The cost impact depends on your retention period and how frequently your backup application creates new versions.

A practical example with Backblaze B2 at USD $6/TB/month:

  • 500GB backup dataset, daily incrementals, 30-day retention: approximately 700-800GB total storage at any time. Cost: roughly USD $4.50/month (about AUD $7/month at current exchange rates).
  • 2TB backup dataset, daily incrementals, 30-day retention: approximately 2.5-3TB total storage. Cost: roughly USD $16-18/month (about AUD $25-28/month).

Immutable backup storage typically costs 20-40% more than standard backup storage, depending on change rate and retention period. For most home users, this is a modest cost for meaningful additional protection.

Is It Worth It for Home Users?

Immutable backups add real protection but also real complexity. A practical assessment:

Pros

  • Protects against ransomware using stolen NAS credentials to delete cloud backups
  • Compliance mode provides protection even against accidental deletion by the account owner
  • Standard S3 protocol - works with existing Synology and QNAP backup applications
  • Relatively low cost premium over standard cloud backup (20-40% more storage)
  • Set-and-forget once configured - no ongoing management required

Cons

  • Bucket must be created with Object Lock from the start - no retroactive enable
  • Slightly higher storage costs due to locked old versions accumulating
  • Adds configuration complexity - two-key setup required for proper security
  • Does not protect against ransomware that encrypts data before backup runs (only protects the backup copy, not the source)
  • Compliance mode locks are irreversible - test carefully before using in production

For home users who already have cloud backup running and have irreplaceable data (family photos, financial records, business documents), setting up Object Lock on a new bucket is worthwhile. The setup takes 30-60 minutes. The ongoing cost premium is modest. The protection is genuine.

For users who do not yet have cloud backup running at all, start with standard cloud backup first and add Object Lock once the basic backup is working reliably. Complexity during initial setup can delay getting any backup in place at all.

For small business users with any ransomware exposure, immutable cloud backup should be standard practice alongside local backup and tested restore procedures. The cost is easily justified by the protection value.

Can I enable Object Lock on an existing cloud backup bucket?

No. S3 Object Lock must be enabled at bucket creation time. You cannot add it to an existing bucket. To switch to immutable backup, create a new bucket with Object Lock enabled, run a fresh initial backup to the new bucket, then decommission the old bucket once you are satisfied the new backup is working correctly.

What retention period should I set for home backups?

30 days is a common starting point for home users. This gives enough time to detect a ransomware event (most are discovered within days) and recover from a pre-infection backup version. Longer periods (60-90 days) provide more recovery options at higher storage cost. Shorter periods (7-14 days) reduce cost but may not provide enough window to detect slow-moving ransomware before the oldest clean backup expires.

Does Synology Hyper Backup support Object Lock?

Yes. Synology Hyper Backup supports S3 Object Lock when backing up to compatible destinations including Backblaze B2 and Wasabi. Object Lock is configured in the Hyper Backup task settings. Ensure you are running a recent version of Hyper Backup from the DSM Package Center, as Object Lock support was added in a relatively recent release.

Will immutable backup stop ransomware from encrypting my NAS data?

No. Immutable backup protects the backup copy in the cloud from being deleted or modified by ransomware using your NAS credentials. It does not protect the data on the NAS itself. If ransomware encrypts files on your NAS before the next backup runs, those encrypted files may be backed up on top of your clean versions, depending on your backup schedule and retention. The protection is that locked older versions cannot be deleted, giving you a clean restore point to return to after recovery.

How much more does immutable backup cost compared to standard cloud backup?

Typically 20-40% more in storage costs, depending on your retention period and data change rate. With Object Lock, backup rotation cannot delete versions still within the lock period, so more versions accumulate in storage at any given time. For Backblaze B2 at USD $6/TB/month, a home user with 500GB of backup data might pay USD $4-5/month instead of USD $3-4/month for standard backup. The premium is modest for meaningful additional protection.

Immutable backup is one layer of a complete backup strategy. For the full picture on 3-2-1 backup design including local, onsite, and offsite approaches for Australian NAS users, read the complete guide.
