The Attack Scenario Nobody Talks About Honestly

Most discussions of ransomware focus on the moment of discovery — the ransom note, the encrypted files, the locked screens. That moment is dramatic and easy to write about. What's harder to talk about is the timeline before that moment, because it's where the real damage happens and where most backup strategies quietly fail.

Modern ransomware doesn't detonate immediately. It moves slowly and deliberately. The typical attack follows a pattern that looks like this:

Day 0
Initial access
A phishing email, an exposed RDP port, a compromised credential. The attacker is inside your network. Nothing looks wrong yet. Your backup runs at 2am and captures a clean image.
Days 1–14
Reconnaissance & lateral movement
The attacker maps your network, escalates privileges, identifies your most valuable data, and locates your backup systems. Your nightly backup runs every day. Every backup is now potentially contaminated.
Day 14–21
Backup systems targeted
The attacker disables or corrupts your backup agent, deletes snapshots, or begins slowly overwriting backup files with encrypted versions. You don't know this is happening.
Day 21+
Detonation
Encryption begins. The ransom note appears. You call your IT team. Someone says "we have backups" — and then you discover how many of those backups are clean, and how far back you'd have to go to find one that is.
Recovery
The question that matters
How far back is your last clean backup? Hours? Days? Weeks? The answer determines how much work is lost forever — and whether your backup strategy actually worked.

The uncomfortable truth is that a nightly backup schedule means your maximum guaranteed data loss is 24 hours — but in a slow-moving attack, it's often far worse. If the attacker spent two weeks corrupting your backup chain before detonating, you may be recovering from a snapshot that's weeks old. Every nightly backup run during that window made the situation worse.

What Traditional Backups Actually Give You

Before getting into what HuskHoard does differently, it's worth being honest about the landscape. Backup software has improved enormously. Modern solutions offer incremental-forever, deduplication, versioning, and cloud replication. None of that is nothing. But there are structural limitations that no amount of feature development resolves.

Backup Approach Typical RPO Attack-Aware? Air-Gapped? Immutable by Default?
Nightly full to NAS 24 hours No No — NAS is on the network No — files can be overwritten
Cloud backup (S3, Backblaze) Hours–1 day No No — reachable via API Optional (Object Lock)
Versioned snapshots (ZFS, Veeam) Minutes–hours No No — snapshots live on same system No — snapshots can be deleted
Tape with nightly job (LTFS) 24 hours No Yes — when ejected Optional (WORM cartridges)
HuskHoard active archive Near-zero (file-event level) Yes — event log detects anomalies Yes — by design Yes — WORM by policy

The row that usually surprises people is cloud backup. S3 and similar services feel safe because they're "offsite." But they are reachable over the network using credentials that live on your compromised machine. Ransomware groups routinely target cloud backup credentials specifically because victims assume they're untouchable. Object Lock (immutable storage) helps, but it has to be configured correctly, and most small deployments don't.

The NAS problem

A NAS device attached to your network is not an air gap. It is a network share. Ransomware can and does encrypt NAS shares — they show up as mapped drives to the malware, and the malware doesn't distinguish them from local storage. "Connected backup" is not the same as "protected backup."

Version History: Surviving the Ransomware Write

Traditional recovery means: "restore to the state of your last nightly snapshot." If your snapshot runs every 24 hours, your worst case is 24 hours of lost data. That's the Recovery Point Objective (RPO), and most backup marketing leads with this number.

HuskHoard’s approach is fundamentally different. Because it sits in the Linux kernel via fanotify, it intercepts every file read and write. When files age out of the hot tier, HuskHoard archives them to tape and leaves a small "stub" on the live server.

Ransomware usually targets your oldest, unmonitored files first. When it tries to read these archived files, HuskHoard intercepts the read via fanotify.

If it's a slow "low and slow" attack, HuskHoard streams the file from tape and the ransomware encrypts the local SSD copy, saving it as "Version 2". You lose nothing, because Version 1 is already permanently burned onto an immutable WORM tape. Furthermore, if the ransomware tries a brute-force mass encryption, HuskHoard spots the impossible spike in I/O restore requests. It can act as a circuit breaker, severing access before the tape drive ever spins up.

To recover, your incident response team relies on your index. As long as you follow best practices and continuously replicate the lightweight husk_catalog.db to an offsite S3 bucket, you don't need proprietary forensic tools. Because the catalog is fully open, you simply query it with standard SQL to instantly map the exact blast radius and roll back to the clean versions.

# 1. Query the open SQLite catalog to find the ransomware blast radius $ sqlite3 husk_catalog.db "SELECT file_path, version FROM catalog WHERE file_path LIKE '%.locked';" /archive/docs/contract_2026.docx.locked|2 /archive/financials/Q3_report.xlsx.locked|2 # 2. Surgically roll back to the historic Version 1 (The clean state) $ husk restore --file-path "/archive/docs/contract_2026.docx" \ --dest-path "/archive/docs/contract_2026.docx" \ --version 1 [INFO] Found '/archive/docs/contract_2026.docx' (Version 1) on Volume '/dev/nst0' [INFO] Restoring from Volume '/dev/nst0'... [INFO] Successfully rolled back to '/archive/docs/contract_2026.docx'

The recovery above has zero data loss for any file that had already aged into the archive tier. While active files sitting exclusively on your hot SSD since the last backup are still subject to your traditional Recovery Point Objective, the petabytes of historical data your business actually relies on — compliance logs, financial records, and legal contracts — are fully recovered in minutes. With traditional backups, that entire archive would require weeks of blind tape restoration.

The RPO Is the Event Log, Not the Backup Schedule

This is the conceptual shift worth sitting with. In a traditional backup architecture, your RPO is defined by how often you run a job. Run it every 15 minutes and your worst-case loss is 15 minutes. You trade compute, storage, and network overhead for a smaller RPO window.

In HuskHoard, there is no job. The event log runs continuously at zero overhead because the kernel event stream already exists — fanotify is just listening to it. The RPO is not a schedule. It's a timestamp. Any timestamp. Down to the second.

The Physical Air Gap: Unhackable by Definition

Software immutability — Object Lock, snapshot protection, WORM filesystems — is valuable. But it relies on the software being correctly configured and on the attacker not having found a way to bypass it. Sophisticated ransomware groups specifically probe for and disable software-level backup protections before detonating.

A tape cartridge that is not in a drive cannot be attacked. There is no network path, no API, no credential, no exploit that reaches physical media sitting on a shelf. This is not a security feature that can be misconfigured. It is physics.

0
Network Attack Surface
An ejected tape cartridge has no IP address, no open ports, no attack surface of any kind. It is as unreachable as a book locked in a safe.
Credential Resistance
Stolen admin credentials can delete cloud backups and disable software protections. They cannot reach a cartridge in a fireproof box. No credential grants physical access to offline media.
$105
Cost of an Offsite Copy
An 18TB LTO-9 cartridge costs $105. Driving it to a second location costs whatever your time is worth. That is a complete, physically isolated offsite backup for a flat fee.

HuskHoard's design makes the air gap a natural consequence of the storage model rather than an additional step. Files migrate to tape based on policy. Once on tape and ejected, they are air-gapped. You don't have to remember to eject — the cartridge rotation that's part of any sensible tape workflow produces the air gap automatically.

WORM Volumes and Immutable Retention

For data that needs to be not just backed up but provably unmodified — legal records, financial archives, compliance data — HuskHoard supports WORM (Write Once, Read Many) tape volumes. WORM isn't a software flag or a permission setting. It's a physical property of the cartridge media itself. Once written, the data cannot be altered or deleted by any software command, including by the tape drive's own firmware.

# husk_config.toml # High-value directories and file extensions are immediately forced to tape immediate_archive_dirs = ["/archive/legal/", "/archive/now/"] immediate_archive_extensions = [".bak", ".sql", ".raw", ".braw"] primary_volumes = ["/dev/nst0"] # The physical LTO Tape drive
# Check the capacity and health of your physical WORM volume $ husk info --tape-dev /dev/nst0 [INFO] Volume Health (/dev/nst0): [INFO] [████████████████████░░░░░░░░░░░░░░░░░░░░] 50.00% Written [INFO] Capacity: 6.00 TB / 12.00 TB total

The "straight-to-archive" capability completely eliminates the hot-tier vulnerability window for your most critical assets. If a database dump (.sql), a system backup (.bak), or a massive raw video file (.raw) lands on your server, HuskHoard doesn't wait for a standard aging policy. It intercepts the write and immediately flushes that file to WORM tape.

In a ransomware scenario, WORM volumes are completely irrelevant to the attacker. The malware cannot overwrite them, cannot delete them, and cannot instruct the drive to modify them. The compliance data survives any software-level attack unconditionally.

Regulatory note

WORM tape is widely accepted for SEC Rule 17a-4, FINRA, HIPAA, and similar compliance frameworks that require immutable, non-rewritable storage. If your industry mandates records retention with immutability guarantees, WORM tape cartridges are among the most auditor-friendly storage media available — they're physical objects with a hardware-enforced write-once guarantee that is easy to explain and verify.

The Recovery Workflow, Step by Step

Let's make this concrete. You arrive at the office on a Tuesday morning and discover ransomware has been running since 3am. Here is what recovery looks like with HuskHoard versus a traditional nightly backup approach.

Traditional Nightly Backup Recovery

  1. Determine when encryption started (this takes time — you're piecing together logs that may have been tampered with)
  2. Find the last backup that predates the attack — likely last night's 2am job, but potentially earlier if the attacker corrupted recent backups
  3. Accept that everything changed between the backup and the attack is gone
  4. Restore from the backup job — this can take hours for large datasets
  5. Manually re-enter or reconstruct anything lost in the gap

HuskHoard Recovery

  1. Query the Open Catalog: Run a simple SQL query on the husk_catalog.db to identify exactly which files were modified and given ransomware extensions (e.g., .locked).
  2. Identify the Clean Version: Note the version number of the files prior to the attack (usually Version 1).
  3. Load volumes: Nothing to do if the last version is on disk but for tape put the required tape cartridges back into the drive.
  4. Execute the Rollback: Loop the husk restore --version 1 command over the affected files.
  5. Zero-Delta Recovery: HuskHoard physically seeks to the clean blocks on the WORM tape, extracts the pristine files, and overwrites the ransomware garbage on your live server. Unaffected files are entirely untouched.
What "zero-delta" means in practice

If the ransomware started at 03:14:07, any file that was already in the archive tier or pushed via the "straight-to-archive" policy is perfectly preserved up to its last pre-attack state. While active hot-tier files will rely on your standard nightly backup, your entire historical archive experiences zero data loss. Across millions of historical files, the aggregate data loss drops from petabytes down to just the active SSD workload.

The combination of a continuous event log, a persistent catalog, physically air-gapped media, and WORM volumes doesn't just make recovery faster — it changes the calculus of whether to pay the ransom at all. When you can recover to the second before the attack, from media that the attacker provably could not have reached, the leverage disappears. While we have focused primaraly on tape in this example, writing to disk also provides a logical layer of protection because it is written to as a raw device and has no file system path. We will discuss this in another post.