One of the best defense against ransomware is to backup data and verify its integrity regularly. If your data has been breached by a ransomware, you can always restore the data from backup. However, hackers using ransomware are increasingly targeting primary backups. Adding an air gap to the secondary copy of the backup can mitigate this,
An air gap is a security measure that protects backup data from intrusion, malicious software and direct cyber attacks The idea is to place a secondary copy of backups behind a private network that is not physically connected to the wider network (i.e. behind air gaps). These secondary air-gapped backups will provide preserved backup copies and will be capable of restoring data that have been attacked by ransomware.
One example of air gap implementation is by DellEMC. In the figure below, the Data Domain primary backup storage (Source) is replicated to a Data Domain secondary backup storage (Target) inside a vault. The vault is self-contained and self-secured. It is air-gapped except for replication in cycles. It also has encryption and data protection controls including mutual authentication of source and target, data-at-rest encryption, data-in-motion encryption, replication channel encryption, Data Domain hardening, and immutable data (using retention lock). In addition, it also contains applications that scans for security issues and tests for critical apps.