I'm using BE for severall years to protect my data, from physical to virtual servers and also from specific data, like SQL databass and exchange stores.
Now i do use BE installed on one server wich is connected to 3 physical disks storage using only iSCSI protocol to those destinations to backup and duplicate the data between those places.
I recently was involved in a restoration of a company data, wich was attacked by ransonware, named Pedantback@protonmail wich is a recent Matrix variant. The attack was made, by not using the normalexe bot wich seeks shares and infect them, no, the attack was done by the hacker connected on the servers, by RDP, SSH... and once inside we started the ecryption process of everything he could access from the servers.
Regarding all this, if i'm using normal disk based copies, even with iSCSI for the network not reach directly those repositories, if for instance i activate the BE encrypetd copies, that could help anything, against such a kind of attack.
Or just have to be doing backups, manually to places and them turn them off.
Best backups for all
do the backup to tape or if on disk, then as you said disconnect the storage after backup..
There are some updates coming up which can help to protect the backups from these attacks. Stay tuned !
In BE 20.4 added ronsomware protection for disk based storages:
Ransomware Resilience.Backup Exec monitors access to its disk-based storage device locations. Any changes to the disk-based storage device locations can only be done by Backup Exec. No other process can write to the disk storage.
In verson 20.3 and early you should do duplicates from disk storages to physical tape library or cloud storage without dedup (because they can't be visible as local disks inside of the Windows OS)