"Ransomware-Resilient Backup with HPE StoreOnce and Zerto: An Immutability Solution"

Ransomware crews no longer just encrypt production data. They hunt for the backups first, because an organization that can restore clean copies does not pay. That single shift in attacker behavior is why immutable backup on HPE has moved from a nice-to-have to a board-level requirement, especially for federal, SLED, and healthcare environments where downtime carries legal and patient-safety weight. This guide walks through how immutable StoreOnce Catalyst stores plus Zerto recovery form a layered, ransomware-resilient backup architecture, and how to harden it correctly after CVE-2025-37093.
The problem: backups are the new target
The economics of extortion changed when attackers realized that destroying or encrypting backup repositories removes the victim's only leverage. Modern ransomware spends days inside a network, escalating privileges and quietly deleting snapshots, corrupting catalogs, and overwriting backup volumes before triggering encryption. By the time the payload fires, the "3-2-1" copies many teams trusted are already poisoned.
Traditional disk and tape backups have two weaknesses here. First, if a backup admin account is compromised, the data is mutable and can be deleted or expired early. Second, recovery is slow: restoring terabytes from a degraded environment can take days, which is unacceptable for a hospital EHR or a state benefits portal. The fix is not one product. It is an architecture that makes backup data unchangeable and recovery fast.
The HPE approach: immutable StoreOnce Catalyst + Zerto
HPE addresses both weaknesses with two complementary technologies that now sit under the same roof, since Zerto is an HPE company.
HPE StoreOnce for immutable backup HPE buyers can trust. StoreOnce is HPE's purpose-built backup appliance line, and its Catalyst protocol adds a secure, immutable store capability. When you enable immutability on a Catalyst store, backup copies are locked for a defined retention period and cannot be modified or deleted, even by an administrator, until the retention clock expires. This is what gives StoreOnce ransomware resistance: a compromised backup credential cannot expire or wipe the protected copies. StoreOnce also provides high-ratio deduplication, so retaining many immutable recovery points stays economical, and it integrates with major backup software (Veeam, Commvault, and others) through Catalyst.
Zerto for near-instant, ransomware-aware recovery. Where StoreOnce gives you a tamper-proof copy, Zerto gives you the speed and detection layer. Zerto uses continuous, journal-based replication that captures every production write in near real time, unlocking recovery point objectives (RPOs) measured in seconds and recovery time objectives (RTOs) measured in minutes. Crucially, Zerto includes real-time encryption-anomaly detection, so it can flag the early signature of an in-progress attack and let you roll back to a clean checkpoint from seconds before encryption began, rather than losing a full day.
The air-gapped layer: HPE Cyber Resilience Vault. For the highest-assurance tier, the Zerto-and-HPE Cyber Resilience Vault combines Zerto replication and journaling with HPE compute, networking, and storage in a physically isolated, air-gapped "clean room." The vault uses a zero-trust posture with no path to the internet or the production network and stores immutable copies on FIPS-validated hardware, which matters for federal and regulated buyers. Together these layers cover the full protect-detect-respond-recover cycle.
You can browse current HPE storage and data-protection options in our product catalog or compare appliance tiers on our compare page.
How the layers fit together
| Layer | HPE technology | Primary role | Ransomware benefit |
|---|---|---|---|
| Immutable backup store | StoreOnce Catalyst (immutable/secure store) | Tamper-proof, deduplicated retention | Backups cannot be deleted or expired early by a compromised admin |
| Continuous replication & recovery | Zerto | Journal-based replication, seconds RPO / minutes RTO | Roll back to a clean point just before encryption |
| Threat detection | Zerto encryption-anomaly detection | Early warning on suspicious write patterns | Detect an attack in progress, not after |
| Air-gapped clean room | HPE Cyber Resilience Vault | Physically isolated, zero-trust, FIPS-validated | A truly air-gapped backup the attacker cannot reach |
Don't skip the hardening: lessons from CVE-2025-37093
Immutability protects your data, but the platform that hosts it still needs to be patched and locked down. In mid-2025, HPE disclosed CVE-2025-37093, a critical authentication-bypass flaw in StoreOnce software (CVSS 9.8) rooted in an improperly implemented authentication method. It affected versions prior to 4.3.11 and could let an unauthenticated attacker gain access, which is precisely the kind of foothold ransomware operators use against backup infrastructure. HPE shipped the fix in StoreOnce 4.3.11.
The takeaway is not that StoreOnce is risky; nearly every backup platform has had critical CVEs, and backup systems are deliberately high-value targets. The takeaway is that a ransomware-resilient backup posture requires operational discipline alongside immutability:
- Patch to 4.3.11 or later and stay current on HPE security advisories.
- Isolate the management plane. Keep StoreOnce and vault management off the general production network and behind segmentation.
- Enforce least privilege and MFA on all backup admin accounts; immutability stops deletion, but you still want to block unauthorized access.
- Verify retention locks are actually enabled on Catalyst stores, not just configured in policy.
- Test recovery, not just backup. Run regular clean-room restores so your RTO is a measured number, not a hope.
Outcomes buyers care about
When the architecture is in place and hardened, the results map directly to procurement and risk objectives: recovery points within seconds and recovery times within minutes for protected workloads; immutable copies that survive credential compromise; an air-gapped tier for crown-jewel data; and the audit evidence (FIPS-validated hardware, zero-trust isolation, tested restores) that compliance teams in government and healthcare need to sign off.
How Uniqcli helps
Uniqcli is an authorized HPE, HPE Aruba Networking, and HPE Juniper Networking reseller, and we build immutable backup and ransomware-recovery solutions for federal, SLED, healthcare, and enterprise buyers end to end.
- Scope and design. We size StoreOnce capacity and dedupe ratios to your retention requirements, design the Zerto replication topology for your RPO/RTO targets, and determine whether an air-gapped Cyber Resilience Vault tier is warranted.
- Procurement your way. We supply TAA-compliant hardware and quote through the contract vehicles you already use, including GSA, NASA SEWP, and E-Rate where applicable. Tell us your vehicle and we will structure the order to match. Start at our quote page.
- Deploy and harden. We stand up the appliances, enable Catalyst immutability and retention locks, validate patch levels (StoreOnce 4.3.11+), segment the management plane, and configure Zerto detection.
- Support. We help establish a recovery-testing cadence and stay on HPE advisories so your environment does not drift out of compliance.
Browse the full lineup on our products page or request a tailored design and quote to get started.
FAQ
What makes a StoreOnce backup "immutable"? Enabling immutability on a StoreOnce Catalyst secure store locks backup copies for a defined retention period. During that window the data cannot be altered or deleted, even by an administrator, which is what neutralizes ransomware that tries to wipe backups using stolen credentials.
How does Zerto differ from StoreOnce in this solution? StoreOnce provides the tamper-proof, deduplicated copy you retain. Zerto provides continuous journal-based replication with seconds-level RPO and minutes-level RTO, plus encryption-anomaly detection so you can roll back to a clean point just before an attack. They are complementary layers, not substitutes.
Do I still need to worry about vulnerabilities like CVE-2025-37093 if my backups are immutable? Yes. Immutability protects the data, but you should still patch the platform (StoreOnce 4.3.11 or later), isolate management interfaces, and enforce MFA and least privilege. Defense in depth keeps attackers off the appliance in the first place.
Is this solution suitable for federal and healthcare compliance? It can be. The HPE Cyber Resilience Vault offers a physically air-gapped, zero-trust design on FIPS-validated hardware, and Uniqcli can supply TAA-compliant equipment through GSA, SEWP, and E-Rate. We tailor the design and documentation to your specific compliance framework.