[dxld]

I've been thinking about this problem for a while now. Personally I use restic[1] and B2 with a dedicated API key that can't delete anything.

[1]: Patched slightly to make it work, https://github.com/restic/restic/pull/2398 (hope this will get merged eventually)

How one goes about not accumulating backups forever is a problem with this setup. My basic plan is manually switching to another bucket and verifying the newly backed-up data before deleting the old bucket.

You can also enable a time-based deprecation of hidden files on B2 then you don't have to actively do anything, but in theory if the malware bides its time it could still delete/overwrite everything without you noticing.

If you want to self-host the restic/rest-server also has a --append-only flag that would have a similar effect, but if you use that you'll have to make sure the malware can't hop onto your backup machine via ssh.