Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Will Malware Infect the Backups on My Connected Backup Drives as Well?

Question: You stated elsewhere that typically backup images are not compromised by malware. Is this because the malware works by searching for specific file types and the backup file types aren’t in the list? As I understand it from your articles on encryption, a complete disk could be encrypted rather than only some of the content. Could an external drive being used for backup storage be so encrypted by malware?

Typically, backup images and drives are not affected by malware. I have to say “typically” because things can happen, but it’s just not very common.

Become a Patron of Ask Leo! and go ad-free!

Malware and backup images

To begin with, and perhaps the most important point, malware doesn’t understand the file formats being used by your backup program. That means that they have no way to infect or insert themselves into a backup image.

The backup images (the files that contain your backup) are usually unaffected by malware – completely.

Now, the drive could certainly be infected; that’s not that uncommon. Like any removable USB drive, it could be infected in such a way that if you were to take it to another machine, AutoRun would kick in and infect that other machine. That is independent of the backups stored on your drive. The backups are basically ignored. The virus files are just additional files placed on the hard drive without touching your backup images.

Now, a complete disk could be encrypted; all of the files could be encrypted or erased for that matter. It’s just not that common.

Ransomware

Current ransomware (the software that encrypts files on your machine and holds it for ransom) actually focuses only on certain file types. There are many different file types that they look for, like .docx, .jpg, .pst and many more, but certainly not all of them.

Encrypted!In part, that’s so that they don’t encrypt something that’s required to keep Windows running. They need Windows to keep running, so that they can post up their window that has the ransom demand and enables you to contact their payment provider so that you can pay (which you should never, ever do – for the record).

Backup images are not on the list. Backup images like “.tib”, “.mrimg” and others are, for now, left alone. I suspect that’s mostly because they would take a long time to encrypt. Backup images are usually pretty big and they’re not the low-hanging fruit that the malware authors are going for. More quickly and easily encrypted are things like your email files, pictures and the documents you’re currently working on or use daily – on your C: drive.

Staying safe

I’m not saying that an external backup drive can’t be harmed by malware. They absolutely can, as can drives connected via network shares on other machines. It’s just not that typical. If you like, keep copies of backups offline somewhere, but honestly in a world of things to worry about, this part just doesn’t rank all that high for me.

I’d rather have you focus on keeping your entire machine safe to begin with. Leave the drive connected so your backups happen on schedule. My concern is that by periodically disconnecting the drive, you’re actually relying on your memory to connect it again so that you can get your backups. My personal experience has shown that can be very, very risky.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

50 comments on “Will Malware Infect the Backups on My Connected Backup Drives as Well?”

  1. As a computer tech…I see LOTS of malware, spyware, and virus infections! I also have said that the infection shouldn’t reach the backup drive…but I was proven wrong just this week! Had a customer with a “Cyberware/FBI/Ransom” ware which I disinfected and cleaned. She took the system and then discovered that she couldn’t open ANY Word documents! She brought it back into the shop and brought her external drive that she was backing up her Documents and Settings folder. It also has what we originally thought was corrupted files on it. I thought that maybe she had done a backup over the top the files on the external drive and that was where the corrupted files came from. It seemed however that she’d NOT done a backup but during the original infection the drive WAS connected! So now ALL of her Microsoft Office files(Word, Excel, and Powerpoint) are corrupt. Of course, with the system clean…any new docs etc. that she creates are fine…but there is nothing that I’ve been able to find to repair or decrypt the other files! RansomWare 2.0!!

    Reply
    • There’s an important distinction here – if that backup was simply copying files to her external drive – in other words the external drive was also full of .doc, .xls, and .ppt files – they they are indeed at risk. HOWEVER if backup imaging software had been used and the external drive had “.mrimg” files (Macrium backup images for example) then those files would, today, not have been impacted. The backup images could be used to restore whatever it was they contained.

      Reply
      • Given the importance of that distinction, perhaps it should be mentioned in the article itself? I suspect many people backup their files simply by copying them to an external drive.

        Reply
  2. If you’d lost everything in a house fire like our family did, I think you might reconsider not worrying about keeping backups off site. Thank God we had an online backup service, or we’d have lost everything. We backed up all our computers to each other, and several had online backups.

    After the fire, some of the hard drives I pulled and got info off them (although they were backed up also), but some computers were barely recognizable as computers. One is just … gone. There are a couple wires that *might* be what’s left of it. My daughter got another computer and restored from the online backup, and it was almost as if the computer had survived the fire.

    By all means, make a backup, but I suggest getting a backup service that will back up not only your computers but also connected devices like an external drive. The cost of the service isn’t that much when you realize what you’d give to get back your family pictures, your work, your *life*, really.

    Reply
  3. Hi Leo,
    Are you saying that if the backup is in the [mrimg] compressed file format and on the attached external hard drive, and the PC becomes infected – the compressed file will be immune? That is if the virus wasn’t backed up in the image in the first place.
    Thanks,
    Randy

    Reply
    • The .mrimg file is not immune to being encrypted. It just hasn’t been targeted by any malware yet. In the future, one day, who knows? One way to guard against this, is to copy your backup folder to another removable drive every few days and keep that away from your computer, preferably in another location as that will also protect you in case of fire or theft. An online backup like Backblaze or Carbonite is also a good supplement to an image backup. I use a drive that I bring to work and Backblaze. I’ve had my backside saved a few times by my image backup and I’ve gotten a few accidentally deleted and changed files back from Backblaze. I haven’t needed the offsite backup but that’s my fire insurance. I hope never to need that one. Maybe I’m a bit fanatic about backup, but it’s always better safe than sorry.

      Reply
    • That’s my understanding of the way things are today. It would take a LONG time to encrypt a backup – they’re currently focussing on the low hanging fruit of documents and similar – more normal sized files. Things could change. They could delete or damage the backups instead. But right now, they do not, and to be honest I’m not sure I expect them to. To me it’s much more important that the backups happen.

      Reply
  4. I make backup copies of my system + programs partition (C:) a couple of times a year in an external hard drive using special backup software (Paragon), each time scanning the PC thoroughly for viruses before making the backup. I also copy video and text files as such in the same external drive (different partitions, though), to have them easily available when needed. In the meantime, I have the external drive disconnected. I assume that if, in case of a persistent virus attack, I erase my hard drive completely using special software, I can be sure that I can get rid of the virus and everything on the external drive can be recovered. Comments ?

    Reply
    • If you only do a full backup once every 6 months, you would have to roll back your system to the last backup in case of failure. If that’s OK with you and you’re confident you have a full backup of your data, it should work. As for erasing your hard drive, that wouldn’t be necessary if you restore from an image backup as the act of restoring a backup gets rid of everything on your hard drive. Any traces of the virus in the unused portion of your disk wouldn’t be able to come back and haunt you after a full restore.

      Reply
    • Seems reasonable. Only thing that bothers me is that if a problem happens near the end of one of your cycles you’ll need to catch up with a half-years worth of updates to the OS and applications. I’d also want to make sure your day-to-day work was backed up somehow more frequently.

      Reply
  5. Thank you, Mark,
    I really was worried that the virus could infect the external drive and thus the system even during restoration, but according to your message I need not worry, so it is a simple process. Yes, I take the risk that some updating has to be done after restoration, but I am prepared to do so.

    Reply
  6. Thanks to Leo, too,
    I think you make a point I have to take seriously, so increasing the frequency of backups would be sensible (perhaps always keeping the two latest backups). The most valuable data files I try to keep in more than two locations, including a USB stick.

    Reply
  7. OK. Let’s say I get infected with encryption malware. I evaluate my situation and see that my back-ups don’t seem to be infected, and though it may be painful, I can reconstruct enough of what will be lost that I don’t need to pay the ransom. I decide to take your advice and not pay.
    What do i do now? How do i get rid if the problem? Can i just delete all the encrypted files and carry on from there. Or do I need to sanitize my computer to be sure I can’t immedately be infected again? And if so, how? I could go on, but you get the idea. How do I recover from this safely and as painlessly as possible?

    Reply
    • If you took a full image backup of your computer before the infection. And then reinstall the full image backup it will completely wipe the hard drive of everything and replace it with the old image. So it will do exactly what you need it to do!

      But still – the best solution is to be safe on the internet.

      Reply
  8. Do you mean that a file encrypted by ransom ware would be intact after being backed up? That seems unlikely to me, but I suppose i could try. Fortunately I have a backup made before the attack. What I was looking for is a way to delete the backup files on the external drive which were made after files were damaged.

    Reply
    • Once a file is encrypted by ransomware, it wouldn’t be made recoverable by backing up. What Leo means is that a file backed up before the attack would be able to be used for recovery.

      Reply
    • I don’t know what you mean by intact. If you’ve backed up an encrypted file then what you have in your backup is the file encrypted. On the other hand if you back up prior to the encryption then that file backup is not encrypted. The incidence of ransomware actually proactively going out and encrypting actual backups is very low.

      Reply
  9. I think protection bits on files for Read Only and Do Not Delete might thwart encryptors, unless they managed to get themselves privileged. I remember DEC’s VMS, with what seemed like dozens of privilege bits. Too bad Windows is still a toy.

    Reply
  10. What would a program be like if when something is encrypting or even compacting has to ask for permission first.
    And identifying itself. Seems to me that if something wanted to take control of my computer, that if I had a program installed first that would stop it and ask my permission first would certainly help. My mechanic won’t put anything on my truck unless I let him, so why not the computer? It already asks my permission for program (s) to install or change my system, so why not a but more involvement in what it does and stop that which is not wanted. Not sure how to distinguish between good and bad but there are those of you out there that can.

    Reply
  11. Last year I bought a Seagate Expansion 3tb. It came with Acronis imaging software and I try to do an image each month with the free version. I’m very careful from where I get downloads. In a rural area my remote connection is mobile via my Android 5 tablet so my computer is mostly offline. In the event that disaster should strike, can I expect Acronis to perform a restoration much as Macrium?

    Reply
  12. Things have moved on in the Ransomware field. I had 3 hourly MS 10 backup on the infected PC and it was rendered virtually useless by the virus, as the system replaced good files with bad. It also messed up the index so the Restore function said there was nothing there.

    Reply
  13. Recently had a friend lose files to ramsomware, including his Macrium image files on his USB ext drive. Images need to be offline is the message.

    Reply
  14. I don’t trust that ransomware won’t soon be (or isn’t already) infecting backup images or drives. I see bringing the backup drive online only during a backup/restore process as the only secure solution. I can envision ways to do this, but you’d never want to bring the backup online if the system is infected. So what’s the most effective way for an automated backup script/program to determine if a system is infected by ransomware? I can think of a few techniques with varying effectiveness, but I’m not fully educated on the details of how they work. So hearing other good ideas would be of great value. — Ferg

    Reply
    • My backups consist of system images using Macrium Reflect and EaseUS Todo (on different machines). In addition, all of my personal files are synchronized in the cloud using Dropbox. Dropbox retains all previous versions of changed files for 30 days (you can pay a little more for longer retention). A ransomware encrypted file appears to Dropbox as a changed file, which it is. To recover, I would be able to download the version of the file just before it was encrypted. It would take a lot of time to download, but I could get them back. My question is why doesn’t Dropbox market this feature.

      Reply
  15. Hi Leo, I posted a similar question before but it wasn’t on the appropriate article, and I think I can word it better.

    I recently backed up a computer with viruses, and I connected my external drive that I used for backing up to my new computer. The problem is that I connected the drive and THEN booted it up. I did remove viruses with an anti virus afterwards though.

    Is it possible that I may have infected my computer and external drive with a boot virus that is undected? Or does that type of virus not transfer to external drives when backing up?

    Thanks

    Reply
    • If a virus is in a system image backup file, there’s no way to execute the malware file. That’s covered in the article. If the viruses were simply copied to that external drive, malware on it wouldn’t automatically install itself unless you already had malware running on your machine. And if it, somehow, tried to install something, UAC would have warned you that a program wanted to make changes.

      Reply
      • Thanks a lot Mark. So even if a virus tried to infect the boot sector, I would still get a warning of a program wanting to make a change?

        Reply
  16. Hi Leo, sorry for yet another comment here. I’ve been debating asking this because it sounds stupid but I want to be clear on this.

    If I have a file that contains a virus and I right click and delete it, and then delete it from the recycle bin, is it possible for the virus to somehow still be around, or is it definitely out of my system?

    Thanks

    Reply
    • It’s still in your computer but in a form unable to execute itself. Only the intentional use of a deleted recovery file could resurrect it.

      Reply
      • Hey Mark, if you don’t mind me asking, is it the same way when an antivirus deletes a virus? Is it still on the system but hidden?

        Thanks

        Reply
        • In this case, I’d say it’s even more hidden as it is completely removed from the file index. It sits on the hard drive until the space is reassigned to another file and the it is overwritten. It could be restored only by a delete file recovery program which searches the drive for unindexed files.

          Reply
        • This varies based on the A/V program. Some do a true delete as you’ve described. Others perform a “quarantine”, which essentially moves the file into a staging location. This is done to protect you from deleting something important because of a false positives. Quarantines are safe because the file is a) obviously considered suspect by the A/v program, and b) never run from there.

          Reply
      • Thanks for the reply, Leo. One more thing. A third party software, such as SeaTools, that scans the drive for bad sectors and disk problems can’t execute a virus file, right? Do those circumstances only occur because attackers target outdated antivirus products? Or could it also happen with hard disk diagnostic tools too?
        Thanks

        Reply
  17. How about using FTP instead of CIFS/SMB to store backup files?
    I would assume that since the FTP session is closed once the backup is completed there is no way a ransomeware bug can encrypt files stored in an ftp server.
    Cheers,
    Andres

    Reply
  18. Hi, I have two questions. First, Use use Macrium image backups to an external USB drive for my own computer and those of my clients. I do a full backup once a week and differentials the other six days of the week. Generally this gives the user the ability to restore a full image going back as far as 3 to 6 months, in some cases more than 6 months if they don’t have a lot of stuff on their hard drive. I a number of cases I would like to be able to restore from 12 or even 18 months ago, but that would require a much larger USB drive capacity. Alternately, I could run full backups less frequently, e.g., once a month and do incrementals or differentials the other days of the month. This makes me a little nervous though. If incrementals, if even one incremental image file gets corrupted, all subsequent image files are useless as well, correct? So how reliable is the “Full image once a month, incrementals all the other days of the month” when it comes time to restore? What are the odds (statistically) of a an incremental failing to restore due to corruption, malware, bad sector on the USB drive, or any other reason?

    Reply
  19. Hi Leo, here’s my second question: Macrium Reflect ver. 7.1 and above has a feature called “Macrium Image Guardian”. The purpose is to protect Macrium Backup Image files from unauthorized modification by any and all processes except Macrium Reflect itself. Thus it blocks any attempt by any process to encrypt the backup image files, thereby protecting them from RansomWare. Have you ever tested this feature, or do you know of anyone or any product evaluation/testing organization that has thoroughly tested this feature? In your opinion, how fool-proof/fail-safe is it?
    Thanks,

    Reply
    • I can’t speak to how fool-proof it is (the world keeps making bigger fools), but I’ll put it this way: once I understood how it worked, I immediately enabled it on my Macrium Backups. It affects nothing else, except your own ability to manually delete image files, which you simply need to do using Macrium’s interface instead. I like it a lot.

      Reply

Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.