Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Recovering from Ransomware with an Online Backup

One of the comments I quickly received on my article “Using OneDrive for Nearly Continuous Backup” was this:

If one should fall victim to hostile file encryption, instantaneous backup to OneDrive presumably would result in those being encrypted too.

In other words, if you’re using OneDrive (or Dropbox, or other similar services) to automatically back up files online whenever they change, doesn’t that mean that ransomware would cause those backups to automatically be replaced with their encrypted versions?


But before you give in to a knee-jerk reaction to avoid online backups completely, consider this: they’ll give you more options, not fewer, should ransomware ever strike. In fact, they could save you in ways other backups might not.

Become a Patron of Ask Leo! and go ad-free!

Online backup to the rescue

Whenever a file is deleted from your computer in a folder being continuously backed up by OneDrive1, the following happens:

  • Any prior copy of the file is moved to a Recycle Bin on the OneDrive servers.

Whenever a file changes on your computer in a folder being continuously backed up by OneDrive2, the following happens:

  • The prior copy is moved to the version history for that file. (A kind of recycle bin specifically for that file.)
  • The new copy is uploaded.

Yes, OneDrive has a Recycle Bin. This means OneDrive can save your data from ransomware.

OneDrive Version History Access It would work like this:

  • You use OneDrive to keep a more-or-less continuous backup of your data online.
  • Your machine becomes infected with ransomware of some form, and all your data files are encrypted (and therefore lost to you).
  • If you are online, OneDrive dutifully notices that the files have changed, and backs up the now-encrypted files.
  • You panic. (Technically, this step is optional, but quite common.)
  • You disconnect, clean up, rebuild, or otherwise remove the malware from your machine, but are left with all of your files encrypted.
  • You visit OneDrive online3, and recover your unencrypted files from its Recycle Bin and each file’s version history.
  • You vow to never again do whatever it was that allowed the malware infection to happen in the first place.
  • Life goes on.

OneDrive just saved your bacon. What’s more, everything I’ve described above all happens without any other form of backup in place.

But of course, you also have other forms of backup — right?

Belt and suspenders and suspenders

The person who originally left the comment continued:

A simple, but probably inefficient, means I use is to weekly make a copy within OneDrive of backed up files.

This is (almost) exactly what I do myself. Every night I make a copy, elsewhere on my machine, of everything in my OneDrive folder, in the form of a compressed archive (like a “.zip” file). Should I ever succumb to ransomware, I can recover my files from that additional backup. I would not make the copy “within OneDrive”, however, since ransomware could impact that backup copy as well.

Backing Up In Windows 10

Backing Up in Windows 10

This article is excerpted from Backing Up In Windows 10, available now. Top-to-bottom, end-to-end, Backing Up In Windows 10 will walk you through all the steps you need to keep your data safe, using Windows 10's built-in tools, as well as a free alternative.

Of course, on top of that, I have my nightly backups running to an external hard drive: monthly full backups with daily incrementals, meaning I can always recover the files “as of” a few days ago. (And in case I happen to run across ransomware that also tries to encrypt backups … some of those backups are copied elsewhere, effectively “offline” and not directly accessible to my machine.)

It would take a lot for even the nastiest ransomware to cause me to lose any significant number of files.

You don’t need to go overboard

You don’t need to be as backup-crazy as I am. You can protect yourself with just a few simple steps.

And, honestly, that last one is just to make people panicking about ransomware encrypting their backups happy. That doesn’t happen so often that I consider it truly critical, particularly with what we’ve just discussed about OneDrive’s Recycle Bin.

Don’t let the worst case scare you away from reasonable choices

What concerns me most are folks who say they won’t use online backups because their files might be encrypted by ransomware and the online backup would be useless.

Ransomware is only one type of threat. More importantly, it’s not even the most likely threat.

For example, a hard disk failure can be much more destructive than ransomware, and is probably much more likely to happen. Even more bluntly: you’re more likely to accidentally overwrite or delete a file than you are to personally encounter ransomware.

Even if the Recycle Bin didn’t exist, continuous online backups save your files from many threats that don’t involve invalidating the backup.

The same is true for nightly backups to an always-connected external hard drive. Yes, there’s a chance that ransomware could encrypt your backups. There’s a higher probability that you’ll be glad you had those backups current for a variety of other failures.

Making backups easy, timely, and automatic is more important than fearing one specific — albeit destructive — form of malware.

Do this

Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

I'll see you there!

Podcast audio


Footnotes & references

1: I’ll keep refering only to OneDrive, as it’s baked in to Windows 10, but most of these concepts apply to DropBox as well. Other services may also include similar features, so if you choose to use something other than DropBox or OneDrive, I encourage you to research the options available. The amount of free storage you get is not necessarily the most important factor in deciding which to use.

2: Within 30 days, that is. I’d strongly recommend doing it as soon as you possibly can, just for added safety and reassurance.

16 comments on “Recovering from Ransomware with an Online Backup”

  1. Leo, I was at a friend’s house one day recently when a ransomware demand popped up on her screen. She had no backups, so we had a few minutes of panic. I was able to unlock the screen and determine that this was, fortunately, fake ransomware. The scare was enough to get her to start backing up her files online. That paid off for her last week when Hurricane Harvey hit. She got flooded and her computer won’t boot (I don’t think it is dead, but I won’t know more until I can get over there and check it out). She was able to locate her backups online and get back to work on another PC.

    We faced a flooding threat here, too, and I was a little calmer than I might otherwise have been knowing that even if something happened to my laptop, my files would live on. A backup to an external drive is good (and I do that), but a backup that fails due to the same thing that took out your computer is of no use. Thank you for your constant admonitions to back up and to back up your backup!

  2. you forgot to mention one drive is only on windows 10. i`m sticking with win 7 ult until the bitter end.
    anybody else out there doing the same?

  3. I personally don’t like backing up on line. I do two kinds of backup. The first is a program called FoldrSync. The user creates a script which contains as many actions as desired. A typical action looks like these 2

    Path1=D:\Scanned and digital photos 2
    Path2=F:\RBH WIN7 BUP\Scanned and digital photos 2_BU

    Path1=C:\Users\All Users\ddisoftware
    Path2=F:\RBH WIN7 BUP\Qimage_BU

    I use a variety of internal and external drives to store files to. My typical script contains about 40 actions. I also use them to keep other machines up to date. I always have complete sets of files in many places, so I will hopefully never lose at least one set.

    And, I use Macrium Reflect to create images of my C drives in all my machines. This protects against everything, including HD failures, numerous of which I have had in my 30 years of personal computers.

    Both of these tasks have saved me from a variety of catastrophes.

  4. I’ve been backing up since 1989, when I used a magnetic tape device to contain the backup. It stored at the rate of 5 MB per hour. These days backing up and imaging of 50-100 GB takes only minutes.

  5. When choosing an external drive for your back up pick one with an on/off switch (Fantom is one brand that has an on/off switch). This makes it easy to turn it on for the back up and then off when done. No unplugging under the desk. Simple and easy.

    • My external backup drive is connected through a USB3 hub. Each hub connection has its own on-off switch with a LED indicator. Backup finished, just push the button (after dismounting so all data is finalized). Light goes out. Drive is offline and since the drive is USB3 powered, also turned off.

  6. Most online backup programs, such as IDrive and Carbonite, keep multiple historical versions of backed up files, unlike online storage services such as OneDrive, which only keeps a the most recent historical version in its recycle bin. That can be crucial at times.

  7. Checking my online Onedrive Recycle Bin it would appear that only deleted files are moved to the ‘online Onedrive Recycle Bin’, not changed files as you advise ?

    ‘Whenever a file changes on your computer in a folder being continuously backed up by OneDrive1, the following happens:
    Any prior copy of the file is moved to a Recycle Bin on the OneDrive servers.’

    PS. Thanks Leo for all your helpful advise over the years.

    • I just experimented and found that although previous versions of files are not found in the recycle bin, you can go to the OneDrive website and right click on a file, select version history and download previous versions of files.
      OneDrive for Business allows you to right click on a file and under Properties directly from File Explorer and click on the Previous Versions tab to recover older files.

  8. It would help to know how long an online backup or full system image will take. My ISP provides 6Mbs download speed and 1Mbs upload. (That’s megaBIT, not megaBYTE.) Those speeds are not absolute. It all depends on time of day (my ISP throttles back at night to roughly 2Mbs D/L and .5Mbps U/L), and how many people are sharing the bandwidth. Just as a personal example, Windows 10 Pro was a 3.2GB D/L package from Microsoft. It took 14 hours. If my math is correct, it would take more than 5 days for me to upload 60GB to the cloud at my current U/L speed.

    The cloud may be a viable solution for those who have a fast internet connection. But as for me? I’ll stick to my external hard drives.

    • With my internet connection 42 Mb down 8 Mb up, it took me about 2 weeks to download 100 GB of data to OneDrive when restoring my system. Uploading would take probably 5 times longer. That’s why it’s not practical to use the cloud for a full system image backup. Many people I know only have one or two GB of user data. In that case, even a slow DSL should work for data backups.

    • Performing a full image backup online is impractical at today’s connections speeds and disk sizes. Online backups are best for collection of your data files.

      • I use the MegaSync cloud service to maintain an online backup of my important data files. This includes my Documents folder. MegaSync includes zero-knowledge end-to-end encryption. Since I have the MegaSync app on all my devices, these important files (things like receipts, bank statements, passport images, car registration and insurance, etc.) are always available. Since the data is encrypted and decrypted on my own device it’s un-hackable in practice. Of course I maintain comprehensive local backups of data and OS as well.

  9. I got an email from Microsoft OneDrive telling me 7273 files were victims of malware. I believe that is a false positive based on having a similar number of Cryptomator files and not finding any other encrypted files.

    What I found interesting in the email was:
    “Visit within 30 days of the attack to:

    · Review suspicious files and confirm they have been compromised

    · Remove ransomware from your devices

    · Restore your files on OneDrive
    You can restore your files on OneDrive for only 30 days after they were compromised. If you don’t restore the compromised files within 30 days from the ransomware attack, the files won’t be recoverable.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.