Ransomware is scary, but a little preparation goes a long, long way.
That’s one of the comments I received on my article “Using OneDrive for Nearly Continuous Backup”.
I often recommend using an online service to back up your files in real time as they change, and that article is one example. It’s one way to back up changes between your image backups.
Encountering ransomware would generally call for using an image backup to reset your computer to a time before the malware arrived. You might then turn to your online backup to recover files changed between that image having been taken and the present. Unfortunately, as the questioner points out, it’s possible — likely even — that those files might also be encrypted by the ransomware.
Worse, of course, is if you’ve only been relying on that cloud backup.
But before you give in to a knee-jerk reaction to avoid online backups completely, consider this: they’ll give you more options, not fewer, should ransomware ever strike. In fact, they could save you in ways other backups might not.
OneDrive and ransomware
When files change or are deleted — perhaps by ransomware — OneDrive moves prior versions to a Recycle Bin or version history online, allowing you to recover files after a ransomware attack or any other error. OneDrive also has ransomware-specific detection that allows you to easily roll back all files affected. While it’s important to have multiple backup methods, OneDrive is a valuable tool against all kinds of threats.
Online backup to the rescue
- Any prior copy of the file is moved to a Recycle Bin on the OneDrive servers.
Whenever a file changes on your computer in a folder being continuously backed up by OneDrive, the following happens:
- The prior copy is moved to the version history for that file. (A kind of recycle bin specifically for that file.)
- The new copy is uploaded.
Yes, OneDrive has a Recycle Bin. This means OneDrive can save your data from ransomware.
It works like this.
- You use OneDrive to keep a more-or-less continuous backup of your data online.
- Your machine becomes infected with ransomware of some form, and all your data files are encrypted (and therefore lost to you).
- If you are online, OneDrive dutifully notices that the files have changed, and backs up the now-encrypted files.
- You panic. (Technically, this step is optional but quite common.)
- You disconnect, clean up, rebuild, or otherwise remove the malware from your machine, but your files are still encrypted.
- You visit OneDrive online [2], and recover your unencrypted files from its Recycle Bin and/or each file’s version history.
- You vow to never again do whatever it was that allowed the malware infection to happen in the first place.
- Life goes on.
OneDrive just saved your bacon. What’s more, everything I’ve described above happens without any other form of backup in place.
But of course, you also have other forms of backup — right?
Belt and suspenders and suspenders
The person who originally left the comment continued:
A simple but probably inefficient means I use is to make a copy of my OneDrive files weekly.
This is (almost) exactly what I do myself. Every night, I make a copy of everything in my OneDrive folder, in the form of a (password-protected) “.zip” file, and save it elsewhere. Should I ever succumb to ransomware, I can recover my files from that additional backup.
Of course, on top of that, I have nightly backups running to an external hard drive: monthly full backups with daily incrementals, meaning I can always recover the files “as of” a few days ago, before the ransomware attacked. (And in case I happen to run across ransomware that also tries to encrypt backups, some of those backups are copied elsewhere, effectively “offline” and not directly accessible to my machine.)
It would take a lot for even the nastiest ransomware to cause me to lose any significant number of files.
But wait, there’s more!
OneDrive includes ransomware-specific detection and recovery.
In short, if it sees a large number of files being changed in short order (or possibly a large number being deleted), it will ask if you’re experiencing the effects of ransomware.
After you’ve cleared the ransomware and secured your system, OneDrive makes it easy to restore your OneDrive — all of the affected files at once — to the state they were in prior to the suspicious activity.
Microsoft has all the details and instructions in their support article: Ransomware detection and recovering your files.
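To make the "large number of files changed in short order" idea concrete, here is an added sketch of a sliding-window burst check over file-change events. It is not OneDrive's or Microsoft's detection code; the event format, the 5-minute window, the 20-file threshold, and the sample data are all assumptions made for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed tuning values for illustration; not OneDrive's real thresholds.
WINDOW = timedelta(minutes=5)
THRESHOLD = 20  # distinct files changed or deleted inside WINDOW

def find_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return (start, end, files_touched) for each burst of file changes.

    events: (timestamp, action, path) tuples sorted by timestamp.
    `start` is the oldest change in the window when the burst was detected,
    i.e. the point in time to restore to "just before" when rolling back.
    """
    recent = deque()   # (timestamp, path) pairs still inside the window
    in_window = {}     # path -> number of events inside the window
    bursts, current = [], None
    for ts, action, path in events:
        if action not in ("modified", "deleted"):
            continue
        recent.append((ts, path))
        in_window[path] = in_window.get(path, 0) + 1
        # Evict events that have aged out of the sliding window.
        while ts - recent[0][0] > window:
            _, old = recent.popleft()
            in_window[old] -= 1
            if in_window[old] == 0:
                del in_window[old]
        # Count distinct files, so repeated saves of one file do not trip it.
        if len(in_window) >= threshold:
            if current is None:
                current = [recent[0][0], ts, set()]
            current[1] = ts
            current[2].update(in_window)
        elif current is not None:
            bursts.append((current[0], current[1], len(current[2])))
            current = None
    if current is not None:
        bursts.append((current[0], current[1], len(current[2])))
    return bursts

def sample_events():
    """Constructed sample: six slow edits, then 40 files rewritten in under 80 seconds."""
    t0 = datetime(2024, 1, 10, 9, 0)
    normal = [(t0 + timedelta(minutes=10 * i), "modified", f"notes{i}.txt")
              for i in range(6)]
    start = t0 + timedelta(hours=2)
    mass = [(start + timedelta(seconds=2 * i), "modified", f"doc{i}.docx")
            for i in range(40)]
    return normal + mass
```

The start time of a reported burst is the useful output: it is the moment to restore files to "just before", which is the same choice the restore step above asks you to make.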
You don’t need to go overboard
You don’t need to be as backup-crazy as I am. You can protect yourself with just a few simple steps.
- Use OneDrive for nearly continuous backup of your day-to-day working files.
- Enable File History. File History, though sometimes disabled by more aggressive ransomware, will also let you restore a file to the condition it was in before encryption, and can protect files outside of those you keep on OneDrive.
- Take periodic full and more frequent incremental image backups of your entire system to protect from almost any type of failure.
- Every so often, take one of those full backup images and copy it to offline storage.
And, honestly, that last one is just to make people panicking about ransomware encrypting their backups happy. That doesn’t happen often at all, and I don’t consider it critical, particularly with what we’ve just discussed about OneDrive’s Recycle Bin.
Don’t let the worst case scare you away from reasonable choices.
What concerns me most are folk who say they won’t use online backups because their files might be encrypted by ransomware, and they think their online backups would be useless. We’ve just shown that’s absolutely not true, thanks to online Recycle Bins and the like.
More importantly, ransomware is only one type of threat. It’s not even the most likely threat.
For example, a hard disk failure can be much more destructive than ransomware and is probably much more likely to happen. Even more bluntly: you’re more likely to accidentally overwrite or delete a file than you are to encounter ransomware.
Even if the Recycle Bin didn’t exist, continuous online backups save your files from many threats that don’t involve invalidating the backup.
The same is true for nightly backups to an always-connected external hard drive. Yes, there’s a chance that ransomware could encrypt your backups. There’s a much higher probability that you’ll be glad you had those backups current for a variety of other failures.
Making backups easy, timely, and automatic is more important than fearing one specific — albeit destructive — form of malware.
Footnotes & References
1: I’ll keep referring only to OneDrive as it’s baked into Windows, but most of these concepts apply to Dropbox as well. Other services may also include similar features, so if you choose to use something other than Dropbox or OneDrive, I encourage you to research the options available. The amount of free storage you get is not necessarily the most important factor in deciding which to use.
2: Within 30 days, that is. I’d strongly recommend doing it as soon as you possibly can, just for added safety and reassurance.