Should I Disconnect My Backup Drive When I’m Not Backing Up?

Because of the threat of ransomware, many people disconnect their backup drive when not backing up. I think that's a bad idea.

I keep hearing of viruses that encrypt your hard drive, and even the files on your external hard drive. Doesn’t that mean that my backups would be encrypted as well? Friends are telling me I should disconnect my backup drive when I’m not using it, but that doesn’t feel right either. What should I do?

My opinion is that you run a higher risk of not being backed up if you disconnect the drive than you do having your backups encrypted by ransomware.

Put another way: leave the drive connected and continue to let your backups run automatically.

I’ll explain why I feel that way, and what you can do to mitigate the risk of ransomware.

Ransomware

Ransomware is malicious software – a class of virus – that, when it infects your machine, encrypts your files and then holds them ransom by extorting a cash payment for the decryption key.

To date, without the decryption key, the files cannot be recovered. The individuals behind this malware are using good, strong encryption to do the deed.

Experts and authorities advise that you never pay the extortioners. It only encourages them to keep on infecting machines and holding them for ransom. I agree.

The best solution, if you find your machine suddenly held hostage, is to simply recover it from the most recent backup, and get on with your day. It works every time.

Unless your backup has been encrypted, that is, which is what has people so scared.

In my opinion, that fear is overblown.

What the ransomware encrypts

Ransomware cannot encrypt every file on your system. Doing so would break Windows itself, and prevent the attackers from presenting you with the ransom demand and any hope of recovery.

So, the ransomware only encrypts certain types of files. Typically that includes:

  • .doc, .docx, and similar word processing documents.
  • .jpg, .jpeg, .png, and similar photos and images.
  • .xls, .xlsx, and similar spreadsheets and accounting files.

It encrypts more file types, but even those three classes alone are enough to cause a tremendous amount of grief to individuals who find themselves facing a ransom demand – especially if they don’t have a backup.

What the ransomware typically does not encrypt

Most of the differing ransomware variants out there don’t encrypt:

  • Any file types they aren’t explicitly looking for.
  • Files on drives other than the system drive C:.

That means that most backups are protected, because:

  • Backup image files, for example, are usually not on the list of filetypes to be encrypted. Macrium’s “.mrimg” would be one example.
  • Backup files are usually on a drive other than C: – your external drive.

On top of that, encryption takes time, and can adversely impact system performance as it happens. Ransomware wants to stay hidden as long as possible while encrypting your data, so it can complete the job undetected. Backups, particularly backup image files, are often very large, and can take a long time to encrypt. For practical reasons, then, it’s actually not even in the malware’s best self-interest to attempt it.

Some ransomware does encrypt backups

Never say never.

There is ransomware out there that does encrypt files on drives other than C:, including both network and external drives, and I’m sure there is ransomware out there that explicitly encrypts, or at least corrupts, any backup images that it can find. As someone pointed out, the entire image doesn’t need to be encrypted – just the first part, and the entire image could be rendered useless.

The thing is, it’s not as common as the “quick and easy” kind of ransomware that simply relies on people who aren’t backed up (a frighteningly large number).

But it does exist.

A blended approach to protection

As I’ve discussed before, the best protection is simply to not get infected in the first place. Do everything you should be doing to stay safe on the internet, and you’re unlikely to encounter ransomware.

Keep your backup drive connected. Back up regularly and automatically. That will protect you from all the other malware that’s out there, as well as all the “quick and easy” variants of ransomware. The risk of disconnecting it is that you’ll forget to plug it back in. If anything happens – hardware failure or any other type of malware infection – you’ll be left with no recent backup at all.

If you’re really concerned about ransomware encrypting your backups, then periodically make a copy of your backup and take that offline. For example, you could get a second hard drive and periodically copy one or more of your backup images to it, and then disconnect that drive.

I’m much more comfortable relying on you remembering (or not remembering) to make this periodic copy – a backup of a backup – because I believe the risk of failure is significantly less than if you were to disconnect your backup drive.
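
The periodic offline copy described above, sketched as an added example (not from the original article): it copies the newest backup image to the second drive, confirms the copy matches the source, and records a SHA-256 hash so that a later change to even the first part of the file is detectable. The `.mrimg` pattern follows the Macrium example in the article; the manifest file name and the function names are assumptions.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "backup-manifest.json"  # hypothetical manifest name, kept on the offline drive


def sha256_file(path, chunk=1024 * 1024):
    """Hash a file in chunks so multi-gigabyte images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def copy_newest_image(backup_dir, offline_dir, pattern="*.mrimg"):
    """Copy the newest image to the second drive, verify it, and record its hash."""
    images = sorted(Path(backup_dir).glob(pattern), key=lambda p: p.stat().st_mtime)
    if not images:
        raise FileNotFoundError(f"no {pattern} files in {backup_dir}")
    src = images[-1]
    dst = Path(offline_dir) / src.name
    expected = sha256_file(src)
    shutil.copy2(src, dst)
    if sha256_file(dst) != expected:
        dst.unlink()  # do not keep a copy that cannot be trusted
        raise IOError(f"copy of {src.name} does not match the source")
    manifest_path = Path(offline_dir) / MANIFEST
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    manifest[src.name] = expected
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return dst


def verify_offline_copies(offline_dir):
    """Return the names of recorded images that are missing or no longer match."""
    manifest = json.loads((Path(offline_dir) / MANIFEST).read_text())
    bad = []
    for name, expected in manifest.items():
        path = Path(offline_dir) / name
        if not path.exists() or sha256_file(path) != expected:
            bad.append(name)
    return bad


def demo():
    """Constructed sample: a small fake image stands in for a real backup file."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as offline:
        (Path(backup) / "sample.mrimg").write_bytes(b"HDR0" + b"\x00" * 4096)
        copy = copy_newest_image(backup, offline)
        clean = verify_offline_copies(offline)
        # Damage only the first bytes of the copy, the case mentioned in the article.
        with open(copy, "r+b") as f:
            f.write(b"XXXX")
        damaged = verify_offline_copies(offline)
        return clean, damaged


if __name__ == "__main__":
    print(demo())
```

Run `verify_offline_copies` again each time the second drive is reconnected, since a read straight after the copy may be served from the operating system's cache rather than the disk.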

Comments

  1. greybeard

    Great series on backups! One specific observation: when I copy an Acronis image to another external hard drive, it often will no longer validate. I have to either directly make an image to that new external hard drive, or I have to use the Acronis tool to consolidate archive.

  2. bedlamb

    While periodic image backups are a good idea, I prefer to depend on data backups.
    I backup, to an external HD, weekly, plus any important changes when they occur.
    These backups are manual, and after backing up, I disconnect the drive. I’m not too concerned about
    ransomware. I just don’t see a reason to burn the electricity unnecessarily.

  3. Duane

    I’m a big fan of keeping backup separated from your PC. Ransomware is one concern. Another is theft. A client once told me that his son backed up his computer regularly, and kept the backup next to the PC. When the house was broken in to, the thieves took the lot.

  4. Mark Jacobs

    In some ways the solution has come to the point where a backup is no longer enough. You now need to back up your backup. I do nightly incremental backup which I occasionally copy to a drive I keep at work. In the meantime (almost) all of my data is backed up on DropBox. I pay for a little over TB. For most people One Drive or Google Drive or a combination of 2, or all 3 free cloud backups should also work.

  5. Tony

    Wow Leo,

    Just have to disagree a little bit here. Home users are to be commended to have at least one external hard drive for backups. Many do not have any. I hear on a regular basis the cries and hopes from customers of me recovering at least some of their lost data when the inevitable crashes happen. I recommend at least one certain day of the week (usually Friday) for automatic backups and have home users plug in and turn on the drive that day. I have them disconnect it before bed and place it in a safe or hiding place so it’s protected. It has been working fairly well for them. I say it’s your computer insurance policy that you must renew every Friday and it’s cheap. Just do it.

    For businesses they should have a full blown rotation of drives or tapes. They should not have to worry about drive disconnecting or turning them off.
    But then there are all of those small businesses that watch the pennies and don’t get more than one backup drive and leave it connected at all times. That is too bad!!! I have had two clients, one legal and one medical that got hit by CryptoLocker. Guess what? Server is encrypted, all workstations are encrypted and lastly the only single external drive is encrypted. I say take the drive offline for them. Now both of those companies experienced major financial losses due to equipment failure and loss of business income until they are open for business again. All networked computers, servers and backups all were compromised and needed complete rebuilding. At the same time the companies were out of business for many days without data or income. I got them back up and running but it was not fun times.

    So if they aren’t faithful with every backup but DO have a backup from a week or two ago, they have the major portion of their data. If they leave it connected and get hit they have nothing.

    My thoughts and experiences.

    • Mark Jacobs

      For those business watching pennies, I’d tell them that a second backup is much cheaper in the long run than paying for recovery. It’s an insurance policy with a one time layout of around $100.

  6. Ronny

    If you are worried about this, plug your external HD into a separate switched power strip and then you can quickly turn it on for a backup and off when you are done.

  7. Herbert Sweet

    I have set up a hybrid backup routine which, I believe, provides me with the benefits of both an automatic backup and a disconnected backup hard drive. I use the EASEUS backup program and, on a scheduled basis, I backup my C drive and data drives to a second internal drive. Then, after checking for encryption with Bleeping Computer’s ListCRIlock, I connect my external hard drive and copy the backup files. When done, the external drive is disconnected.

    In addition, I periodically run a backup to a portable drive which is kept in a safe deposit box.

    • Mark Jacobs

      We are currently evaluating EaseUS here at Ask Leo! as a free alternative to Macrium as it allows incremental backups in the free version. Any comments you (including anyone who uses it) have (pros and cons) on the EaseUS backup would be greatly appreciated.

      • Herbert Sweet

        Hi Mark,

        I’ve been using both the free and the paid versions for quite a while now. There is one problem that I’ve experienced that has not been fixed. To be fair, I could have spent more time in chat with their tech support. For a couple of computers I’ve installed this program on, the incremental backup has not always shown all of the files. Their tech support says that is OK but I do wonder. This has been specific to particular computers. Their differential backup has always shown all of the files.

        I’ve also tested the recovery disk full recovery process and it has worked as advertized.

        One of the nice features of this backup program is the ability to examine a backed up file before you recover it. In addition, you can recover it simply by using Windows Explorer and copying it back to either its original position or to your desktop.

        The newest version, paid I believe, provides for encryption of the backup. I suspect that this would make bogus encryption by ransomware difficult if not impossible. What do you think?

        • Mark Jacobs

          Thanks for responding.
          Encrypting your backup wouldn’t prevent someone from encrypting your encrypted file :(
          One thing that would be interesting to know is how good their tech support is. How willing they are to stay with you till the problem is solved, and how knowledgeable they are in their answers, ie. does what they tell you usually work?
          As for not finding some of your files in an incremental, it’s important to go to a backup on a date after you’ve created a file and before you deleted it. I don’t know if that was your case, otherwise if a file can get lost, that can be concerning.

          • Herbert Sweet

            Mark,

            I guess I should have foreseen that you could encrypt an encrypted file.

            My experience with the EASEUS tech support is that they have been responsive and timely in their responses. Although not using English as their prime language has led to some amusing communications. EASEUS had sent an email advertizement written to encourage users to buy a newer version. We were told that we should “dispose of our savings” to do this. :-) I passed this on to a retired professor that I know and he replied “My bad luck. I’ve already disposed of my savings!”

            What bothers me about the incremental backup file created is that in some computers, when searching My Documents, for example, all of the files are there in every increment. In other computers, only some are there and it doesn’t seem to be activity related. I’ve not seen this at all in the differential backups.

      • James B

        I’ve used EaseUS for a few years. I like it because it’s free and makes incrementals (Macrium free does not make incrementals). I find that EaseUS’ documentation leaves something to be desired. I don’t think it’s very well written and difficult to find an answer (at least for those of us using the free version). Of course I was trying to figure it all out while I was new to backups and trying to understand the different types of backups. Leo’s new series explaining these confusing things would have probably helped with that.

        But the biggest thing about EaseUS’ free version is that there is no way to make recovery media. So the free version is good most of the time because most of the time people want to recover a file that was accidentally deleted. You can double click the backup file and it will mount the backup like another drive/folder and you can just navigate to the location and copy the file, just like Windows’ native capability for ZIP files.

        What I’ve done is I’ve made a complete image with Macrium free version (to make that initial system backup that Leo likes to do with a new computer) for the recovery media and use EaseUS for everyday backups. So if I ever needed to wipe my drive and start over, I could recover with Macrium, and then use EaseUS to recover the computer to the latest incremental. It’s a two step recovery, but it’s free and it would only need to be done in the case of total system failure. Normal recovery only needs EaseUS.

        • Herbert Sweet

          James,

          EASEUS todo does have a full recovery process and I have used it successfully. At the version 8 level, go to tools > create emergency disk. From there you can choose either Linux or WinPE and then decide on the recovery media — CD/DVD, USB device (flash drive), or even ISO.

          I agree with you about their writing skills. ( See my note to Mark.) I’ve told them several times that they need a tech writer whose primary language is English. I suspect that there are not too many of those folks in China!

        • Could you clarify: you cannot make recovery media with the free version? So you could not, for example, restore an image to a replaced hard drive?

          • James B

            I started using EaseUS with version 4 Free. I never found a way to make recovery media and when I checked the online help, it specifically said that you couldn’t in the free version. I figured that was their way of encouraging people to upgrade to the paid edition.

            I currently use version 5.8, also free version. I’ve just assumed that they continued that practice. But since you asked, I went poking around. Under Tools, I found “Create Bootable Disk.” According to the online help (which is for version 7 and prior) it says, “It is indispensable when windows system fails to boot.” It goes on to explain that this option will let you choose to make either a WinPE or Linux emergency disk. However, on my computer, I didn’t have a choice … only a choice of where (USB/CD/DVD/etc.). So I created a USB. It formatted my USB and said that it successfully created the bootable recovery media.

            I rebooted my computer, but it failed to boot from the USB. I examined the USB stick with the command prompt and found that there was a hidden BOOT folder which contained two files: EASLINUX.SYS and EASLINUX.IRD, and a folder called SYSLINUX. So it looks like I’ve got a Linux recovery media. Not sure why it didn’t boot (is it a BIOS issue, a USB issue — I’ve been having some issues with my USB ports being flaky, or is the USB stick missing a file that tells the BIOS to run the EASLINUX.SYS file)

            However, it looks like the free version of version 5.8 will make recovery media to be able to recover when you can’t use your hard drive. So if I can just get it to boot from the USB, I won’t have to have the wonky two step with both Macrium and EaseUS.

          • Mark Jacobs

            From my experience with an older version of EaseUS, it allowed the Linux recovery media on the free version, the paid version allowed Windows PE. Not much difference really.

  8. Raymond

    If you were hit with ransomware that encrypted your MS Office files (for example) kept in your Dropbox folder, the online version will then become encrypted also right? If your other backup on an external HDD wasn’t available for whatever reason then are the Dropbox versions toast also or will version history save the day there? Thinking it’s time for the periodic offline backup stored elsewhere unattached to main PC.

  9. Daniel Stuhlman

    I had a crypto malware attack that even attacked the external hard drive. It didn’t get the image because that is very protected, but the incremental backup of data was trashed. I still haven’t totally recovered. I plan to reformat the hard drive and install linux and buy a new computer.

    • Herbert Sweet

      Daniel,

      Was it that the ‘image’ was specially protected or that the first full backup was just too large for the encryption program but the increments were not?

    • Mark Jacobs

      There shouldn’t be any reason to get a new computer after a malware attack, including CryptoLocker. Formatting the system drive and restoring from your image backup should be a safe option.

  10. Al Knack

    One question I have is will these programs destroy/encrypt files I have stored to the cloud. Or web sites like Carbonite?

    • Mark Jacobs

      They wouldn’t have any access to anything you have on the cloud, such as Carbonite, Dropbox etc. However these may upload your encrypted files. The good news is these services keep older versions of the files for 30 days.

  11. Sheri

    I use SyncBack Free version to backup my data to a portable USB drive and then to a second portable drive every day. And I do keep meaning to disconnect them when I’m not backing up, to protect them from viruses and ransomware but I keep forgetting :-( I should build that step into my daily start up routine!

    • Mark Jacobs

      The fact that you forget to unplug them illustrates Leo’s point of the danger of forgetting to plug the external drive in.

  12. Lindsay

    I am a long time Macrium user using the paid version 5. I also am perturbed at the large increase in cost for their update so am looking at Ease US ToDo as well.

    Comments here regarding earlier versions of Ease US are not helpful – indeed, they are downright unhelpful. Version 8.2 free certainly has a Linux and Win PE recovery disk creator. About to test my just created Win PE CD!

    Regarding connected backup drives, I use my NAS for regular scheduled backups but I also periodically copy backups to a USB ext drive that gets stored in my safe. My family photos etc are also up in the cloud.

    I do PC servicing and see many PCs with no backup. I have given this much thought, but, sadly, have come to the conclusion that trying to protect the data for most people is a forlorn hope (willing to be convinced otherwise, though!!). The truth is that any backup setup has to be checked regularly to see if it is still working and this is just too skilful a job for the people who need to have their backups designed for them. Even if errors are notified by the OS, they will, more often than not, be ignored in the hope that they will go away. Drive full? Don’t know what that means. Drive doesn’t exist? Move on. Data moved to somewhere else? How could that affect a backup? Drive failing with hard errors? So what? Etc, etc.

    So, even if we provide a good solution, how do we ensure it stays good? Maybe this needs a monthly service that checks backups are still OK. Bit like the Pool cleaner or lawn mower who turns up regularly? Admittedly, hard to sell this one.

    Call me gloomy but I think this is the bigger elephant in the room.

  13. Prof. Gulliver

    Leo, first, I love your stuff. But wouldn’t this be an easy solution: If you have a second internal drive you use as a backup, simply remove the drive letter after each backup. It’s just a few clicks: Right click “computer,” click “manage,” click “storage,” click “disk management,” right-click the backup drive in the list, click “change drive letter and paths,” and click “remove” (eg: “F”).
    The drive will no longer show and even if the malware is looking for drives other than C:, it can’t find it. When you’re ready to back up, do the same steps again, but in the last step simply add the letter (eg “F”).
    The whole process takes maybe 5 seconds.

    • Sufficiently sophisticated malware can still find the drive. Not that that’s common, but to point out that it’s still not a 100% solution.

  14. Esley

    Hi Leo, I believe in backup. I have lost 3 internal HDD’s and now it looks like two external
    HDD’s. I run Windows 7 pro 64 bit. My browser uses Internet Explorer 11. My external HDD
    is a Seagate USB3 goflex. I have some Seagate software “Disc utility CD upgrade kit
    internal hard drive” on Seagate CD’s. All my photos are backed up to CD’s and DVD’s.

    My problem is “Access Denied”. I downloaded from Seagate a copy of “Disk Recovery”.
    Ran the Demo and all my files and folders are on F:\ Trouble is all the lights on that
    drive are on; the drive is getting warm. I have not formatted it. I want to power it down.

    I had installed Nero 10 on the computer but never ran the program. I also had a copy
    of Photo Shop Elements 10 up and running. PSE 10 sync with Nero and wrote 44
    backups to F: Also Seagate Dashboard using Memeo software writes backups to F:

    Windows disk manager shows my drive is okay. Control Panel shows F: and free space
    along with space used. Thanks Esley
