My opinion is that you run a higher risk of not being backed up at all if you disconnect the drive than you run of having your backups encrypted by ransomware.
Put another way: leave the drive connected and continue to let your backups run automatically.
I’ll explain why I feel that way, and what you can do to mitigate the risk of ransomware.
To date, without the decryption key, the files cannot be recovered. The individuals behind this malware are using good, strong encryption to do the deed.
Experts and authorities advise that you never pay the extortioners. It only encourages them to keep on infecting machines and holding them for ransom. I agree.
The best solution, if you find your machine suddenly held hostage, is to simply recover it from the most recent backup, and get on with your day. It works every time.
Unless your backup has been encrypted, that is, which is what has people so scared.
In my opinion, that fear is overblown.
What the ransomware encrypts
Ransomware cannot encrypt every file on your system. Doing so would break Windows itself, and prevent the attackers from presenting you with the ransom demand and any hope of recovery.
So, the ransomware only encrypts certain types of files. Typically that includes:
- .doc, .docx, and similar word processing documents.
- .jpg, .jpeg, .png, and similar photos and images.
- .xls, .xlsx, and similar spreadsheets and accounting files.
It encrypts more file types, but even those three classes alone are enough to cause a tremendous amount of grief to individuals who find themselves facing a ransom demand – especially if they don’t have a backup.
What the ransomware typically does not encrypt
Most ransomware variants out there don’t encrypt:
- Any file types they aren’t explicitly looking for.
- Files on drives other than the system drive C:.
That means that most backups are protected, because:
- Backup image files, for example, are usually not on the list of filetypes to be encrypted. Macrium’s “.mrimg” would be one example.
- Backup files are usually on a drive other than C: – your external drive.
On top of that, encryption takes time, and can adversely impact system performance as it happens. Ransomware wants to stay hidden as long as possible while encrypting your data, so it can complete the job undetected. Backups, particularly backup image files, are often very large, and can take a long time to encrypt. For practical reasons, then, it’s actually not even in the malware’s best self-interest to attempt it.
Some ransomware does encrypt backups
Never say never.
There is ransomware out there that does encrypt files on drives other than C:, including both network and external drives, and I’m sure there is ransomware out there that explicitly encrypts, or at least corrupts, any backup images that it can find. As someone pointed out, the entire image doesn’t need to be encrypted – just the first part, and the entire image could be rendered useless.
The thing is, it’s not as common as the “quick and easy” kind of ransomware that simply relies on people who aren’t backed up (a frighteningly large number).
But it does exist.
A blended approach to protection
As I’ve discussed before, the best protection is simply to not get infected in the first place. Do everything you should be doing to stay safe on the internet, and you’re unlikely to encounter ransomware.
Keep your backup drive connected. Back up regularly and automatically. That will protect you from all the other malware that’s out there, as well as all the “quick and easy” variants of ransomware. The risk of disconnecting it is that you’ll forget to plug it back in. If anything happens – hardware failure or any other type of malware infection – you’ll be left with no recent backup at all.
If you’re really concerned about ransomware encrypting your backups, then periodically make a copy of your backup and take that offline. For example, you could get a second hard drive and periodically copy one or more of your backup images to it, and then disconnect that drive.
I’m much more comfortable relying on you remembering (or not remembering) to make this periodic copy – a backup of a backup – because I believe the risk of failure is significantly less than if you were to disconnect your backup drive.
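As an added example (not code from the original article), here is a small Python script for the “backup of a backup” step: it copies the newest image from the always-connected backup drive to the second drive, verifies the copy by hash, and records that hash so the offline copies can be re-checked later, which is how a partially overwritten image would be noticed before you need it. The .mrimg suffix, the folder paths and the manifest file name are assumptions.

```python
import hashlib
import json
import shutil
from pathlib import Path

MANIFEST = "manifest.json"  # assumed name of the hash record kept beside the offline copies


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256; backup images are far too large to read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def newest_image(src_dir: Path, suffix: str = ".mrimg") -> Path:
    """Pick the most recently modified image on the always-connected backup drive."""
    images = [p for p in src_dir.iterdir() if p.suffix == suffix]
    if not images:
        raise FileNotFoundError(f"no {suffix} images in {src_dir}")
    return max(images, key=lambda p: p.stat().st_mtime)


def copy_and_verify(src: Path, dst_dir: Path) -> str:
    """Copy src onto the second drive, hash both sides, and record the hash.
    A mismatch means the copy is not a faithful backup of the backup."""
    dst_dir.mkdir(parents=True, exist_ok=True)
    dst = dst_dir / src.name
    shutil.copy2(src, dst)
    digest = sha256_file(src)
    if sha256_file(dst) != digest:
        dst.unlink()
        raise IOError(f"copy of {src.name} did not verify")
    manifest_path = dst_dir / MANIFEST
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    manifest[src.name] = digest
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return digest


def check_offline_copies(dst_dir: Path) -> list:
    """Re-hash every offline copy against the manifest. The names returned are
    missing or altered since they were copied, e.g. an image whose first part was overwritten."""
    manifest = json.loads((dst_dir / MANIFEST).read_text())
    return [n for n, d in manifest.items()
            if not (dst_dir / n).exists() or sha256_file(dst_dir / n) != d]
```

Run copy_and_verify(newest_image(Path("E:/Backups")), Path("F:/Offline")) before you unplug the second drive, and check_offline_copies(Path("F:/Offline")) each time you plug it back in.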