I have strong opinions.
Even as I update this article eight years after its original publication, my opinion remains unchanged: you run a higher risk of not being backed up if you disconnect the drive than you do of having your backups encrypted by ransomware.
I’ll explain why I feel that way and additional steps you should consider to mitigate the risk of ransomware encrypting those backups.
Disconnecting your backup drive
It’s important to leave your backup drive connected so automated backups continue to protect you from hardware failure and malware. If you remain concerned that ransomware might encrypt your backups, periodically copy a backup to an additional drive that you then take offline, or use backup software with ransomware-specific protection.
Ransomware is malicious software — malware — that encrypts your files and holds them for ransom by extorting a cash payment for the decryption key. Without the decryption key, the files cannot be recovered. Most ransomware appears to use good, strong encryption to do the deed.
Experts and authorities advise us to never pay the ransom. It only encourages malware authors to keep infecting more machines and holding them for ransom. I agree.
If you find your machine suddenly held hostage, the best solution is to recover with your most recent backup and get on with your day. It works every time.
Unless your backup has been encrypted.
Ransomware can’t encrypt every file on your system. Doing so would break Windows itself, preventing the malware from presenting you with the ransom demand and leaving you no way to recover even if you paid.
So ransomware generally encrypts only certain types of files. Typically, those include:
- .doc, .docx, and similar word-processing documents.
- .jpg, .jpeg, .png, and similar photos and images.
- .xls, .xlsx, and similar spreadsheets and accounting files.
Those are enough for most ransomware to effectively get most people’s attention. If those files aren’t backed up in some way, then paying the ransom is the only way to get the data back.
And this is exactly what ransomware relies on: people not being backed up. And it’s why so much ransomware is successful.
You’re protected from most
Most ransomware variants do not encrypt:
- File types they aren’t explicitly looking for
- Files on drives other than the system drive, C:
That means most connected backups are protected because:
- Backup image files are usually not on the list of file types to be encrypted. Macrium’s “.mrimg” files would be one example. They are ignored by most ransomware.
- Backup files are usually kept on a drive other than C: — your external drive, for example. Once again, those files are typically ignored.
Ransomware wants to stay hidden as long as possible while encrypting your data so it can complete the job undetected. Backups — particularly backup image files — are large and can take a long time to encrypt. Encryption takes time and can adversely impact system performance. For practical reasons, then, it’s not in the malware’s best self-interest to attempt it.
But I have been saying “typically” and “most ransomware”. That’s not the same as “all”.
Never say never.
There is ransomware out there that does encrypt files on drives other than C:, including network and external drives, as well as backup images. As someone pointed out, the entire image doesn’t need to be encrypted; encrypting just the first part, where the restore tool expects the image’s header, can render the whole image unusable, and it takes seconds rather than hours.
There’s more “next-level” ransomware now than there was when this article was originally written.
It’s still not as common as the “quick and easy” ransomware that relies on people who aren’t backed up.
But it does exist.
Here’s the thing: not everything has the same risk. Just because backup-encrypting ransomware exists doesn’t mean you’re likely to encounter it.[1]
- You run some risk of encountering malware.
- You run a smaller risk of that malware being ransomware.
- You run an even smaller risk of that ransomware being the encrypt-your-backups kind.
Keeping your backups automated and your backup drive connected protects you from the malware you’re most likely to encounter: the kind that never touches backups at all.
Put another way, if you disconnect your backup drive and forget to reconnect it for some time, you’re not protected from anything.
Thus my advice: keep the backup drive connected, let your backups happen automatically, and as usual, do everything you should to stay safe on the internet.
Particularly with the (small) risk of backup-encrypting ransomware increasing, I get a lot of pushback from people crying “But but but… what if?” These are folks who seem to be convinced that:
- Ransomware is the only kind of malware there is, or at least the majority of it. (Not true, of course.)
- It’s going to happen to them. (Other maladies are much more likely.)
However, there is a very reasonable approach that covers both the common risk and the rare one. It works like this:
- Leave your backup drive connected.
- Let your backups happen automatically.
- Consider using a backup tool that specifically protects against ransomware. (Macrium Reflect’s Image Guard feature, for example.)
- Periodically copy a backup image to an off-line location, such as an additional drive that you then disconnect.
- Practice safe computing.
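The list above ends with a “backup of a backup”, and the “Never say never” section noted that overwriting just the start of an image can ruin it. The following script is an added example, not code from Ask Leo! or from Macrium, that ties those two points together: a hash manifest recorded right after each backup catches an image whose first few kilobytes were overwritten (the size never changes, so a size check alone proves nothing), and the cold-copy step copies only an image that still verifies, then re-hashes the copy on the offline drive. Python is used so it runs anywhere; the file names, the “.mrimg” pattern, the manifest layout, the date-in-filename ordering and the scenario built in demo() are all assumptions for illustration.

```python
# Added example (not Ask Leo!'s or Macrium's code). Assumed: images are named
# disk-YYYY-MM-DD.mrimg, and the manifest is a JSON dict of {name: {size, sha256}}.
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB reads; image files are large


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path, pattern: str = "*.mrimg") -> dict:
    """Record size and SHA-256 of each image as soon as the backup job has written it."""
    return {p.name: {"size": p.stat().st_size, "sha256": sha256_file(p)}
            for p in sorted(backup_dir.glob(pattern))}


def verify_manifest(backup_dir: Path, manifest: dict) -> dict:
    """Return one status per image: ok, missing, size-changed or modified.

    A strain that overwrites only the first few KiB of an image leaves the size
    untouched, so the size check alone proves nothing; the full hash catches it.
    """
    status = {}
    for name, rec in manifest.items():
        p = backup_dir / name
        if not p.exists():
            status[name] = "missing"        # deleted, or renamed to e.g. .locked
        elif p.stat().st_size != rec["size"]:
            status[name] = "size-changed"   # truncated or appended to
        elif sha256_file(p) != rec["sha256"]:
            status[name] = "modified"       # same size, different bytes
        else:
            status[name] = "ok"
    return status


def cold_copy_latest(backup_dir: Path, cold_dir: Path, manifest: dict):
    """Copy the newest image that still verifies to the offline drive, then re-hash the copy.

    Images carry an ISO date in the name, so the newest sorts last (an assumption
    of this example). Returns the copied file name, or None if nothing verified.
    """
    good = sorted(n for n, s in verify_manifest(backup_dir, manifest).items() if s == "ok")
    if not good:
        return None
    newest = good[-1]
    cold_dir.mkdir(parents=True, exist_ok=True)
    dest = cold_dir / newest
    shutil.copy2(backup_dir / newest, dest)
    if sha256_file(dest) != manifest[newest]["sha256"]:
        dest.unlink()  # never leave an unverified copy on the cold drive
        return None
    return dest.name


def demo() -> dict:
    """Constructed scenario (not real data): three fake images, then a simulated attack."""
    root = Path(tempfile.mkdtemp())
    backups, cold = root / "backups", root / "cold"
    backups.mkdir()
    for day in ("01", "08", "15"):
        (backups / f"disk-2024-01-{day}.mrimg").write_bytes(os.urandom(64 * 1024))
    manifest = build_manifest(backups)
    # In practice keep a copy of this file where the malware cannot rewrite it,
    # e.g. on the cold drive; an attacker who can rewrite the image can rewrite this too.
    (backups / "manifest.json").write_text(json.dumps(manifest, indent=2))
    before = verify_manifest(backups, manifest)

    # Simulated attack: overwrite only the first 4 KiB of the newest image
    # (size unchanged) and rename the oldest, as many strains do.
    with (backups / "disk-2024-01-15.mrimg").open("r+b") as f:
        f.write(os.urandom(4096))
    (backups / "disk-2024-01-01.mrimg").rename(backups / "disk-2024-01-01.mrimg.locked")

    after = verify_manifest(backups, manifest)
    copied = cold_copy_latest(backups, cold, manifest)
    shutil.rmtree(root)
    return {"before": before, "after": after, "copied": copied}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would want. First, don’t try to detect a tampered image by looking for “random-looking” bytes at the start of the file: most backup images are compressed, so high entropy is normal there, which is why the example relies on a recorded hash instead. Second, the script does not replace a feature like Macrium’s Image Guard, which works inside the backup product; it only gives you an independent check before you trust a copy and before you carry it offline.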
I’m much more comfortable relying on you to remember to make this periodic copy, a backup of a backup. If you forget it, your automated backups still run and you are still protected from the common case. If you disconnect the backup drive and forget to reconnect it, nothing is backed up at all. The risk of failure in the first case is significantly less than in the second.
Footnotes & References
1: Honestly, most ransomware, particularly the “next level” kind, has moved on to targeting small businesses and large corporations. I assume the payoffs are higher if those targets are compromised.