Should I Disconnect My Backup Drive When I’m Not Backing Up?

I keep hearing of viruses that encrypt your hard drive, and even the files on your external hard drive. Doesn’t that mean that my backups would be encrypted as well? Friends are telling me I should disconnect my backup drive when I’m not using it, but that doesn’t feel right either. What should I do?

My opinion is that you run a higher risk of not being backed up if you disconnect the drive than you do having your backups encrypted by ransomware.

Put another way: leave the drive connected and continue to let your backups run automatically.

I’ll explain why I feel that way, and what you can do to mitigate the risk of ransomware.


Ransomware

Ransomware is malicious software – a class of virus – that, when it infects your machine, encrypts your files and then holds them ransom by extorting a cash payment for the decryption key.

To date, without the decryption key, the files cannot be recovered. The individuals behind this malware are using good, strong encryption to do the deed.

Experts and authorities advise that you never pay the extortioners. It only encourages them to keep on infecting machines and holding them for ransom. I agree.

The best solution, if you find your machine suddenly held hostage, is to simply recover it from the most recent backup, and get on with your day. It works every time.

Unless your backup has been encrypted, that is, which is what has people so scared.

In my opinion, that fear is overblown.


What the ransomware encrypts

Ransomware cannot encrypt every file on your system. Doing so would break Windows itself, leaving the attackers unable to present the ransom demand or offer any hope of recovery.

So, the ransomware only encrypts certain types of files. Typically that includes:

  • .doc, .docx, and similar word processing documents.
  • .jpg, .jpeg, .png, and similar photos and images.
  • .xls, .xlsx, and similar spreadsheets and accounting files.

It encrypts more file types, but even those three classes alone are enough to cause a tremendous amount of grief to individuals who find themselves facing a ransom demand – especially if they don’t have a backup.

What the ransomware typically does not encrypt

Most of the differing ransomware variants out there don’t encrypt:

  • Any file types they aren’t explicitly looking for.
  • Files on drives other than the system drive C:.

That means that most backups are protected, because:

  • Backup image files, for example, are usually not on the list of filetypes to be encrypted. Macrium’s “.mrimg” would be one example.
  • Backup files are usually on a drive other than C: – your external drive.

On top of that, encryption takes time, and can adversely impact system performance as it happens. Ransomware wants to stay hidden as long as possible while encrypting your data, so it can complete the job undetected. Backups, particularly backup image files, are often very large, and can take a long time to encrypt. For practical reasons, then, it’s actually not even in the malware’s best self-interest to attempt it.

Some ransomware does encrypt backups

Never say never.

There is ransomware out there that does encrypt files on drives other than C:, including both network and external drives, and I’m sure there is ransomware out there that explicitly encrypts, or at least corrupts, any backup images that it can find. As someone pointed out, the entire image doesn’t need to be encrypted – just the first part, and the entire image could be rendered useless.

The thing is, it’s not as common as the “quick and easy” kind of ransomware that simply relies on people who aren’t backed up (a frighteningly large number).

But it does exist.

A blended approach to protection

As I’ve discussed before, the best protection is simply to not get infected in the first place. Do everything you should be doing to stay safe on the internet, and you’re unlikely to encounter ransomware.

Keep your backup drive connected. Back up regularly and automatically. That will protect you from all the other malware that’s out there, as well as all the “quick and easy” variants of ransomware. The risk of disconnecting it is that you’ll forget to plug it back in. If anything happens – hardware failure or any other type of malware infection – you’ll be left with no recent backup at all.

If you’re really concerned about ransomware encrypting your backups, then periodically make a copy of your backup and take that offline. For example, you could get a second hard drive and periodically copy one or more of your backup images to it, and then disconnect that drive.

I’m much more comfortable relying on you remembering (or not remembering) to make this periodic copy – a backup of a backup – because I believe the risk of failure is significantly less than if you were to disconnect your backup drive.
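The periodic offline copy described above, sketched in PowerShell as an added example (not code from Ask Leo! or any backup vendor). The drive paths, the `*.mrimg` filter and the number of copies kept are assumptions to adjust; the script hashes the copy against the original and leaves earlier offline copies alone if anything looks wrong.

```powershell
# Added example: copy the newest backup image to a second drive, then verify it.
param(
    [string]$SourceDir  = 'E:\Backups',      # assumed: always-connected backup drive
    [string]$OfflineDir = 'G:\OfflineCopy',  # assumed: drive connected only for this copy
    [string]$Filter     = '*.mrimg',         # assumed: Macrium image extension
    [int]$Keep          = 3                  # assumed: offline generations to retain
)
$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $OfflineDir)) {
    throw "Offline drive not found at $OfflineDir. Connect it and run again."
}

# Newest image on the connected backup drive. If the images were renamed or
# removed, nothing matches and we stop before touching the offline copies.
$newest = Get-ChildItem -LiteralPath $SourceDir -Filter $Filter -File |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $newest) {
    throw "No $Filter files found in $SourceDir. Offline copies left untouched."
}

$dest    = Join-Path $OfflineDir $newest.Name
$srcHash = (Get-FileHash -LiteralPath $newest.FullName -Algorithm SHA256).Hash

# A finished image should never change. If a same-named offline copy exists
# with a different hash, refuse to overwrite the older (possibly good) copy.
if (Test-Path -LiteralPath $dest) {
    $oldHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    if ($oldHash -eq $srcHash) {
        Write-Output "$($newest.Name) is already on the offline drive and matches."
        return
    }
    throw "$($newest.Name) changed since it was last copied. Investigate before overwriting."
}

# Copy under a temporary name so an interrupted copy is never mistaken for a backup.
$temp = "$dest.partial"
Copy-Item -LiteralPath $newest.FullName -Destination $temp -Force
$dstHash = (Get-FileHash -LiteralPath $temp -Algorithm SHA256).Hash
if ($dstHash -ne $srcHash) {
    Remove-Item -LiteralPath $temp
    throw "Hash mismatch after copying $($newest.Name). Offline copies left untouched."
}
Move-Item -LiteralPath $temp -Destination $dest

# Only after a verified copy: keep the newest $Keep images, remove older ones.
Get-ChildItem -LiteralPath $OfflineDir -Filter $Filter -File |
    Sort-Object LastWriteTime -Descending | Select-Object -Skip $Keep |
    Remove-Item

Write-Output "Copied and verified $($newest.Name). Now disconnect the offline drive."
```

A matching hash only proves the copy is identical to the source; validating the image with the backup program itself is still worthwhile before relying on it.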


42 comments on “Should I Disconnect My Backup Drive When I’m Not Backing Up?”

  1. Great series on backups! One specific observation: when I copy an Acronis image to another external hard drive, it often will no longer validate. I have to either directly make an image to that new external hard drive, or I have to use the Acronis tool to consolidate archive.

  2. While periodic image backups are a good idea, I prefer to depend on data backups.
    I backup, to an external HD, weekly, plus any important changes when they occur.
    These backups are manual, and after backing up, I disconnect the drive. I’m not too concerned about
    ransomware. I just don’t see a reason to burn the electricity unnecessarily.

  3. I’m a big fan of keeping backup separated from your PC. Ransomware is one concern. Another is theft. A client once told me that his son backed up his computer regularly, and kept the backup next to the PC. When the house was broken in to, the thieves took the lot.

  4. In some ways the solution has come to the point where a backup is no longer enough. You now need to back up your backup. I do nightly incremental backup which I occasionally copy to a drive I keep at work. In the meantime (almost) all of my data is backed up on DropBox. I pay for a little over TB. For most people One Drive or Google Drive or a combination of 2, or all 3 free cloud backups should also work.

  5. Wow Leo,

    Just have to disagree a little bit here. Home users are to be commended to have at least one external hard drive for backups. Many do not have any. I hear on a regular basis the cries and hopes from customers of me recovering at least some of their lost data when the inevitable crashes happen. I recommend at least one certain day of the week (usually Friday) for automatic backups and have home users plug in and turn on the drive that day. I have them disconnect it before bed and place it in a safe or hiding place so it’s protected. It has been working fairly well for them. I say it’s your computer insurance policy that you must renew every Friday and it’s cheap. Just do it.

    For businesses they should have a full blown rotation of drives or tapes. They should not have to worry about drive disconnecting or turning them off.
    But then there are all of those small businesses that watch the pennies and don’t get more than one backup drive and leave it connected at all times. That is too bad!!! I have had two clients, one legal and one medical that got hit by CryptoLocker. Guess what? Server is encrypted, all workstations are encrypted and lastly the only single external drive is encrypted. I say take the drive offline for them. Now both of those companies experienced major financial losses due to equipment failure and loss of business income until they are open for business again. All networked computers, servers and backups all were compromised and needed complete rebuilding. At the same time the companies were out of business for many days without data or income. I got them back up and running but it was not fun times.

    So if they aren’t faithful with every backup but DO have a backup from a week or two ago, they have the major portion of their data. If they leave it connected and get hit they have nothing.

    My thoughts and experiences.

    • For those business watching pennies, I’d tell them that a second backup is much cheaper in the long run than paying for recovery. It’s an insurance policy with a one time layout of around $100.

  6. If you are worried about this, plug your external HD into a separate switched power strip and then you can quickly turn it on for a backup and off when you are done.

  7. I have set up a hybrid backup routine which, I believe, provides me with the benefits of both an automatic backup and a disconnected backup hard drive. I use the EASEUS backup program and, on a scheduled basis, I backup my C drive and data drives to a second internal drive. Then, after checking for encryption with Bleeping Computer’s ListCRIlock, I connect my external hard drive and copy the backup files. When done, the external drive is disconnected.

    In addition, I periodically run a backup to a portable drive which is kept in a safe deposit box.

    • We are currently evaluating EaseUS here at Ask Leo! as a free alternative to Macrium as it allows incremental backups in the free version. Any comments you (including anyone who uses it) have (pros and cons) on the EaseUS backup would be greatly appreciated.

      • Hi Mark,

        I’ve been using both the free and the paid versions for quite a while now. There is one problem that I’ve experienced that has not been fixed. To be fair, I could have spent more time in chat with their tech support. For a couple of computers I’ve installed this program on, the incremental backup has not always shown all of the files. Their tech support says that is OK but I do wonder. This has been specific to particular computers. Their differential backup has always shown all of the files.

        I’ve also tested the recovery disk full recovery process and it has worked as advertized.

        One of the nice features of this backup program is the ability to examine a backed up file before you recover it. In addition, you can recover it simply by using Windows Explorer and copying it back to either its original position or to your desktop.

        The newest version, paid I believe, provides for encryption of the backup. I suspect that this would make bogus encryption by ransomware difficult if not impossible. What do you think?

        • Thanks for responding.
          Encrypting your backup wouldn’t prevent someone from encrypting your encrypted file 🙁
          One thing that would be interesting to know is how good their tech support is. How willing they are to stay with you till the problem is solved, and how knowledgeable they are in their answers, ie. does what they tell you usually work?
          As for not finding some of your files in an incremental, it’s important to go to a backup on a date after you’ve created a file and before you deleted it. I don’t know if that was your case, otherwise if a file can get lost, that can be concerning.

          • Mark,

            I guess I should have foreseen that you could encrypt an encrypted file.

            My experience with the EASEUS tech support is that they have been responsive and timely in their responses. Although not using English as their prime language has led to some amusing communications. EASEUS had sent an email advertizement written to encourage users to buy a newer version. We were told that we should “dispose of our savings” to do this. 🙂 I passed this on to a retired professor that I know and he replied “My bad luck. I’ve already disposed of my savings!”

            What bothers me about the incremental backup file created is that in some computers, when searching My Documents, for example, all of the files are there in every increment. In other computers, only some are there and it doesn’t seem to be activity related. I’ve not seen this at all in the differential backups.

      • I’ve used EaseUS for a few years. I like it because it’s free and makes incrementals (Macrium free does not make incrementals). I find that EaseUS’ documentation leaves something to be desired. I don’t think it’s very well written and difficult to find an answer (at least for those of us using the free version). Of course I was trying to figure it all out while I was new to backups and trying to understand the different types of backups. Leo’s new series explaining these confusing things would have probably helped with that.

        But the biggest thing about EaseUS’ free version is that there is no way to make recovery media. So the free version is good most of the time because most of the time people want to recover a file that was accidentally deleted. You can double click the backup file and it will mount the backup like another drive/folder and you can just navigate to the location and copy the file, just like Windows’ native capability for ZIP files.

        What I’ve done is I’ve made a complete image with Macrium free version (to make that initial system backup that Leo likes to do with a new computer) for the recovery media and use EaseUS for everyday backups. So if I ever needed to wipe my drive and start over, I could recover with Macrium, and then use EaseUS to recover the computer to the latest incremental. It’s a two step recovery, but it’s free and it would only need to be done in the case of total system failure. Normal recovery only needs EaseUS.

        • James,

          EASEUS todo does have a full recovery process and I have used it successfully. At the version 8 level, go to tools > create emergency disk. From there you can choose either Linux or WinPE and then decide on the recovery media — CD/DVD, USB device (flash drive), or even ISO.

          I agree with you about their writing skills. ( See my note to Mark.) I’ve told them several times that they need a tech writer whose primary language is English. I suspect that there are not too many of those folks in China!

        • Could you clarify: you cannot make recovery media with the free version? So you could not, for example, restore an image to a replaced hard drive?

          • I started using EaseUS with version 4 Free. I never found a way to make recovery media and when I checked the online help, it specifically said that you couldn’t in the free version. I figured that was their way of encouraging people to upgrade to the paid edition.

            I currently use version 5.8, also free version. I’ve just assumed that they continued that practice. But since you asked, I went poking around. Under Tools, I found “Create Bootable Disk.” According to the online help (which is for version 7 and prior) it says, “It is indispensable when windows system fails to boot.” It goes on to explain that this option will let you choose to make either a WinPE or Linux emergency disk. However, on my computer, I didn’t have a choice … only a choice of where (USB/CD/DVD/etc.). So I created a USB. It formatted my USB and said that it successfully created the bootable recovery media.

            I rebooted my computer, but it failed to boot from the USB. I examined the USB stick with the command prompt and found that there was a hidden BOOT folder which contained two files: EASLINUX.SYS and EASLINUX.IRD, and a folder called SYSLINUX. So it looks like I’ve got a Linux recovery media. Not sure why it didn’t boot (is it a BIOS issue, a USB issue — I’ve been having some issues with my USB ports being flaky, or is the USB stick missing a file that tells the BIOS to run the EASLINUX.SYS file)

            However, it looks like the free version of version 5.8 will make recovery media to be able to recover when you can’t use your hard drive. So if I can just get it to boot from the USB, I won’t have to have the wonky two step with both Macrium and EaseUS.

          • From my experience with an older version of EaseUS, it allowed the Linux recovery media on the free version, the paid version allowed Windows PE. Not much difference really.

  8. If you were hit with ransomware that encrypted your MS Office files (for example) kept in your Dropbox folder, the online version will then become encrypted also right? If your other backup on an external HDD wasn’t available for whatever reason then are the Dropbox versions toast also or will version history save the day there? Thinking it’s time for the periodic offline backup stored elsewhere unattached to main PC.

  9. I had a crypto malware attack that even attacked the external hard drive. It didn’t get the image because that is very protected, but the incremental backup of data was trashed. I still haven’t totally recovered. I plan to reformat the hard drive and install linux and buy a new computer.

    • Daniel,

      Was it that the ‘image’ was specially protected or that the first full backup was just too large for the encryption program but the increments were not?

    • There shouldn’t be any reason to get a new computer after a malware attack, including CryptoLocker. Formatting the system drive and restoring from your image backup should be a safe option.

  10. One question I have is will these programs destroy/encrypt files I have stored to the cloud. Or web sites like carbonite?

    • They wouldn’t have any access to anything you have on the cloud, such as Carbonite, Dropbox etc. However these may upload your encrypted files. The good news is these services keep older versions of the files for 30 days.

  11. I use SyncBack Free version to backup my data to a portable USB drive and then to a second portable drive every day. And I do keep meaning to disconnect them when I’m not backing up, to protect them from viruses and ransom ware but I keep forgetting:-( I should build that step into my daily start up routine!

    • The fact that you forget to unplug them illustrates Leo’s point of the danger of forgetting to plug the external drive in.

  12. I am a long time Macrium user using the paid version 5. I also am perturbed at the large increase in cost for their update so am looking at Ease US ToDo as well.

    Comments here regarding earlier versions of Ease US are not helpful – indeed, they are downright unhelpful. Version 8.2 free certainly has a Linux and Win PE recovery disk creator. About to test my just created Win PE CD!

    Regarding connected backup drives, I use my NAS for regular scheduled backups but I also periodically copy backups to a USB ext drive that gets stored in my safe. My family photos etc are also up in the cloud.

    I do PC servicing and see many PCs with no backup. I have given this much thought, but, sadly, have come to the conclusion that trying to protect the data for most people is a forlorn hope (willing to be convinced otherwise, though!!). The truth is that any backup setup has to be checked regularly to see if it is still working and this is just too skilful a job for the people who need to have their backups designed for them. Even if errors are notified by the OS, they will, more often than not, be ignored in the hope that they will go away. Drive full? Don’t know what that means. Drive doesn’t exist? Move on. Data moved to somewhere else? How could that affect a backup? Drive failing with hard errors? So what? Etc, etc.

    So, even if we provide a good solution, how do we ensure it stays good? Maybe this needs a monthly service that checks backups are still OK. Bit like the Pool cleaner or lawn mower who turns up regularly? Admittedly, hard to sell this one.

    Call me gloomy but I think this is the bigger elephant in the room.

  13. Leo, first, I love your stuff. But wouldn’t this be an easy solution: If you have a second internal drive you use as a backup, simply remove the drive letter after each backup. It’s just a few clicks: Right click “computer,” click “manage,” click “storage,” click “disk management,” right-click the backup drive in the list, click “change drive letter and paths,” and click “remove” (eg: “F”).
    The drive will no longer show and even if the malware is looking for drives other than C:, it can’t find it. When you’re ready to back up, do the same steps again, but in the last step simply add the letter (eg “F”).
    The whole process takes maybe 5 seconds.

    • Sufficiently sophisticated malware can still find the drive. Not that that’s common, but to point out that it’s still not a 100% solution.

  14. Hi Leo, I believe in backup. I have lost 3 internal HDD’s and now it looks like two external
    HDD’s. I run Windows 7 pro 64 bit. My browser uses Internet Explorer 11. My external HDD
    is a Seagate USB3 goflex. I have some Seagate software “Disc utility CD upgrade kit
    internal hard drive” on Seagate CD’s. All my photos are backed up to CD’s and DVD’s.

    My problem is “Access Denied”. I down loaded from Seagate a copy of “Disk Recovery”.
    Ran the Demo and all my files and folders are on F:\ Trouble is all the lights on that
    drive are on; the drive is getting warm. I have not formatted it. I want to power it down.

    I had installed Nero 10 on the computer but never ran the program. I also had a copy
    of Photo Shop Elements 10 up and running. PSE 10 sync with Nero and wrote 44
    backups to F: Also Seagate Dashboard using Memeo software writes backups to F:

    Windows disk manager shows my drive is okay. Control Panel shows F: and free space
    along with space used. Thanks Esley

  15. I HAD to get an Android from Metro PCS. Somehow I ended up at a page asking for a code. I thought it was my voicemail code. WRONG!! I managed to lock it up and pay $10 for a new card. I charged my phone and it has ransomware. Says I went to a kiddy porn site or some crap. I’d NEVER pay. I know on a computer you can system restore. Please tell me how to get it off my phone. I can’t get to any way to download. Thanx. I’ve learned sooo much from your newsletters. Got ’em
    all saved in my Leo file. Pertinent ones.

    • I’ve reset my Android phones and tablets a few times. I went to the manufacturers’ websites and got the specific instructions for my phones and tablets.

  16. It would be much less trouble to put the external drive offline if I didn’t get the message “drive currently in use” that requires me to shut down the whole system, just to safely switch off the external drive. Why can I safely remove USB sticks but not the HDD? Does anyone know of a solution?

  17. Thank you Leo, procexp.exe is certainly useful.
    As to figuring which process is using which hard disk, I found that I could sharpen the search by using “ F:\ “ (F: drive for example) instead of “harddisk”.
    Problem then is that most of the listed process items referencing my external drive are listed as “system”, which I guess would be unwise to “kill”.
    I have to say that with device External USB policy set through Control Panel to Quick Removal and not Write Caching, and I just pull the plug anyway, I have never actually had a problem with the drive. Maybe the worry is overrated.

  18. Here is my way of adding a few security layers for Ransomware to navigate. First, remove administrator rights from your ‘daily use’ user, ie. create a user just for daily use. Next, use either an internal or external drive exclusively for backup, I use an internal 1T drive. Then using Powershell both remove the drive letter and set to OFFLINE. Lastly, again use Powershell to Set you know backup drive (by Name) to ONLINE, run WBADMIN (this is native Windows Backup) command-line, when completed, set drive back OFFLINE. You can even send yourself status emails via Powershell.
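Added example, not part of the comment above and not the commenter's script: one way to script the online, back up, offline cycle that comment 18 describes. The disk name and drive letter are placeholders, and it assumes the backup disk starts out offline with no drive letter and that the script runs from an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: bring the backup disk online, run Windows Backup, take it offline.
param(
    [string]$DiskName = 'EXAMPLE-BACKUP-DISK',  # placeholder: FriendlyName shown by Get-Disk
    [char]$Letter     = 'F'                     # placeholder: letter used only during the backup
)
$ErrorActionPreference = 'Stop'

# Select the disk by name, as the comment suggests, and refuse to guess
# if the name matches more than one disk.
$disk = @(Get-Disk -FriendlyName $DiskName)
if ($disk.Count -ne 1) {
    throw "Expected exactly one disk named '$DiskName', found $($disk.Count)."
}
$number  = $disk[0].Number
$path    = "${Letter}:\"
$mounted = $false

try {
    Set-Disk -Number $number -IsOffline $false
    Set-Disk -Number $number -IsReadOnly $false

    # Assumption: the largest partition on the disk is the backup volume.
    $part = Get-Partition -DiskNumber $number |
        Sort-Object Size -Descending | Select-Object -First 1
    Add-PartitionAccessPath -DiskNumber $number `
        -PartitionNumber $part.PartitionNumber -AccessPath $path
    $mounted = $true

    # Native Windows Backup: system drive plus everything needed to boot.
    $wbArgs = @('start', 'backup', "-backupTarget:${Letter}:",
                '-include:C:', '-allCritical', '-quiet')
    & wbadmin.exe @wbArgs
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin exited with code $LASTEXITCODE."
    }
}
finally {
    # Runs on success and on failure, so the disk is never left mounted.
    if ($mounted) {
        Remove-PartitionAccessPath -DiskNumber $number `
            -PartitionNumber $part.PartitionNumber -AccessPath $path
    }
    Set-Disk -Number $number -IsOffline $true
}
```

An offline disk is hidden from drive-letter scans but, as the reply to comment 13 says of hidden drive letters, it is not a 100% solution.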

  19. I am not entirely happy with any of the ideas presented here, but least of all with the idea of having your backup device always connected. I was keeping my wife’s computer pictures and documents backed up to an external USB HDD using Win 10 File History. She opened the wrong attachment and fell victim to Zepto/Locky ransomware. The infection was immediate. Removed the virus with SpyHunter by Enigma but the files on both the computer and the backup drive were gone for good. Fortunately I had copied a lot of the pictures to a thumb drive for a relative and could borrow them back. Not so the documents. I will never, ever, leave my backup medium attached while I am using my computer. Even then it will be just a matter of time before the villains write ransom ware that does not activate until it senses a drive addition. Perhaps the answer is cloud storage. Would the infection spread to Dropbox, especially if I save directly to a Dropbox folder as Leo suggests?

    • It would synchronize the infected files with Dropbox, but Dropbox maintains a 30 backup of all deleted and changed files, so it is a great addition to your backup arsenal. I like it so much I have the paid version and do all my work and keep all my files in the Dropbox folder. I also make regular image and incremental backups and rotate my removable drives regularly.
