
Should I Disconnect My Backup Drive When I’m Not Backing Up?

I keep hearing of viruses that encrypt your hard drive, even the files on your external hard drive. Doesn’t that mean that my backups would be encrypted as well? Friends are telling me I should disconnect my backup drive when I’m not using it, but that doesn’t feel right either. What should I do?

Even as I update this article five years after its original publication, my opinion remains unchanged: you run a higher risk of not being backed up if you disconnect the drive than you do having your backups encrypted by ransomware.

That being said, ransomware has become more destructive, is encrypting more files, and is reaching out to more locations, including network shares and external drives. So, yes, there are reports of individuals who find that their backups, as well as their other files, have been encrypted.

Nonetheless, my basic advice also remains unchanged: leave the drive connected and continue to let your backups run automatically.

I’ll explain why I feel that way, and additional steps you should consider to mitigate the risk of ransomware encrypting those backups.


It’s important to leave your backup drive connected so backups continue to protect you from hardware failure and malware. If you remain concerned that ransomware might encrypt your backups, periodically copy a backup to an additional drive that you then take offline.

Ransomware

Ransomware is malicious software (malware) that encrypts your files and holds them ransom by extorting a cash payment for the decryption key.

Without the decryption key, the files cannot be recovered. Most ransomware appears to use good, strong encryption to do the deed.

Experts and authorities advise that you never pay the ransom. It only encourages malware authors to keep infecting more machines and holding them for ransom. I agree.

If you find your machine suddenly held hostage, the best solution is to recover with your most recent backup and get on with your day. It works every time.

Unless your backup has been encrypted.

Encryption priorities

Ransomware can’t encrypt every file on your system. Doing so would break Windows itself, preventing the ransomware from presenting you with the ransom demand and removing any hope of recovery.

So ransomware generally encrypts only certain types of files. Typically, those include:

  • .doc, .docx, and similar word processing documents.
  • .jpg, .jpeg, .png, and similar photos and images.
  • .xls, .xlsx, and similar spreadsheets and accounting files.

Those are enough for most ransomware to effectively get most people’s attention. If those files aren’t backed up in some way, then paying the ransom is the only way to get the data back.

And this is exactly what ransomware relies on: people not being backed up. And it’s why most ransomware is “successful”.

You’re protected from most

Most ransomware variants do not encrypt:

  • File types they aren’t explicitly looking for.
  • Files on drives other than the system drive, C:.

That means most connected backups are protected, because:

  • Backup image files are usually not on the list of filetypes to be encrypted. Macrium’s “.mrimg” files would be one example. They are ignored by ransomware.
  • Backup files are usually kept on a drive other than C: — your external drive. Once again, the files are ignored.

Ransomware wants to stay hidden as long as possible while encrypting your data so it can complete the job undetected. Backups — particularly backup image files — are often very large and can take a long time to encrypt. Encryption takes time and can adversely impact system performance. For practical reasons, then, it’s not in the malware’s best self-interest to attempt it.

Next-level ransomware

Never say never.

There is ransomware out there that does encrypt files on drives other than C:, including network and external drives, as well as explicitly encrypt backup images. As someone pointed out, the entire image doesn’t need to be encrypted; encrypt just the first part, and the entire image could be rendered useless.

There’s more “next-level” ransomware now than there was when this article was originally written.

It’s still not as common as the “quick and easy” ransomware that relies on people who aren’t backed up.

But it does exist.

Protection priorities

Here’s the thing: not everything has the same risk. Just because backup-encrypting ransomware exists doesn’t mean it’s what you’re most likely to encounter.

  • You run some risk of encountering malware.
  • You run a smaller risk of that malware being ransomware.
  • You run an even smaller risk of that ransomware being the encrypt-your-backups variant.

Keeping your backups automated and your backup drive connected guarantees protection from the first two: the two you’re most likely to encounter.

Put another way, if you disconnect your backup drive and forget to reconnect it for some time, you’re not protected from anything.

Thus my advice: keep the backup drive connected, let your backups happen automatically, and as usual, do everything you should to stay safe on the internet.

But, but, but … what if???

Particularly with the (small) risk of backup-encrypting ransomware increasing, I get a lot of pushback from people who seem to be convinced that:

  • It’s the only malware that exists. (Not true, of course.)
  • It’s going to happen to them. (Other maladies are more likely.)

However, there is a very reasonable approach to protecting yourself from everything. It works like this:

  • Leave your backup drive connected.
  • Let your backups happen automatically.
  • Periodically copy a backup image to an off-line location, such as an additional drive that you then disconnect.
  • Practice safe computing.

I’m much more comfortable relying on you remembering to make this periodic copy, a backup of a backup. The risk of failure if you forget is significantly less than if you were to disconnect your backup drive and forget to reconnect it.


Leo


45 comments on “Should I Disconnect My Backup Drive When I’m Not Backing Up?”

  1. Great series on backups! One specific observation: when I copy an Acronis image to another external hard drive, it often will no longer validate. I have to either directly make an image to that new external hard drive, or I have to use the Acronis tool to consolidate archive.

    Reply
  2. While periodic image backups are a good idea, I prefer to depend on data backups.
    I backup, to an external HD, weekly, plus any important changes when they occur.
    These backups are manual, and after backing up, I disconnect the drive. I’m not too concerned about
    ransomware. I just don’t see a reason to burn the electricity unnecessarily.

    Reply
  3. I’m a big fan of keeping backup separated from your PC. Ransomware is one concern. Another is theft. A client once told me that his son backed up his computer regularly, and kept the backup next to the PC. When the house was broken in to, the thieves took the lot.

    Reply
  4. In some ways the solution has come to the point where a backup is no longer enough. You now need to back up your backup. I do nightly incremental backups which I occasionally copy to a drive I keep at work. In the meantime (almost) all of my data is backed up on OneDrive. I pay for a little over TB. Dropbox, Google Drive, or a combination of 2 or all 3 free cloud backups should also work.

    Reply
  5. Wow Leo,

    Just have to disagree a little bit here. Home users are to be commended to have at least one external hard drive for backups. Many do not have any. I hear on a regular basis the cries and hopes from customers of me recovering at least some of their lost data when the inevitable crashes happen. I recommend at least one certain day of the week (usually Friday) for automatic backups and have home users plug in and turn on the drive that day. I have them disconnect it before bed and place it in a safe or hiding place so it’s protected. It has been working fairly well for them. I say it’s your computer insurance policy that you must renew every Friday and it’s cheap. Just do it.

    For businesses they should have a full blown rotation of drives or tapes. They should not have to worry about drive disconnecting or turning them off.
    But then there are all of those small businesses that watch the pennies and don’t get more than one backup drive and leave it connected at all times. That is too bad!!! I have had two clients, one legal and one medical that got hit by CryptoLocker. Guess what? Server is encrypted, all workstations are encrypted and lastly the only single external drive is encrypted. I say take the drive offline for them. Now both of those companies experienced major financial losses due to equipment failure and loss of business income until they are open for business again. All networked computers, servers and backups all were compromised and needed complete rebuilding. At the same time the companies were out of business for many days without data or income. I got them back up and running but it was not fun times.

    So if they aren’t faithful with every backup but DO have a backup from a week or two ago, they have the major portion of their data. If they leave it connected and get hit they have nothing.

    My thoughts and experiences.

    Reply
  6. If you are worried about this, plug your external HD into a separate switched power strip and then you can quickly turn it on for a backup and off when you are done.

    Reply
  7. I have set up a hybrid backup routine which, I believe, provides me with the benefits of both an automatic backup and a disconnected backup hard drive. I use the EASEUS backup program and, on a scheduled basis, I backup my C drive and data drives to a second internal drive. Then, after checking for encryption with Bleeping Computer’s ListCRIlock, I connect my external hard drive and copy the backup files. When done, the external drive is disconnected.

    In addition, I periodically run a backup to a portable drive which is kept in a safe deposit box.

    Reply
    • We are currently evaluating EaseUS here at Ask Leo! as a free alternative to Macrium as it allows incremental backups in the free version. Any comments you (including anyone who uses it) have (pros and cons) on the EaseUS backup would be greatly appreciated. (Update – we now recommend both EaseUS Todo and Macrium Reflect)

      Reply
      • Hi Mark,

        I’ve been using both the free and the paid versions for quite a while now. There is one problem that I’ve experienced that has not been fixed. To be fair, I could have spent more time in chat with their tech support. For a couple of computers I’ve installed this program on, the incremental backup has not always shown all of the files. Their tech support says that is OK but I do wonder. This has been specific to particular computers. Their differential backup has always shown all of the files.

        I’ve also tested the recovery disk full recovery process and it has worked as advertised.

        One of the nice features of this backup program is the ability to examine a backed up file before you recover it. In addition, you can recover it simply by using Windows Explorer and copying it back to either its original position or to your desktop.

        The newest version, paid I believe, provides for encryption of the backup. I suspect that this would make bogus encryption by ransomware difficult if not impossible. What do you think?

        Reply
        • Thanks for responding.
          Encrypting your backup wouldn’t prevent someone from encrypting your encrypted file 🙁
          One thing that would be interesting to know is how good their tech support is. How willing they are to stay with you till the problem is solved, and how knowledgeable they are in their answers, ie. does what they tell you usually work?
          As for not finding some of your files in an incremental, it’s important to go to a backup on a date after you’ve created a file and before you deleted it. I don’t know if that was your case, otherwise if a file can get lost, that can be concerning.

          Reply
          • Mark,

            I guess I should have foreseen that you could encrypt an encrypted file.

            My experience with the EASEUS tech support is that they have been responsive and timely in their responses. Although not using English as their prime language has led to some amusing communications. EASEUS had sent an email advertisement written to encourage users to buy a newer version. We were told that we should “dispose of our savings” to do this. 🙂 I passed this on to a retired professor that I know and he replied “My bad luck. I’ve already disposed of my savings!”

            What bothers me about the incremental backup file created is that in some computers, when searching My Documents, for example, all of the files are there in every increment. In other computers, only some are there and it doesn’t seem to be activity related. I’ve not seen this at all in the differential backups.

      • I’ve used EaseUS for a few years. I like it because it’s free and makes incrementals (Macrium free does not make incrementals). I find that EaseUS’ documentation leaves something to be desired. I don’t think it’s very well written and difficult to find an answer (at least for those of us using the free version). Of course I was trying to figure it all out while I was new to backups and trying to understand the different types of backups. Leo’s new series explaining these confusing things would have probably helped with that.

        But the biggest thing about EaseUS’ free version is that there is no way to make recovery media. So the free version is good most of the time because most of the time people want to recover a file that was accidentally deleted. You can double click the backup file and it will mount the backup like another drive/folder and you can just navigate to the location and copy the file, just like Windows’ native capability for ZIP files.

        What I’ve done is I’ve made a complete image with Macrium free version (to make that initial system backup that Leo likes to do with a new computer) for the recovery media and use EaseUS for everyday backups. So if I ever needed to wipe my drive and start over, I could recover with Macrium, and then use EaseUS to recover the computer to the latest incremental. It’s a two step recovery, but it’s free and it would only need to be done in the case of total system failure. Normal recovery only needs EaseUS.

        Reply
        • James,

          EASEUS todo does have a full recovery process and I have used it successfully. At the version 8 level, go to tools > create emergency disk. From there you can choose either Linux or WinPE and then decide on the recovery media — CD/DVD, USB device (flash drive), or even ISO.

          I agree with you about their writing skills. (See my note to Mark.) I’ve told them several times that they need a tech writer whose primary language is English. I suspect that there are not too many of those folks in China!

          Reply
        • Could you clarify: you cannot make recovery media with the free version? So you could not, for example, restore an image to a replaced hard drive?

          Reply
          • I started using EaseUS with version 4 Free. I never found a way to make recovery media and when I checked the online help, it specifically said that you couldn’t in the free version. I figured that was their way of encouraging people to upgrade to the paid edition.

            I currently use version 5.8, also free version. I’ve just assumed that they continued that practice. But since you asked, I went poking around. Under Tools, I found “Create Bootable Disk.” According to the online help (which is for version 7 and prior) it says, “It is indispensable when windows system fails to boot.” It goes on to explain that this option will let you choose to make either a WinPE or Linux emergency disk. However, on my computer, I didn’t have a choice … only a choice of where (USB/CD/DVD/etc.). So I created a USB. It formatted my USB and said that it successfully created the bootable recovery media.

            I rebooted my computer, but it failed to boot from the USB. I examined the USB stick with the command prompt and found that there was a hidden BOOT folder which contained two files: EASLINUX.SYS and EASLINUX.IRD, and a folder called SYSLINUX. So it looks like I’ve got a Linux recovery media. Not sure why it didn’t boot (is it a BIOS issue, a USB issue — I’ve been having some issues with my USB ports being flaky, or is the USB stick missing a file that tells the BIOS to run the EASLINUX.SYS file)

            However, it looks like the free version of version 5.8 will make recovery media to be able to recover when you can’t use your hard drive. So if I can just get it to boot from the USB, I won’t have to have the wonky two step with both Macrium and EaseUS.

  8. If you were hit with ransomware that encrypted your MS Office files (for example) kept in your Dropbox folder, the online version will then become encrypted also right? If your other backup on an external HDD wasn’t available for whatever reason then are the Dropbox versions toast also or will version history save the day there? Thinking it’s time for the periodic offline backup stored elsewhere unattached to main PC.

    Reply
  9. I had a crypto malware attack that even attacked the external hard drive. It didn’t get the image because that is very protected, but the incremental backup of data was trashed. I still haven’t totally recovered. I plan to reformat the hard drive and install Linux and buy a new computer.

    Reply
    • Daniel,

      Was it that the ‘image’ was specially protected or that the first full backup was just too large for the encryption program but the increments were not?

      Reply
  10. One question I have is will these programs destroy/encrypt files I have stored to the cloud. Or web sites like Carbonite?

    Reply
    • They wouldn’t have any access to anything you have on the cloud, such as Carbonite, OneDrive, or Dropbox, etc. However, these may upload your encrypted files. The good news is these services keep older versions of the files for 30 days.

      Reply
  11. I use SyncBack Free version to backup my data to a portable USB drive and then to a second portable drive every day. And I do keep meaning to disconnect them when I’m not backing up, to protect them from viruses and ransom ware but I keep forgetting:-( I should build that step into my daily start up routine!

    Reply
  12. I am a long time Macrium user using the paid version 5. I also am perturbed at the large increase in cost for their update so am looking at Ease US ToDo as well.

    Comments here regarding earlier versions of Ease US are not helpful – indeed, they are downright unhelpful. Version 8.2 free certainly has a Linux and Win PE recovery disk creator. About to test my just created Win PE CD!

    Regarding connected backup drives, I use my NAS for regular scheduled backups but I also periodically copy backups to a USB ext drive that gets stored in my safe. My family photos etc are also up in the cloud.

    I do PC servicing and see many PCs with no backup. I have given this much thought, but, sadly, have come to the conclusion that trying to protect the data for most people is a forlorn hope (willing to be convinced otherwise, though!!). The truth is that any backup setup has to be checked regularly to see if it is still working and this is just too skilful a job for the people who need to have their backups designed for them. Even if errors are notified by the OS, they will, more often than not, be ignored in the hope that they will go away. Drive full? Don’t know what that means. Drive doesn’t exist? Move on. Data moved to somewhere else? How could that affect a backup? Drive failing with hard errors? So what? Etc, etc.

    So, even if we provide a good solution, how do we ensure it stays good? Maybe this needs a monthly service that checks backups are still OK. Bit like the Pool cleaner or lawn mower who turns up regularly? Admittedly, hard to sell this one.

    Call me gloomy but I think this is the bigger elephant in the room.

    Reply
  13. Leo, first, I love your stuff. But wouldn’t this be an easy solution: If you have a second internal drive you use as a backup, simply remove the drive letter after each backup. It’s just a few clicks: Right click “computer,” click “manage,” click “storage,” click “disk management,” right-click the backup drive in the list, click “change drive letter and paths,” and click “remove” (eg: “F”).
    The drive will no longer show and even if the malware is looking for drives other than C:, it can’t find it. When you’re ready to back up, do the same steps again, but in the last step simply add the letter (eg “F”).
    The whole process takes maybe 5 seconds.

    Reply
    • Sufficiently sophisticated malware can still find the drive. Not that that’s common, but to point out that it’s still not a 100% solution.

      Reply
  14. Hi Leo, I believe in backup. I have lost 3 internal HDD’s and now it looks like two external
    HDD’s. I run Windows 7 pro 64 bit. My browser uses Internet Explorer 11. My external HDD
    is a Seagate USB3 goflex. I have some Seagate software “Disc utility CD upgrade kit
    internal hard drive” on Seagate CD’s. All my photos are backed up to CD’s and DVD’s.

    My problem is “Access Denied”. I downloaded from Seagate a copy of “Disk Recovery”.
    Ran the Demo and all my files and folders are on F:\ Trouble is all the lights on that
    drive are on; the drive is getting warm. I have not formatted it. I want to power it down.

    I had installed Nero 10 on the computer but never ran the program. I also had a copy
    of Photo Shop Elements 10 up and running. PSE 10 sync with Nero and wrote 44
    backups to F: Also Seagate Dashboard using Memeo software writes backups to F:

    Windows disk manager shows my drive is okay. Control Panel shows F: and free space
    along with space used. Thanks Esley

    Reply
  15. I HAD to get an Android from Metro PCS. Somehow I ended up at a page asking for a code. I thought it was my voicemail code. WRONG!! I managed to lock it up and pay $10 for a new card. I charged my phone and it has ransomware. Says I went to a kiddy porn site or some crap. I’d NEVER pay. I know on a computer you can system restore. Please tell me how to get it off my phone. I can’t get to any way to download. Thanx. I’ve learned sooo much from your newsletters. Got ’em all saved in my Leo file. Pertinent ones.

    Reply
  16. It would be much less trouble to put the external drive offline if I didn’t get the message “drive currently in use” that requires me to shut down the whole system, just to safely switch off the external drive. Why can I safely remove USB sticks but not the HDD? Does anyone know of a solution?

    Reply
  17. Thank you Leo, procexp.exe is certainly useful.
    As to figuring which process is using which hard disk, I found that I could sharpen the search by using “ F:\ “ (F: drive for example) instead of “harddisk”.
    Problem then is that most of the listed process items referencing my external drive are listed as “system”, which I guess would be unwise to “kill”.
    I have to say that with device External USB policy set through Control Panel to Quick Removal and not Write Caching, and I just pull the plug anyway, I have never actually had a problem with the drive. Maybe the worry is overrated.

    Reply
  18. Here is my way of adding a few security layers for ransomware to navigate. First, remove administrator rights from your ‘daily use’ user, i.e., create a user just for daily use. Next, use either an internal or external drive exclusively for backup; I use an internal 1T drive. Then, using PowerShell, both remove the drive letter and set it to OFFLINE. Lastly, again use PowerShell to set your known backup drive (by name) to ONLINE, run the WBADMIN (this is native Windows Backup) command line, and when completed, set the drive back OFFLINE. You can even send yourself status emails via PowerShell.

    Reply
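One way to combine the article's periodic offline copy of a backup image with the offline-disk approach described in comment 18, as an added example that is not code from the article or from any commenter. It copies an existing image instead of running WBADMIN, and the source folder, file pattern, disk name, drive letter and retention count are all assumed values.

```powershell
#Requires -RunAsAdministrator
# Added example: copy the newest backup image to a second disk that is kept
# offline except while this script runs. All values below are assumptions.
$SourceDir    = 'E:\Backups'          # folder on the always-connected backup drive
$ImagePattern = '*.mrimg'             # Macrium image files; change for other tools
$VaultName    = 'EXAMPLE-VAULT-DISK'  # placeholder FriendlyName, as listed by Get-Disk
$VaultLetter  = 'V'                   # temporary drive letter, assumed to be unused
$Keep         = 3                     # number of copies retained on the second disk

$ErrorActionPreference = 'Stop'

$disk = Get-Disk -FriendlyName $VaultName
if (@($disk).Count -ne 1) { throw "Expected exactly one disk named '$VaultName'." }

try {
    # Bring the disk online and writable only for the duration of the copy.
    # Disks that Windows classes as removable media may refuse the offline
    # state; unplug those instead.
    Set-Disk -Number $disk.Number -IsOffline $false
    Set-Disk -Number $disk.Number -IsReadOnly $false

    # Use the largest partition as the data partition.
    $part = Get-Partition -DiskNumber $disk.Number |
            Sort-Object Size -Descending | Select-Object -First 1
    $letter = $part.DriveLetter
    if ($letter -notmatch '^[A-Za-z]$') {
        Add-PartitionAccessPath -DiskNumber $disk.Number `
            -PartitionNumber $part.PartitionNumber -AccessPath "${VaultLetter}:"
        $letter = $VaultLetter
    }

    $newest = Get-ChildItem -Path $SourceDir -Filter $ImagePattern -File |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) { throw "No $ImagePattern files found in $SourceDir." }

    $destDir = "${letter}:\OfflineCopies"
    New-Item -ItemType Directory -Path $destDir -Force | Out-Null

    # Timestamped name: a new copy never overwrites an older one, so an image
    # that was already damaged when copied cannot replace the last good copy.
    $dest = Join-Path $destDir ('{0:yyyyMMdd-HHmmss}_{1}' -f $newest.LastWriteTime, $newest.Name)
    if (-not (Test-Path -LiteralPath $dest)) {
        Copy-Item -LiteralPath $newest.FullName -Destination $dest
        $srcHash = (Get-FileHash -LiteralPath $newest.FullName -Algorithm SHA256).Hash
        $dstHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
        if ($srcHash -ne $dstHash) {
            Remove-Item -LiteralPath $dest
            throw "Copy of $($newest.Name) does not match the source; nothing was kept."
        }
    }

    # Retention: names sort by timestamp, so everything after the newest $Keep goes.
    Get-ChildItem -Path $destDir -File | Sort-Object Name -Descending |
        Select-Object -Skip $Keep | Remove-Item
}
finally {
    # Always drop the drive letter and take the disk offline again, even after an error.
    if ($part -and $letter -match '^[A-Za-z]$') {
        Remove-PartitionAccessPath -DiskNumber $disk.Number `
            -PartitionNumber $part.PartitionNumber -AccessPath "${letter}:" `
            -ErrorAction SilentlyContinue
    }
    Set-Disk -Number $disk.Number -IsOffline $true
}
```

A matching hash only shows that the copy equals the source, so the copied image should still be checked with the backup program's own verify function from time to time. Malware running with administrator rights can bring the disk online itself, so this narrows the exposure window but is not equivalent to a drive that is physically disconnected.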
  19. I am not entirely happy with any of the ideas presented here, but least of all with the idea of having your backup device always connected. I was keeping my wife’s computer pictures and documents backed up to an external USB HDD using Win 10 File History. She opened the wrong attachment and fell victim to Zepto/Locky ransomware. The infection was immediate. Removed the virus with SpyHunter by Enigma but the files on both the computer and the backup drive were gone for good. Fortunately I had copied a lot of the pictures to a thumb drive for a relative and could borrow them back. Not so the documents. I will never, ever, leave my backup medium attached while I am using my computer. Even then it will be just a matter of time before the villains write ransomware that does not activate until it senses a drive addition. Perhaps the answer is cloud storage. Would the infection spread to Dropbox, especially if I save directly to a Dropbox folder as Leo suggests?

    Reply
    • It would synchronize the infected files with Dropbox, but Dropbox maintains a 30-day backup of all deleted and changed files, so it is a great addition to your backup arsenal. I like it so much I have the paid version and do all my work and keep all my files in the Dropbox folder. I also make regular image and incremental backups and rotate my removable drives regularly.

      Reply
  20. My OS is Linux Mint. I use Aptik and Backintime to back up Root and Home, respectively. These happen incrementally daily, to an always connected external 1TB HD. My desktop includes two 1TB internal drives in addition to the 256GB SSD containing Root and Home. The internal 1TB drives contain historical documents, photos, audio and video files, my Calibre database, etc.; items that don’t change much. Weekly, or when I remember, I mirror (using FreeFileSync) all the internal and external drives to an external 3TB which is unplugged afterwards. We recently had a direct lightning hit on the house which fried the desktop which was running at the time and corrupted (but luckily didn’t destroy) the connected drives. Bought a refurb desktop from Amazon, loaded the Linux OS from a live USB stick, formatted the drives and restored everything from the 3TB drive. All done in a few hours, not counting the wait for the refurb desktop to be delivered from Amazon. My essential documents are also backed up real-time to the Mega cloud service which features end-to-end encryption and archives all file changes automatically.

    Reply
    • Was your USB drive a 3.5″ drive with an external power supply or a 2.5″ drive which gets its power directly from the USB port? I’m asking because the lightning strike would be more likely to damage the USB drive if it was plugged in to the wall.

      Reply
      • I’m not sure I’d make that assumption, myself. So many odd things can happen with lightning strikes that I’d place the odds at about even between the two. Depends on so many things (quality of manufacture, capriciousness of the strike 🙂, etc.)

        Reply
