Even as I update this article five years after its original publication, my opinion remains unchanged: you run a higher risk of not being backed up if you disconnect the drive than you do having your backups encrypted by ransomware.
That being said, ransomware has become more destructive, is encrypting more files, and is reaching out to more locations, including network shares and external drives. So, yes, there are reports of individuals who find that their backups, as well as their other files, have been encrypted.
Nonetheless, my basic advice also remains unchanged: leave the drive connected and continue to let your backups run automatically.
I’ll explain why I feel that way, and additional steps you should consider to mitigate the risk of ransomware encrypting those backups.
It’s important to leave your backup drive connected so backups continue to protect you from hardware failure and malware. If you remain concerned that ransomware might encrypt your backups, periodically copy a backup to an additional drive that you then take offline.
Without the decryption key, the files cannot be recovered. Most ransomware appears to use good, strong encryption to do the deed.
Experts and authorities advise that you never pay the ransom. It only encourages malware authors to keep infecting more machines and holding them for ransom. I agree.
If you find your machine suddenly held hostage, the best solution is to recover with your most recent backup and get on with your day. It works every time.
Unless your backup has been encrypted.
Ransomware can’t encrypt every file on your system. Doing so would break Windows itself, preventing it from presenting you with the ransom demand and eliminating any hope of recovery.
So ransomware generally encrypts only certain types of files. Typically, those include:
- .doc, .docx, and similar word processing documents.
- .jpg, .jpeg, .png, and similar photos and images.
- .xls, .xlsx, and similar spreadsheets and accounting files.
Those are enough for most ransomware to effectively get most people’s attention. If those files aren’t backed up in some way, then paying the ransom is the only way to get the data back.
And this is exactly what ransomware relies on: people not being backed up. And it’s why most ransomware is “successful”.
You’re protected from most
Most ransomware variants do not encrypt:
- File types they aren’t explicitly looking for.
- Files on drives other than the system drive, C:.
That means most connected backups are protected, because:
- Backup image files are usually not on the list of filetypes to be encrypted. Macrium’s “.mrimg” files would be one example. They are ignored by ransomware.
- Backup files are usually kept on a drive other than C: — your external drive. Once again, the files are ignored.
Ransomware wants to stay hidden as long as possible while encrypting your data so it can complete the job undetected. Backups — particularly backup image files — are often very large and can take a long time to encrypt. Encryption takes time and can adversely impact system performance. For practical reasons, then, it’s not in the malware’s best self-interest to attempt it.
Never say never.
There is ransomware out there that does encrypt files on drives other than C:, including network and external drives, as well as explicitly encrypting backup images. As someone pointed out, the entire image doesn’t need to be encrypted; encrypt just the first part, and the entire image could be rendered useless.
There’s more “next-level” ransomware now than there was when this article was originally written.
It’s still not as common as the “quick and easy” ransomware that relies on people who aren’t backed up.
But it does exist.
Here’s the thing: not everything has the same risk. Just because backup-encrypting ransomware exists doesn’t mean it’s what you’re most likely to encounter.
- You run some risk of encountering malware.
- You run a smaller risk of that malware being ransomware.
- You run an even smaller risk of that ransomware being the encrypt-your-backups variant.
Keeping your backups automated and your backup drive connected guarantees protection from the first two: the two you’re most likely to encounter.
Put another way, if you disconnect your backup drive and forget to reconnect it for some time, you’re not protected from anything.
Thus my advice: keep the backup drive connected, let your backups happen automatically, and as usual, do everything you should to stay safe on the internet.
But, but, but … what if???
Particularly with the (small) risk of backup-encrypting ransomware increasing, I get a lot of pushback from people who seem to be convinced that:
- It’s the only malware that exists. (Not true, of course.)
- It’s going to happen to them. (Other maladies are more likely.)
However, there is a very reasonable approach to protecting yourself from everything. It works like this:
- Leave your backup drive connected.
- Let your backups happen automatically.
- Periodically copy a backup image to an offline location, such as an additional drive that you then disconnect.
- Practice safe computing.
I’m much more comfortable relying on you remembering to make this periodic copy, a backup of a backup. The risk of failure if you forget is significantly less than if you were to disconnect your backup drive and forget to reconnect it.
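The “backup of a backup” step above, as an added example that is not from the article or from Macrium: a Python script that copies the newest .mrimg image to the offline drive, verifies the copy by SHA-256, and keeps a small catalog of hashes so that an image which has changed since it was catalogued (something a finished image never does, and exactly what damage to its first bytes would cause) is refused rather than copied over the good offline copy. The .mrimg suffix, the directory layout, the catalog file, and the constructed demo image are assumptions.

```python
import hashlib, json, shutil, tempfile
from pathlib import Path

def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-gigabyte images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def copy_newest_image_offline(source_dir: Path, offline_dir: Path, catalog: Path) -> str:
    """Copy the newest .mrimg to the offline drive and return its verified SHA-256. A finished image is
    write-once: a changed hash means damage or tampering, so the good offline copy is never overwritten."""
    known = json.loads(catalog.read_text()) if catalog.exists() else {}
    newest = max(source_dir.glob("*.mrimg"), key=lambda p: p.stat().st_mtime)  # ValueError if none
    digest = sha256_of(newest)
    if known.get(newest.name, digest) != digest:
        raise RuntimeError(f"{newest.name} changed since it was catalogued; offline copy left alone")
    dest = offline_dir / newest.name
    shutil.copy2(newest, dest)
    if sha256_of(dest) != digest:  # bad media or an interrupted copy
        dest.unlink()
        raise RuntimeError(f"copy of {newest.name} failed verification")
    known[newest.name] = digest
    catalog.write_text(json.dumps(known, indent=2))
    return digest

def verify_offline_copies(offline_dir: Path, catalog: Path) -> dict:
    """Re-hash every catalogued image on the offline drive; run this before relying on it."""
    known = json.loads(catalog.read_text())
    return {n: (offline_dir / n).exists() and sha256_of(offline_dir / n) == h for n, h in known.items()}

def demo() -> dict:
    """Constructed walkthrough: a fake image is copied offline, then the source gets damaged."""
    root = Path(tempfile.mkdtemp())
    src, off, cat = root / "backups", root / "offline", root / "catalog.json"
    src.mkdir(); off.mkdir()
    (src / "constructed.mrimg").write_bytes(b"MRIMG-demo-header" + bytes(range(256)) * 64)
    first = copy_newest_image_offline(src, off, cat)
    with open(src / "constructed.mrimg", "r+b") as fh:  # damage only the first bytes, as the article notes
        fh.write(b"\x00" * 32)
    try:
        copy_newest_image_offline(src, off, cat)
        rejected = False
    except RuntimeError:
        rejected = True
    return {"copy_sha256": first, "changed_source_rejected": rejected,
            "offline_intact": verify_offline_copies(off, cat)["constructed.mrimg"]}
```

Run it on a schedule while the offline drive is attached, then disconnect the drive; the catalog is the record you check against before trusting that drive in a recovery.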