Some ransomware goes beyond encryption.
Not long ago, I ran across an article entitled “Why System Backups No Longer Shield Against Ransomware”.
As an absolute statement, that title is incorrect and sensationalistic. System backups remain a critical defense — perhaps your single most important defense — against ransomware.
And yet, as expected, ransomware is evolving. It’s important to understand what it’s evolving into, and what you need to do, if anything, to defend yourself.
Backups vs. Ransomware
Most ransomware simply encrypts files on your computer, and possibly your backups. Backups remain the most important safety net to recover from all malware, including nearly all ransomware. Some recent ransomware also threatens to publicly expose your data unless the ransom is paid. The best defense against this and all forms of malware is the set of steps you should already be taking to stay safe: using up-to-date software, having security measures in place, avoiding risky behaviors online, and being skeptical of phishing and malicious attachments.
Ransomware and encryption
Ransomware’s reputation is based on its personal and destructive nature.
Once it has infected your machine, ransomware methodically encrypts your files, after which it presents a message indicating that you can purchase the decryption key for some amount of money — the ransom. If you don’t pay, your files remain encrypted and inaccessible.
If you do pay,[1] you’re supposed to receive the decryption key or a tool that will decrypt your files for you, returning your access to your own data.
Backups play a key role in protecting you from this form of ransomware. By having backed up your files prior to their being encrypted, you can “simply” restore the files in their unencrypted state and get on with your life as if nothing had happened.
Backups can be complicated, but critical
I put “simply” in quotes above because it’s not necessarily that simple.
Most ransomware does, indeed, just encrypt your data files without further impact. All you need to do is remove the ransomware malware, and then restore your files from backup. That actually is pretty simple.
Some ransomware takes the additional step of encrypting any backups it finds. It’s not as common, but it can happen. Defending yourself requires a little extra preparation, typically in the form of taking some of your backups offline.
In either case, however, having those backups in the first place is what allows you to recover and move on without needing to pay the ransom.
Keep backing up.
Backups don’t protect against a new threat
In recent months, the folks behind ransomware have modified their approach slightly. It’s become a two-step process:
- Steal a copy of all your data.
- Encrypt your data.
This means they’ve taken your data hostage: they threaten to release their copy of your data publicly unless you pay the ransom.
That has little to nothing to do with the data encrypted on your system, and is a completely separate threat from anything backups can prevent. Restore all you want; the threat of public exposure remains.
The new threat is an old threat
It’s important to realize that this isn’t a new threat. Hackers have been stealing data and posting it publicly for decades. It’s called a data breach: a system is infiltrated and data is copied and then posted publicly, often in hacker forums.
What’s new is bundling it with ransomware and offering you an opportunity to prevent them from exposing your data.
Well, “prevent” might be a strong word. If you pay, they promise not to expose your data, and often promise to delete their copy.
Until some time later, of course, when it turns out — surprise! — they didn’t delete your data, and decide to extort more ransom from you.
The new defense is the old defense
I keep saying it over and over: ransomware is just malware. It’s malware that has particularly destructive behavior, but it’s nothing more than malicious software — malware.
You defend against ransomware the same way you defend against any malware, and hopefully the same way you’ve been protecting yourself against malware all along.
- Keep software up-to-date.
- Have properly configured security software and hardware configurations.
- Avoid risky online behaviors.
- Don’t fall for phishing attempts, and don’t open unexpected, untrusted email attachments.
That last one is worth special mention. Opening email attachments is now the #1 way that ransomware infections and data breaches happen. No amount of security software, hardware, or policy can protect you from yourself.
The glimmer of good news
If all this seems a little far-fetched — who would hold your data for ransom, after all? — you might be right.
If you’re an individual.
On the other hand, if you have a business — small, medium, or large — or have some other situation where you’re holding sensitive data, you’re clearly at higher risk of having serious problems if exposed publicly. Hackers know this, and if you happen to get infected with ransomware, you’re among those more likely to get this more threatening combo package of encryption and theft.
Keep. Backing. Up.
No, backups won’t protect you from absolutely everything — nothing can. But backups protect you from so many different types of threats and failures, you simply must keep doing them.
Tweak them if you like for additional safety from the malware known as ransomware, but keep backing up.
And don’t let your guard down in other areas. Keep doing all the things you know and need to do to keep yourself safe from any and all malware in the first place.
The best and safest scenario is to never let the malware hit your machine in the first place.
But keep backing up.
Footnotes & References
[1] Don’t.
In a way, this isn’t really a new form of ransomware. It’s a combination of ransomware and an old-fashioned data breach. Using an encryption program can help against stolen data but only if those files aren’t open on your computer. If you use whole disk encryption, the data on your computer would appear unencrypted to the malware when your computer is logged in. Individual file encryption is tedious but probably the only way to be sure you are protected against a data breach. The files would only be open to malware when they are open for use, so they would only get a file or two. But again, as Leo said, the most important tool against malware is to follow the best practices as listed in Leo’s Internet Safety: 7 Steps to Keeping Your Computer Safe on the Internet article and books.
Leo –
Under the section “The new defense is the old defense,” you said one of the defensive steps to take is “have properly configured security software and hardware configurations.”
What did you have in mind regarding security hardware configurations?
Thanks.
Mostly have a firewall, which means being behind a router.
I know that no question is stupid, so here goes. If I disconnect the two external hard drives after the Macrium backup, would my two externals be safe from ransomware, etc.?
I would say yes. If you are using the paid version of Macrium, there is a feature called Image Guardian that protects the backup images. It prevents any other program from changing the image files, even File Explorer in Windows.
Yes and no, but you have to be diligent to plug them in again when you start up your computer so the incremental backup runs daily. There is still a chance that the ransomware will encrypt your backups while you are using them.
The data on the drives would be safe. The data remaining on your computer of course would still be vulnerable to both encryption and being made public should you become infected with the malware.
Make absolutely certain that you’re still backing up though. I generally DON’T recommend disconnecting because then automatic backups can’t run. The chances of ransomware are lower than the chances of many other types of issues for which you would want a current backup.
How can you be sure cloud backups are secure? Isn’t cloud storage just another resource, accessed via a password? I would think that if hackers are able to compromise a company’s data, and that company was diligent with their security and still lost to hackers, hackers could also access cloud storage.
Just my thought.
Cloud backups can be vulnerable to ransomware, but the odds of your cloud backup and your system image backup being simultaneously hacked are infinitesimal.
If it’s a concern to you encrypt the data you place in the cloud.
I’ve got to look and see how my EaseUS Todo backup works. I do a full backup, then incremental backups every night for about a month. Then I swap external hard drives and do another full backup followed by incremental backups. If I get hit with ransomware, am I only “protected” back to my initial full backup? Since the ransomware changes the files, it seems as if the incremental files would be no good.
Leo… before I turn in for the night, would it be good practice to un-plug my Internet cable and plug in my external HD so EaseUS Todo can do the backup? I don’t feel safe with leaving my backup HD connected when my PC is connected to the Internet. Of course, all bets are off if my PC is infected with a delayed ransomware attack.
I generally DON’T recommend disconnecting because then automatic backups can’t run. The chances of ransomware are lower than the chances of many other types of issues for which you would want a current backup.
I leave mine connected and on 24/7, if that helps.
In that case, I’ll leave my PC connected to the internet. I’m surprised EaseUS Todo needs an internet connection to do a local backup. Perhaps my EaseUS Todo settings are stored on their servers rather than in the program on my PC.
It does not need an internet connection to do a backup. I just leave things connected because I don’t see enough value in disconnecting.
In regard to the data theft issue, I keep my sensitive files (the ones that have my personal and financial files) in a Cryptomator vault that is in my Documents folder which is in my OneDrive.
I discovered that when I set up Cryptomator, that OneDrive noticed that files were being encrypted and popped up a warning about a ransomware attack that might be taking place.
That was reassuring to know that, besides doing regular backups, there is a means to recover OneDrive files as well.
OneDrive also has a Personal Vault that allows for file encryption. I’m reluctant to use it because to access Personal Vault files, an internet connection is required. The files are not stored locally. That’s why I’m using Cryptomator.
Be aware that files encrypted by Cryptomator, VeraCrypt, or BitLocker appear as unencrypted to any malware when you are logged in to those programs. I’ve switched to keeping my sensitive files in an encrypted .zip file and only open them when necessary.
After reading this I think I will just remove any personal information from my desktop machine and put it on a USB stored elsewhere. I rarely use that machine but it is an older operating system, considered insecure. Thanks for the information!
Don’t forget to have a backup of your USB drive. If it’s only in one place, it is vulnerable to data loss.
NOT saying don’t do all the steps Leo outlined, but unfortunately the basic reason for being attacked by malware is being connected to the internet. As simple as that. And if you happen to be targeted then all bets are off. Fortunately for the little guy, most direct attacks are against entities that have deep pockets. It shouldn’t be lost on anyone that ransomware victims you hear about are multi-billion dollar organizations, with all the resources, know-how, security, policies, staff … and yet they get hit. What’s even more amazing is that “backups” don’t seem to help any of them. I don’t believe any one of the victims has ever said “we’ll be down for a few hours and then be back, good as new”. There is a good reason for that, but that’s another story.
Now, here is the bad news for the “little guy” (I’m assuming most people reading this aren’t multi-billionaires): Malware can attack and infect the UEFI and the TPM, especially software-implemented TPM. Sorry, it’s a whole different topic to get into UEFI and TPM, but I mention TPM because Microsoft is selling TPM as Windows 11’s grand security feature – which, by the way, can be bypassed in the Registry (so far).
“It shouldn’t be lost on anyone that ransomware victims you hear about are multi-billion dollar organizations.” <— That’s because those incidents are newsworthy. The overwhelming majority of victims are actually home users and SMBs.
Good news for home users: pretty much the only way you’ll get hit by ransomware is by using pirated software. And it’s worth noting that the type of ransomware that comes bundled with pirated software is pretty basic and doesn’t target backups. The exception here is NAS users. They are at risk.
“the only way you’ll get hit by ransomware is by using pirated software” — I disagree. The most common way is via all the normal ways one gets malware, attachments being the most common at the moment.
I have just experienced something Leo has warned about, and that is failure of my Western Digital 1TB USB backup hard drive. I did a small backup a few weeks ago and put the drive safely away. On trying to access the drive recently, I found I could not access any files, although Windows reports the drive is working properly and is healthy. Although the names are visible, trying to open files freezes the computer. There is no sign of malware. Chkdsk ran until about 81,000 files out of 140,000 and then stalled, reporting the files unreadable and taking about a minute to check each file, so I cancelled it. Fortunately, the backups were not required and can be rebuilt on a new drive, but it shows the need to check your backups regularly and have more than one.
7/08/2021
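The article’s point that a backup only helps if it is still intact and restorable (and that some ransomware encrypts any backups it can reach), and the comment above about a backup drive that silently became unreadable, both come down to the same practice: check your backups against a known-good record rather than trusting that they are fine. The script below is an added example, not code from the Ask Leo! article, from any commenter, or from Macrium, EaseUS or any other product mentioned here. It assumes the backup is a plain directory tree (copied folders, or an image that has been mounted or extracted); it records a SHA-256 manifest of the set when the backup is made and later verifies a copy against it, reporting files that are missing, changed (as an encrypted file would be) or unreadable (as on a failing drive). The directory names and file contents are constructed samples.

```python
"""Backup integrity check: build a SHA-256 manifest of a backup set and
verify a later copy against it.

Added example, not code from the Ask Leo! article or its comments.
Directory names and file contents below are constructed samples.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream the file through SHA-256 so large backups are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its size and digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": file_sha256(p)}
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup copy against a stored manifest.

    Returns lists of relative paths that are ok, missing, changed (digest
    differs, e.g. the file was encrypted or corrupted) or unreadable
    (an I/O error while hashing, as on a failing drive).
    """
    result = {"ok": [], "missing": [], "changed": [], "unreadable": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
            continue
        try:
            digest = file_sha256(p)
        except OSError:
            result["unreadable"].append(rel)
            continue
        if digest != expected["sha256"]:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: record a manifest, then damage the copy.

    One file is overwritten with random bytes (what an encrypted file looks
    like to the verifier) and one is deleted, then the copy is re-checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup-set"          # constructed backup folder
        (backup / "docs").mkdir(parents=True)
        (backup / "docs" / "taxes.txt").write_text("2020 return, constructed sample\n")
        (backup / "docs" / "notes.txt").write_text("meeting notes, constructed sample\n")
        (backup / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 constructed jpeg bytes")

        # Record the manifest at backup time; keep it somewhere the backup
        # media cannot overwrite it (here, simply beside the folder).
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))

        # Simulate damage to the stored copy.
        (backup / "docs" / "taxes.txt").write_bytes(os.urandom(64))
        (backup / "photo.jpg").unlink()

        stored = json.loads(manifest_path.read_text())
        return verify_backup(backup, stored)


if __name__ == "__main__":
    report = demo()
    for status, paths in report.items():
        print(f"{status}: {paths}")
```

Run it against a real backup folder by calling build_manifest when the backup is taken and verify_backup before you rely on it; a non-empty changed or unreadable list is the signal to rebuild that backup on fresh media while you still have a good source.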
Leo, I am overcoming reluctance to ask this: Isn’t it possible that a defense against Ransomware can be created?
If it were possible, someone would have done it. The best defense is a backup routine and prudent Internet use.
Honestly, that’s a great question. And honestly, I think the answer is no. The best defense is, as Mark pointed out, backing up, and not getting infected in the first place.
I was dragged kicking and screaming into the computer age when we bought a small business in 1994, and the computer had just been updated to Win 3.1. The management software was DOS-based with a basic layered window interface that was actually easy to navigate – type, enter, tab, escape, scroll down, select, etc. Backup was via a tape drive that was slow, so I upgraded to the smaller, faster tape drives. I used some basic software, but moved to free alternatives that seemed as reliable.
I can’t say we were ever hacked, but system glitches then were not unusual; my worst experience was when this happened, and I discovered my tapes had not properly backed up data, and learned Rule 1: Test that backups are really viable, even restoring to a dup. HD and re-booting.
The hours it took to back up to tape, and the time to restore, led me to use GoBack for several years, and it saved us more than once, by restoring the hard drive to a state prior to an unexplained crash. That concept of just going back to a previous condition before a problem makes more sense than trying to exhaustively troubleshoot an issue that may be beyond your expertise, or unrelated to anything rational.
At some points, though, the GoBack itself locked up, and became impossible to access or turn off, without wiping the drive – and so full backups periodically were still essential.
I have had less need to back up now, for just personal computing, but had my first WD external Passport fail, dropping it from 15″ to a wood floor. Lost only some of my periodic backups.
Macrium free versions have saved us several times, even needing to boot from startup CD to initiate recovery; advantages over just copying folders: compressed, verifiable, and differential backups easily explored, openable as virtual drives, with recovery of single files up to restoring to new drive. Even so, aside from laziness I should have two external HDDs stored elsewhere – or on occasion, an entire duplicate HDrive that could be swapped into the original computer, for convenience (and to go from Win 7 to 10 to whatever painlessly).
After closing our business eight years ago, my biggest worry though was to be audited for some reason – I worked many months, to create virtual machine images that were reliable, on archived machines, in order to boot up the old XP business software just in case. The IRS likely had no interest in our puny shop, but having them reach out on a separate personal estate issue years earlier, I knew how hard appeasing them could be without solid evidence, most convincing in the working software, not reams of printouts.
Leo’s remark, “chances of ransomware are lower than the chances of many other type of issues for which you would want a current backup,” is really important. I would add, that one of the biggest risks is that most small users rely on computers that run pre-installed OS linked to that one machine -and unlike fully licensed Windows in larger corporations, you CANNOT re-install from a backup, onto a new machine. New HDrive, yes. Data and software re-installations, yes, if you have the license keys.
So theft or loss of your physical computers can be a real problem, even if you have full off-site backups stored. Some virtual machines might run images from backups made elsewhere, but you need to know beforehand. Try it before catastrophes hit; do a total simulation of worst case rebuild and recovery from whatever you think is a safe backup, and deal with bad surprises.
On my first IT job at Wang, we took full system backups (sector-by-sector clones in those days). We didn’t have software to do incremental backups, as I had to write the backup software myself and incremental backups would have been too complex for an entry-level programmer. We had a 10 MB Hawk drive with a 5 MB fixed drive and a 5 MB removable platter. We would back up the drives daily to removable platters, and our supervisor would take home a backup set every night and, the next morning, bring in the previous day’s backup set to be used for that day’s backup. This backup could be restored to any computer of the same model. From that time, the first program I would write was a backup program.
I don’t understand the problem with supplying the IRS with printouts. The information is the same as what’s on the computer. A proper set of printouts actually serves as a data backup. One job I had was to restore a system from the printouts. By law, we had to keep the printouts for several years, and many companies keep copies even longer.