
When Backups Might Not Save You from Ransomware

Some ransomware goes beyond encryption.

There's more to ransomware than just encryption.
Ransomware is known for encrypting your data and holding it hostage. It turns out it can also do things that backups won't protect against.

Not long ago, I ran across an article entitled “Why System Backups No Longer Shield Against Ransomware”.

As an absolute statement, that title is incorrect and sensationalistic. System backups remain a critical defense — perhaps your single most important defense — against ransomware.

And yet, as expected, ransomware is evolving. It’s important to understand what it’s evolving into, and what you need to do, if anything, to defend yourself.


Backups vs. Ransomware

Most ransomware simply encrypts files on your computer, and possibly your backups. Backups remain the most important safety net to recover from all malware, including nearly all ransomware. Some recent ransomware also threatens to publicly expose your data unless the ransom is paid. The best defense against this and all forms of malware is the set of steps you should already be taking to stay safe: using up-to-date software, having security measures in place, avoiding risky behaviors online, and being skeptical of phishing and malicious attachments.

Ransomware and encryption

Ransomware’s reputation is based on its personal and destructive nature.

Once your machine is infected, ransomware methodically encrypts your files, after which it presents a message indicating that you can purchase the decryption key for some amount of money — the ransom. If you don’t pay, your files remain encrypted and inaccessible.

If you do pay,[1] you’re supposed to receive the decryption key or a tool that will decrypt your files for you, restoring your access to your own data.

Backups play a key role in protecting you from this form of ransomware. By having backed up your files prior to their being encrypted, you can “simply” restore the files in their unencrypted state and get on with your life as if nothing had happened.

Backups can be complicated, but critical

I put “simply” in quotes above because it’s not necessarily that simple.

Most ransomware does, indeed, just encrypt your data files without further impact. All you need to do is remove the ransomware malware, and then restore your files from backup. That actually is pretty simple.

Some ransomware takes the additional step of encrypting any backups it finds. It’s not as common, but it can happen. Defending yourself requires a little extra preparation, typically in the form of taking some of your backups offline.

In either case, however, having those backups in the first place is what allows you to recover and move on without needing to pay the ransom.

Keep backing up.
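
One way to check that a backup has not itself been encrypted, shown as an added example that is not part of the original article: record a SHA-256 manifest right after a known-good backup, keep it somewhere the infected machine cannot reach, and later classify each backed-up file against it. The function names, the 7.5 bits-per-byte entropy threshold, and the sample files are assumptions made for illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # stream large files
            h.update(chunk)
    return h.hexdigest()

def entropy(path, sample=65536):
    """Shannon entropy (bits/byte) of the first bytes; ciphertext is near 8."""
    with open(path, "rb") as f:
        data = f.read(sample)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def build_manifest(root):
    """Relative path -> SHA-256, recorded right after a known-good backup."""
    return {os.path.relpath(os.path.join(d, name), root): sha256_file(os.path.join(d, name))
            for d, _, names in os.walk(root) for name in names}

def verify_backup(root, manifest, entropy_limit=7.5):
    """Classify every manifest entry against what is on the backup drive now."""
    report = {"ok": [], "missing": [], "modified": [], "likely_encrypted": []}
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            report["missing"].append(rel)      # deleted, or renamed by malware
        elif sha256_file(full) == digest:
            report["ok"].append(rel)
        elif entropy(full) >= entropy_limit:   # changed AND looks like random bytes
            report["likely_encrypted"].append(rel)
        else:
            report["modified"].append(rel)
    return report

def demo():
    """Constructed sample: three text files, then simulated damage to two."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("taxes.txt", "photos.txt", "notes.txt"):
            with open(os.path.join(root, name), "w") as f:
                f.write(("plain text contents of " + name + "\n") * 200)
        manifest = build_manifest(root)
        with open(os.path.join(root, "taxes.txt"), "wb") as f:
            f.write(os.urandom(65536))         # stand-in for an encrypted file
        os.remove(os.path.join(root, "photos.txt"))
        return verify_backup(root, manifest)

if __name__ == "__main__": print(demo())
```

Any entry under `missing` or `likely_encrypted` is a reason to stop rotating backups and restore from an older, offline copy; entropy is only a hint, since a file legitimately replaced by compressed data also scores high.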

Backups don’t protect against a new threat

In recent months, the folks behind ransomware have modified their approach slightly. It’s become a two-step process:

  1. Steal a copy of all your data.
  2. Encrypt your data.

This means they’ve taken your data hostage: they threaten to release their copy of your data publicly unless you pay the ransom.

That has little to nothing to do with the data encrypted on your system, and is a completely separate threat from anything backups can prevent. Restore all you want; the threat of public exposure remains.

The new threat is an old threat

It’s important to realize that this isn’t a new threat. Hackers have been stealing data and posting it publicly for decades. It’s called a data breach: a system is infiltrated and data is copied and then posted publicly, often in hacker forums.

What’s new is bundling it with ransomware and offering you an opportunity to prevent them from exposing your data.

Well, “prevent” might be a strong word. If you pay, they promise not to expose your data, and often promise to delete their copy.

Until some time later, of course, when it turns out — surprise! — they didn’t delete your data, and decide to extort more ransom from you.

The new defense is the old defense

I keep saying it over and over: ransomware is just malware. It’s malware that has particularly destructive behavior, but it’s nothing more than malicious software — malware.

You defend against ransomware the same way you defend against any malware, and hopefully the same way you’ve been protecting yourself against malware all along.

  • Keep software up-to-date.
  • Have properly configured security software and hardware configurations.
  • Avoid risky online behaviors.
  • Don’t fall for phishing attempts, and don’t open unexpected, untrusted email attachments.

That last one is worth special mention. Opening email attachments is now the #1 way that ransomware infections and data breaches happen. No amount of security software, hardware, or policy can protect you from yourself.

The glimmer of good news

If all this seems a little far-fetched — who would hold your data for ransom, after all? — you might be right.

If you’re an individual.

On the other hand, if you have a business — small, medium, or large — or have some other situation where you’re holding sensitive data, you’re clearly at higher risk of having serious problems if exposed publicly. Hackers know this, and if you happen to get infected with ransomware, you’re among those more likely to get this more threatening combo package of encryption and theft.

Keep. Backing. Up.

No, backups won’t protect you from absolutely everything — nothing can. But backups protect you from so many different types of threats and failures, you simply must keep doing them.

Tweak them if you like for additional safety from the malware known as ransomware, but keep backing up.

And don’t let your guard down in other areas. Keep doing all the things you know and need to do to keep yourself safe from any and all malware in the first place.

The best and safest scenario is to never let the malware hit your machine in the first place.

But keep backing up.

Footnotes & References

1: Don’t.

25 comments on “When Backups Might Not Save You from Ransomware”

  1. In a way, this isn’t really a new form of ransomware. It’s a combination of ransomware and an old-fashioned data breach. Using an encryption program can help against stolen data but only if those files aren’t open on your computer. If you use whole disk encryption, the data on your computer would appear unencrypted to the malware when your computer is logged in. Individual file encryption is tedious but probably the only way to be sure you are protected against a data breach. The files would only be open to malware when they are open for use, so they would only get a file or two. But again, as Leo said, the most important tool against malware is to follow the best practices as listed in Leo’s Internet Safety: 7 Steps to Keeping Your Computer Safe on the Internet article and books.

  2. Leo –

    Under the section “The new defense is the old defense,” you said one of the defensive steps to take is “have properly configured security software and hardware configurations.”

    What did you have in mind regarding security hardware configurations?


  3. I know that no question is stupid so here goes.. If I disconnect the two external hard drives after the Macrium backup would my two externals be safe from ransomware etc.?

    • I would say yes. If you are using the paid version of Macrium, there is a feature called Image Guardian that protects the backup images. It prevents any other program from changing the image files, even File Explorer in Windows.

    • Yes and no, but you have to be diligent to plug them in again when you start up your computer so the incremental backup runs daily. There is still a chance that the ransomware will encrypt your backups while you are using it.

    • The data on the drives would be safe. The data remaining on your computer of course would still be vulnerable to both encryption and being made public should you become infected with the malware.

      Make absolutely certain that you’re still backing up though. I generally DON’T recommend disconnecting because then automatic backups can’t run. The chances of ransomware are lower than the chances of many other types of issues for which you would want a current backup.

  4. How can you be sure cloud backups are secure? Isn’t cloud storage just another resource, accessed via a password? I would think that if hackers are able to compromise a company’s data, and that company was diligent with their security and still lost to hackers, hackers could also access cloud storage.
    Just my thought.

  5. I’ve got to look and see how my EaseUS Todo backup works. I do a full backup, then incremental backups every night for about a month. Then I swap external hard drives and do another full backup followed by incremental backups. If I get hit with ransomware, am I only “protected” back to my initial full backup? Since the ransomware changes the files, it seems as if the incremental files would be no good.

    Leo… before I turn in for the night, would it be good practice to un-plug my Internet cable and plug in my external HD so EaseUS Todo can do the backup? I don’t feel safe with leaving my backup HD connected when my PC is connected to the Internet. Of course, all bets are off if my PC is infected with a delayed ransomware attack.

    • I generally DON’T recommend disconnecting because then automatic backups can’t run. The chances of ransomware are lower than the chances of many other types of issues for which you would want a current backup.

      I leave mine connected and on 24/7, if that helps. :)

      • In that case, I’ll leave my PC connected to the internet. I’m surprised EaseUS Todo needs an internet connection to do a local backup. Perhaps my EaseUS Todo settings are stored on their servers rather than in the program on my PC.

  6. In regard to the data theft issue, I keep my sensitive files (the ones that have my personal and financial files) in a Cryptomator vault that is in my Documents folder which is in my OneDrive.
    I discovered that when I set up Cryptomator, that OneDrive noticed that files were being encrypted and popped up a warning about a ransomware attack that might be taking place.
    That was reassuring to know that, besides doing regular backups, there is a means to recover OneDrive files as well.
    OneDrive also has a Personal Vault that allows for file encryption. I’m reluctant to use it because to access Personal Vault files, an internet connection is required. The files are not stored locally. That’s why I’m using Cryptomator.

    • Be aware that files encrypted by Cryptomator, VeraCrypt, or BitLocker appear as unencrypted to any malware when you are logged in to those programs. I’ve switched to keeping my sensitive files in an encrypted .zip file and only open them when necessary.

  7. After reading this I think I will just remove any personal information from my desktop machine and put it on a USB stored elsewhere. I rarely use that machine but it is an older operating system, considered insecure. Thanks for the information!

  8. NOT saying don’t do all the steps Leo outlined, but unfortunately the basic reason for being attacked by malware is being connected to the internet. As simple as that. And if you happen to be targeted then all bets are off. Fortunately for the little guy, most direct attacks are against entities that have deep pockets. It shouldn’t be lost on anyone that ransomware victims you hear about are multi-billion dollar organizations, with all the resources, know-how, security, policies, staff … and yet they get hit. What’s even more amazing is that “backups” don’t seem to help any of them. I don’t believe any one of the victims has ever said “we’ll be down for a few hours and then be back, good as new”. There is a good reason for that, but that’s another story.

    Now, here is the bad news for the “little guy” (I’m assuming most people reading this aren’t multi-billionaires): Malware can attack and infect the UEFI and the TPM, especially software-implemented TPM. Sorry, it’s a whole different topic to get into UEFI and TPM, but I mention TPM because Microsoft is selling TPM as Windows 11’s grand security feature – which, by the way, can be bypassed in the Registry (so far).

    • “It shouldn’t be lost on anyone that ransomware victims you hear about are multi-billion dollar organizations.” <— That’s because those incidents are newsworthy. The overwhelming majority of victims are actually home users and SMBs.

      Good news for home users: pretty much the only way you’ll get hit by ransomware is by using pirated software. And it’s worth noting that the type of ransomware that comes bundled with pirated software is pretty basic and doesn’t target backups. The exception here is NAS users. They are at risk.

      • “the only way you’ll get hit by ransomware is by using pirated software” — I disagree. The most common way is via all the normal ways one gets malware, attachments being the most common at the moment.

  9. I have just experienced something Leo has warned about and that is failure of my Western Digital 1tb USB backup hard drive. I did a small backup a few weeks ago and put the drive safely away. On trying to access the drive recently, I found I could not access any files, although Windows reports the drive is working properly and is healthy. Although the names are visible, trying to open files freezes the computer. There is no sign of malware. Chkdsk ran until about 81000 files out of 140,000 and then stalled, reporting the files unreadable and taking about a minute to check each file, so I cancelled it. Fortunately, the backups were not required and can be rebuilt on a new drive but it shows the need to check your backups regularly and have more than one.

  10. 7/08/2021
    Leo, I am overcoming reluctance to ask this: Isn’t it possible that a defense against Ransomware can be created?

