The best we can say is … maybe.
It actually depends on a lot of different things, including the type of backup, where it’s stored, and the specific characteristics of the ransomware involved. That’s perhaps the biggest unknown: there are many different types of ransomware, each with different characteristics.
Of course, what to do about this “maybe” also represents a trade-off between getting regular backups and keeping those backups safe.
First, a quick refresher: ransomware is malware that, once it infects your machine, begins encrypting files it finds there. Once it’s done, it presents a message indicating that your files have been encrypted. As a result, your files are inaccessible until you pay a fee – the ransom – to get the decryption key.
Most ransomware gets encryption right. There’s little chance of somehow cracking the encryption to get your files back. Typically, the victim is left with three options:
Relying on the backups, of course, assumes that the backups themselves aren’t encrypted.
That’s where things get uncertain.
What ransomware encrypts
What we call “ransomware” is not a single thing. In reality, ransomware is a class of malware, like any other, that happens to have particularly destructive behavior. There are hundreds, if not thousands, of different variations on ransomware.
Two of those variations are central to this discussion: which drives they encrypt, and which files they encrypt.
Some (perhaps even most) current variations of ransomware scan only your system drive. For most systems, that’s the “C:” drive. Any other drives – including your backup drive – are ignored.
As ransomware has become more sophisticated, however, variations that scan all drives attached to the system have been developed. That means anything with a drive letter is potentially at risk, including internal and external drives. In some cases, even network drives that are connected and assigned a drive letter, such as “Z:”, are at risk.
One small bit of good news is that only drives are scanned. Storage you access only via your browser or a dedicated application, such as some forms of cloud storage and online backup services, is not directly at risk. There’s still bad news, however: if those services mirror or back up files on one of your drives, they’ll very likely mirror or back up the encrypted versions, perhaps overwriting previously saved, unencrypted copies.
Ransomware does not encrypt all files.
This fact is often overlooked when folks are busy panicking over ransomware in general. But of course ransomware can’t encrypt everything; Windows itself needs to keep working, as does whatever mechanism the ransomware uses to display its demands and recover your files if you pay up.
In general, ransomware targets what I call “potentially high value” files, based on the filename extension:
- Documents such as “.doc”, “.docx”, “.txt”, and more.
- Spreadsheets and finance databases like “.xls”, “.xlsx”, “.qbw”, and more (particularly impactful for businesses).
- Photos, including “.jpg”, “.jpeg”, and more (particularly impactful for individuals with precious family photos).
This isn’t meant to be an exhaustive list, by any stretch, but it points out that not all files are always at risk.
In fact, if you’re using an image backup program, it’s worth noting that I didn’t list “.tib” (Acronis’s format), “.mrimg” (Macrium Reflect) or “.pbd” (EaseUS Todo). More often than not, these files are not encrypted. Why? Well, since they’re typically large, the encryption process could take quite a bit of time, making it more likely to be detected before it does its damage.
So there are three possibilities for those backup image files:
- They’ll be ignored. This is currently the most common.
- They’ll be encrypted. This is, to the best of my knowledge, currently very rare.
- They’ll be deleted. This is a tactic I heard of only recently. If the ransomware deletes your backups, you’re more likely to be forced to pay the ransom to recover your files. (Though I would expect other techniques, including “undelete”, to be a possible solution, at least for a while.)
Hence, the best we can say is “maybe”.
What it takes for backups to be encrypted
In order to truly put your backups at risk:
- The ransomware variant needs to scan more drives than just the C: drive.
- The ransomware variant needs to specifically choose to encrypt backup image files.
Most ransomware today does not have both those characteristics.
But most is not all. You could encounter ransomware that encrypts your backups; it’s just not likely currently.
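The three outcomes above (ignored, encrypted, deleted) can be checked for rather than guessed at. The script below is an added example, not the article’s or any backup vendor’s code: it records the size and SHA-256 of each backup image file (the “.tib”, “.mrimg” and “.pbd” extensions named above) right after a backup job, and a later run reports which images are untouched, changed in content, or gone. The file names and bytes in the sample are constructed for illustration; the manifest path and the post-backup scheduling are assumptions.

```python
import hashlib
import json
from pathlib import Path

# Backup image extensions named in the article; extend the set for your own tool.
IMAGE_EXTS = {".tib", ".mrimg", ".pbd"}

def sha256_file(path: Path) -> str:
    """Chunked digest so multi-gigabyte images are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_dir: Path) -> dict:
    """Size and SHA-256 of every backup image under backup_dir.
    Run this as a post-backup step so the manifest reflects a known-good state."""
    return {str(p.relative_to(backup_dir)): {"size": p.stat().st_size, "sha256": sha256_file(p)}
            for p in backup_dir.rglob("*") if p.is_file() and p.suffix.lower() in IMAGE_EXTS}

def manifest_from_bytes(entries: dict) -> dict:
    """Same shape as build_manifest, for in-memory constructed samples."""
    return {name: {"size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
            for name, data in entries.items() if Path(name).suffix.lower() in IMAGE_EXTS}

def compare(known_good: dict, current: dict) -> dict:
    """Sort each known image into the article's three outcomes."""
    report = {"untouched": [], "modified": [], "missing": []}
    for name, meta in known_good.items():
        if name not in current:
            report["missing"].append(name)      # deleted (or renamed out of the set)
        elif current[name] != meta:
            report["modified"].append(name)     # content replaced: possibly encrypted in place
        else:
            report["untouched"].append(name)    # ignored by whatever ran since the backup
    return report

def check_backups(backup_dir: Path, manifest_path: Path) -> dict:
    """Compare on-disk backups with the manifest saved after the last good backup job."""
    return compare(json.loads(manifest_path.read_text()), build_manifest(backup_dir))

# Constructed sample: state right after a backup job, and state found on a later check.
SAMPLE_KNOWN_GOOD = {"Full-2024-01.mrimg": b"image-1" + b"\x00" * 64,
                     "Inc-2024-02.mrimg": b"image-2" + b"\x01" * 32,
                     "Inc-2024-03.mrimg": b"image-3" + b"\x02" * 32,
                     "notes.txt": b"not an image, so not tracked"}
SAMPLE_LATER = {"Full-2024-01.mrimg": b"image-1" + b"\x00" * 64,   # untouched
                "Inc-2024-02.mrimg": b"\x9f\x2c\x41\x07" * 10,       # content replaced
                "notes.txt": b"not an image, so not tracked"}        # Inc-2024-03 is gone

def demo() -> dict:
    return compare(manifest_from_bytes(SAMPLE_KNOWN_GOOD), manifest_from_bytes(SAMPLE_LATER))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A legitimately refreshed image also shows up as “modified”, so rebuild the manifest after every scheduled backup and run the check just before the next one, or from a machine that has read-only access to the backup share.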
How to protect yourself
The knee-jerk reaction to hearing that backups might get encrypted is to disconnect the backup drive when you’re not actually making a backup.
The problem with that is the backups are no longer automated. You have to remember to re-attach the drive in order to back up.
Forgive me, but I don’t want to rely on your memory – or mine, for that matter – to perform backups. Especially when, today at least, the risk we’re trying to avoid is relatively small.
- Keep backing up as you do: automated, with your backup drive continually attached.
- Every so often, make a copy of your backups “somewhere else” – to some destination that is then disconnected. It could be another drive, another machine on your network, whatever. One approach might be to have two backup drives, but only connect one at a time, swapping them every week or two.
Don’t get me wrong: the risk of ransomware encrypting your backup exists, but it’s on the low end of the scale. It’s much more important to me that your backups continue, automated, to help you recover from more likely issues.
Of course, the best defense is to never get ransomware in the first place and stay safe in general.