Lagos, Nigeria

Will Ransomware Encrypt Backups? – Ask Leo!

How you can protect yourself in case they do

BSOD - The Blue Screen of Death

A full-image backup is still the best defense against ransomware. But what if your backup gets encrypted? I’ll look at the likelihood of that happening and make some recommendations.

I wonder if a backup system that uses an external disk is safe from ransomware. I have Acronis True Image – paid version, and do a full backup once a month and an incremental daily. Can ransomware get to that backup? It is, in reality, just another disk in my system?

The best we can say is … maybe.

And even “maybe” has been slowly changing over time to something closer to “possibly”.

It depends on a lot of different things, including the type of backup, where it’s stored, and most importantly, the specific ransomware involved. There are many different types of ransomware, each with different characteristics.

Fortunately, there’s a simple approach to keeping your backups safe.

Most ransomware does not encrypt backups, but the possibility exists. The best protection is to keep backing up normally and periodically take an additional copy of your backup offline.

Ransomware is malware that, once it infects your machine, begins encrypting files it finds there. Once done, it displays a message indicating your files have been encrypted. Your files are inaccessible to you until you pay a fee — the ransom — to get the decryption key.

One problem is that most ransomware is pretty good when it comes to encryption. There’s little chance of somehow cracking the encryption to get your files back. Typically, you’re left with three options:

  • Pay the ransom. Strongly discouraged, as it encourages more attacks.
  • Restore the files from a backup: strongly encouraged. This can make it all a non-issue, but requires that you have backups.
  • Give up. Remove the malware, but live with the loss of whatever files were encrypted.

Relying on the backups, of course, assumes the backups themselves haven’t been encrypted by the malware.

What ransomware encrypts

What we call “ransomware” is not a single thing. It’s an entire class of malware that shares a particularly destructive behavior. There are hundreds, if not thousands, of different types of ransomware.

There are two very important ways they often differ: where they look for your files, and which files they choose to encrypt.

Drives scanned

Most current variations of ransomware scan only your system drive. For most systems, that’s the “C:” drive. Any other drives — including your backup drive — are ignored. This allows the ransomware to be fast, encrypting before you notice, while still giving it access to your important files, typically also stored on C:.

More sophisticated variations that can scan all drives attached to the system, including external and/or network connections, do exist. Anything with a drive letter could be at risk.

One small bit of good news is only drives are scanned. Storage accessed only via your browser or a dedicated application, such as some forms of cloud storage and online backup services, are not directly at risk. There’s still bad news, however, since if those services mirror or back up files on one of your drives, it’s very likely they’ll mirror or back up the files once they’ve been encrypted, perhaps overwriting previously saved, unencrypted backups.

Files encrypted

Ransomware does not encrypt all files. It cannot. This fact is often overlooked in the panic.

It can’t encrypt everything; Windows itself needs to keep working, as does whatever mechanism the ransomware uses to display its demands and recover your files.

Ransomware usually targets what I call “potentially high value” files, based on the filename extension:

  • Documents such as “.doc”, “.docx”, “.txt”, and others.
  • Spreadsheets and finance databases like “.xls”, “.xlsx”, “.qbw”, and more (particularly impactful for businesses).
  • Photos, including “.jpg”, “.jpeg”, and so on (particularly impactful for individuals with precious family photos).

This isn’t meant to be an exhaustive list, but it points out not all files are always at risk.

In fact, if you’re using an image backup program, it’s worth noticing that I didn’t list “.tib” (Acronis’s format), “.mrimg” (Macrium Reflect’s) or “.pbd” (EaseUS Todo’s). More often than not, these files are not encrypted. Why? Well, since they’re typically large, the encryption process could take quite a bit of time, making it more likely to be detected before it does its damage.

So there are three possibilities for those backup image files:

  • They’ll be ignored. This is still the most common.
  • They’ll be encrypted. This can happen, but is less frequent.
  • They’ll be deleted. This is rarer still, but still lands you without a backup.

While it’s infrequent, ransomware can encrypt backups, but we don’t know if it will. The best we can say is “maybe”.

What it takes for backups to be encrypted

In order to truly put your backups at risk:

  1. The ransomware variant needs to scan more than just the C: drive.
  2. The ransomware variant needs to choose to encrypt backup files.

Most ransomware today does not have both those characteristics. It’s not likely to happen.

But most is not all. You could encounter ransomware that encrypts your backups.

How to protect yourself

The knee-jerk reaction to hearing that backups might get encrypted is to disconnect the backup drive when you’re not actually making a backup.

Don’t do that.

The problem is backups are no longer automated. You have to remember to re-attach the drive in order to back up. Forgive me, but I don’t want to rely on your memory — or mine, for that matter — to perform backups. Especially when, today at least, the risk we’re trying to avoid is relatively small compared to the many other reasons you want that backup to happen.

My recommendation:

  • Keep backing up as you do: automated, with your backup drive continually attached.
  • Every so often, make a copy of your backups “somewhere else”. Copy them to some device which is then disconnected. It could be another external drive, or even another machine on your network. One approach is to have two backup drives, but only connect one at a time, and swap them periodically.

Don’t get me wrong: the risk of ransomware encrypting your backup exists, but it’s still on the low end of the scale.

It’s much more important that your automated backups continue to help you recover from more likely issues.

Of course, the best defense is to never get ransomware (or any malware) in the first place, and stay safe in general.

If you found this article helpful, I’m sure you’ll also love Confident Computing! My weekly email newsletter is full of articles that help you solve problems, stay safe, and give you more confidence with technology. Subscribe now and I’ll see you there soon,


10 Reasons Your Computer is Slow

Slow Computer?

Speed up with my FREE special report: 10 Reasons Your Computer is Slow, now updated for Windows 10.

No strings. No email. Here’s the direct download. (Just right-click and “Save As…”.)

This post was written by Leo Notenboom and was first posted to

Do you find this article helpful? Your Friend might too. So, please Share it with them using the Share button above.
Will you like to get notified when I post new updates? Then Follow me on any of my social media handles: Google News, Telegram, WhatsApp, Twitter, Facebook, Pinterest.
You can also drop your email address below if you wish to be notified by mail.

%d bloggers like this: