Ransomware and external drives

spodeworld

Commendable
Dec 31, 2016
6
0
1,510
I understand that external drives are vulnerable to ransomware in that they are targeted along with the rest of the PC. But what if you have an external bay that is attached via a USB but powered down when the PC is infected by ransomware? Would they be safe (assuming you don't turn them on again while attached to the infected PC)?

Thanks
 

USAFRet

Illustrious
Moderator


If the drive is OFF, then it won't be affected.
 

spodeworld

Great! I use those drives to create images of the system and of the data drive. So, maybe I'll leave them off except when I want to create an incremental image.

Thanks!



 
Now, if you plug the drives back in before removing the ransomware, the backups will also be compromised.

Ransomware like CryptoLocker has to be overcome by not giving it access to your backups.
Either the backups need to be not connected to the computer, or you need to use file permissions that prevent your user account from having write access.
 

spodeworld

Agreed. What I thought I would do is, if a ransomware situation happens, I would disconnect the drives from the PC (they would already have been powered down), boot from a utility like AOMEI, which I use to make the images, turn on the drives and do a restore while booted through the USB.

Hopefully that makes sense.




 
MERGED QUESTION
Question from spodeworld : "Ransomware and External Drives II"



If the external is inactive and does not run when the system is, except when you start back up, you're OK. If not, unplug it.
 

spodeworld

Looking for clarification.

Are you saying that it can be attached via the USB (we're talking about the portable type that gets its power via the USB port) but as long as it was ejected through the taskbar and no longer visible in This PC, it's safe (assuming you don't re-connect as is)?



 
Correct, but it is awfully risky for one little extra step.
If Windows reboots, or anything at all causes the USB port to act as if you just plugged something new into it, then you can risk compromising your backup, when 4 more seconds to unplug the cable after "ejecting it" would fix the issue.
 

Avast-Team

Estimable
Mar 3, 2017
225
1
5,165
Make sure you're already protected, but I probably don't have to remind anyone here! Ours for example allows you to be very strict, all smart shields on plus Hardened Mode should give you some peace of mind :)

Also agreed with other posters here, if the drive is active and connected then it could be compromised, if ransomware is allowed through or your system is already infected. Ransomware/crypto/etc can pass to connected drives as well as network shares.
 
Solution