Posey's Tips & Tricks
A New Type of Backup Strategy
It might be beneficial to "cryogenically" freeze a ransomware-infected hard drive until an encryption method is discovered down the road
It's long been said that having a backup is the best way to protect yourself against data loss resulting from a ransomware attack. But does it make sense to back up a PC after a ransomware attack, when the damage has already been done? In at least some situations, the case could be made for doing just that.
I have long advocated for the idea of backing up a PC prior to performing any sort of storage-level repair. Over the years, for example, I have had friends who have suffered hard disk corruption and asked if I could help to get their data back. In these types of situations, the very first thing that I usually do is to make a backup, even though the damage is already done.
There are a few reasons for this. When disk corruption occurs, there is always a chance that there is still some good data on the disk. However, there is also a chance that the corruption could spread, thereby affecting whatever good data is left. Likewise, the hard disk could completely fail during the recovery effort or one of the recovery utilities could cause further damage rather than fixing the problem.
There are countless reasons why it might be advisable to have a backup before beginning a storage recovery operation. The same basic principle could also apply to ransomware recovery. Even so, there is a bit more to the idea of creating a backup following a ransomware infection.
We've probably all heard the urban legend about terminally ill patients having their heads or maybe even their entire bodies cryogenically frozen in case a cure for their disease ever becomes available in the future. Well, the reasoning behind creating a backup following a ransomware attack is kind of like that.
I recently helped someone in my family with upgrading an ancient PC. Back in 2016, that PC had suffered a ransomware attack. Although the infection has been long since removed, the encrypted files remain on the hard disk. In 2016 when the attack happened, breaking the encryption (without paying the ransom) was considered to be impossible. Today, in 2024 however, there are several free tools available that can easily reverse the encryption.
My point is that if a PC suffers a ransomware attack, and there is no way to get the data back, then it may make sense to create an image backup of the PC's hard disk in case a decryption tool were to become available in the future.
Of course this raises the question of whether creating a long-term backup of an infected PC is even worth the effort. In my mind, the answer to this question is that it depends on the data that is stored on the PC. Consider for example, my recent recovery operation. The infection occurred in 2016. That's eight years ago. In this particular case, the encrypted files were things like family photos, financial documents, and the like. Hence, it was absolutely worth the effort to recover the data.
Given the amount of time that it can take for a decryption tool to become available (if such a tool ever exists), it's worth considering whether the lost data will still be useful in five to ten years. If the answer to that question is yes, then it's probably a good idea to create a backup of the PC's hard disk.
Of course, it's extremely important to remove the ransomware infection before backing up the encrypted data. Otherwise, if you do try to decrypt the data at some point in the future, you may find yourself accidentally unleashing a ransomware infection upon your organization.
About the Author
Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.