Ransomware V Diskpart

[sambat]

As I understand it, Ransomware can scan any connected drives and potentially encypt files.
What if I take my backup drive offline using the Diskpart 'offline' command?
Will the infecting program know that the drive exists?

[lingyi]

As this article explains, anything that can be done, can be undone.

https://www.infopackets.com/news/10422/8-ways-protect-your-backups-ransomware

[lordsmurf]

Safest way to backup is to pull data, not push.
Safest backup system is entirely offline, only on-network.

[sambat]

Thank's for your responses.

@lingyi re the link:

For example, the ransomware may begin its operations by scanning all available drives using the mountvol command, mount all available drives, then encrypt data on all drives

That 'mountvol' command is interesting...but if I use Diskpart to take a disk offline, it's no longer visible to 'mountvol'.
The disk is shown in Disk manager as 'offline' and with no a letter.

If I use the utility 'Hotswap!', the disk is not listed in 'mountvol' or Disk Manager.
The only way to get it back and get-at-able is a rescan.

@lordsmurf

I take your point and I keep a once a week cloned copy of my System and Data disks in a caddy in the PC.
The caddy has a power switch which I use to power down the caddy after the cloning.

It's the daily backups to various external drives that are my main focus and how to keep them secure.

[lingyi]

Not familiar with the mountvol command, but bottom line is any backup drive attached to the PC at any time is prone to attack. As the last comment on the site states, ransomware or a virus could be running on your PC for weeks or months before it's activated, monitoring keystrokes and events, even waiting until you turn on your weekly backup drive online to attack.

The best you can do is have a good antivirus, practice safe computing, backup often (2x daily, 2x weekly or more on different drives), and accept that whatever was hit at the time of the attack is gone.