I'll try and answer your questions without lecturing you on the importance of doing backups.
There are certain assumptions in your scenario that I'm not sure are valid. Obviously, the encryption process started by the ransomware cannot be instantaneous which gives rise to your scenario. At a given point in time while the ransomware is executing, some of the files have been encrypted and some not. You then posit a situation where a backup is then done to an external USB drive resulting in a backup where some of the files are encrypted and some intact as that was the state of the source at the time of the backup. The assumption here is that the files being backed up will be accessible for backup during the ransomware encryption process. That may not be true depending on how the ransomware software is written. It may very well be that once the target files for encryption are identified by the ransomware and the encryption process started, access to the files by other processes will be blocked until the ransomware has finished encrypting.
But let's say that's not the case and you can wind up with a backup with half encrypted files and half intact, non-encrypted files.Then in answer to your question:
Quote:
|
Question: what will happen if backup USB disk will be attached to healthy/another PC?
|
I think the only sensible answer to your question is option "c":
Quote:
a. healthy files can be restored/safely copied and PC will not be infected.
b. USB's files will continue to encrypt and will also infect PC
c. depending from ransomware it might be A or B.
|
My reason being that it is likely possible to code your ransomware to behave like option "b" although I don't know enough about ransomware to know if that is commonly done. I think the more likely scenario is for the ransomware to be coded in such a way that option "a" would be right.
