LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-13-2017, 04:30 AM   #1
czezz
Member
 
Registered: Nov 2004
Distribution: Slackware/Solaris
Posts: 924

Rep: Reputation: 43
ransomware infection - scenario


Once a PC is infected with ransomware, the PC's hard drive and all disks/files attached to it (USB drives, network drives) will get encrypted.
In the worst-case scenario the only way to recover from such an infection is to have a backup (at least of the most important files: docs, pictures etc.).

However, here is a scenario that bothers me:
1. The OS has been infected with ransomware.
2. Files on the disk(s) have started being encrypted (this process is ongoing now).
3. While point 2 (encrypting) is happening, the user attaches a USB drive to do a backup (e.g. rsync).
4. The backup/rsync is done. The USB drive is detached.
Now, part of the backed-up files have been encrypted but some have not.
The user realizes after the backup that his PC has been infected with ransomware. The PC's files are basically lost, BUT some files on the backup USB drive are still good.

Question: what will happen if the backup USB disk is attached to a healthy/another PC?
(Probably the best way in this scenario would be to connect the backup USB to a PC with a different kind of OS than the infected PC had, but for the purpose of this case let's say it is going to be the same kind of OS.)
a. Healthy files can be restored/safely copied and the PC will not be infected.
b. The USB's files will continue to be encrypted and will also infect the PC.
c. Depending on the ransomware it might be a or b.

Last edited by czezz; 01-13-2017 at 04:32 AM.
 
Old 01-13-2017, 06:06 AM   #2
hydrurga
LQ Guru
 
Registered: Nov 2008
Location: Pictland
Distribution: Linux Mint 21 MATE
Posts: 8,048
Blog Entries: 5

Rep: Reputation: 2925
In my opinion, there is no such thing as a semi-infected system: the system is either infected or not, no matter how many files have actually been infected. If it is infected, it can't be trusted.

Multiple independent backups of both system and data should be made over time using an offline method (e.g. booting a backup/imaging program from a USB key) so that you are neither dependent on your own system files for the backup, nor on a single recovered snapshot if a system does get infected.
 
Old 01-13-2017, 03:52 PM   #3
mike acker
Member
 
Registered: Feb 2014
Location: Michigan
Distribution: Debian 10
Posts: 199

Rep: Reputation: Disabled
treat ransom as HD fail

A RANSOM demand should be treated as a hard drive failure.

The reasons are simple: first, you have no assurance that the decrypt will work, or, even if it runs/appears to work, that your data will be accurate afterward.

Best to reformat the disk, re-install the O/S and restore your data.

If you don't have a backup, consider making one. I just use ZIP in a bash shell.
 
1 members found this post helpful.
Old 01-13-2017, 05:19 PM   #4
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: Fedora
Posts: 4,140

Rep: Reputation: 1263
My short-term backup script does the following:
  1. verify canary files are not encrypted
  2. mount backup drive
  3. run backup
  4. umount backup drive

I should probably update it to shut off the network while running the backup.
 
Old 01-13-2017, 05:58 PM   #5
rokytnji
LQ Veteran
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: antiX 23, MX 23
Posts: 7,111
Blog Entries: 21

Rep: Reputation: 3474
See ya. Would not wanna be ya.
 
Old 01-14-2017, 03:58 AM   #6
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
If you can think of a "scenario" before anything has actually happened, why, of course a full backup is the best option at this point?

if you already ARE infected - well, do you have reason to believe that you are?
 
Old 01-16-2017, 05:10 AM   #7
czezz
Member
 
Registered: Nov 2004
Distribution: Slackware/Solaris
Posts: 924

Original Poster
Rep: Reputation: 43
Guys, thanks for the answers but you all missed the point.
I have no ransomware infection. I do not need advice on how to do a full backup/backup. And so on...
I asked about a very specific scenario.

Please read again with understanding.

Last edited by czezz; 01-16-2017 at 05:12 AM.
 
Old 01-16-2017, 10:18 AM   #8
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
There are a variety of to-disk backup systems available for Linux, mostly based on rsync (like Apple's venerable Time Machine). You can also fairly-easily "homebrew" one, yourself.

The critical aspect is that it needs to be a multi-generational backup (making very frequent backups and keeping these for about two weeks, then cleaning up most of them so that (say) a daily backup is kept for a month, then weekly backups indefinitely, and so on).

Furthermore, the backups must be stored to a directory (on an external device) that is writeable only by the backup-daemon, which is a userid that can't be directly logged-on to. This effectively protects the data from modification and, if you wish, from disclosure.

And you keep this running ... all the time.

- - -
And, please, stop referring to these things as "infections." A digital computer is not a biological organism. It does not "get infected," period.
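The four-step routine smallpond outlines in post #4 (verify canaries, mount, back up, unmount) and the multi-generational rsync history described in this post, put together as one added example. This is not smallpond's script or sundialsvcs's setup, and nothing in it comes from the thread: the manifest path, device label, mount point, snapshot directory and the choice of SHA-256 for the canary check are all assumptions to adapt.

```shell
#!/bin/sh
# Added example: canary-gated, multi-generational rsync backup in POSIX sh.
# Paths, device label and mount point below are placeholders (assumptions).

CANARY_MANIFEST="${CANARY_MANIFEST:-$HOME/.backup/canaries.sha256}"  # hypothetical path
BACKUP_DEV="${BACKUP_DEV:-/dev/disk/by-label/BACKUP}"                # placeholder device
BACKUP_MNT="${BACKUP_MNT:-/mnt/backup}"                              # placeholder mount point
SRC_DIR="${SRC_DIR:-$HOME}"                                          # tree to back up

# Record the SHA-256 of each canary once, on a system you trust. Pick ordinary
# files of the types ransomware targets (JPG, DOC, ...) in several directories,
# and never edit them afterwards.
record_canaries() {
    manifest="$1"; shift
    mkdir -p "$(dirname "$manifest")" && sha256sum "$@" > "$manifest"
}

# Step 1: refuse to continue unless every canary is byte-for-byte unchanged.
# A canary rewritten in place (encrypted) or gone missing (renamed with a new
# extension) both make sha256sum -c fail, so a half-encrypted tree is never
# copied over a good backup. Exit 0 = all canaries intact, 1 = mismatch or
# missing canary, 2 = manifest itself unreadable.
check_canaries() {
    manifest="$1"
    [ -r "$manifest" ] || { echo "canary manifest $manifest missing" >&2; return 2; }
    sha256sum --status -c "$manifest"
}

# Steps 2-4 helper: copy into a fresh timestamped snapshot. --link-dest hard-links
# files unchanged since the previous snapshot, so each snapshot is a complete
# tree but only changed files cost space, and earlier generations are never
# overwritten. A file encrypted between two runs shows up as a new copy in the
# latest snapshot while the older snapshot still holds the clean version.
make_snapshot() {
    src="$1"; dest_root="$2"
    stamp=$(date +%Y-%m-%d_%H%M%S)
    prev=$(ls -1d "$dest_root"/20[0-9][0-9]-* 2>/dev/null | tail -n 1)
    set --                                   # build rsync's optional argument safely
    if [ -n "$prev" ]; then set -- "--link-dest=$prev"; fi
    mkdir -p "$dest_root" || return 1
    rsync -a --delete "$@" "$src/" "$dest_root/$stamp/"
}

run_backup() {
    if ! check_canaries "$CANARY_MANIFEST"; then
        echo "canary check failed: source looks tampered with, NOT mounting backup" >&2
        return 1
    fi
    mount "$BACKUP_DEV" "$BACKUP_MNT" || return 1
    rc=0
    make_snapshot "$SRC_DIR" "$BACKUP_MNT/snapshots" || rc=$?
    umount "$BACKUP_MNT"                     # drive is only attached while copying
    return $rc
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${RUN_BACKUP:-0}" = "1" ]; then run_backup; fi
```

Run it as `RUN_BACKUP=1 ./backup.sh` from cron or a timer. To get the "writeable only by the backup daemon" property from this post, make the snapshot directory owned by a dedicated, non-login backup user and run the rsync step as that user; the canary check adds nothing if the canaries are files you also edit, and it only detects encryption that has already reached one of them, so spread them across the directories that matter.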
 
Old 01-16-2017, 01:35 PM   #9
rokytnji
LQ Veteran
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: antiX 23, MX 23
Posts: 7,111
Blog Entries: 21

Rep: Reputation: 3474
Quote:
Originally Posted by czezz
Guys, thanks for the answers but you all missed the point.
I have no ransomware infection. I do not need advice on how to do a full backup/backup. And so on...
I asked about a very specific scenario.

Please read again with understanding.
Quote:
And, please, stop referring to these things as "infections." A digital computer is not a biological organism. It does not "get infected," period.
This thread seems to be a language barrier thing to me. Because earlier

Quote:
Now, part of the backed-up files have been encrypted but some have not.
The user realizes after the backup that his PC has been infected with ransomware. The PC's files are basically lost, BUT some files on the backup USB drive are still good.

Question: what will happen if the backup USB disk is attached to a healthy/another PC?
(Probably the best way in this scenario would be to connect the backup USB to a PC with a different kind of OS than the infected PC had, but for the purpose of this case let's say it is going to be the same kind of OS.)
Which kind of makes no sense. Ransomware by its very nature keeps you from accessing your files.
So how did you make a backup when

Quote:
The user realizes after the backup that his PC has been infected with ransomware.
But then, I have never been the sharpest pencil in the cup.

Quote:
What will happen if the backup USB disk is attached to a healthy/another PC?
Now, I am assuming this hypothetical backup USB drive, made while a ransomware infection was on your computer, will affect another PC with ransomware. Since it sounds like an impossible scenario.

There should be nothing on the USB drive. So no. If you think there is, look inside with the infected ransomware computer, since you think it has access to files, like on that USB drive.
 
Old 01-16-2017, 03:32 PM   #10
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
How do I say it? ...

In 1996(!), Steve Jobs first introduced Time Machine. And, ever since that time, Apple users have been able to avail themselves of it, even if they did not fully understand nor appreciate it.

All they knew was that, if they bought an external hard-drive and plugged it into their computer and left it there ... everything in their past history ... files, e-mails, contacts, you name it ... would be preserved.

"It Just Worked.™"

Even though Microsoft had produced Microsoft Backup half-a-decade before, it presupposed that its user was "a corporate IT professional" who was willing to "learn how to use it properly."

. . . and, I confess to say . . . "just where has Linux been, exactly, for all this time?"
 
Old 01-17-2017, 02:48 AM   #11
czezz
Member
 
Registered: Nov 2004
Distribution: Slackware/Solaris
Posts: 924

Original Poster
Rep: Reputation: 43
@rokytnji: There is no need for that sarcasm and underlining my English skills. Especially here on a technical forum and especially by a Senior Member.

Getting back to the scenario:
Read again (slowly, rokytnji) the bullet points from my first post. Especially points 2 and 3, rokytnji.
If this is still unclear, try the following description:

Ransomware that I have seen encrypts specific types of files only: JPG, MP3, MP4, DOC and some others (I don't remember the full list now).
Encryption will not happen in no time. It must take some period of time to encrypt file by file.
Therefore I can imagine a scenario where, in the middle of the encryption, the user plugs in a backup drive, backs up/rsyncs data (some files already encrypted and some not) and then detaches the backup drive.
This way some of the backed-up files are encrypted and some are not.

Another thing that bothers me: while ransomware is already present on the OS, it can spread to any attached drives. By this I mean copy itself (ransomware binaries) and later spread to another PC.

I hope this description clarifies the story.

Last edited by czezz; 01-17-2017 at 03:00 AM.
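The description above (a backup that holds a mix of encrypted and untouched JPG/MP3/MP4/DOC files) raises the practical question of how to tell the two apart before restoring anything. Here is an added example, not czezz's or any other poster's code, that triages a backup tree by checking whether each file's leading bytes match what its extension promises; a "JPG" that does not start with the JPEG marker is a strong sign it was encrypted in place before the copy ran. The extension-to-header table and the sample files in the test are constructed for this example; it uses only POSIX sh and od, so it runs on a rescue system without `file` installed. It goes slightly beyond the four types named in the post by also recognising the sibling formats that share the same headers (JPEG, M4A/MOV, XLS/PPT).

```shell
#!/bin/sh
# Added example: flag files in a restored backup whose contents do not match
# their extension. Header table is an assumption covering the types named
# in the thread plus formats sharing the same signatures.

# Returns 0 if the file's leading bytes are plausible for its extension,
# 1 if they are not (suspect), 2 if the extension is not one we can check.
header_matches() {
    f="$1"
    ext=$(printf '%s' "$f" | sed 's/.*\.//' | tr 'A-Z' 'a-z')
    # First 12 bytes as one lowercase hex string, e.g. "ffd8ffe04a464946...".
    hex=$(od -An -tx1 -N12 "$f" | tr -d ' \n')
    case "$ext" in
        jpg|jpeg)    case "$hex" in ffd8ff*) return 0 ;; esac ;;          # JPEG SOI marker
        mp3)         case "$hex" in 494433*|fffb*|fff3*|fff2*) return 0 ;; esac ;;  # "ID3" or MPEG sync
        mp4|m4a|mov) case "$hex" in ????????66747970*) return 0 ;; esac ;; # "ftyp" at offset 4
        doc|xls|ppt) case "$hex" in d0cf11e0a1b11ae1*) return 0 ;; esac ;; # OLE2 compound document
        *) return 2 ;;
    esac
    return 1
}

# Walk a directory and print "SUSPECT <path>" for each file that fails the
# header check. Files with unknown extensions are skipped, not reported, so
# the list is a shortlist for manual review rather than a verdict.
scan_backup() {
    find "$1" -type f | while IFS= read -r f; do
        rc=0
        header_matches "$f" || rc=$?
        if [ "$rc" -eq 1 ]; then printf 'SUSPECT %s\n' "$f"; fi
    done
}

# Convenience: number of suspect files under a directory.
count_suspects() {
    scan_backup "$1" | wc -l | tr -d ' '
}

# Usage from a clean machine with the backup mounted read-only (placeholder path):
#   scan_backup /mnt/backup-ro
```

A header check like this only separates "still looks like a JPG" from "no longer looks like one"; it says nothing about whether the backup also carries executable files the ransomware dropped, which is why the thread's advice to mount the drive on a clean system, read-only, and copy out data files only still applies.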
 
Old 01-17-2017, 09:13 AM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,659
Blog Entries: 4

Rep: Reputation: 3941
It takes privileges to install software on a machine, typically. Anytime you find programs installing themselves on a machine you will usually find that the user in question has administrative privileges ... in Linux, is a member of the ("big ...") wheel group.

It can't be emphasized enough: software intrusions most commonly occur by deceiving humans, who have more system privileges than they need and who are ignorant of how the system works. When asked to enter a password, they do so. And this password then leads "everywhere."

Last edited by sundialsvcs; 01-17-2017 at 09:22 AM.
 
Old 01-18-2017, 02:31 AM   #13
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 19,872
Blog Entries: 12

Rep: Reputation: 6053
Quote:
Originally Posted by czezz
I asked about a very specific scenario.

Please read again with understanding.
For me, "scenario" means that you are imagining a situation.
Hence my question whether something has actually really happened.
 
Old 01-18-2017, 07:58 AM   #14
czezz
Member
 
Registered: Nov 2004
Distribution: Slackware/Solaris
Posts: 924

Original Poster
Rep: Reputation: 43
That's correct, Ondoho: this is a theoretical situation and nothing happened.

Last edited by czezz; 01-18-2017 at 07:59 AM.
 
Old 01-18-2017, 08:30 AM   #15
rokytnji
LQ Veteran
 
Registered: Mar 2008
Location: Waaaaay out West Texas
Distribution: antiX 23, MX 23
Posts: 7,111
Blog Entries: 21

Rep: Reputation: 3474
Quote:
@rokytnji: There is no need for that sarcasm and underlining my English skills. Especially here on a technical forum and especially by a Senior Member.
I was being kind, not sarcastic. I am done here.

Edit: But I can see how you might think I was being sarcastic. My biker ways are ruff and gruff and I can come across as a meany sometimes. I don't mean to. Sorry about that. I am still done here, though.

Last edited by rokytnji; 01-18-2017 at 08:34 AM.
 