Ransomware still encrypts files even with backups connected

Cybersecurity & Malware Intermediate 📅 May 28, 2026

You backed up your files, but ransomware encrypts them anyway because your backup drive was connected when the attack hit. Here's how to fix it and what to check next.

Picture this: you're running Windows 10 Pro, version 22H2, and you get that popup: all your documents, photos, and project files now carry a .locked extension and won't open. The screen demands 0.5 Bitcoin for the key. But you've been diligent. You have an external USB hard drive (a WD My Passport, let's say) that File History writes to every night. So you shrug, unplug the backup drive, plug it into a clean machine, and... the backup files are encrypted too. What the hell happened?

The trigger is simple: your backup drive was physically connected to your PC when the ransomware executed. Modern ransomware families (LockBit, Ryuk and the newer BlackCat builds among them) don't stop at the C: drive. They walk every mounted volume: internal disks, external USB drives, mapped network shares, and locally synced cloud folders such as OneDrive or Google Drive (the sync client then dutifully uploads the encrypted versions). If your backup drive has a drive letter, say E:, the ransomware treats it like any other volume and encrypts everything on it, including the FileHistory folder where File History keeps its versioned copies. Versioning on an attached drive does not save you.

Root cause: the backup was connected during the attack

Ransomware doesn't care that the files on your backup drive are precious to you. It sees a writable volume and goes to work, and it works fast: a few hundred documents can be encrypted in seconds. Backing up was the right move; the mistake was leaving the drive attached after the backup finished. Backups only survive a ransomware attack if they are offline when it happens: physically disconnected, or held on a system the infected PC cannot write to.

Here's the technical bit: an encryptor typically calls GetLogicalDrives or GetLogicalDriveStrings to list every drive letter, classifies each one with GetDriveType (DRIVE_FIXED for internal disks, DRIVE_REMOVABLE for USB drives, DRIVE_REMOTE for mapped network shares), and then walks each volume with FindFirstFile/FindNextFile, encrypting whatever matches its extension list. If your external drive is plugged in, it is in that list. Many families also enumerate reachable network shares directly, whether or not they are mapped. So your backup strategy was sound in theory, but the implementation had a single, fatal flaw: the backup target was writable at the moment of attack.
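To see this from the encryptor's side, here is an added example (not part of the original article) that lists the volumes on a Windows PC using the same GetDriveType numbering the Win32 API exposes through Win32_LogicalDisk, flags which ones a drive-walking encryptor would reach, and warns if a backup volume is among them. The volume label 'Backup' is an assumption; change it to match your drive.

```powershell
# Added example, not from the original article: what a drive-walking
# encryptor can see on this PC right now.
# Win32_LogicalDisk.DriveType uses the same numbering as GetDriveType().
# Assumption: the backup drive carries the volume label 'Backup'.
$BackupLabel = 'Backup'

$driveTypeName = @{
    2 = 'DRIVE_REMOVABLE'   # USB sticks, most portable USB disks
    3 = 'DRIVE_FIXED'       # internal disks (some USB HDDs also report as fixed)
    4 = 'DRIVE_REMOTE'      # mapped network shares, e.g. \\nas\backup as Z:
    5 = 'DRIVE_CDROM'
    6 = 'DRIVE_RAMDISK'
}

$volumes = Get-CimInstance -ClassName Win32_LogicalDisk | ForEach-Object {
    [pscustomobject]@{
        Letter  = $_.DeviceID
        Type    = $driveTypeName[[int]$_.DriveType]
        Label   = $_.VolumeName
        Share   = $_.ProviderName          # UNC path for mapped drives, else empty
        # Writable volumes with a drive letter are in scope; optical media is not.
        Exposed = ($_.DriveType -in 2, 3, 4)
    }
}
$volumes | Format-Table -AutoSize

$backup = $volumes | Where-Object { $_.Label -eq $BackupLabel -and $_.Exposed } | Select-Object -First 1
if ($backup) {
    # Count what an encryptor walking this volume with FindFirstFile/FindNextFile
    # would reach, File History's own FileHistory folder included.
    $reachable = @(Get-ChildItem -Path "$($backup.Letter)\" -Recurse -File -ErrorAction SilentlyContinue)
    Write-Warning ("Backup volume '{0}' is mounted as {1} ({2}); {3} files on it are reachable right now." -f
        $BackupLabel, $backup.Letter, $backup.Type, $reachable.Count)
} else {
    Write-Host "Backup volume '$BackupLabel' is not attached: it is offline and out of reach."
}
```

Mapped network drives only show up for the user session that mapped them, so run this as the account that normally uses the PC. If the warning fires while you are not actively backing up, the drive should not be plugged in.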

Step-by-step fix: what to do right now

I'll walk you through the only realistic path here. You can't decrypt the files without the attacker's key (don't pay; there is no guarantee you get a working decryptor, and you fund the next attack), but you can stop the infection spreading, prevent a repeat, and recover from a truly safe backup if you have one.

  1. Disconnect the infected PC from the network. Pull the ethernet cable or turn off Wi-Fi. Ransomware often tries to spread to other machines. Do this immediately, before doing anything else.
  2. Physically disconnect all backup drives. Unplug every USB drive, SD card and external SSD. Even if they're already encrypted, you don't want the ransomware to overwrite or delete anything further, and a drive that was only partly encrypted may still hold intact files. Leave them unplugged and keep them: if a decryptor for this family is released later, the encrypted copies are what you'll feed it.
  3. Boot into Safe Mode. On Windows 10/11 the old F8 boot prompt is disabled by default: hold Shift while clicking Restart, then choose Troubleshoot > Advanced options > Startup Settings > Restart, and press 5 for Safe Mode with Networking (or 4 for plain Safe Mode, which is enough since you pulled the network cable in step 1). Safe Mode loads only essential drivers and services, so the usual ransomware persistence (Run keys, scheduled tasks) doesn't start.
  4. Run a Microsoft Defender Offline scan. Open Windows Security (type "Windows Security" in the search bar), go to Virus & threat protection > Scan options > Microsoft Defender Offline scan and click Scan now. The PC reboots into a minimal environment and scans before Windows loads, which catches the strains Defender has signatures for and removes components that can't be cleaned while Windows is running. It usually takes about 15 minutes; allow longer on a large disk.
  5. Check for a decryptor. Go to the No More Ransom project (nomoreransom.org) and use its Crypto Sheriff tool: upload one or two encrypted files (not your whole drive) and the ransom note so it can identify the family. If you're lucky, a decryptor exists for your specific ransomware. Only run one that matches your infection, and run it against copies of the encrypted files, never the only copy.
  6. Recover from a known-clean backup. If you have a backup that was never connected to this PC — say a cloud backup like Backblaze or a second external drive that was stored in a drawer — plug that into a completely different, clean computer (a friend's laptop, a fresh install). Copy the files from that safe backup to a new external drive. Do not connect that clean backup to the infected PC until the PC is fully wiped and reinstalled.
  7. Wipe and reinstall Windows. This is the nuclear option but it's the only way to be sure the ransomware is gone. First copy any personal files that weren't encrypted (say, in AppData or a user folder that survived) to a USB drive, scan them with Defender, and treat them as suspect until they've been opened on the clean install. Then use the Windows Media Creation Tool to build a bootable USB, boot from it, choose Custom install, and delete every partition on the system disk (not just C:, the recovery and EFI partitions too) before clicking Next and letting Setup create new ones.
  8. Restore from safe backup after reinstall. Once Windows is fresh and updated, install antivirus (Defender is fine, but Malwarebytes is also solid). Then connect your clean backup drive and copy your files back. Scan the copied files with Defender before opening them.

What to check if it still fails

If you try to restore from your backup and the files there are encrypted too, here's the harsh truth: that backup was connected during the attack and is gone. The last thing to try is a shadow copy. If System Protection is enabled for the volume, Windows keeps earlier versions of files via Volume Shadow Copy (VSS). In Windows Explorer, right-click a folder that held encrypted files, select Properties, then the Previous Versions tab; if a version dated before the attack is listed, select it and click Restore (restoring to a new location is safer than overwriting in place). Don't count on it: modern ransomware typically deletes shadow copies before it starts encrypting, usually by running vssadmin delete shadows /all /quiet or the equivalent WMI call, precisely so that this tab is empty.
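Checking and salvaging shadow copies from PowerShell, as an added example that is not from the original article. It lists any surviving shadow copies, picks the newest one for the source volume that predates the attack (a snapshot taken after the ransom note appeared may already hold encrypted files), mounts it through a directory symlink, since the shadow device is not browsable by path otherwise, and copies a folder out with robocopy. The paths, the attack timestamp and the link location are assumptions; run it as a script from an elevated PowerShell.

```powershell
# Added example, not from the original article: look for surviving VSS
# snapshots and copy one folder out of the newest pre-attack snapshot.
# Assumptions: elevated PowerShell; $Source is on a volume with System
# Protection; $Dest is on a clean drive; $AttackTime is when the ransom note
# appeared (snapshots taken after that may already contain encrypted files).
$Source     = 'C:\Users\Alice\Documents'
$Dest       = 'D:\recovered\Documents'
$Link       = 'C:\shadow_link'
$AttackTime = Get-Date '2026-05-28 02:00'

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object -Property InstallDate -Descending
if (-not $shadows) {
    Write-Warning 'No shadow copies on this system. Ransomware commonly runs "vssadmin delete shadows /all /quiet" before encrypting, which is why Previous Versions is empty.'
    return
}
$shadows | Select-Object InstallDate, VolumeName, DeviceObject | Format-Table -AutoSize

# Win32_ShadowCopy.VolumeName is the \\?\Volume{guid}\ form, so map the
# source drive letter to that before matching.
$driveLetter = $Source.Substring(0, 2)                     # 'C:'
$volumeGuid  = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='$driveLetter'").DeviceID
$snap = $shadows |
    Where-Object { $_.VolumeName -eq $volumeGuid -and $_.InstallDate -lt $AttackTime } |
    Select-Object -First 1
if (-not $snap) {
    Write-Warning "No shadow copy of $driveLetter from before $AttackTime."
    return
}

# The snapshot lives at \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN and is
# only reachable by path through a directory symlink; the trailing backslash
# on the link target is required.
if (Test-Path -LiteralPath $Link) { cmd /c rmdir $Link | Out-Null }
cmd /c mklink /d $Link "$($snap.DeviceObject)\" | Out-Null

$from = Join-Path $Link $Source.Substring(3)               # strip 'C:\'
New-Item -ItemType Directory -Path $Dest -Force | Out-Null
# /E copies subfolders; /XF skips anything already carrying the ransom extension.
robocopy $from $Dest /E /XF *.locked /R:1 /W:1 /NP | Out-Null
$rc = $LASTEXITCODE                                        # robocopy: 0-7 success, 8+ errors
cmd /c rmdir $Link | Out-Null                              # removes the link only, not the snapshot

if ($rc -lt 8) { Write-Host "Restored $Source as of $($snap.InstallDate) to $Dest." }
else           { Write-Warning "robocopy reported errors (exit code $rc); check $Dest." }
```

Copy out to a different, clean drive rather than back onto C:, and scan the recovered folder with Defender before opening anything in it; a pre-attack snapshot can still contain the dropper that was sitting in a download folder.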

If you have no usable backup, you're looking at either paying the ransom (not recommended: you may not get a working key, and you're funding crime) or accepting the data loss. For the future, implement the 3-2-1 rule: three copies of your data, on two different media types, with one copy off-site (a cloud backup, or a drive kept at another location). Then make the local copy actually offline: disconnect the backup drive as soon as each backup finishes, or rotate two drives so one is always unplugged, and prefer a cloud backup service that keeps file versions for a retention window, since a plain sync folder just uploads the encrypted files. I know it's a pain, but an attached backup is not a backup against ransomware.
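As an added example (not from the original article) of the disconnect-after-backup rule in practice, this PowerShell script checks a canary file before touching the backup drive, mirrors the chosen folders onto it with robocopy, then ejects the drive and confirms the volume is gone. The folder paths, the 'Backup' volume label and the canary file are assumptions; the canary must be a small text file whose first line is exactly CANARY-OK and that nothing else ever writes.

```powershell
# Added example, not from the original article: nightly backup that ends
# with the drive offline, guarded by a canary so an already-encrypted source
# is never mirrored over the good copy.
# Assumptions: elevated PowerShell; the backup disk is labelled 'Backup';
# $Sources are the folders to protect; $Canary is a small text file whose
# first line is exactly CANARY-OK and that nothing ever edits.
$BackupLabel = 'Backup'
$Sources     = @('C:\Users\Alice\Documents', 'C:\Users\Alice\Pictures')
$Canary      = 'C:\Users\Alice\Documents\_canary.txt'

# 1. Canary check. An encryptor rewrites or renames the file, so the first line
#    no longer reads CANARY-OK; also look for the extensions it leaves behind.
#    robocopy /MIR would otherwise replace good backup copies with encrypted ones.
$firstLine = Get-Content -LiteralPath $Canary -TotalCount 1 -ErrorAction SilentlyContinue
$suspect   = Get-ChildItem -Path $Sources -Recurse -File -Include '*.locked', '*.encrypted' -ErrorAction SilentlyContinue
if ($firstLine -ne 'CANARY-OK' -or $suspect) {
    Write-Error 'Source looks tampered with (canary changed or ransomware extensions present). Backup aborted.'
    exit 1
}

# 2. The backup volume must be attached for this run; find it by label, not by
#    letter, since letters move between USB ports.
$vol = Get-Volume -FileSystemLabel $BackupLabel -ErrorAction SilentlyContinue
if (-not $vol -or -not $vol.DriveLetter) {
    Write-Error "Backup volume '$BackupLabel' is not attached. Plug it in and rerun."
    exit 1
}
$root = "$($vol.DriveLetter):\"
$log  = Join-Path $root 'backup.log'

# 3. Mirror each source into its own folder on the drive.
foreach ($src in $Sources) {
    $dst = Join-Path $root (Split-Path -Path $src -Leaf)
    robocopy $src $dst /MIR /R:1 /W:1 /NFL /NDL /NP "/LOG+:$log" | Out-Null
    if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported errors for $src (exit code $LASTEXITCODE)." }
}

# 4. Eject the drive so it no longer has a drive letter, then verify. Ejecting is
#    the software half of "disconnect it"; still unplug the cable afterwards.
$shell = New-Object -ComObject Shell.Application
$shell.NameSpace(17).ParseName("$($vol.DriveLetter):").InvokeVerb('Eject')   # 17 = ssfDRIVES
Start-Sleep -Seconds 3
if (Get-Volume -FileSystemLabel $BackupLabel -ErrorAction SilentlyContinue) {
    Write-Warning "Eject did not complete; unplug '$BackupLabel' by hand before leaving."
} else {
    Write-Host "Backup finished and '$BackupLabel' is ejected. Unplug it now."
}
```

Schedule it with Task Scheduler for the evening, plug the drive in before you leave the desk, and unplug it when the "ejected" message appears. With two drives labelled the same way and swapped weekly, one copy is always physically offline, which is the part of 3-2-1 that File History alone never gave you.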

One last thing about BitLocker. If your Windows 11 machine has it enabled, make sure the recovery key is stored somewhere other than the drive it protects (your Microsoft account, a printout, or a USB stick in a drawer). You'll need it the moment that disk is read anywhere but its own PC, for example when you pull the drive to salvage files on a clean machine, because the volume key is sealed to the original TPM. Attackers have also turned BitLocker itself against victims by enabling it with a key only they hold; a recovery key you stored earlier is your only way back in if the protectors were changed, and without one the disk is only reusable by wiping it.
