Today — March 31 — is World Backup Day. And every year, most people tell themselves, “I’ll get around to that tomorrow”. But even if you’re one of the responsible ones who regularly backs up their docs, photo archives, and the entire operating system — you’re still at risk. Why? Because ransomware has learned how to specifically target everyday users’ backups.
Why home users are in the crosshairs
In the not-so-distant past, ransomware was mostly a big business problem. Attackers focused on corporate servers and enterprise backups because freezing a major company’s production process or stealing all their information and customer databases usually meant a massive payout. We’ve seen plenty of those cases over the last few years. However, the “small-fry” market has become just as tempting for cybercriminals — and here’s why.
For starters, attacks are automated. Modern ransomware doesn’t need a human operating it manually. These programs scan the internet for vulnerable devices and, upon finding one, encrypt everything indiscriminately without the hacker getting involved. This means a single attacker can effortlessly hit thousands of home devices.
Second, because of this broad reach, the ransom demands have become more “affordable”. Regular users aren’t asked for millions, but “only” a few hundred or thousand dollars. Many people are willing to pay that amount without involving the police — especially when family archives, photos, medical records, banking documents, and other personal files are on the line, with no other copies in existence. And when you multiply those smaller payouts by thousands of victims, the hackers walk away with very tidy sums.
And finally, home devices are usually sitting ducks. While corporate networks are guarded really well, the average home router most likely runs on factory settings with “admin” as the password. Many people leave their network attached storage (NAS) wide open to the internet with zero protection. It’s low-hanging fruit.
How personal backups get attacked
A home NAS drive — often called a personal cloud — is essentially a mini-computer running a specialized Linux or FreeBSD-based operating system. It houses one or more large-capacity hard drives, often combined into an array. The storage connects to a home router, making files accessible from any device on the home network — or even remotely over the internet if you’ve configured it that way. Many people buy a NAS specifically to centralize their family’s backups and simplify access for family members, thinking it’s the ultimate safe haven for their digital archives.
The irony is that these very storage hubs have become the primary target for ransomware gangs. Hackers can break in relatively easily either by exploiting known vulnerabilities or simply brute-forcing a weak password. Over the last five years, there were several major ransomware attacks specifically targeting home NAS units made by QNAP, Synology, and ASUSTOR.
Targeting NAS isn’t the only way hackers can get to your files. The second method relies on social engineering: basically tricking victims into launching malware themselves. Take the massive AI hype of 2025, for example. Scammers would set up malicious websites distributing fake installers for ChatGPT, Invideo AI, and other trending tools. They would lure people in with promises of free premium subscriptions, but in reality users ended up downloading and running ransomware.
What ransomware looks for once it’s inside
Once the malware infiltrates your system, it starts surveying its environment and neutralizing anything that could help you recover your data without paying up.
- It wipes Windows shadow copies. The Volume Shadow Copy Service is a built-in Windows feature for quick file recovery. Deleting this data makes it impossible to simply roll back to a previous version of a file.
- It scans connected drives. If you leave an external hard drive permanently plugged into your computer, the ransomware will spot and encrypt it just like any other files.
- It searches for network folders. If your home cloud is mapped as a network drive, the malware will follow that path to attack that too.
- It checks cloud sync clients. Services like Dropbox, Google Drive, or iCloud for Windows all keep local sync folders on your computer. The ransomware encrypts the files in these folders, and the cloud service then “helpfully” uploads the encrypted versions to the cloud.
The golden rule of backups
The classic 3-2-1 rule for backups goes like this:
- Three copies of your data: the original plus two backups
- Two different media types: for example, your computer and an external drive
- One copy off-site: in the cloud or elsewhere, like at a relative’s place
However, this rule predates the era of ransomware. Today we need to update it with one vital condition: another copy must be completely isolated from both the internet and your computer at the time of an attack.
The new rule is 3-2-1-1 — a bit more of a mouthful, but much safer. Following it is simple: get an external hard drive that you plug in once a week, back up your data, and then unplug it.
What you actually need to back up
- Photos and videos. Wedding photos, a baby’s first steps, family archives — these are the memories people will pay to get back.
- Digital scans or photos of essential documents for every family member — everything from passports to medical records, including old archives.
- Two-factor authentication data. If your authenticator app only lives on your phone and you lose it, you may also lose access to all your protected accounts. Many apps let you back up your authentication data.
- If you use a password manager, make sure it’s syncing to a secure cloud or has an export function.
- Privacy-focused messaging apps don’t always store your history in the cloud. Business correspondence, important agreements, and contacts could vanish if they aren’t backed up.
What to do if your data is already encrypted
Don’t panic. Check out our Free Ransomware Decryptors page. We’ve collected a library of decryption tools that might help you get your data back without paying up.
How to secure your backups
- Don’t leave your external backup drive plugged in all the time. Connect it, copy your files, and unplug it immediately.
- Set up automated cloud backups, but make sure your cloud provider keeps a version history for at least 30 days. If your current plan doesn’t offer this, it’s time to upgrade or switch providers.
- Stick to the 3-2-1-1 rule: original files on your computer, plus an external drive that you only plug in periodically, plus cloud storage. That’s three copies, two media types, one copy offline, and one off-site.
- Cut off internet access to your network storage. If you have a home network drive, make sure that it’s inaccessible from the internet without a password — and that the password isn’t “admin”. Disable any remote access features you don’t actually use, and make sure your firmware is up to date.
- Actually, keep everything up to date. Most attacks exploit known vulnerabilities that have long been patched. Enabling auto-updates for your router, NAS, and computer only takes a few minutes of setup but effectively slams the door on hundreds of known security holes.
- Steer clear of “free” versions of paid software. Fake installers for pirated software or game cheats are some of the primary delivery channels for ransomware. By the way, Kaspersky Premium sniffs out these threats and blocks them before they even launch.
- Be sure to enable the System Watcher feature in our Windows security suites. This feature logs every operating system event to help track down threats like ransomware and either block them or roll back any damage they’ve already done.
- Back up your authenticator app. The easiest move is to migrate your authentication tokens to Kaspersky Password Manager. It keeps them securely encrypted in the cloud alongside your passwords and sensitive docs, while syncing them across all your devices. That way, if your phone gets swiped or fried, you aren’t locked out of your accounts and vital data.
- Test your backups. Every few months, try restoring a random file from your archive. You’d be surprised how often a seemingly successful backup turns out to be corrupted or glitchy. It’s better to catch those glitches now while you still have the originals to fix the problem.
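One way to automate the restore test from the last tip, as an added example that is not part of the original article: it picks a random sample of original files and compares each with its copy on a mounted backup by SHA-256. The function names and the two folder arguments are assumptions of this example.

```python
import hashlib
import random
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large videos never sit fully in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def spot_check(original_root, backup_root, sample_size=20, seed=None):
    """Compare a random sample of originals against their backup copies.

    Returns {relative path: "ok" | "missing" | "empty" | "mismatch"}.
    """
    original_root, backup_root = Path(original_root), Path(backup_root)
    files = sorted(p for p in original_root.rglob("*") if p.is_file())
    sample = random.Random(seed).sample(files, min(sample_size, len(files)))
    results = {}
    for src in sample:
        rel = src.relative_to(original_root)
        copy = backup_root / rel
        if not copy.is_file():
            status = "missing"      # never copied, or deleted from the backup
        elif copy.stat().st_size == 0 and src.stat().st_size > 0:
            status = "empty"        # truncated copy: a "successful" but broken backup
        elif sha256_of(copy) != sha256_of(src):
            status = "mismatch"     # contents differ: corrupted, encrypted or stale
        else:
            status = "ok"
        results[rel.as_posix()] = status
    return results


if __name__ == "__main__":
    import sys
    # Usage: python spot_check.py <original folder> <mounted backup folder>
    report = spot_check(sys.argv[1], sys.argv[2])
    for rel, status in sorted(report.items()):
        print(f"{status:9} {rel}")
    sys.exit(0 if all(s == "ok" for s in report.values()) else 1)
```

A mismatch can also mean the original was edited after the last backup, so check those files by hand. Run it right after plugging in the offline drive, then unplug the drive again.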