I have two external drives used only for backups that are always physically connected, but are only powered up during actual backups and the [very] occasional retrieval of a file. Am I right in thinking that this gives me at least some additional measure of protection?
Yes, but with the following caveats:
- Only works if you're sure the drive requires external power to operate. For instance, some USB drives will get their power from the USB cable. If your drive definitely needs the external power, then powering it off is the same as disconnecting the cable in terms of infection risk.
- If you get infected with malware, in order to prevent the malware from spreading to the backup drive, you have to know that you've been infected so that you don't unwittingly power on the drive (or worse, begin a full disk backup) while you're infected. Some pieces of malware are very stealthy and don't announce their presence right away (or at all).
- Mustn't reconnect the backup disk until you're certain that the computer has been purged of the malware/ransomware.
I don't know if any ransomware is clever enough to deliberately keep itself quiet for a while, waiting long enough for you to have completed a backup or two before triggering the ransom demand. I have heard of situations where people say that their backups also got held for ransom. I don't know the mechanism in that case, but I can imagine that there might be a couple of scenarios under which that could happen even if the ransomware didn't have a pre-programmed wait. For example, perhaps the ransomware keeps quiet while it's taking the time to encrypt every file on the hard disk, only announcing its presence and "locking" the files at the last instant after the long encryption procedure is done. If one were to make a backup (or even merely connect/power up the external backup drive) during that phase, then they'd be SOL.
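One way to act on the "know you've been infected before powering on the drive" caveat, as an added example that is not part of the original answer: a pre-backup gate that compares tracked files against a known-good manifest, treating decoy (canary) files and a jump in file entropy as signs of silent encryption. The function names, thresholds and sample files are assumptions made for illustration.

```python
import hashlib, math, os, tempfile
from collections import Counter

ENTROPY_LIMIT = 7.5  # bits per byte (assumed threshold); encrypted data sits near 8.0
MAX_SUSPECT = 0.25   # assumed: refuse if over a quarter of tracked files look encrypted

def digest(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def entropy(data):
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def build_manifest(paths):
    """Record known-good hashes; store the result somewhere other than the backup drive."""
    return {p: digest(p) for p in paths}

def safe_to_backup(manifest, canaries):
    """Return (ok, reasons). Run this BEFORE the backup drive is powered on."""
    reasons, suspect = [], 0
    for path, known in manifest.items():
        if os.path.exists(path) and digest(path) == known:
            continue
        if path in canaries:  # decoy files that nothing legitimate ever edits
            reasons.append(f"canary changed or missing: {path}")
        elif not os.path.exists(path):
            suspect += 1  # a renamed or deleted tracked file also counts
        else:
            with open(path, "rb") as f:
                suspect += entropy(f.read(65536)) > ENTROPY_LIMIT
    if manifest and suspect / len(manifest) > MAX_SUSPECT:
        reasons.append(f"{suspect}/{len(manifest)} tracked files missing or high-entropy")
    return (not reasons, reasons)

def demo():
    """Constructed sample: four text files, then half overwritten with random bytes."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, f"doc{i}.txt") for i in range(4)]
    for p in paths:
        with open(p, "w") as f:
            f.write("quarterly report, plain text\n" * 50)
    manifest = build_manifest(paths)
    before = safe_to_backup(manifest, canaries={paths[0]})
    for p in paths[:2]:  # stand-in for silent in-place encryption
        with open(p, "wb") as f:
            f.write(os.urandom(4096))
    return before, safe_to_backup(manifest, canaries={paths[0]})

if __name__ == "__main__":
    print(demo())
```

Compressed formats (zip, jpg, mp4) are high-entropy even when healthy, so the tracked set should be plain documents plus the canaries. A passing check lowers the risk of backing up mid-encryption but does not prove the machine is clean.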