The question I wanted to ask is this: if you are unlucky enough to get a ransomware attack, but have all your data backed up (say on an external HDD), and maybe a drive image too, how would you go about cleaning the PC of the malware before restoring the backups? Do you delete all the encrypted files and simply replace them with the backup? Is there not a chance that plugging in an external drive with the backup would cause all those files to be encrypted too? Is the ransomware 'vigilant' in that way, or could that only happen if you ran the same file that installed the ransomware in the first place?
When a virus attacks (or ransomware, or a worm, malware, trojan or whatever crap you want to name them; it's all the same for this purpose, I'll call it a virus for simplicity), there is only one way to truly be sure to remove them. The security people call it "nuke it from orbit", or more commonly: reformat your computer, reinstall the OS from scratch from known-clean installation media, and then restore any backups you may have.
The problem with virus infections of any kind is that, once one has successfully run on your system, you have no idea what it actually did, how it can be hiding, or what other things it introduced into the computer, so you can't trust the computer anymore. Trusting it anyway carries a very concrete risk of still being infected without you even noticing; a clean install avoids all of that. Plugging in the backup media could infect it too (or the virus could delete or corrupt the backups); the virus might be "vigilant", or it can really do pretty much anything once it controls your computer. Of course each virus is different, and the definitive answer actually depends on the actual virus you have, but since you can't know for sure what it does, the ONLY safe approach becomes the clean install. Your backups will restore the data and the software (which you must also back up, of course, in installer form).
A more in-depth explanation of the issue is given in those two StackOverflow posts:
How do I deal with a compromised server?
How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?
I find this paragraph of particular importance:
"Lots of people will disagree with me on this, but I challenge they are not weighing consequences of failure strongly enough. Are you willing to wager your life savings, your good credit, even your identity, that you're better at this than crooks who make millions doing it every day? If you try to remove malware and then keep running the old system, that's exactly what you're doing."
Bottom line, don't bother with antiviruses, "expert" advice to clean, or crap like that, delete the system and start from scratch, plain and simple.
Discard any images you may have; they can be compromised too. Data backups should often be fine, and you can always verify the integrity of installers (or redownload them if the need arises). An antivirus on the newly built system can also be useful for extra safety.
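One way to make the "verify the integrity of installers" step concrete, as an added example that is not part of the original answer: record SHA-256 hashes of the installer collection while the system is known clean, keep the manifest somewhere the PC cannot later modify (printed, or on read-only media), and check the files against it on the freshly reinstalled machine before running any of them. The folder and manifest paths below are assumptions, not from the thread.

```powershell
# Added example (not from the original answer). Assumptions: installers are kept under
# D:\Installers and the manifest is written next to them; adjust both paths as needed.
$InstallerDir = 'D:\Installers'
$Manifest     = 'D:\Installers\SHA256SUMS.txt'

function New-HashManifest {
    # Run this on the known-clean system, then keep a copy of the manifest off the PC.
    param([string]$Dir, [string]$Out)
    Get-ChildItem -Path $Dir -File -Recurse |
        Where-Object { $_.FullName -ne $Out } |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
            # Store the path relative to $Dir so the manifest still matches if the
            # folder is copied to another drive letter later.
            '{0}  {1}' -f $h.Hash, $_.FullName.Substring($Dir.Length).TrimStart('\')
        } | Set-Content -Path $Out -Encoding ASCII
}

function Test-HashManifest {
    # Run this after the reinstall, before executing anything from the folder.
    # Returns $true only if every listed file exists and hashes to the recorded value.
    param([string]$Dir, [string]$In)
    $bad = 0
    foreach ($line in Get-Content -Path $In) {
        # Lines look like: <64 hex chars>  <relative path>; anything else is ignored.
        if ($line -notmatch '^([0-9A-Fa-f]{64})\s+(.+)$') { continue }
        $expected = $Matches[1]
        $file     = Join-Path $Dir $Matches[2]
        if (-not (Test-Path -Path $file)) { Write-Warning "MISSING  $file"; $bad++; continue }
        $actual = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        if ($actual -ne $expected) { Write-Warning "MISMATCH $file"; $bad++ }
        else                       { Write-Host    "OK       $file" }
    }
    return ($bad -eq 0)
}

# On the known-clean system:
New-HashManifest -Dir $InstallerDir -Out $Manifest

# After the clean install, with the manifest copied back from its offline location:
if (-not (Test-HashManifest -Dir $InstallerDir -In $Manifest)) {
    Write-Error 'At least one installer does not match the manifest; re-download it from the vendor.'
}
```

Where the vendor publishes hashes or signs its installers, compare against those rather than your own manifest, and check the Authenticode signature with `Get-AuthenticodeSignature` as well. The manifest only proves a file is the same one you hashed earlier; it cannot tell you whether that earlier copy was already tampered with.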
My worry is going to a legit website with malicious code embedded - has that happened to anyone?
It's an everyday occurrence! Websites get hacked all the time, vulnerabilities such as XSS and SQL injection appear from time to time, online advertising has become a cancer and loves to inject unknown code in many websites, and phishing can lead you into trusting things you should not. That's why taking good backups and following good security practices is of great importance.
The "how to clean up" steps would vary considerably. Just speaking about ransomware: I've cleaned up after ransomware a few times.
The solution to a confirmed infection is ALWAYS a clean install. I'm not sure what you did, but if you didn't reformat those systems in the past, there is no way to know they're really clean.
Re-imaging the entire drive is probably best - but that might not get rid of the additional (non-ransomware) infections.
It's not the best way at all! The system could be compromised at the time of taking the image, in which case restoring from it would only lead to catching the same nasty again shortly afterwards. You can only be sure of when you noticed the symptoms, not when the infection actually entered the system. Ransomware or non-ransomware is totally irrelevant too; any virus should be treated the same, just blow up everything. But people generally get more angry when they see all their data gone.
I support some people that keep an external drive connected at all times. Each night, a complete image of the OS and data drives is sent to the external drive. The NTFS permissions on that external drive prevent apps being run by the user from changing the files on the external drive. This is not perfect, but it is the best that I can come up with for these users.
I don't find that approach too bad. Permissions are a very effective security control (which many people discard because they run as a full-time admin), but once properly configured, they can effectively keep viruses out of the backups, if the rest of the system is clean. It's true that keeping the backup drive disconnected makes it immune, but also useless. At some point, the drive must be connected to put new data on it, even for short periods of time, and that time window becomes THE chance for the virus to spread. Permissions help with that too.
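The permission setup described in the last two comments, as an added example that is not part of the original thread: an always-connected backup drive that programs running as the everyday user can read but not modify, with a dedicated local account as the only routine writer and a nightly scheduled task running as that account. Everything specific here is an assumption rather than something the commenters stated: the backup volume is E:, the backup root is E:\Backups, the account is called BackupSvc, the everyday user is a member of BUILTIN\Users and not a local administrator, and the data to protect is C:\Users. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original thread). Assumed names: E:\Backups, BackupSvc,
# source folder C:\Users, task name NightlyBackup. Requires an elevated session.
$BackupRoot = 'E:\Backups'
$BackupUser = 'BackupSvc'
$Source     = 'C:\Users'
$TaskName   = 'NightlyBackup'

# 1. Dedicated backup account. Nothing the everyday user runs will ever hold this token.
#    Backup Operators grants SeBackupPrivilege, which robocopy /B uses to read other
#    users' profiles without needing an entry in each profile's ACL.
$cred = Get-Credential -UserName "$env:COMPUTERNAME\$BackupUser" -Message 'Password for the backup account'
if (-not (Get-LocalUser -Name $BackupUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $BackupUser -Password $cred.Password -PasswordNeverExpires `
                  -Description 'Nightly backup job; not for interactive use' | Out-Null
    Add-LocalGroupMember -Group 'Backup Operators' -Member $BackupUser
}
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null

# 2. Build the ACL from scratch: break inheritance and drop the inherited entries, so the
#    volume default (typically Authenticated Users: Modify) does not leak onto the backups.
$acl = Get-Acl -Path $BackupRoot
$acl.SetAccessRuleProtection($true, $false)

function New-Rule {
    # One ACE that applies to this folder, its subfolders and their files.
    param([string]$Identity, [string]$Rights, [string]$Type = 'Allow')
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]$Type)
}

$acl.AddAccessRule((New-Rule 'NT AUTHORITY\SYSTEM'   'FullControl'))     # OS, restores
$acl.AddAccessRule((New-Rule 'BUILTIN\Administrators' 'FullControl'))     # restores, maintenance
$acl.AddAccessRule((New-Rule "$env:COMPUTERNAME\$BackupUser" 'Modify'))   # the only routine writer
$acl.AddAccessRule((New-Rule 'BUILTIN\Users' 'ReadAndExecute'))           # everyone else: read-only
Set-Acl -Path $BackupRoot -AclObject $acl

# 3. Nightly job, run as the backup account. Each run lands in a dated subfolder instead of
#    mirroring over the previous one, so a night that copies already-encrypted files does not
#    destroy last night's good copy. /B = backup mode, /E = include subfolders, /XJ = skip
#    junctions (avoids loops through the profile junction points).
$cmd     = "robocopy.exe '$Source' (Join-Path '$BackupRoot' (Get-Date -Format yyyy-MM-dd)) /B /E /XJ /R:1 /W:1"
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
           -Argument "-NoProfile -ExecutionPolicy Bypass -Command `"$cmd`""
$trigger = New-ScheduledTaskTrigger -Daily -At '02:00'
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Highest | Out-Null

# 4. Show the resulting entries; there should be no Allow for write/delete except the
#    backup account, SYSTEM and Administrators.
(Get-Acl -Path $BackupRoot).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

To check it from the user's side, open a non-elevated session as the everyday account and run `Set-Content -Path 'E:\Backups\test.txt' -Value 'x'`; it should fail with access denied, while `Get-ChildItem E:\Backups` still lists the backups. Two caveats the commenters touch on: if the everyday account is itself a local administrator, any malware that gets elevated can simply rewrite this ACL, so the control only helps for standard-user accounts; and a backup account that can write the whole drive can also fill it, so prune old dated folders from the backup task or a separate maintenance task, not from the user's session.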