How to Prevent Ransomware from Devouring Your Research

You’re in biblical scholarship, not information security.1 But the two go hand in hand. You won’t get much research done if what you do gets wiped out by a bad actor.

I knew that even before I had it reinforced to me with unnerving clarity. But I hadn’t thought carefully enough through some key holes in the strategy I had adopted for protecting my research.

Having been through that experience (thankfully without losing any files), I settled on two key elements that needed to be central moving forward. These were expanding and hardening my usage of multi-factor authentication and restricting access to critical files.

Multi-Factor Authentication

Multi-factor authentication (MFA; or two-factor authentication, 2FA, when exactly two factors are used) is the practice of requiring more than one proof of identity before granting access to an account. Often, one proof is a password; if that password gets stolen, requiring yet another form of proof still protects access to the account.

Some 90% of online account breaches occur because of stolen login credentials. That means that, by and large, “Hackers don’t break in. They log in.”2 To work their mischief, they don’t break through security; they bypass it by stealing usernames and passwords.

Why MFA Matters

But your research isn’t vulnerable to this, is it? Unfortunately, if you keep it in one of those cloud storage services we’re all so fond of, those services are online accounts. And as such, they’re susceptible to the same kinds of threats as are accounts on Facebook or at your bank.

In addition, like the example I described, your work might be endangered by a mistake from someone you’ve implicitly trusted with it. So, the safer you are, the safer those you work with will also be, and vice versa.

How My MFA Practice Has Changed

Before what happened to me, I’d already been using MFA with an app on my phone, which would generate a 6-digit code to allow me to log into an account.

That’s better than nothing, but there’s nothing unique to those codes that, in principle, prevents them from getting phished too. (And in fact, this was one of my worries when OneDrive asked for one of these codes in order to restore my files to a point before they started getting encrypted.)

What I’m now using, and what is much better, is an “unphishable” physical token like a Yubikey.3 Because it’s a purpose-built physical token, a Yubikey isn’t susceptible to malware in the way that authentication apps are.

For online accounts that support it, a “universal second factor” (U2F) security key creates a unique “cryptographic key pair for each service.”4 That means that, from then on, only that physical device can unlock the service. For this reason, Yubikeys are best bought in pairs so you always have at least one backup.

How You Can Use Yubikeys for MFA

You can use a Yubikey as a U2F for an unlimited number of accounts.5 And for accounts that don’t support U2F, each Yubikey 5 series key can also provide one-time codes for up to 32 different accounts with the help of the companion authenticator app.6 If you have more than that, you can always use another key. (I’m currently working with sets of two.)

Of course, for any accounts where you might use a Yubikey to generate a one-time password, it’s still up to you to keep that password safe until it expires. But by comparison to an authentication app, a security key is a safer place to keep the secrets that generate those codes.

If all of this sounds great but you’re not sure where to begin, Yubico has a helpful catalog of compatible services with instructions for how to start using a Yubikey with each one.7

Restricting File Access

MFA helps keep you and the people you work with safe from intrusions that could threaten your research. But how can you protect it against threats that do get onto your system despite your best efforts?

Controlled Folder Access

Of course, you always want to have any appropriate security software updated and configured properly. Beyond that, you can give your research some additional protection by restricting access to the directories where you keep it. This step is another important expression of the “zero trust” principle.8

The idea is that only applications you have explicitly whitelisted are allowed to modify files in those directories. Malware is, by definition, a new application that you would never add to that list. And without that permission, it shouldn’t be able to damage your files.

On Windows, this feature goes by the name of “Controlled Folder Access.” When you first enable it, it might take a few tries to open a file in a protected directory as you approve the different applications that are involved in that process. But if you’re able to use it, it does give you markedly more control over what might be meddling with your work.
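The approval process described above can also be driven from an elevated PowerShell prompt using Microsoft Defender's `Get-MpPreference`, `Set-MpPreference` and `Add-MpPreference` cmdlets. This is an added example, not configuration from the original post; the folder path and the application path are placeholders, and it assumes Microsoft Defender Antivirus real-time protection is on, which Controlled Folder Access requires.

```powershell
# Added example: roll out Controlled Folder Access in stages from an elevated PowerShell.
# Placeholders: D:\Research (folder to protect), the Zotero .exe path (an app to allow).

# 1. Inspect the current state. Values: Disabled, Enabled, AuditMode.
(Get-MpPreference).EnableControlledFolderAccess

# 2. Start in audit mode: nothing is blocked yet, but every write that *would* be
#    blocked is logged, so you can discover which apps need approval first.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Register the directories that hold your research (repeat for each one).
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Research"

# 4. Work normally for a while, then review what audit mode recorded.
#    Event ID 1124 = audited (would have been blocked); 1123 = actually blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 | Select-Object TimeCreated, Id, Message

# 5. Allow only the applications that legitimately edit those files.
#    Use the exact executable path shown in the audit events.
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Zotero\zotero.exe"

# 6. Switch from auditing to enforcement once the allow list is complete.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 7. Confirm the final configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
                                 ControlledFolderAccessProtectedFolders,
                                 ControlledFolderAccessAllowedApplications
```

Keeping the allow list short is the point: every application you add is one more program that ransomware could abuse to reach the protected folders, so approve executables, not whole directories.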

Macrium Reflect

Even if you’re not able to use Controlled Folder Access or something similar, however, you can still use Macrium Reflect to protect your backups of your data. (I’ve found the Home version plenty sufficient since starting with the free trial license.) In many ways, Reflect works similarly to other backup tools. But it has one feature that sets it apart.

This feature is Reflect’s “Image Guardian” functionality. Image Guardian essentially works by allowing only Reflect to modify Macrium backup files. You can even configure Reflect so that, if another application tries to modify a Macrium backup file, you’ll get an alert email.9


As with the selection of any tool, your own situation might call for different tools than the ones I’ve described adopting here. But whatever tools you select, the principles remain key. To protect your research, you need to have a clear plan for protecting access to it. And that plan needs to address how you’ll protect your work even from generally trustworthy sources.

  1. Header image provided by Markus Spiske

  2. “Hackers Don’t Break in. They Log In.,” Yubico, n.d. 

  3. Stina Ehrensvard, “Creating the Unphishable Security Key,” Yubico, 3 October 2017. 

  4. Ehrensvard, “Security Key.” 

  5. Meredith, “FAQ,” Yubico, 30 July 2021. 

  6. Meredith, “FAQ”; “Yubico Authenticator,” Yubico, n.d. 

  7. “Works with YubiKey Catalog,” Yubico, n.d. 

  8. “What Is Zero Trust,” Yubico, n.d. 

  9. “Macrium Image Guardian,” Macrium Software, n.d. 

You Need to Prevent Ransomware from Devouring Your Research

Your research is precious.1 It’s too precious to lose. But it’s also not nearly as precious to anyone else as it is to you. And you’d make little progress on it if you lost it all and had to start from scratch. It’s even more sickening to think about having that happen more than once.

You aren’t pursuing biblical scholarship to develop a side hobby in information security. But while the Internet allows you to access a vast amount of research material, it potentially also allows bad actors to destroy the research you’ve worked so hard on.

It almost happened to me. And I’d like to share the story and what I’ve learned from it. By doing so, my hope is that the same thing won’t happen to you.


To set the stage, though, let me affirm again the importance of having good backups. That’s something I firmly believe and thought I had in place.

All my working files were in at least three places:

  • a drive in my campus office,
  • a drive in my home office, and
  • a cloud storage account.

Both in my campus office and in my home office I also had an external hard drive. Windows File History copied to that drive any working file that got changed. I then had that file history set up to stay in sync between the two external hard drives so that I had the complete file history in two places also.

If any one or even two sets of files got corrupted or deleted, I still had one more set to restore and keep working from. Even if some of the files in cloud storage got corrupted or deleted, I had the file history to restore from.

I also made sure to have my firewall and antimalware software updated, working, and doing routine scans. But all of this almost wasn’t enough.

What Happened

On 18 April 2022, I was sitting at home working. I’d been doing that for almost a full week while my family was out of town. And because it was only me at home with the dogs, I also just happened to be working later than usual.

Initial Discovery

As I sat there working on a journal article, OneDrive started notifying me that a lot of files were getting deleted. That wasn’t terribly unusual since I keep my Zotero storage folder in OneDrive.

When Zotero empties its recycle bin, it’s pretty common for OneDrive to provide some notification about a lot of files getting deleted. So, I didn’t think anything was that odd and kept working.

But then, I started noticing OneDrive downloading a lot of new files—files whose names I knew but whose extensions I didn’t. That was odd.

So, I started searching for the filenames to see if, for some reason, they’d just gotten copied to new extensions. Nope. They were gone. Just the weird extension versions remained, and I couldn’t open them. Anxiety started to rise.

Then, OneDrive or Windows—I don’t recall which—said it saw activity consistent with ransomware. Uneasiness became full-blown.

I immediately started an antimalware scan. But I’d also noticed something odd—all of the activity seemed to be in OneDrive and all of the activity seemed to be OneDrive downloading encrypted files.

Thankfully, I had remote access set up to the computer in my campus office. So, I logged in and there found the root of the problem. I hadn’t been on campus in almost a week, but there my campus computer was

  • compromised by ransomware,
  • encrypting files,
  • deleting originals, and
  • uploading the encrypted copies to the cloud.

First Steps and Key Takeaways

What I saw while I was working from home was only the end result of that process. Sure, I had backups, but the longer the ransomware went on working,

  • the more work it was going to take to restore my working files from their backups and
  • the more likely it would be that the backups themselves would get encrypted.

1. Protect your backups.

This last point is a key weakness of the backup strategy I’d adopted. I had several good backups to recover files from. But I didn’t have a way to protect those backups themselves from corruption in the event that a system ever became compromised.

What ensued was, as quickly as I could,

  • disconnecting my campus computer from anything that could possibly sync to the cloud or the computer I was working on at home,
  • starting a full antimalware scan on my campus computer, and
  • getting word to our information technology department about what I thought I was seeing happen.

There isn’t anything here that isn’t more or less stated or implied in the official statement about the incident that the university has now made available.2 There’s also nothing particularly unique about this incident. It’s a story we’ve all heard all too frequently in all too many quarters in recent years.

But what still turns my stomach a bit is how frightfully close to home it all was—and how it could have turned out so very much worse.

2. Protect against even trusted actors.

And it highlights yet another key weakness in the backup strategy that I’d adopted. I had a strategy for managing and recovering my data in case I ever did something to endanger it. But I didn’t have a good way of preventing a threat to that data that might come in because of someone else’s action.

I’ve since learned about “zero trust,” which is

an IT security model that demands every person and device provide strict identity verification to access network resources, whether or not they are inside the network perimeters.3

My backup strategy had explicitly trusted the services and technologies I was using to enable it. But I hadn’t thought about how I was implicitly trusting everything that my devices might be connected to through, for example, the campus network. However remote or functionally irrelevant that connection might be day to day, it was still there. And I hadn’t thought through the costs that there might be if that implicit trust ever proved problematic.

What Recovery Looked Like

Through this whole process, I obviously got concerned. But I knew I had backups I could restore from, so I wasn’t as worried as I would otherwise have been.

Even so, because of how I had backed things up, that recovery process took several months. Most of the work was in the first few days. Thereafter, it quickly became more occasional chipping away at some remaining pieces.

Some of this work involved smoothing out workflow disruptions or adjusting settings after restoring my computer on campus. But another good part of it also involved using the experience I’d had to create a system that would

  1. better protect my data should anything similar ever happen again and
  2. allow me to recover more quickly if needed.


All of this was pretty sobering for me, and I’m hopeful it might help you think about whether you might have any weak spots in your own plans for protecting your research. If you think of some, remember that paranoia can be productive.4

It doesn’t need to leave you always uncomfortably anxious. It can move you to take action to protect the research you work so hard to produce. And it should.

Next week, I’ll share more about how my own practice changed as a result of what I learned from this experience. But if you’d rather not wait for that, drop your email address in the form below, and I’ll send you a copy of my toolbox for biblical studies. In that toolbox, especially have a look at the last two types of tools I discuss and that you can start using too.

  1. Header image provided by Markus Spiske

  2. “Notice of Security Incident,” Faulkner University, n.d. 

  3. “What Is Zero Trust,” Yubico, n.d. 

  4. See Jim Collins and Morten T. Hansen, Great by Choice: Uncertainty, Chaos, and Luck—Why Some Thrive despite Them All (New York: HarperCollins, 2011).