Can ransomware embed itself in to a SQL backup file?

One of the best protections against ransomware is to back up all of your database files to a completely separate system. Which we have done.

But one thought is the backup of the database could potentially now contain the ransomware. Is this possible? This is a 2016 SQL Server native created .bak. Or is it impossible for ransomware to embed itself into a backup file?

Never say never, but since backups aren't executable files and contain no directly executable code (they're about the data, not the SQL Server software itself) I would think the risk is very, very low. It would be more likely that your backup files would be the target of the ramsomware rather than the agent of infection. Anything executable would have to be executable from within the database, like a stored procedure. There are far more effective and direct ways for ransomware to spread.

StackExchange Database Administrators Q#312008, answer score: 22