Home Features Pricing Contact Login

How It Works

Ransomware Can't Encrypt
What They Can't See.

10 layers of defense. One drive that vanishes from your system 23 hours a day.

Defense Layers

23/24

Hrs Invisible

24/7

Health Monitored

AES-256

Hardware Encrypted

The Problem We Solved

Why Standard Backup Drives Fail Against Ransomware.

A USB drive plugged into your server is a target, not a safety net. Ransomware encrypts it right alongside your patient files.

Every drive letter in Windows Explorer is a target. If your backup shows up as E: or F:, it gets encrypted in the same wave that hits your live data.

The DDShield Drive solves this at the hardware level. It's invisible to your operating system 23 hours a day. No drive letter. No Device Manager entry. Ransomware can't encrypt what doesn't exist.

Standard Backup Drive — 24 Hours of Exposure

Always Visible · Always Targeted

A USB drive that's always mounted is always at risk.

DDShield Drive — 1 Hour of Exposure

Invisible to OS

Backup

Drive vanishes from the system the rest of the day.

The Architecture

Defense in Depth, in Plain English.

No single layer is the last line. The architecture assumes any layer can fail — and the ones behind it still hold.

Zone 01 · Defend

6/10

Stop the Attack

Six layers make the drive invisible, lock permissions, and randomize every predictable pattern.

Zone 02 · Detect

3/10

Catch the Threat

Three layers monitor for ransomware behavior and software tampering. If anything looks wrong, the drive stays offline.

Zone 03 · Survive

1/10

Guarantee Recovery

An air-gapped encrypted cloud copy that no local attack can ever reach.

The 10 Layers

Every Layer, Explained Without the Jargon.

Each layer plays one role. Together, they create the most protected backup target ever built for a dental practice.

Defend

Stop the Attack from Reaching the Drive

6 Layers

The Invisible Drive

Disabled at the deepest level of Windows 23 hours a day. No drive letter. No Device Manager entry. You can't encrypt what you can't see.

Technical: Windows PnP DICS_DISABLE

Unpredictable Timing

The drive comes online at a random time each night — never twice at the same minute, never predictable enough to target.

Technical: Randomized scheduler 1AM–3AM

The Locked Door

Only one service account can write to the drive. Ransomware — even with admin privileges — gets “Access Denied” on every attempt.

Technical: NTFS ACL lockdown

Windows-Level Lockdown

Windows enforces which programs can touch the drive. Only the backup software is allowed — everything else is blocked at the kernel.

Technical: Windows Defender Controlled Folder Access

The Hidden Address

The drive’s hardware identifier is encrypted in a secure Windows credential store. Even if ransomware knew the drive existed, it couldn’t locate or enable it.

Technical: AES-256 encrypted device instance ID

The Vanishing Act

The instant backup completes, the drive disappears — milliseconds after the last byte is written. Your exposure window is the backup duration and nothing more.

Technical: Immediate DICS_DISABLE post-backup

Detect

Identify Threats Before the Drive Comes Online

3 Layers

The Pre-Flight Check

Before the drive turns on, DDShield scans for ransomware fingerprints — mass file renames, encryption activity, suspicious processes. If anything looks wrong, the drive stays disabled.

Technical: 5-signal DDShield detection engine

The Watchdog Watcher

Ransomware often disables Windows Defender first, then attacks. We watch Defender constantly. If anything stops it, DDShield cancels the backup and alerts you immediately.

Technical: WinDefend service + registry monitoring

Tamper Detection

Before every backup, DentalDrive verifies its own code hasn’t been modified. If an attacker replaced our software with a malicious version, the drive refuses to mount. Period.

Technical: SHA-256 binary integrity verification

Survive

Guarantee Recovery if Everything Else Fails

1 Layer

The Last Line

Even if all 9 local layers failed, your data survives. An encrypted copy lives in our cloud — completely air-gapped and beyond the reach of any local attack.

Technical: Backblaze B2 + AES-256-GCM encryption

The Daily Cycle

23 Hours Offline. 1 Hour Protected. Every Day.

Your drive vanishes from the system entirely. It mounts only to back up, and disappears the instant it’s done.

Drive Invisible · 23 Hours

Backup

12:00 AM6:00 AM12:00 PM6:00 PM11:59 PM

23 Hours · Daily Default

Drive completely invisible to OS

No drive letter. No Device Manager entry. Ransomware has no way to find or interact with the drive.

~1 Hour · Randomized Window

Drive online for backup only

Pre-flight check passes, drive mounts, bare-metal image writes, drive disables. All under DDShield monitoring.

When Things Go Wrong

Three Recovery Paths. Three Different Threats.

Your DentalDrive setup gives you three independent recovery paths — each optimized for a different scenario.

Recovery Path	Best For	Recovery Time	Survives Ransomware	Survives Total Loss
DDVault — Local Versions	Accidental deletion, single-file rollback	Instant	Limited	No
DDShield Drive — Bare Metal	Ransomware, hardware failure, full server rebuild	~45 minutes	Yes	No
Cloud Backup — Air-Gapped	Fire, theft, total office loss, complete attack	4–8 hours	Yes	Yes

Attacks We've Already Defeated

How Real Ransomware Attacks Meet the Architecture.

Four attacks that work against standard backup drives — and the layers that stop each one.

Privilege Escalation

Ransomware escalates to system-level privileges and tries to bypass file permissions during the backup window.

■

Stopped by Layer 05 (kernel-level lockdown) and Layer 06 (Defender monitoring). Even SYSTEM-level processes are blocked.

Pattern Learning & Timing

Malware observes your backup schedule for days, then strikes when the drive comes online.

■

Stopped by Layer 03 (randomized timing). The pattern doesn’t exist to learn.

Software Hijacking

An attacker replaces DentalDrive software with a malicious version to gain legitimate drive access.

■

Stopped by Layer 07 (tamper detection). Modified software fails verification — drive refuses to mount.

Total Local Compromise

A total attack defeats every local layer and encrypts both your live data and the DDShield Drive.

■

Survived by Layer 10 (cloud backup). Air-gapped, off-site, completely separate from your network.

Honest Boundaries

What This Is — and What It Isn’t.

Here’s exactly what the DDShield Drive does and doesn’t protect against.

+ What it does

Protects your backup drive from ransomware encryption.
45-minute full server recovery from a known-good image.
Detects ransomware before backups run, preventing infected images.
Hardware-level encryption — even a stolen drive is unreadable.
24/7 drive health monitoring with proactive replacements.
Air-gapped cloud copy that survives total office loss.

− What it doesn't do

Doesn’t prevent ransomware from infecting your server — you still need antivirus and email security.
Doesn’t protect data created after the most recent backup.
Doesn’t replace security training, password policies, or MFA.
Doesn’t cover network attacks against other systems — just the backup target.
Physical drive damage requires advance-replacement (typically 2–3 days).

See It Work in Your Own Practice.

We ship the drive, you plug it in, and you decide. 15-day trial for every DentalDrive customer.

Review Manual of Operations Start My Trial

15 Days Free · Free Shipping · Cancel Anytime

Ransomware Can't Encrypt What They Can't See.