linux – Can I check if ransomware is running by using a VM

I am not an expert, but as far as I understand, ransomware will encrypt files and (for an undefined period) decrypt as well, so it appears all is well. At some point in time, the decrypting ends and your files are held hostage.

A backup can help restoring the files, but my question is how to detect the files are not already encrypted before I make a backup.

So I’m wondering if I can use a virtual machine for this purpose. In other words, before I make a backup, can I view the files with a VM (running another OS like Linux) to detect if they are encrypted?