I delivered a talk about ransomware risks for businesses at an industry event last year. Since then, awareness of ransomware has grown due to a number of high-profile outbreaks around the world. This has led to the same types of questions from customers that I got at the end of my talk last year. One of the questions is whether cloud storage services like OneDrive for Business can prevent ransomware attacks.
As with many security-related questions, the answer is not a simple one. As consultants are fond of saying, “it depends”. Mitigating the risk of ransomware is not as simple as just using OneDrive for Business to store files. However, the capabilities of OneDrive for Business might help you in a recovery scenario. As Microsoft themselves wrote in a blog post on dealing with ransomware:
OneDrive for Business can be used as a protection mechanism against ransomware. If your organization utilizes OneDrive for Business, OneDrive will allow you to recover files stored in it.
So OneDrive itself doesn’t prevent ransomware attacks, but in the event of an attack you can use OneDrive to restore previous versions of files. The version history feature of OneDrive only supported Office file types until recently. Microsoft announced last month that version history has been extended to all file types. You can also use the OneDrive restore feature to restore an entire OneDrive library to a previous point in time.
So as I advise customers, simply deploying OneDrive isn’t the solution. For starters, OneDrive is not a good replacement for traditional file servers. It provides a good replacement for user home drives, but it’s SharePoint Online that is a more suitable replacement for file servers when using Office 365. OneDrive does allow users to sync document libraries to their computer for local and offline editing of files. But that’s the problem. The locally stored files on computers are exposed to ransomware attacks, and the encrypted files will sync to SharePoint Online. And anyone who uses one of those third-party tools to mount SharePoint libraries as a drive letter to emulate old-school file shares runs into the same problem. Any file the user can access via network shares is also exposed to ransomware that infects the computer.
Yes, you will probably be able to restore your files after an attack, but you did nothing to reduce the likelihood of the attack in the first place and will still suffer the downtime while you go through the recovery process.
So what can you do with Office 365 and other Microsoft services to reduce the likelihood of a ransomware attack?
- Email protection – Exchange Online Protection has basic mail flow rules for blocking executable content in file attachments, but a more effective option is to enable Advanced Threat Protection (ATP). ATP provides additional protection from email-borne attacks, both in attachments (Safe Attachments) and in links (Safe Links) within emails. The Safe Attachments feature checks for malicious behaviours, allowing it to potentially block a zero day attack. The Safe Links feature also extends to Office applications like Word, to protect users from clicking malicious links within documents.
- Web protection – obviously using secure and up-to-date web browsers is important, as is running good anti-malware on your desktops and laptops. You can also use “next generation” firewalls such as Palo Alto and Barracuda to perform similar behaviour-based analysis of file downloads to reduce the risk of a zero day attack from a drive-by download or malicious link. For bonus points, if you choose a firewall that integrates with Cloud App Security you can feed that to Microsoft for analysis so that abnormal and malicious behaviours can be detected and responded to.
- Device compliance – use Intune to manage user devices to ensure they meet your security standards.
- Backups – SharePoint Online has options for restoring files in the event of a ransomware outbreak. OneDrive also has a restore feature. But if you’re unsatisfied with the speed of those restore scenarios then you can look into third-party backup solutions. Office 365 backups are typically limited to Exchange Online and SharePoint Online and don’t cover other applications like Teams and Planner. But if your primary concern is restoration of files in SharePoint Online and OneDrive libraries then that may be enough for you. One of the most important considerations with backups is ensuring they are not accessible by users (and therefore the ransomware itself), which would only result in your backups being ransomed as well.
- Intelligent detection – Microsoft has a good write-up here on using Advanced Threat Analytics and Cloud App Security to proactively detect abnormal behaviour such as file types that indicate a ransomware attack, in order to alert administrators and suspend the infected user to prevent further spread of the ransomware. As noted in the comments at the end of that blog post, Advanced Security Management (ASM) provides similar detection and prevention but only for Office 365 apps.
- Block macros in Office documents – Macro-based malware is becoming more common these days. Microsoft has published guidance for configuring macro trust levels, or blocking macros entirely, for Office applications by using Group Policy.
- Block known ransomware file types – This blog post by Ben Taylor provides steps for blocking known ransomware file types from synchronizing to SharePoint Online (which is also where users’ OneDrive files are stored). This won’t prevent a user’s computer from being infected, but it will prevent the encrypted files from syncing to the cloud. However, this list needs to be maintained over time as new ransomware file types are used. You should also implement this solution carefully in case of false positives. You might consider deploying this list in small batches, instead of all at once.
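The detection idea under “Intelligent detection”, combined with the false-positive concern under “Block known ransomware file types”, can be sketched as follows. This is an added example, not code from this article, from Microsoft or from any of the products named above. The record field names are modelled on Office 365 audit log entries and, like the extension list, threshold and time window, are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative extension list (constructed); a real one needs ongoing upkeep.
SUSPECT_EXTENSIONS = {"locky", "wncry", "encrypted"}
WATCHED_OPERATIONS = {"FileRenamed", "FileModified", "FileUploaded"}

def find_burst_users(events, threshold=5, window=timedelta(minutes=2)):
    """Map each user who produced `threshold` or more suspect-extension file
    events inside `window` to the time the threshold was first reached."""
    recent = defaultdict(deque)  # user -> timestamps of recent suspect events
    flagged = {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["CreationTime"])):
        if ev["Operation"] not in WATCHED_OPERATIONS:
            continue
        # A rename records the new name separately; fall back to the source name.
        name = ev.get("DestinationFileName") or ev["SourceFileName"]
        _, dot, ext = name.rpartition(".")
        if not dot or ext.lower() not in SUSPECT_EXTENSIONS:
            continue
        when = datetime.fromisoformat(ev["CreationTime"])
        times = recent[ev["UserId"]]
        times.append(when)
        while when - times[0] > window:  # drop events older than the window
            times.popleft()
        if len(times) >= threshold:
            flagged.setdefault(ev["UserId"], when)
    return flagged

def sample_events():
    """Constructed audit records, not real log data."""
    start = datetime(2018, 1, 15, 9, 0, 0)
    def ev(user, op, offset, src, dst=None):
        return {"CreationTime": (start + offset).isoformat(), "UserId": user,
                "Operation": op, "SourceFileName": src, "DestinationFileName": dst}
    events = [ev("alice@example.com", "FileRenamed", timedelta(seconds=10 * i),
                 f"report{i}.docx", f"report{i}.docx.locky") for i in range(6)]
    # One legitimate upload that happens to use a listed extension: no alert.
    events.append(ev("bob@example.com", "FileUploaded", timedelta(minutes=1),
                     "vault.encrypted"))
    # Five suspect files spread over hours: never a burst inside the window.
    events += [ev("carol@example.com", "FileModified", timedelta(hours=i),
                  f"archive{i}.encrypted") for i in range(5)]
    return events

if __name__ == "__main__":
    for user, when in find_burst_users(sample_events()).items():
        print(f"ALERT {user}: burst of suspect file types at {when.isoformat()}")
```

Alerting on a burst per user rather than on any single matching file keeps one legitimately named file from suspending an account, which is the same reason to roll out a sync block list in small batches.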
Obviously all of those things involve costs that need to be weighed up in a cost vs risk analysis for the business in question. Hopefully you have found the information useful when considering the use of OneDrive for Business as part of your ransomware mitigation approach, and are willing to look into a more comprehensive and multi-layered solution to protect your business.
Nice article Paul.
Last year I saw a ransomware attack that even encrypted the previous versions of all files. So if the customer doesn't want to wait on Microsoft support to perform a restore (it took several days at our customer), have a look at third-party backups, which are faster to perform a restore.