Are my Office 365 files at risk of infection by Ransomware?


Posted by David Bishop on 24-May-2017 10:49:46

Cyber attacks have been on all of our minds since the recent WannaCry ransomware attack on the NHS. However, it is important to remember that ransomware attacks can affect any size of business and cause a multitude of problems. Infected data can become inaccessible, and paying the ransom fuels further attacks of this nature. In this post we will look at the risks when storing file data in Office 365 and what can be done to protect your Office data.


Where is my data stored in Office 365?

There are various options for storing file data in Office 365. The majority of this data resides in a SharePoint farm that Microsoft host and you connect to via the internet, but the front end that users interact with could be OneDrive for Business, Office 365 Groups/Microsoft Teams or a SharePoint site.

What files does Microsoft scan for Malware?

Microsoft scans files over 25MB for malware as they are uploaded to Office 365 and, if malware is identified, sets a property flag against the document. Microsoft does, however, say: "These antivirus capabilities in SharePoint Online are a way to contain viruses. They aren't intended as a single point of defence against malware for your environment."

How can ransomware infect Office 365 files, particularly SharePoint Online or OneDrive?

Ransomware must run on a local computer or server; it cannot run in the Office 365 service. This means ransomware can infect files stored in Office 365 in two ways.

1. If you use the 'open with explorer' feature to map network drives to document libraries in Office 365 - the ransomware can scan for connected drives and will infect all files it finds.

2. If you synchronise files from document libraries using the OneDrive sync client - these files are a copy of the online files sitting locally on your PC/Mac, and once they are infected the infected files are synchronised back to Office 365.

What does the end user see when an infected file is downloaded?

Microsoft adds additional warnings when there is an attempt to download a file that is infected. However, there is no way an administrator can get an overview of files that have been flagged as containing malware, and users can override this warning and still download the file.

The OneDrive client will also fail when trying to sync an infected item and show an alert in the system tray. 

What backup and recovery options does Microsoft offer?

Microsoft backs up data from SharePoint Online every 12 hours and retains this data for a period of 14 days. The options for restoring this data are limited: you can only restore data at site collection level, and the restoration is in place, meaning it will overwrite any data currently sitting in the Site Collection or OneDrive for Business site. These days site collections support up to 25TB.

Can I use version history to recover non-infected files?

If versioning is enabled on your document libraries then you may be able to recover the data. First you will want to disconnect the mapped network drive or stop syncing the data from the devices that are infected. The ransomware that has infected your files may only have infected a single version. This provides the opportunity to delete the current version and revert to a previous copy which is not infected. The only way to achieve this for all files in a library or OneDrive would be to script this process or use a third-party tool.

Recovery by version history may not help in all cases as it is possible that historical versions of files have been infected also.
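As an illustration of scripting that rollback (an added example, not part of the original post or any vendor tool): it assumes the PnP.PowerShell module, an existing Connect-PnPOnline session to the affected site, and that anything modified after a known infection time is suspect. The library name, cutoff time and report path are placeholders.

```powershell
# Added example. Assumes PnP.PowerShell is installed and Connect-PnPOnline
# has already been run against the affected site. Values are placeholders.
$Library   = "Documents"                                    # placeholder library title
$CutoffUtc = [datetime]::Parse("2017-05-12T08:00:00Z").ToUniversalTime()  # constructed: first known encryption time
$DryRun    = $true                                          # report only; set to $false to restore

$report = foreach ($item in Get-PnPListItem -List $Library -PageSize 500) {
    if ($item.FileSystemObjectType -ne "File") { continue } # skip folders
    $url = $item.FieldValues["FileRef"]                     # server-relative URL

    # Current version was last written before the cutoff: leave it alone.
    # (Assumption: SharePoint timestamps returned here are UTC.)
    if ($item.FieldValues["Modified"] -lt $CutoffUtc) { continue }

    # Get-PnPFileVersion returns previous versions only; pick the newest
    # one created before the cutoff.
    $clean = Get-PnPFileVersion -Url $url |
        Where-Object { $_.Created -lt $CutoffUtc } |
        Sort-Object Created -Descending |
        Select-Object -First 1

    if (-not $clean) {
        # Versioning was off, the file is new, or every retained version
        # postdates the cutoff: this file needs a backup restore instead.
        [pscustomobject]@{ File = $url; Action = "NoCleanVersion"; Version = $null }
        continue
    }

    if (-not $DryRun) {
        Restore-PnPFileVersion -Url $url -Identity $clean.ID -Force
    }
    [pscustomobject]@{
        File    = $url
        Action  = if ($DryRun) { "WouldRestore" } else { "Restored" }
        Version = $clean.VersionLabel
    }
}

# Keep a record of what was (or would be) changed, then summarise.
$report | Export-Csv -Path .\version-rollback-report.csv -NoTypeInformation
$report | Group-Object Action | Select-Object Name, Count
```

Run it with $DryRun left at $true first and review the "NoCleanVersion" rows, since those are the files that version history cannot recover.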

What can I do to protect my Office 365 data from infection?

To fully protect your Office 365 data from being affected by a crypto locker virus you would need to disable the ability to sync files and only allow users to access files using 'Open with Explorer', but not permit the mapping of SharePoint Online as a network drive.

This would mean that files are always accessed via an https address either through a web browser or file explorer.

 

Backup Solutions

Backing up data from Office 365 to another service is the only way to quickly and easily recover files at a granular level and to an alternate location from the original.

There are various options offered by third parties including:

 

AvePoint

- Cloud 2 Cloud backup

- 1GB of backup storage per user included

- Minimum 3 Year Subscription

- Includes a suite of management and audit tools for managing permissions, structure, content.

- Subscription licencing

 

SkyKick

- Cloud 2 Cloud backup

- 5GB of backup storage per user included

- Subscription licencing

 

CloudAlly

- Cloud 2 Cloud backup

- Unlimited retention

- No minimum subscription

- Subscription licensing

 

Metalogix

- Cloud 2 on-premises backup while maintaining file formats/file level access

- Requires setup and Infrastructure to run the software

- Perpetual licence

- Support cost is optional

 
