Got OneDrive? Got backup? Here’s why you’re still not safe from ransomware

09 Nov 2020

Isn’t it strange how software corporations sell us X, but what we think they’ve sold us is gold-plated X with knobs on?

With Microsoft’s OneDrive, for example, as explored in a previous post, what businesses often think they’re getting is backup for their precious data. But what they’re really getting is cloud storage that may see their deleted files gone forever after no more than a few days, just as they encounter an issue that requires them to get those files back. And with no backup anywhere in sight!

As if this weren’t worrisome enough, what businesses also often think they’re getting with OneDrive – but aren’t – is magical, cloud-conferred immunity to ransomware. In fact, OneDrive is vulnerable to ransomware in several ways, just as files stored on a local PC or server are. This can potentially leave your data locked and inaccessible with – again – no backup source for you to retrieve and restore it from.

So, if you get data backup, does this dual nightmare go away? No, because the wrong choice of backup can itself be vulnerable to ransomware too!

Here’s what you need to know…

Ransomware – what’s the risk?

A successful ransomware attack – whether on OneDrive or your backup service – can result in huge costs for your business.

And if you think only large corporations are targeted, think again. According to this article in cybersecurity publication CSO Online, 48% of all UK organisations were hit by ransomware in the last year.

In fact, there are around 65,000 attempts to hack SMEs in the UK every day – around 4,500 of which are successful.

Ultimately, this rampant ransomware can damage a business’s operational capability to the point where it cannot recover – and it simply goes under.

OneDrive, many weaknesses: how ransomware spreads

So, what part does OneDrive potentially play in the ransomware attackers’ game plan?

There are at least three ways in which ransomware can infect OneDrive.

  • Through the OneDrive sync client. This is the application on your desktop through which the files on your computer are synchronised to OneDrive in the cloud. If data on your computer gets corrupted with ransomware, the synchronisation can transmit that ransomware to your files in the cloud.
  • Through illicit permissions. Software add-ons and extensions that you download or install can be exploited by attackers to give illicit access to your OneDrive account. Malicious links in phishing emails can achieve the same end. Once access is obtained, the attacker can deposit ransomware.
  • Through an administrator account. Admin accounts give access to many other accounts, so these are a juicy target for ransomware attackers, who will attempt to crack the administrator’s password, or trick the administrator into revealing login credentials, in order to deposit ransomware in multiple users’ accounts.

Again, data backup theoretically renders these attacks toothless, because you can simply access your data from the backup source, and restore it back into your systems.

But when the backup service itself is infected by ransomware, that whole strategy falls apart. So what do you need to look for to guarantee a ransomware-resilient backup service?

Ransomware-proofing your backup

When it comes to cloud backup solutions, the three bulwarks against ransomware are configuration, immutability, and point-in-time restore.

Configuration: don’t leave the door open!

Configuration relates to the backup service’s own security and access rules setup – making sure all the doors and windows are properly secured, if you will. Attackers exploit misconfigurations to gain access privileges, permanently delete the backups, and then launch their ransomware attack.

Effective configuration controls will help ensure your business isn’t robbed of its backup data exactly when it needs it most!

Immutability: making data tamper-proof

Some backups can be tricked by ransomware into accepting encryption as a legitimate modification of data.

Pretty soon, this leaves you with locked-up data in your business and locked-up data in your backup.

Check that your backup service offers ‘immutable storage’, as this prevents backed-up data being deleted or altered in any way throughout its retention lifetime – and stops ransomware in its tracks.

Point-in-time restore: get back what you need

This is about being able to retrieve backed-up data from a precise point in time before a ransomware (or other) incident occurred.

It also enables the backup system to revert to the latest unaffected files should a misconfiguration (see above) permit a ransomware attack within the backup system itself.
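
To make the idea concrete, here is an added example (not code from any backup product) that plans a point-in-time restore from a version catalogue: for each file it picks the newest version taken before the incident and flags files that have no clean copy at all. The catalogue layout, file names, timestamps and the `plan_restore` function are all constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def ts(text):
    """Parse an ISO timestamp and treat it as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)

def plan_restore(catalogue, incident_start, margin=timedelta(0)):
    """Choose, per file, the newest version taken strictly before the cutoff.

    catalogue: {path: [(backup_time, version_id), ...]} in any order.
    margin: extra time subtracted from incident_start, for when the exact
            start of the encryption is uncertain (an assumption of this sketch).
    Returns (restore, no_clean_copy).
    """
    cutoff = incident_start - margin
    restore, no_clean_copy = {}, []
    for path, versions in catalogue.items():
        # Versions written at or after the cutoff may be encrypted copies
        # that the sync client or backup job faithfully captured.
        clean = [v for v in versions if v[0] < cutoff]
        if clean:
            restore[path] = max(clean)  # tuples compare on backup_time first
        else:
            no_clean_copy.append(path)  # first backed up after the incident
    return restore, sorted(no_clean_copy)

# Constructed sample catalogue: nightly backups at 02:00 UTC.
SAMPLE_CATALOGUE = {
    "Finance/ledger.xlsx": [
        (ts("2020-11-01T02:00"), "v1"),
        (ts("2020-11-02T02:00"), "v2"),
        (ts("2020-11-03T02:00"), "v3"),  # taken after the incident
    ],
    "HR/contracts.docx": [(ts("2020-11-03T02:00"), "v1")],
    "Sales/q3.pptx": [
        (ts("2020-11-02T02:00"), "v1"),
        (ts("2020-11-01T02:00"), "v0"),
    ],
}
INCIDENT_START = ts("2020-11-02T14:30")  # constructed incident time

if __name__ == "__main__":
    restore, missing = plan_restore(SAMPLE_CATALOGUE, INCIDENT_START)
    for path, (when, version) in sorted(restore.items()):
        print(f"restore {path} from {version} taken {when:%Y-%m-%d %H:%M}")
    for path in missing:
        print(f"NO CLEAN COPY: {path}")
```

The files reported as having no clean copy are the ones to check first, because no restore point predates the incident for them.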

Further measures: are you prepared?

Look out for the three features above, and you’ll be doing the best you possibly can to protect your backup data from the same evil that’s just locked your OneDrive files!

But on that point, there are anti-ransomware measures you can put in place within and around OneDrive too.

These can include setting up anti-malware filters and anti-phishing policies in Microsoft 365 email, and blocking typical ransomware delivery mechanisms like zip files, JavaScript and VBScript attachments, macros, and .RTF, .PPT, and .DOC files.

But ask yourself this: if all that failed or proved unworkable, would your backup – and your business – withstand an attack?