
ransomware and encryption

Last Modified: 2019-10-14
I have a question about ransomware.  If my computers C drive is already encrypted, is it still possible for ransomware to hold my computer hostage by encrypting files?  if we have office 365 and all the files are also backed up to the cloud through OneDrive, doesn’t that also create a level of protection?

Exchange Engineer
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
Yes, it's still possible for ransomware to take your computer hostage. It may not decrypt already-encrypted files, but it can encrypt that file so that you can't access it. Also, yes, having files in OneDrive does give a level of protection, so you can always restore from OneDrive if those files aren't infected.

Author

Commented:
I wasn't sure I completely understood your answer... So does drive-level encryption protect against ransomware? Also, what would be classified as an infected file?
timgreen7077, Exchange Engineer
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
No, drive-level encryption doesn't protect against ransomware. Drive-level encryption can stop them from being able to read your data, but it won't stop them from infecting it with ransomware and holding the data hostage.
An infected file is a file that has been impacted by a computer virus in various ways.

Author

Commented:
So then, in layman's terms, how does ransomware actually infect a file so that it can't be accessed?
timgreen7077, Exchange Engineer
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
It locks you out of your files, and the only way you can access the files is to pay the perpetrators a fee, and they will give you the key to unlock the files. If you need more info on ransomware, see the link below for assistance.

https://www.akamai.com/us/en/resources/what-is-ransomware.jsp?ef_id=Cj0KCQjwivbsBRDsARIsADyISJ-WbGL-QJsviQdLkOI0ozAktNY6cNyZS9jxvIdzHlEnDXZZDBFfDpIaApslEALw_wcB:G:s&utm_source=google&utm_medium=cpc&gclid=Cj0KCQjwivbsBRDsARIsADyISJ-WbGL-QJsviQdLkOI0ozAktNY6cNyZS9jxvIdzHlEnDXZZDBFfDpIaApslEALw_wcB
Dr. Klahn, Principal Software Engineer
CERTIFIED EXPERT
Commented:
if we have office 365 and all the files are also backed up to the cloud through OneDrive, doesn’t that also create a level of protection?

Depends on how far back the backups go, and what kind of backups are done.  If you don't have a full image backup, or if the files you lost have been backed up in the encrypted form and the previous backups purged, then you're pretty much out of luck.  Once a drive has been infected then it cannot be trusted and must be erased before reuse.  After drive erasure only a full backup done before the system was infected will get things back running quickly.

This illustrates why backups should be full backups and done frequently.  If you do a monthly full backup at the start of the month, and then incrementals every day, on average you'll need to restore 16 backups (day 1 full backup + 15 incrementals) and in the worst case 31 backups (on day 31, the day 1 full backup + 30 incrementals.)

Restoring from a full backup kept on a cloud server can be a real problem.  The system must be running to access the internet to get at the cloud server, but the system is infected and nothing done on that system should be trusted.  This can result in the ultimate inconvenience of erasing the drive, reloading Windows from scratch, downloading the cloud backup to an air-gapped local USB drive, then restoring the original system drive from the local USB drive.  Things get even more complicated if the system drive is a RAID set.  It's well to think about these situations before being thrust into them unwillingly.

Author

Commented:
I believe OneDrive goes back 30 days to do a restore of the drive.  If we just install a new system, we could just do restores within that time, as I doubt we would need more than 30 days on the backup before we realized there was an attack.
Dr. Klahn, Principal Software Engineer
CERTIFIED EXPERT

Commented:
I would not consider 30 days acceptable in a business environment, for several reasons - but in this specific case the reason is that there is no telling how long something sat dormant on a drive before deciding to activate.  Day Zero exploits are, by definition, not detectable, so it does not matter whether the victim system had an antivirus and scanned itself regularly.

Author

Commented:
Point taken.  What length of time do you recommend?
Lee W, MVP, Technology and Business Process Advisor
CERTIFIED EXPERT
Most Valuable Expert 2013
Commented:
what length of time do you recommend?
This depends entirely on your business.  If you're in an industry that requires backups be kept for a certain amount of time.  And what happens two years down the road when the IRS decides to audit you and you don't have the records because a year ago the server crashed and you only went back a month?

I recommend you look at your business requirements and ask the question of you and your company, "What happens if I lose data from 1 month ago?  3 months ago?  6 months ago?  1 year ago?  3 years ago?  etc."
David Favor, Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
1) I have a question about ransomware.  If my computers C drive is already encrypted, is it still possible for ransomware to hold my computer hostage by encrypting files?

Yes.

If at any time you can access (decrypt) files, then so can ransomware.

2) if we have office 365 and all the files are also backed up to the cloud through OneDrive, doesn’t that also create a level of protection?

Yes + No.

Yes, in that you can restore your files from OneDrive (maybe, depends on many factors). Normally the answer is yes.

Problem is you can only restore files from your last backup, so all files between last backup time + restore will be lost.

Best have someone work through exactly how all your backups are managed to determine your level of protection + amount data loss when you restore.
Dr. Klahn, Principal Software Engineer
CERTIFIED EXPERT

Commented:
I'd keep at least one year of backups in a business environment, with full backups at least on a monthly basis.
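The backup arithmetic in Dr. Klahn's earlier post (a day 1 full backup plus daily incrementals), his point that a backup chain whose older parts have been purged is useless, and the 30-day versus one-year retention discussion above can all be checked with a small model. The following Python is an added example, not code from any poster or from Experts Exchange; the schedule, the 30-day and 365-day retention policies, and the August to October 2019 compromise/detection dates are constructed assumptions used only to illustrate the argument.

```python
"""Added example: model a monthly-full + daily-incremental schedule, a retention
window that purges old snapshots, and malware that sat dormant before it was
noticed. All dates and policy numbers are constructed, not from the thread."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Snapshot:
    taken: date
    kind: str  # "full" or "incremental"


def monthly_full_daily_incremental(start: date, days: int) -> List[Snapshot]:
    """Schedule from the thread: a full backup on the 1st of each month,
    an incremental on every other day."""
    return [
        Snapshot(d, "full" if d.day == 1 else "incremental")
        for d in (start + timedelta(days=i) for i in range(days))
    ]


def restore_chain(snapshots: List[Snapshot], target: date) -> List[Snapshot]:
    """Backup sets needed to rebuild the state as of `target`: the newest full
    taken on or before `target` plus every incremental after it up to `target`.
    Returns [] when that full no longer exists, i.e. the chain is broken."""
    usable = [s for s in snapshots if s.taken <= target]
    fulls = [s for s in usable if s.kind == "full"]
    if not fulls:
        return []
    last_full = max(fulls, key=lambda s: s.taken)
    incrementals = [s for s in usable if s.kind == "incremental" and s.taken > last_full.taken]
    return [last_full] + sorted(incrementals, key=lambda s: s.taken)


def chain_lengths(start: date, days: int) -> List[int]:
    """How many backup sets must be restored for each day of the month."""
    snaps = monthly_full_daily_incremental(start, days)
    return [len(restore_chain(snaps, start + timedelta(days=i))) for i in range(days)]


def apply_retention(snapshots: List[Snapshot], today: date, retention_days: int) -> List[Snapshot]:
    """Purge snapshots older than the retention window (constructed policy)."""
    return [s for s in snapshots if (today - s.taken).days < retention_days]


@dataclass(frozen=True)
class RestorePlan:
    clean_point: Optional[date]    # newest restorable state that predates the compromise
    data_loss_days: Optional[int]  # work lost between that point and detection
    chain: List[Snapshot]


def plan_restore(snapshots: List[Snapshot], retention_days: int,
                 first_compromised: date, detected: date) -> RestorePlan:
    """Pick the newest snapshot taken strictly before the malware first landed
    whose full + incremental chain survived the retention purge. If the malware
    sat dormant longer than the retention window, there is no clean point."""
    kept = apply_retention(snapshots, detected, retention_days)
    candidates = sorted((s for s in kept if s.taken < first_compromised),
                        key=lambda s: s.taken, reverse=True)
    for cand in candidates:
        chain = restore_chain(kept, cand.taken)
        if chain:
            return RestorePlan(cand.taken, (detected - cand.taken).days, chain)
    return RestorePlan(None, None, [])


def run_scenario() -> dict:
    """Constructed scenario: malware landed 2019-09-20, noticed 2019-10-14,
    backups since 2019-08-01; compare 30-day and 365-day retention."""
    lengths = chain_lengths(date(2019, 10, 1), 31)
    snaps = monthly_full_daily_incremental(date(2019, 8, 1), 75)  # Aug 1 .. Oct 14
    short = plan_restore(snaps, 30, date(2019, 9, 20), date(2019, 10, 14))
    long = plan_restore(snaps, 365, date(2019, 9, 20), date(2019, 10, 14))
    return {
        "avg_sets_to_restore": sum(lengths) / len(lengths),
        "worst_sets_to_restore": max(lengths),
        "clean_point_30d": None if short.clean_point is None else short.clean_point.isoformat(),
        "clean_point_365d": None if long.clean_point is None else long.clean_point.isoformat(),
        "loss_days_365d": long.data_loss_days,
        "chain_len_365d": len(long.chain),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

With 30-day retention the September 1 full has already been purged when the October 14 detection happens, so every pre-compromise incremental is orphaned and no clean restore exists; with a year of retention the September 19 state is recoverable at the cost of 25 days of work and a 19-set restore chain. The month-of-October figures reproduce the 16 average and 31 worst-case sets from the earlier post.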
