cja-tech-guy
Can ransomware encrypt SharePoint and Azure Backup files?

Can SharePoint files get encrypted by ransomware?  

Can Azure file backups, that were created using the Azure backup agent running on in house servers be encrypted by ransomware?
Ransomware, Microsoft SharePoint, Azure, Security

8/22/2022 - Mon
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

I see no reason why not! (If it's developed to target SharePoint files and Azure backups.)
cja-tech-guy

ASKER
Can the ransomware access the files if it requires a login to get to them?
Dr. Klahn

Ransomware can encrypt any file it has access to.

Regarding accessing files where a login is required, clever ransomware may search the system for password lists or lie in wait for a while and watch the system to capture necessary passwords.  That is why the only safe backup is an air-gapped backup, inaccessible by any means except physically plugging it in to the system.
cja-tech-guy

ASKER
I will use multifactor authentication. This will prevent unwanted access.  Correct?

Thanks,
cja
Dr. Klahn

Only if you authenticate using a different system.  Once a virus is in the system it has access to everything going on so it can see the two-factor authentication as well.

E.g.:  Two-factor authentication via "We will send you an authentication code by email."  Inside the email is text which says "Your authentication code is FAZBAZBLETCH."  Ransomware reads the email and says, "Neat, now I can subvert that resource too."

Then there is still the problem that once the external files have been brought online, the ransomware has access to them.  Two factor authentication cannot prevent that.
cja-tech-guy

ASKER
The MFA sends the "approve/disapprove" message to my phone.  I have to click on either choice to get access to Azure and SharePoint.

I do this every time I log in to the portals 1) to make sure it is working and 2) to know if someone else is trying to get in.

Will that work?

Thanks,
cja
McKnife

Malware is acting as the user it gets executed by. So when you unlock a drive with MFA, the drive is accessible to you and to all ransomware that you started (before or after).
cja-tech-guy

ASKER
I'm not unlocking the drive.  

We use the Azure Recovery Services agent to back up on-premises servers.

To access our Azure account where the backups are stored, you have to log in to the Azure Portal. That is where the MFA comes into play. You cannot get access unless I approve you from the MFA app on my phone.

Comments?
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

You'll find all your data is encrypted before it gets to Azure!

(unless air gapped!)
cja-tech-guy

ASKER
What I'm trying to determine is: would I be able to restore from the Azure backups that were created before the encryption happened?

If it is encrypted before it gets to Azure and then Azure backs up the encrypted data, I would still have access to unencrypted files in Azure from the days before the event. Correct?
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

What I'm trying to determine is: would I be able to restore from the Azure backups that were created before the encryption happened?

If not compromised.

If it is encrypted before it gets to Azure and then Azure backs up the encrypted data, I would still have access to unencrypted files in Azure from the days before the event. Correct?

Check your backups and retention.
noci

Any online accessible data reachable by some user can be a victim of the ransomware. No exceptions.
Only off-line data, or other data that is not accessible by the user "running" the ransomware, is safe.

The ransomware could include instructions for downloading & uploading data through web services or whatever.

True multifactor authentication with independent factors can prevent direct access, but will not disallow access if you allow the system running the ransomware (might be a hidden rootkit) to reach some "normally offline" resource. The ransomware can run piggybacked onto the connection made for something else.
btan

Access control or authentication mitigates against unauthorised access, but ransomware is authorised in a way, as it accesses what you see, access and store. You probably have logs on the access, but against ransomware it would help. So what if you know who logged in and accessed the file share and backup on that infected machine; the fact is the files are all long encrypted.

You probably can trace patient zero and isolate quickly if you have a monitoring team looking at anomalous activities which a normal user or admin would not be doing. Azure ATP and Backup have elements of the detection and prevention. Specifically for backups, I am looking at the deletion being kept 14 days before the final purging of those files. If we are lucky enough to detect early, maybe recovery is still feasible. Against ransomware you should be looking at ATP to defend & respond and at backup for recovery.
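The two questions above, whether a pre-encryption recovery point can still be restored and how the 14-day soft-delete window bounds that, can be modelled directly. The following is an added example written for this thread, not code from Azure Backup or from any poster; the nightly backup schedule, 30-day retention, encryption start time and attacker deletion time are all constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class RecoveryPoint:
    created: datetime                   # when the backup (recovery point) was taken
    deleted: Optional[datetime] = None  # when it was deleted from the vault, if it was

def restorable_points(points: List[RecoveryPoint], now: datetime,
                      retention_days: int, soft_delete_days: int = 14) -> List[RecoveryPoint]:
    """Points that can still be restored at `now`.

    An undeleted point lives for `retention_days` after creation. A deleted point is
    held by soft delete for `soft_delete_days` more (the 14-day window mentioned in the
    thread) before it is purged for good. Simplified model, not the vendor's exact rules.
    """
    keep = []
    for p in points:
        if p.deleted is None:
            expiry = p.created + timedelta(days=retention_days)
        else:
            expiry = p.deleted + timedelta(days=soft_delete_days)
        if now < expiry:
            keep.append(p)
    return keep

def last_clean_point(points, encryption_started, now, retention_days) -> Optional[RecoveryPoint]:
    """Newest restorable point taken before the encryption began, or None if none is left."""
    clean = [p for p in restorable_points(points, now, retention_days)
             if p.created < encryption_started]
    return max(clean, key=lambda p: p.created, default=None)

# Constructed scenario: nightly 02:00 backups of one on-premises server through August
# 2022. Encryption starts 19 Aug 08:00; at 09:00 the same session deletes every recovery
# point taken so far, so the points taken afterwards contain only ciphertext.
ENCRYPTION_STARTED = datetime(2022, 8, 19, 8, 0)
ATTACKER_DELETED_AT = datetime(2022, 8, 19, 9, 0)
RETENTION_DAYS = 30

def scenario_points() -> List[RecoveryPoint]:
    return [RecoveryPoint(created=datetime(2022, 8, day, 2, 0),
                          deleted=ATTACKER_DELETED_AT if datetime(2022, 8, day, 2, 0) < ATTACKER_DELETED_AT else None)
            for day in range(1, 23)]

def recovery_outlook(detected_at: datetime) -> Optional[datetime]:
    """Creation time of the newest clean, still-restorable point when the incident is noticed."""
    p = last_clean_point(scenario_points(), ENCRYPTION_STARTED, detected_at, RETENTION_DAYS)
    return p.created if p else None

if __name__ == "__main__":
    for when in (datetime(2022, 8, 22), datetime(2022, 9, 1), datetime(2022, 9, 5)):
        print(when.date(), "->", recovery_outlook(when))
```

Detection on 22 Aug or 1 Sep still finds the 19 Aug 02:00 point; by 5 Sep the soft-deleted points are purged and only post-encryption points remain, so the answer becomes None.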

cja-tech-guy

ASKER
When I log in to Azure or O365 I have to "approve" my own access on my phone.

How can the ransomware get to the Azure backups if it needs me to "approve" access from the MFA app on my phone?

If the app notifies me that someone is requesting approval to login to Azure, and it is not me, and I choose "disapprove" they are not getting in.  

Wouldn't that stop the attack right there? I know the local files may be affected by the ransomware, but the Azure backup files would not.

Correct?
noci

When you approve the connection for accessing the share for your normal work, the ransomware can use that same authorisation at that time to push other updates.

UNLESS each and every action needs an authentication (might need 3-5 authentications for uploading some data, due to checks for existence etc.).
If a key is valid for, say, 15 minutes, you have opened the door indiscriminately from that station for 15 minutes.
cja-tech-guy

ASKER
NOCI
I'm the only person who can approve login/access through the MFA, so if I see a request that is not me, I will deny it.

Does that end the attack right then and there?

No access. No changes.
noci

I agree you are the only one. When you access the site using one window, do you need to authenticate again if you immediately access it using another window, and again if you immediately open a 3rd window?

If yes THEN you are safe.
cja-tech-guy

ASKER
NOCI

Once I approve the MFA request, I do not get prompted for it again if I open the portal in another window or browser.

Why does it matter that I only get prompted for MFA approval one time?

Thanks,
Carmen
ASKER CERTIFIED SOLUTION
noci

cja-tech-guy

ASKER
I'm not saving the credentials. I log out of the portal when done with it and have to verify through MFA if I log back in to the portal.

What I did was log in to the portal from Edge and was prompted for MFA approval. I then logged in from Chrome, without logging out in Edge, and did not get an MFA prompt in Chrome. Was that because I was already logged in from Edge?
cja-tech-guy

ASKER
Thanks