cja-tech-guy asked:

Can ransomware encrypt SharePoint and Azure Backup Files

Can SharePoint files get encrypted by ransomware?  

Can Azure file backups, that were created using the Azure backup agent running on in-house servers, be encrypted by ransomware?
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper):

I see no reason why not! (If it's developed to target SharePoint files and Azure backups.)
cja-tech-guy:

Can the ransomware access the files if it requires a login to get to them?
Dr. Klahn:

Ransomware can encrypt any file it has access to.

Regarding accessing files where a login is required, clever ransomware may search the system for password lists or lie in wait for a while and watch the system to capture necessary passwords. That is why the only safe backup is an air-gapped backup, inaccessible by any means except physically plugging it into the system.
I will use multifactor authentication. This will prevent unwanted access.  Correct?

Only if you authenticate using a different system.  Once a virus is in the system it has access to everything going on so it can see the two-factor authentication as well.

E.g.:  Two-factor authentication via "We will send you an authentication code by email."  Inside the email is text which says "Your authentication code is FAZBAZBLETCH."  Ransomware reads the email and says, "Neat, now I can subvert that resource too."

Then there is still the problem that once the external files have been brought online, the ransomware has access to them. Two-factor authentication cannot prevent that.
The MFA sends the "approve/disapprove" message to my phone.  I have to click on either choice to get access to Azure and SharePoint.

I do this every time I log in to the portals, so 1) to make sure it is working and 2) to know if someone else is trying to get in.

Will that work?

Malware is acting as the user it gets executed by. So when you unlock a drive with MFA, the drive is accessible to you and to all ransomware that you started (before or after).
I'm not unlocking the drive.  

We use the Azure Recovery Services agent to back up on-premises servers.

To access our Azure account where the backups are stored, you have to log in to the Azure Portal. That is where the MFA comes into play. You cannot get access unless I approve you from the MFA app on my phone.

You'll find all your data is encrypted before it gets to Azure!

(unless air gapped!)
What I'm trying to determine is: would I be able to restore from the Azure backups that were created before the encryption happened?

If it is encrypted before it gets to Azure and then Azure backs up the encrypted data, I would still have access to unencrypted files in Azure from the days before the event. Correct?
What I'm trying to determine is: would I be able to restore from the Azure backups that were created before the encryption happened?

if not compromised.

If it is encrypted before it gets to Azure and then Azure backs up the encrypted data, I would still have access to unencrypted files in Azure from the days before the event. Correct?

check your backups and retention.
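A concrete way to act on "check your backups and retention" after an incident, as an added Python example that is not from any poster in this thread and not Azure Backup's own tooling: from a triage listing of the infected server it finds the earliest write of an encrypted file, keeps only the recovery points taken before that moment (later points may already contain ciphertext), and picks the newest one the retention policy still holds, together with the date on which retention will purge it. The recovery-point list, the file triage and the timestamps are all constructed sample data; a real vault listing would be substituted for them.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class RecoveryPoint:
    """One recovery point as a backup vault lists it (name and creation time)."""
    label: str
    created: datetime


# Constructed sample: ten nightly recovery points of an on-premises file server,
# each taken at 00:00 (not real vault data).
SAMPLE_POINTS = [
    RecoveryPoint(f"nightly-2020-05-{day:02d}", datetime(2020, 5, day))
    for day in range(1, 11)
]

# Constructed triage listing from the infected server:
# (path, last-modified time, flagged as encrypted by the responder).
SAMPLE_FILES = [
    ("share/finance/q1.xlsx.locked", datetime(2020, 5, 8, 2, 15), True),
    ("share/hr/policy.docx.locked", datetime(2020, 5, 8, 3, 40), True),
    ("share/readme.txt", datetime(2020, 4, 30, 9, 0), False),
]

# Constructed: when the incident was noticed and triage started.
TRIAGE_TIME = datetime(2020, 5, 10, 8, 0)


def earliest_encrypted_write(files) -> Optional[datetime]:
    """Earliest modification time among files flagged as encrypted.
    Any recovery point taken after this moment may already hold ciphertext."""
    times = [mtime for _path, mtime, encrypted in files if encrypted]
    return min(times) if times else None


FIRST_BAD_CHANGE = earliest_encrypted_write(SAMPLE_FILES)


def clean_points(points, first_bad_change) -> List[RecoveryPoint]:
    """Recovery points created strictly before the first encrypted write, oldest first."""
    return sorted((p for p in points if p.created < first_bad_change),
                  key=lambda p: p.created)


def still_retained(point, now, retention_days) -> bool:
    """True while the vault's retention policy has not yet expired this point."""
    return point.created + timedelta(days=retention_days) > now


def restore_plan(points, first_bad_change, now, retention_days):
    """Newest clean point that retention still holds, the data-loss window it
    implies, and the moment retention purges it. None: no clean point survives."""
    candidates = [p for p in clean_points(points, first_bad_change)
                  if still_retained(p, now, retention_days)]
    if not candidates:
        return None
    best = candidates[-1]
    return {
        "point": best.label,
        "data_loss": first_bad_change - best.created,
        "expires": best.created + timedelta(days=retention_days),
    }


if __name__ == "__main__":
    print("first encrypted write:", FIRST_BAD_CHANGE)
    print("30-day retention:", restore_plan(SAMPLE_POINTS, FIRST_BAD_CHANGE, TRIAGE_TIME, 30))
    print("2-day retention: ", restore_plan(SAMPLE_POINTS, FIRST_BAD_CHANGE, TRIAGE_TIME, 2))
```

With the constructed data the nightly point from 2020-05-08 00:00 is still clean because the first encrypted write is at 02:15 that day, so a 30-day policy leaves a restorable point with about two hours of data loss; a 2-day policy has already aged every clean point out by the time triage starts, which is the situation the retention check is meant to catch before it happens.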
Any online-accessible data reachable by some user can be a victim of the ransomware. No exceptions.
Only off-line data, or other data that is not accessible by the user "running" the ransomware, is safe.

The ransomware could include instructions for downloading & uploading data through web services or whatever.

True multifactor authentication, with independent factors, can prevent direct access but will not disallow access if you allow the system running the ransomware (might be a hidden rootkit) access to some "normally offline resource". The ransomware can run piggybacked onto the connection made for something else.

Access control or authentication mitigates against unauthorised access, but ransomware is authorised in a way, as it accesses what you see, access and store. You probably have logs on the access but against ransomware it would help. So what if you know who logged in and accessed the file share and backup on that infected machine; the fact is the files are all long encrypted.

You probably can trace patient zero and isolate quickly if you have a monitoring team looking at anomalous activities which a normal user or admin would not be doing. Azure ATP and Backup have elements of the detection and prevention. Specifically for backups, I am looking at deletions being kept 14 days before the final purging of those files. If we are lucky enough to detect early, maybe recovery is still feasible. Against ransomware you should be looking at ATP for defend & respond and backup for recovery.

When I login to Azure or O365 I have to "approve" my own access on my phone.

How can the ransomware get to the Azure backups if it needs me to "approve" access from the MFA app on my phone?

If the app notifies me that someone is requesting approval to login to Azure, and it is not me, and I choose "disapprove" they are not getting in.  

Wouldn't that stop the attack right there? I know the local files may be affected by the ransomware, but the Azure backup files would not.

When you approve the connection for accessing the share for your normal work, the ransomware can use that same authorisation at that time to push other updates.

UNLESS each and every action needs an authentication (might need 3-5 authentications for uploading some data, due to checks for existence etc.).
If a key is valid for say 15 minutes you have opened the door indiscriminately from that station for 15 minutes.
I'm the only person who can approve login/access through the MFA, so if I see a request that is not me, I will deny it.

Does that end the attack right then and there?

No access. No changes.
I agree you are the only one. When you access the site using one window, do you need to authenticate again if you immediately access it using another window, and again if you immediately open a 3rd window?

If yes THEN you are safe.

Once I approve the MFA request, I do not get prompted for it again if I open the portal in another window or browser.

Why does it matter that I only get prompted for MFA approval one time?

I'm not saving the credentials. I log out of the portal when done with it and have to verify through MFA if I log back in to the portal.

What I did was log in to the portal from Edge and was prompted for MFA approval. I then logged in from Chrome, without logging out in Edge, and did not get an MFA prompt in Chrome. Was that because I was already logged in from Edge?