asked on Can ransomeware encrypt SharePoint and Azure Backup Files
Can SharePoint files get encrypted by ransomware?
Can Azure file backups, that were created using the Azure backup agent running on in house servers be encrypted by ransomware?
Can Azure file backups, that were created using the Azure backup agent running on in house servers be encrypted by ransomware?
RansomwareMicrosoft SharePointAzureSecurity
Last Comment
cja-tech-guy
I see no reasons why not! (if it's developed to target Sharepoint files and Azure backups.
ASKER
Can the ransomware access the files if it requires a login to get to them?
Ransomware can encrypt any file it has access to.
Regarding accessing files where a login is required, clever ransomware may search the system for password lists or lie in wait for a while and watch the system to capture necessary passwords. That is why the only safe backup is an air-gapped backup, inaccessible by any means except physically plugging it in to the system.
Regarding accessing files where a login is required, clever ransomware may search the system for password lists or lie in wait for a while and watch the system to capture necessary passwords. That is why the only safe backup is an air-gapped backup, inaccessible by any means except physically plugging it in to the system.
ASKER
I will use multifactor authentication. This will prevent unwanted access. Correct?
Thanks,
cja
Thanks,
cja
Only if you authenticate using a different system. Once a virus is in the system it has access to everything going on so it can see the two-factor authentication as well.
E.g.: Two-factor authentication via "We will send you an authentication code by email." Inside the email is text which says "Your authentication code is FAZBAZBLETCH." Ransomware reads the email and says, "Neat, now I can subvert that resource too."
Then there is still the problem that once the external files have been brought online, the ransomware has access to them. Two factor authentication cannot prevent that.
E.g.: Two-factor authentication via "We will send you an authentication code by email." Inside the email is text which says "Your authentication code is FAZBAZBLETCH." Ransomware reads the email and says, "Neat, now I can subvert that resource too."
Then there is still the problem that once the external files have been brought online, the ransomware has access to them. Two factor authentication cannot prevent that.
ASKER
The MFA sends the "approve/disapprove" message to my phone. I have to click on either choice to get access to Azure and SharePoint.
I do this every time I login to the portals so 1) to make sure it is working and 2) to know if someone else is trying to get in.
Will that work?
Thanks,
cja
I do this every time I login to the portals so 1) to make sure it is working and 2) to know if someone else is trying to get in.
Will that work?
Thanks,
cja
Malware is acting as the user it gets executed by. So when you unlock a drive with MFA, the drive is accessible to you and to all ransomware that you started (before or after).
ASKER
I'm not unlocking the drive.
We use Azure Recovery Services agent to backup on premises servers.
To access our Azure account where the back ups are stored, you have to login to the Azure Portal. That is where the MFA comes into play. You cannot get access unless I approve you from the MFA app my phone.
Comments?
We use Azure Recovery Services agent to backup on premises servers.
To access our Azure account where the back ups are stored, you have to login to the Azure Portal. That is where the MFA comes into play. You cannot get access unless I approve you from the MFA app my phone.
Comments?
You'll find all your data is encrypted before it gets to Azure!
(unless air gapped!)
(unless air gapped!)
ASKER
What I'm trying to determine is ould I be able to restore from the Azure backups that were created before the encryption happened?
If it is encrypted before it gets to Azure and then Azure backs up the encrypted data, I would still have access to unencrypted files in Azure from the days before the event. correct?
If it is encrypted before it gets to Azure and then Azure backs up the encrypted data, I would still have access to unencrypted files in Azure from the days before the event. correct?
What I'm trying to determine is ould I be able to restore from the Azure backups that were created before the encryption happened?
if not compromised.
If it is encrypted before it gets to Azure and then Azure backs up the encrypted data, I would still have access to unencrypted files in Azure from the days before the event. correct?
check your backups and retention.
Any online accessible data reachable by some user can be victim of the ransomware. no exceptions.
Only off-line data or other data that is not accessible by the user "running" the ransomware .
The ransomware could include instruction for downloading & uploading data through webservices or whatever.
True Multifactor Authentication with independant factors, can prevent direct access but will not disallow access if you allow the system running the ransomware (might be a hidden rootkit), to some "normally offline resource). The ransomware can runpiggybacked onto the connection made for something else.
Only off-line data or other data that is not accessible by the user "running" the ransomware .
The ransomware could include instruction for downloading & uploading data through webservices or whatever.
True Multifactor Authentication with independant factors, can prevent direct access but will not disallow access if you allow the system running the ransomware (might be a hidden rootkit), to some "normally offline resource). The ransomware can runpiggybacked onto the connection made for something else.
Access Control or Authentication mitigates against unauthorised access but ransomware is authorised in a way as it access what you see, access and store. You probably have logs on the access but against ransomware it would help. So what if you know who log in and access the file share and backup in that infected machine, the fact is the files are all long encrypted.
You probably can trace the patient zero and isolate quickly if you have a monitoring team looking at anomalous activities which normal user or admin would not be doing. Azure ATP and Backup have element of the detection and prevention. Specifically for backups, I am looking at the deletion is kept 14 days before the final purging of those files. If we are lucky to detect early, maybe recovery is still feasible. Against ransomware you should be looking at ATP for defend & respond and backup for recovery.
ASKER
When I login to Azure or O365 I have to "approve" my own access on my phone.
How can the ransomware get to the Azure backups if it needs me to "approve" access from the MFA app on my phone?
If the app notifies me that someone is requesting approval to login to Azure, and it is not me, and I choose "disapprove" they are not getting in.
Wouldn't that stop the attack right there? I know the local files may be affected by the ransomware, but the Azure backup files would not.
Correct?
How can the ransomware get to the Azure backups if it needs me to "approve" access from the MFA app on my phone?
If the app notifies me that someone is requesting approval to login to Azure, and it is not me, and I choose "disapprove" they are not getting in.
Wouldn't that stop the attack right there? I know the local files may be affected by the ransomware, but the Azure backup files would not.
Correct?
When you approve the connection for accessing the share for your normal work, the ransomware can use that same authorisation at that time to push other updates.
UNLESS each and every actions needs an authentication (might need 3-5 authentication for uploading some data, due to checks for existence etc.).
If a key is valid for say 15 minutes you have opened the door indiscriminately from that station for 15 minutes.
UNLESS each and every actions needs an authentication (might need 3-5 authentication for uploading some data, due to checks for existence etc.).
If a key is valid for say 15 minutes you have opened the door indiscriminately from that station for 15 minutes.
ASKER
NOCI
I'm the only person who can approve login/access through the MFA, so if I see a request that is not me, I will deny it.
Does that end the attack right then and there?
No access. No changes.
I'm the only person who can approve login/access through the MFA, so if I see a request that is not me, I will deny it.
Does that end the attack right then and there?
No access. No changes.
I agree you are the only one.. When you access the site using one window you need to authenticate again if you immediately access using another window.. and again if you immediately do a 3rd window you again need another login?
If yes THEN you are safe.
If yes THEN you are safe.
ASKER
NOCI
Once I approve the MFA request, I do not get prompted for it again if I open the portal in another windows or browser.
Why does it matter that I only get prompted for MFA approval one time?
Thanks,
Carmen
Once I approve the MFA request, I do not get prompted for it again if I open the portal in another windows or browser.
Why does it matter that I only get prompted for MFA approval one time?
Thanks,
Carmen
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
I'm not saving the credentials. I logout of the portal when done with it and have to verify through MFA if I log back in to the portal.
What I did was log in to the portal from Edge and was promped for MFA approval. I then logged in from Chrome, withouout loggin out in Edge and did not get MFA prompt in Chrome. Was that because I was already logged in from Edge?
What I did was log in to the portal from Edge and was promped for MFA approval. I then logged in from Chrome, withouout loggin out in Edge and did not get MFA prompt in Chrome. Was that because I was already logged in from Edge?
ASKER
Thanks