- Microsoft SharePoint
- Azure
Can ransomeware encrypt SharePoint and Azure Backup Files
Can SharePoint files get encrypted by ransomware?
Can Azure file backups, that were created using the Azure backup agent running on in house servers be encrypted by ransomware?
Can Azure file backups, that were created using the Azure backup agent running on in house servers be encrypted by ransomware?
Ransomware can encrypt any file it has access to.
Regarding accessing files where a login is required, clever ransomware may search the system for password lists or lie in wait for a while and watch the system to capture necessary passwords. That is why the only safe backup is an air-gapped backup, inaccessible by any means except physically plugging it in to the system.
Regarding accessing files where a login is required, clever ransomware may search the system for password lists or lie in wait for a while and watch the system to capture necessary passwords. That is why the only safe backup is an air-gapped backup, inaccessible by any means except physically plugging it in to the system.
Only if you authenticate using a different system. Once a virus is in the system it has access to everything going on so it can see the two-factor authentication as well.
E.g.: Two-factor authentication via "We will send you an authentication code by email." Inside the email is text which says "Your authentication code is FAZBAZBLETCH." Ransomware reads the email and says, "Neat, now I can subvert that resource too."
Then there is still the problem that once the external files have been brought online, the ransomware has access to them. Two factor authentication cannot prevent that.
E.g.: Two-factor authentication via "We will send you an authentication code by email." Inside the email is text which says "Your authentication code is FAZBAZBLETCH." Ransomware reads the email and says, "Neat, now I can subvert that resource too."
Then there is still the problem that once the external files have been brought online, the ransomware has access to them. Two factor authentication cannot prevent that.
The MFA sends the "approve/disapprove" message to my phone. I have to click on either choice to get access to Azure and SharePoint.
I do this every time I login to the portals so 1) to make sure it is working and 2) to know if someone else is trying to get in.
Will that work?
Thanks,
cja
I do this every time I login to the portals so 1) to make sure it is working and 2) to know if someone else is trying to get in.
Will that work?
Thanks,
cja
Malware is acting as the user it gets executed by. So when you unlock a drive with MFA, the drive is accessible to you and to all ransomware that you started (before or after).
I'm not unlocking the drive.
We use Azure Recovery Services agent to backup on premises servers.
To access our Azure account where the back ups are stored, you have to login to the Azure Portal. That is where the MFA comes into play. You cannot get access unless I approve you from the MFA app my phone.
Comments?
We use Azure Recovery Services agent to backup on premises servers.
To access our Azure account where the back ups are stored, you have to login to the Azure Portal. That is where the MFA comes into play. You cannot get access unless I approve you from the MFA app my phone.
Comments?
What I'm trying to determine is ould I be able to restore from the Azure backups that were created before the encryption happened?
If it is encrypted before it gets to Azure and then Azure backs up the encrypted data, I would still have access to unencrypted files in Azure from the days before the event. correct?
If it is encrypted before it gets to Azure and then Azure backs up the encrypted data, I would still have access to unencrypted files in Azure from the days before the event. correct?
What I'm trying to determine is ould I be able to restore from the Azure backups that were created before the encryption happened?
if not compromised.
If it is encrypted before it gets to Azure and then Azure backs up the encrypted data, I would still have access to unencrypted files in Azure from the days before the event. correct?
check your backups and retention.
Any online accessible data reachable by some user can be victim of the ransomware. no exceptions.
Only off-line data or other data that is not accessible by the user "running" the ransomware .
The ransomware could include instruction for downloading & uploading data through webservices or whatever.
True Multifactor Authentication with independant factors, can prevent direct access but will not disallow access if you allow the system running the ransomware (might be a hidden rootkit), to some "normally offline resource). The ransomware can runpiggybacked onto the connection made for something else.
Only off-line data or other data that is not accessible by the user "running" the ransomware .
The ransomware could include instruction for downloading & uploading data through webservices or whatever.
True Multifactor Authentication with independant factors, can prevent direct access but will not disallow access if you allow the system running the ransomware (might be a hidden rootkit), to some "normally offline resource). The ransomware can runpiggybacked onto the connection made for something else.
Access Control or Authentication mitigates against unauthorised access but ransomware is authorised in a way as it access what you see, access and store. You probably have logs on the access but against ransomware it would help. So what if you know who log in and access the file share and backup in that infected machine, the fact is the files are all long encrypted.
You probably can trace the patient zero and isolate quickly if you have a monitoring team looking at anomalous activities which normal user or admin would not be doing. Azure ATP and Backup have element of the detection and prevention. Specifically for backups, I am looking at the deletion is kept 14 days before the final purging of those files. If we are lucky to detect early, maybe recovery is still feasible. Against ransomware you should be looking at ATP for defend & respond and backup for recovery.
When I login to Azure or O365 I have to "approve" my own access on my phone.
How can the ransomware get to the Azure backups if it needs me to "approve" access from the MFA app on my phone?
If the app notifies me that someone is requesting approval to login to Azure, and it is not me, and I choose "disapprove" they are not getting in.
Wouldn't that stop the attack right there? I know the local files may be affected by the ransomware, but the Azure backup files would not.
Correct?
How can the ransomware get to the Azure backups if it needs me to "approve" access from the MFA app on my phone?
If the app notifies me that someone is requesting approval to login to Azure, and it is not me, and I choose "disapprove" they are not getting in.
Wouldn't that stop the attack right there? I know the local files may be affected by the ransomware, but the Azure backup files would not.
Correct?
When you approve the connection for accessing the share for your normal work, the ransomware can use that same authorisation at that time to push other updates.
UNLESS each and every actions needs an authentication (might need 3-5 authentication for uploading some data, due to checks for existence etc.).
If a key is valid for say 15 minutes you have opened the door indiscriminately from that station for 15 minutes.
UNLESS each and every actions needs an authentication (might need 3-5 authentication for uploading some data, due to checks for existence etc.).
If a key is valid for say 15 minutes you have opened the door indiscriminately from that station for 15 minutes.
NOCI
I'm the only person who can approve login/access through the MFA, so if I see a request that is not me, I will deny it.
Does that end the attack right then and there?
No access. No changes.
I'm the only person who can approve login/access through the MFA, so if I see a request that is not me, I will deny it.
Does that end the attack right then and there?
No access. No changes.
I agree you are the only one.. When you access the site using one window you need to authenticate again if you immediately access using another window.. and again if you immediately do a 3rd window you again need another login?
If yes THEN you are safe.
If yes THEN you are safe.
NOCI
Once I approve the MFA request, I do not get prompted for it again if I open the portal in another windows or browser.
Why does it matter that I only get prompted for MFA approval one time?
Thanks,
Carmen
Once I approve the MFA request, I do not get prompted for it again if I open the portal in another windows or browser.
Why does it matter that I only get prompted for MFA approval one time?
Thanks,
Carmen
If you are not prompted the credentials are stored.
Any malware worth its salt can use those credentials also and those. And do like you do: access the site multiple times...
So if you can authenticate once for multiple access attempts a malware can do so too AFTER you accredited you access.
It will not attempt to access before you do.
Any malware worth its salt can use those credentials also and those. And do like you do: access the site multiple times...
So if you can authenticate once for multiple access attempts a malware can do so too AFTER you accredited you access.
It will not attempt to access before you do.
I'm not saving the credentials. I logout of the portal when done with it and have to verify through MFA if I log back in to the portal.
What I did was log in to the portal from Edge and was promped for MFA approval. I then logged in from Chrome, withouout loggin out in Edge and did not get MFA prompt in Chrome. Was that because I was already logged in from Edge?
What I did was log in to the portal from Edge and was promped for MFA approval. I then logged in from Chrome, withouout loggin out in Edge and did not get MFA prompt in Chrome. Was that because I was already logged in from Edge?
Explore More ContentExplore courses, solutions, and other research materials related to this topic.
-
![]()
received a Solution
Do I need to backup our SharePoint files -
![]()
wrote an Article
![]()
How to configure Fail-over and Geo-Replication for Microsoft Azure Database?
-
![]()
created a Video
![]()
Exchange 2019 - Create an Exchange lab in Azure and setup your Virtual machines Part 1
-
Explore Cloud Class® ![]()
Exploring SharePoint 2016
Premium Content
You need an Expert Office subscription to comment.Start Free Trial