
Can ransomware encrypt SharePoint and Azure Backup files?

Can SharePoint files get encrypted by ransomware?  

Can Azure file backups that were created using the Azure Backup agent running on in-house servers be encrypted by ransomware?

Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
GOLD EXPERT
Fellow
Expert of the Year 2017

Commented:
I see no reason why not! (If it's developed to target SharePoint files and Azure backups.)

Author

Commented:
Can the ransomware access the files if it requires a login to get to them?
Dr. Klahn, Principal Software Engineer
BRONZE EXPERT

Commented:
Ransomware can encrypt any file it has access to.

Regarding accessing files where a login is required, clever ransomware may search the system for password lists or lie in wait for a while and watch the system to capture necessary passwords.  That is why the only safe backup is an air-gapped backup, inaccessible by any means except physically plugging it in to the system.

Author

Commented:
I will use multifactor authentication. This will prevent unwanted access.  Correct?

Thanks,
cja
Dr. Klahn, Principal Software Engineer
BRONZE EXPERT

Commented:
Only if you authenticate using a different system.  Once a virus is in the system it has access to everything going on so it can see the two-factor authentication as well.

E.g.:  Two-factor authentication via "We will send you an authentication code by email."  Inside the email is text which says "Your authentication code is FAZBAZBLETCH."  Ransomware reads the email and says, "Neat, now I can subvert that resource too."

Then there is still the problem that once the external files have been brought online, the ransomware has access to them. Two-factor authentication cannot prevent that.

Author

Commented:
The MFA sends the "approve/disapprove" message to my phone.  I have to click on either choice to get access to Azure and SharePoint.

I do this every time I log in to the portals, 1) to make sure it is working and 2) to know if someone else is trying to get in.

Will that work?

Thanks,
cja
SILVER EXPERT
Distinguished Expert 2019

Commented:
Malware is acting as the user it gets executed by. So when you unlock a drive with MFA, the drive is accessible to you and to all ransomware that you started (before or after).

Author

Commented:
I'm not unlocking the drive.  

We use the Azure Recovery Services agent to back up on-premises servers.

To access our Azure account where the backups are stored, you have to log in to the Azure Portal. That is where the MFA comes into play. You cannot get access unless I approve you from the MFA app on my phone.

Comments?
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
GOLD EXPERT
Fellow
Expert of the Year 2017

Commented:
You'll find all your data is encrypted before it gets to Azure!

(unless air gapped!)

Author

Commented:
What I'm trying to determine is whether I would be able to restore from the Azure backups that were created before the encryption happened.

If it is encrypted before it gets to Azure and then Azure backs up the encrypted data, I would still have access to unencrypted files in Azure from the days before the event. Correct?
Andrew Hancock (VMware vExpert / EE Fellow), VMware and Virtualization Consultant
GOLD EXPERT
Fellow
Expert of the Year 2017

Commented:
What I'm trying to determine is whether I would be able to restore from the Azure backups that were created before the encryption happened.

If not compromised.

If it is encrypted before it gets to Azure and then Azure backs up the encrypted data, I would still have access to unencrypted files in Azure from the days before the event. Correct?

Check your backups and retention.
noci, Software Engineer
BRONZE EXPERT
Distinguished Expert 2019

Commented:
Any online accessible data reachable by some user can be a victim of the ransomware. No exceptions.
Only off-line data or other data that is not accessible by the user "running" the ransomware is safe.

The ransomware could include instructions for downloading & uploading data through web services or whatever.

True multifactor authentication with independent factors can prevent direct access, but will not disallow access if you allow the system running the ransomware (might be a hidden rootkit) to reach some "normally offline" resource. The ransomware can run piggybacked onto the connection made for something else.
btan, Exec Consultant
SILVER EXPERT
Distinguished Expert 2019

Commented:
Access control or authentication mitigates against unauthorised access, but ransomware is authorised in a way, as it accesses what you see, access and store. You probably have logs on the access, but against ransomware it would help. So what if you know who logs in and accesses the file share and backup on that infected machine; the fact is the files are all long encrypted.

You probably can trace patient zero and isolate quickly if you have a monitoring team looking at anomalous activities which a normal user or admin would not be doing. Azure ATP and Backup have elements of the detection and prevention. Specifically for backups, I am looking at deletions being kept 14 days before the final purging of those files. If we are lucky enough to detect early, maybe recovery is still feasible. Against ransomware you should be looking at ATP to defend & respond and backup for recovery.
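The recovery question raised above (which Azure backup recovery points predate the encryption, and whether they are still inside the retention window) is something a defender can check programmatically. The following is an added example, not code from the original thread or from Azure Backup: it walks a constructed list of recovery points newest-first, flags files that look ransomware-encrypted (ransom extension or near-random content measured by Shannon entropy), and returns the newest clean point that is still within retention. The snapshot contents, the `.locked` extension and the entropy threshold are assumptions for illustration.

```python
import math
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plaintext documents sit well below 7, ciphertext near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: str, data: bytes, threshold: float = 7.0) -> bool:
    # Heuristic indicators: an appended ransom extension (assumed ".locked" here)
    # or content whose entropy is far too high for the office documents we expect.
    return path.endswith(".locked") or shannon_entropy(data) > threshold


def last_clean_recovery_point(points, retention_days: int, now: datetime):
    """points: list of (timestamp, {path: content}). Returns the newest timestamp whose
    files show no encryption indicators and that is still inside the retention window,
    or None if every retained point is already contaminated."""
    cutoff = now - timedelta(days=retention_days)
    for when, files in sorted(points, key=lambda p: p[0], reverse=True):
        if when < cutoff:
            return None  # older points have been purged; nothing clean is restorable
        if not any(looks_encrypted(path, data) for path, data in files.items()):
            return when
    return None


# Constructed sample recovery points (not real backup data): two clean days, then the
# day the ransomware ran. bytes(range(256)) * 4 stands in for random-looking ciphertext.
CLEAN_DOC = b"Quarterly report text. " * 20
CIPHERTEXT = bytes(range(256)) * 4
SAMPLE_POINTS = [
    (datetime(2019, 6, 1), {"reports/q1.docx": CLEAN_DOC, "notes.txt": CLEAN_DOC}),
    (datetime(2019, 6, 2), {"reports/q1.docx": CLEAN_DOC, "notes.txt": CLEAN_DOC}),
    (datetime(2019, 6, 3), {"reports/q1.docx.locked": CIPHERTEXT, "notes.txt.locked": CIPHERTEXT}),
]

if __name__ == "__main__":
    print(last_clean_recovery_point(SAMPLE_POINTS, 14, datetime(2019, 6, 3)))
```

With a 14-day retention the 2 June point is restorable; with retention that has already purged the clean points the function returns None, which is the "check your backups and retention" situation.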

Author

Commented:
When I login to Azure or O365 I have to "approve" my own access on my phone.

How can the ransomware get to the Azure backups if it needs me to "approve" access from the MFA app on my phone?

If the app notifies me that someone is requesting approval to login to Azure, and it is not me, and I choose "disapprove" they are not getting in.  

Wouldn't that stop the attack right there? I know the local files may be affected by the ransomware, but the Azure backup files would not.

Correct?
noci, Software Engineer
BRONZE EXPERT
Distinguished Expert 2019

Commented:
When you approve the connection for accessing the share for your normal work, the ransomware can use that same authorisation at that time to push other updates.

UNLESS each and every action needs an authentication (might need 3-5 authentications for uploading some data, due to checks for existence etc.).
If a key is valid for, say, 15 minutes, you have opened the door indiscriminately from that station for 15 minutes.

Author

Commented:
NOCI
I'm the only person who can approve login/access through the MFA, so if I see a request that is not me, I will deny it.

 Does that end the attack right then and there?

No access. No changes.
noci, Software Engineer
BRONZE EXPERT
Distinguished Expert 2019

Commented:
I agree you are the only one. When you access the site using one window, do you need to authenticate again if you immediately access it using another window? And again if you immediately open a 3rd window, do you again need another login?

If yes THEN you are safe.

Author

Commented:
NOCI

Once I approve the MFA request, I do not get prompted for it again if I open the portal in another windows or browser.

Why does it matter that I only get prompted for MFA approval one time?

Thanks,
Carmen
noci, Software Engineer
BRONZE EXPERT
Distinguished Expert 2019
Commented:
If you are not prompted, the credentials are stored.
Any malware worth its salt can use those credentials also, and do like you do: access the site multiple times...

So if you can authenticate once for multiple access attempts, malware can do so too AFTER you accredited your access.
It will not attempt to access before you do.

Author

Commented:
I'm not saving the credentials. I log out of the portal when done with it and have to verify through MFA if I log back in to the portal.

What I did was log in to the portal from Edge and was prompted for MFA approval. I then logged in from Chrome, without logging out in Edge, and did not get an MFA prompt in Chrome. Was that because I was already logged in from Edge?

Author

Commented:
Thanks