How Safe is Onedrive Against Ransomware Attack?

How Safe is Onedrive Against Ransomware Attack?

OneDrive for Business

A number of businesses of late have come to rely on OneDrive for Business as their sole means of endpoint data protection. With Microsoft 365 becoming widely prevalent, businesses are viewing OneDrive as ‘free’ endpoint backup. Some have even gone to the extent of discarding their commercial-grade endpoint backup solutions in favor of using OneDrive to save costs.

While OneDrive has several fine features to recommend it, one of the things it definitely is NOT is a backup solution.

And businesses that rely on OneDrive exclusively for data protection may end up finding this out the hard way. But for this blog post, let’s focus on ransomware.

Conventional wisdom now states that one of the best defenses against ransomware is a reliable backup. Having a safe, secondary copy of your data means you don’t have to negotiate with the attacker while being held hostage. You can restore your data back on your terms and thus control your own destiny. The question is whether the data copy in OneDrive is adequate to protect you against ransomware.

In the past few years, too many businesses have grown to rely on OneDrive for Business as their go-to means of protecting their data. With Microsoft 365 becoming so pervasive, businesses view OneDrive as a ‘free’ endpoint backup. Indeed, some went so far as scrapping their commercial-grade backup solutions in favor of OneDrive as a way of saving money.  

Despite its many cool features, OneDrive is not a backup solution. Too many businesses discovered this lesson the hard way, relying solely on OneDrive for their data protection. For the purposes of this blog post, let’s narrow our conversation down to ransomware and focus on Office 365 ransomware protection.  

Did you know?  

  • Deleted item retention: Both OneDrive and SharePoint Online retain deleted items for 93 days by default. 
  • Point-in-time recovery: Only OneDrive offers the ability to recover to a specific point in time, up to 30 days. 

However, be aware that ransomware can infect and hide itself for weeks or months before launching an attack. 

A good backup is often considered one of the most natural and strongest defenses against ransomware. That is, when you have a safe, secondary copy of your data, you don’t have to negotiate with the attacker; you can restore your time and terms and stay in control. However, can OneDrive’s data copy protect you against ransomware? 

The Problems

Ransomware The Problems

1. Exposure to ransomware

OneDrive is a sync solution that is designed to quickly replicate file changes on your endpoint system to the cloud. This means all modifications to files on the endpoint – good and bad. Changes, deletions, and alterations caused to files due to a ransomware attack can also be faithfully replicated to OneDrive without delay. So, as it turns out, your backup copy can be just as susceptible as your primary copy. Not a great defense against ransomware.


2. The Site Recycle Bin

But there is a somewhat better way. Remember that ransomware usually deletes the original files and creates a new substitute file with a mangled name and encrypted contents. So, a lot of the original files end up in the SharePoint site recycle bin. This bin has a 30-day clock ticking against every file that lands in it. So, assuming the recycle bin hasn’t been deleted by anyone in those 30 days, an individual user can restore their OneDrive to a previous time. In fact, Microsoft recently introduced a new feature called “Restore your OneDrive” which allows you to roll your OneDrive back to an earlier point in time – up to 30 days ago.

Now, remember, there’s no centralized way to do this for multiple users. You’ll have to get each of your affected business users to do this with their OneDrive accounts. So, imagine doing that with several hundred users, who are not necessarily technically savvy, racing against a 30-day clock.

3. The Site Collection Recycle Bin

If you miss this 30-day period (God forbid), for the next 63 days, these files get moved to the site collection recycle bin – which only a SharePoint Admin can access. At this point, individual users can’t do the OneDrive restores on their own.

The SharePoint Admin has to restore for them. Now, imagine going through this type of restore process for several hundred users with a 30 or 60-day deadline dangling over your head.

4. Ransomware continues to get better

Most important – all this assumes that your versions and the recycle bins are immune from the ransomware attack. Ransomware authors continue to innovate each day, and the word is that there are new strains of ransomware designed to compromise the recycle bin(s) – which then naturally leaves the OneDrive user (or administrator) with no recourse but to negotiate with the ransomware attackers.

Do you have specific requirements or enterprise needs?

What you can do

Ransomware attack solutions

1. Use a commercial-grade backup solution

If you are protecting endpoints, invest in a commercial-gradebackup solution. In my opinion, this is a no-brainer and is non-negotiable. Don’t try to cut corners by using OneDrive – it’s just not worth it.

2. Make sure your backups are immutable

Look for backup solutions that have invested time and effort in ensuring that they have an immutable copy of data. This data is typically not only encrypted and versioned; it is stored securely away to prevent tampering and to keep it insulated from changes that happen on the user endpoint. To learn more about immutable and tamper-proof backups, check out Parablu’s BluVault. 

3. Ensure you can control retention times

Not only can many commercial-grade backup solutions go back in time to a previous copy of data (from before the ransomware attack), they also let you control the retention, which means you don’t have a pre-determined 30, 60, or 90-day clock looming when you already have your hands full recovering from a ransomware attack.

4. Make sure your restores are a breeze

And with solutions like BluVault, data recovery is simple. Select a device, folder, file, or even a file version. Click and walk away. Data is restored faithfully, including folder and sub-folder structure to the destination of your choice.

5. Look for centralized management

And you should be able to manage multiple users/devices – all from a centralized console. You may delegate users to do their own recovery if you wish – but you should still be able to see what they did, when they did it, whether they were successful – and how many users you still have left to go. There should be no guesswork.


Use a commercial-grade backup solution

If you still would like to use OneDrive to protect your users, that’s fine. But then, make sure to backup your OneDrive for Business data. Solutions like Parablu’s BluVault for Microsoft 365 offer cloud-cloud backups of your Microsoft 365 assets like Exchange Online and OneDrive for Business. Having frequent and reliable copies of your OneDrive data to an alternate cloud destination is a sure-fire way of defending yourself against a ransomware attack.

This way, if the OneDrive versions and the recycle bin fail you, you know you have a safe backup you can fall back to.

A sound backup strategy should be a critical part of every organization’s Information Technology plan, including user endpoints. With many employees now spread out and working from home, in unsecured and unsupervised environments, it is all the more important to ensure that their data has enterprise-class protection. Modern, enterprise-class backup solutions like Parablu’s BluVault can use your OneDrive storage securely to provide you with a commercial-grade backup solution – giving you the best of both worlds.

OneDrive for Business is a great business productivity tool designed to sync file data for immediate and easy accessibility. But businesses would be remiss in mistaking it for a backup and relying on it entirely for ransomware protection.

I hope this blog post has helped the reader understand the anatomy of the recovery process from OneDrive. Think through the ramifications of the decision you make regarding your endpoints – before you choose to use OneDrive exclusively.

How Ransomware Can Impact Microsoft 365

Advanced attacks using ransomware start aiming at Microsoft’s cloud services, such as Office 365 and SharePoint. Microsoft 365, where Office 365 is placed, has grown in usage tremendously because its clients appreciate the power of productivity tools it has, making it a rich target for cybercriminals. 

Ransomware’s entry points to a Microsoft 365 environment can occur through various vectors, such as phishing emails, attachments carrying malware, or compromised credentials. This could lead to the encryption of files in OneDrive, SharePoint, and Exchange Online, thus leaving them unavailable to users. This may result in enormous operational disruption, data loss, or even financial damage. In addition, ransomware could proliferate on other synced devices, exacerbating the situation. 

The organizations should hence develop comprehensive strategies for Office 365 ransomware protection that include regular backups, educate the users, and put in place multi-factor authentication. This will significantly reduce the chances of a ransomware attack being able to get through and cause devastating damage. 

Microsoft 365 Security Features for Robust Ransomware Protection

Microsoft has embedded various resilient security capabilities to protect against ransomware in Microsoft 365, thereby providing protection for threat detection, prevention, and rapid response to threats. 

  • Advanced Threat Protection: Microsoft 365 is available with ATP. It scans emails, links, and attachments for malicious content. This is due to machine learning, which identifies and blocks ransomware before it hits users.
  • Safe Attachments and Links: This M365 feature run real-time scans on links and attachments to prevent them in the event of threats identified within the content. 
  • OneDrive Version History: OneDrive maintains version history files that give users the possibility to restore the state of a file before it gets encrypted.
  • Security and Compliance Center: This acts as a hub from which administrators monitor and manage security across Microsoft 365, ensuring consistent policy application and protections. 
  • Regular Backups: Regular backup of data within Microsoft 365 may help an organization restore their data without the requirement to pay the ransom. 

With the above-mentioned tools and best practices for Office 365 ransomware protection, it will put the organization in a very good position to enhance their security. Also, it will help them to protect their organization’s data against ransomware attacks. 

Security concerns in Microsoft 365

Even with the high degree of security features offered within Microsoft 365, it is certainly not immune to any type of security threat. Its administrators must be aware of the impending vulnerabilities and take measures to plug them in. 

  • User Credentials: Weak passwords are one big issue; implementing MFA and strong password policies at all costs is very important. 
  • Phishing Attacks: Even though this is a very basic approach, phishing remains the most common distribution method for ransomware. This makes continuous user education and frequent phishing campaigns very important in making users aware of phishing activities. 
  • Data Encryption: Although Microsoft does both in-transit and at-rest encryption of data, more measures concerning the encryption of data might still be necessary, especially sensitive information. 
  • Third-Party Integrations: Integrations between third-party applications and Microsoft 365 sometimes expose an organization to vulnerabilities associated with these apps. Reviewing and managing application permissions becomes very critical and important in keeping risks at minimal levels. 
  • Compliance and Auditing: Industry-standard compliance and regular audits can be done to identify security gaps that must be filled. 

The importance of SharePoint ransomware protection and the overall security of Microsoft 365 environments will be enhanced by addressing these concerns. 

Request demo

Microsoft Tools for Defending Against Ransomware

Microsoft provides a comprehensive range of tools to combat ransomware and other cyber threats, encompassing protection, detection, and response capabilities.

  • Microsoft Defender for Office 365: It is a protection against advanced threats with anti-phishing, anti-spam, and anti-malware protection that performs investigation and remediation in an automated way. 
  • Microsoft Cloud App Security: This is a security solution that monitors and controls access to cloud apps. It provides real-time visibility into users’ activities and detects the possibility of threats.
  • Microsoft Information Protection: Help with classifying, labeling, and protecting sensitive information across Microsoft 365 services. 
  • Conditional Access Policies: This enables admins to lock down exactly under which conditions the user might use Microsoft 365 resources, thus making them more secure. 
  • Audit Logs and Alerts: Microsoft 365 supports robust logging and alerting capabilities for administrators to monitor suspicious activities and act on threats in due time. 

These tools properly applied, along with comprehensive strategies to attain full security, raising the level of Office 365 ransomware protection and securing data. 

Can ransomware infect SharePoint?

Yes, ransomware can infect SharePoint. As much as SharePoint offers a rich security baseline, that does not mean that it is completely safe from ransomware attacks. In most cases, ransomware enters SharePoint through previously compromised user accounts or through malicious file uploads and vulnerable third-party integrations. Having acquired access, ransomware will start encrypting files sitting in SharePoint; this will hamper business performance and potentially lead to data loss. 

Setting tight access control, performing security audits at regular intervals, and having user education programs are critical to protecting SharePoint from ransomware. Furthermore, we must activate the advanced threat protection and data loss prevention features already present in Microsoft 365 to lower infection risks and promote an efficient SharePoint ransomware protection system.

OneDrive is another highly popular service from Microsoft. It has its SOPs on controlling ransomware: while an easy solution for storing and sharing files, it synchronizes to copy documents that are already infected, in some ways contributing to the actual propagation of ransomware. 

 Parablu’s BluVault is designed to enable robust data backup from user endpoints, SaaS workloads (Microsoft 365), and edge servers. Our patented integration with Microsoft 365 and OneDrive for Business also means that you can deploy BluVault without spending a penny for backup storage. Sound interesting? Reach out to us and learn more.

Do you have specific requirements or enterprise needs?

Share the Post:
Scroll to Top