Ransomware processing in Exchange Online is handled in much the same way as spam, phishing, impersonation and other malware attacks. Ransomware tends to arrive in a message that can be categorized as malware and therefore eliminated before it lands in a user mailbox. Microsoft’s algorithms do an excellent job of detecting and deleting messages (or at least flagging and diverting them for review) that meet the criteria for spam and/or malware. Office 365 customers therefore tend to be better protected against such ransomware attacks than organizations that rely on a messaging hygiene vendor—which may not have the scale to review the billions of messages passing through Office 365 each day, and which must also create and push updates to on-premises systems. Organizations still running on-premises systems (including VMs hosted in Azure, AWS or similar) need to ensure updates are applied to the systems they manage, even if their provider is up to date.
Incoming traffic checks must be constant, and when something is detected, policies need to be implemented immediately to block the messages and contain any further spread. In Office 365 this happens automatically, and in some cases manually, through Microsoft’s malware team.
Since April 2018, advanced link checking and file checking have been available in Outlook to determine the level of risk before a user opens an email or file.
SharePoint Online and OneDrive
Versioning in SharePoint and OneDrive is enabled by default. This lets users revert to a version of a file saved before it was encrypted and manually reapply any updates they made in the intervening period. However, versioning won’t help when a file has been renamed and copied to another location, or deleted. In that case, following a major encryption or corruption event, individual users need to be able to recover files from the Recycle Bin, or administrators need to be able to recover SharePoint data at a higher level; for example, an administrator can recover an entire Site Collection from the Recycle Bin. Microsoft publishes an updated list of the components that can be recovered.
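The two recovery paths described above (Recycle Bin restore and rolling a file back to a pre-incident version) can be scripted for bulk recovery. The following is an added example, not code from the original post, written against PnP PowerShell; the site URL, file path, incident start time and the interactive sign-in are assumptions you would replace with your own values.

```powershell
# Added example (not part of the original post): bulk recovery after a ransomware event
# using PnP PowerShell. Assumes the PnP.PowerShell module is installed and that the
# account used has rights to the site. All values below are placeholders.

param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/finance",       # placeholder
    [datetime]$IncidentStart = (Get-Date).AddHours(-6),                      # when encryption began
    [string]$SampleFileUrl = "/sites/finance/Shared Documents/budget.xlsx"   # placeholder
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Restore what the attack deleted, but only items removed after the incident started,
#    so legitimate earlier deletions stay in the Recycle Bin for their owners to decide on.
$deleted = Get-PnPRecycleBinItem | Where-Object { $_.DeletedDate -ge $IncidentStart }
foreach ($item in $deleted) {
    Write-Host "Restoring $($item.DirName)/$($item.LeafName) (deleted $($item.DeletedDate) by $($item.DeletedByName))"
    Restore-PnPRecycleBinItem -Identity $item -Force
}

# 2. For a file that was encrypted in place (same name, new content), roll back to the
#    most recent version saved before the incident, then let the user reapply later edits.
$versions = Get-PnPFileVersion -Url $SampleFileUrl
$good = $versions |
    Where-Object { $_.Created -lt $IncidentStart } |
    Sort-Object Created |
    Select-Object -Last 1

if ($good) {
    Write-Host "Restoring $SampleFileUrl to version $($good.VersionLabel) from $($good.Created)"
    Restore-PnPFileVersion -Url $SampleFileUrl -Identity $good.Id -Force
} else {
    # No clean version exists: fall back to the Recycle Bin or an external backup.
    Write-Warning "No version of $SampleFileUrl predates the incident; recover it another way."
}
```

Run the script once per affected site; the version rollback step can be wrapped in a loop over the files the OneDrive or SharePoint ransomware alert lists as modified.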
Microsoft OneDrive includes a mechanism for alerting users to a potential ransomware incident. This end user guide can assist you in the recovery process.
Microsoft has taken steps to warn end users of the possibility of a ransomware incident and prompt users to take immediate action. Specifically, the Office 365 portal displays a warning similar to the one below.
OneDrive Recovery Wizard (Web)
The desktop client displays a similar notification, as shown below.
OneDrive Recovery (desktop) Notification.
Education, Education, Education
Ransomware attacks come in many forms, but with Office 365 the big concerns are their impact on user data files and the need to prevent malicious messages from being received at all. Your core server infrastructure should be isolated from end users so that the backend applications themselves aren’t exposed to the attack. End-user Office 365 files remain vulnerable, however, because the local PC can ‘see’ both the files and the malicious program, which can therefore execute against them.
Office 365 can stop some malicious attacks from invading your tenant, but it isn’t perfect. Office 365 can help you recover files following an incident, but it can’t prevent users from clicking on things they believe are legitimate. The most important aspect of ransomware prevention is educating users not to open certain messages, even when they look legitimate. There is always some subtle sign: terrible grammar, spelling errors, or references to obscure organizations.
We’re not suggesting you train each user to analyze every message they regard as suspicious. Rather, instill in them the idea that they are a target, that they should regard themselves as such, and that they should take common-sense precautions so as not to fall victim to yet another ransomware attack. Partnering with an organization such as Anexinet, which has vast experience protecting organizations against ransomware and disasters, is essential. If you’d like help ensuring your organization’s readiness against ransomware attacks, please don’t hesitate to reach out to us. We’d love to help you get started.