For most businesses today, data is the single most valuable technical asset. It sits at the heart of business-critical operations and of the services and processes behind normal everyday activity. For a business, protecting its data is protecting its livelihood: losing data, for any reason, can have serious consequences.
These include lost customer confidence, a ruined reputation, and direct financial loss. Protecting your data is vital to the survival of your business, and the task is two-fold: first identify the risks to your business-critical data, then implement the solutions that protect it. Many risks can end in data loss, including accidental or intentional deletion by employees, hardware failure, and natural disaster. One of the most threatening adversaries to organization data today, however, is ransomware.
Ransomware can silently encrypt massive amounts of data and bring business operations to a standstill. What is ransomware? What are the best practices for Office 365 ransomware protection? How can organizations protect themselves against this adversary, even when their data lives in the cloud?
What is Ransomware?
Malware is a standing risk to today's businesses and their data, and headlines about widespread ransomware outbreaks that disrupt even large corporations have become common. Not long ago, variants such as NotPetya, WannaCry, and Locky caused panic among IT personnel and sent many scrambling to bolster security measures and patch vulnerable systems. Ransomware is one of the most worrisome kinds of malware on the scene today. What exactly is it, and why is it especially troublesome for organizations?
Ransomware is a type of malware that quietly traverses files and folders on the local machine and on connected network drives, encrypting them as it goes. How does it get onto a corporate network? Threat actors are increasingly efficient at delivering payloads to unsuspecting users through infected email attachments, malicious scripts on websites, and booby-trapped downloads. More sophisticated variants also exploit vulnerabilities in order to spread across computer networks on their own.
The "ransom" part of the attack is the way victims are allowed to get their data back. The perpetrators offer to sell the victim the key needed to decrypt the data. Payment is usually demanded in Bitcoin, which is pseudonymous rather than truly anonymous but still makes the attackers far harder to identify than a conventional payment would.
Ransomware does not discriminate between targets; it affects everyone from home users to large enterprise environments. Widespread outbreaks often begin with email campaigns carrying the payload and can quickly leave a damage path across multiple countries, organizations, and network address spaces. How does ransomware lock you out of your data? Let's look at how it uses encryption to hold data hostage.
Ransomware Encryption and How it Works
Encryption is normally a technology that businesses and individual users deploy to protect their own data from unauthorized access by a third party. Ransomware twists that purpose and uses encryption against the data's owner. How? Encryption transforms readable data into unreadable ciphertext under a key; without the key, the data stays unreadable. Ransomware typically combines two kinds of encryption. The bulk of the work is done with a fast symmetric cipher such as AES: the malware generates a fresh symmetric key on the victim's machine and encrypts the files with it. That symmetric key is then itself encrypted with the attacker's public key, and this is where public/private (asymmetric) key encryption comes in. Depending on the family, the public key is either embedded in the malware or obtained when the infected computer contacts the attackers' command-and-control server, which generates a key pair for that victim. Only the public key ever reaches the victim's computer. A public key can encrypt but cannot decrypt, so once the malware wipes the plaintext symmetric key, nothing left on the infected system can recover the files.
The ransomware author holds the private key that is now needed to unwrap the symmetric key and decrypt your data. That key, and with it your data, is held hostage until you pay the ransom, typically in Bitcoin, to obtain the private key or a decryption tool containing it.
Unsuspecting end users and large enterprise environments caught off guard without usable backups are left with two options: pay the ransom or lose the data. Many ask whether paying the ransom protects them from future infection. It does not, and it does not even guarantee that a working key will be delivered. Trusting ransomware authors is simply not a game worth playing, especially when your data is on the line.
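To make the mechanism above concrete, here is an added example, written for this article in Go and not taken from the original page or from any ransomware family or vendor product, of the hybrid scheme: a per-file AES-256-GCM key wrapped with RSA-OAEP under the attacker's public key. It works entirely on an in-memory byte string (the sample document is constructed), never touches a file or the network, and the function and type names are this example's own. The point it demonstrates is the one the text makes: with only the public key and the wrapped key present on the machine, no key pair other than the attacker's can open the data, while the attacker's private key opens it immediately.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// LockedFile is what the victim is left with: the file's ciphertext plus the
// per-file AES key wrapped under the attacker's RSA public key.
type LockedFile struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP to the attacker's public key
	Nonce      []byte
	Ciphertext []byte
}

// attackerKeyPair stands in for the command-and-control side. Only the
// public half is ever sent to the infected machine.
func attackerKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// lockFile is the step that runs on the infected machine: draw a fresh AES key,
// encrypt the data with AES-GCM, wrap the key to the attacker's public key, wipe the key.
func lockFile(pub *rsa.PublicKey, plaintext []byte) (*LockedFile, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // the only surviving copy of the key is now the wrapped one
		key[i] = 0
	}
	return &LockedFile{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// unlockFile is what the ransom buys: the private key unwraps the AES key and
// so the file. Any other private key fails at the OAEP step.
func unlockFile(priv *rsa.PrivateKey, lf *LockedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, lf.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, lf.Nonce, lf.Ciphertext, nil)
}

// roundTrip locks a constructed sample, shows that a key pair other than the
// attacker's cannot open it, then opens it with the attacker's private key.
func roundTrip() (bool, error) {
	attacker, err1 := attackerKeyPair()
	stranger, err2 := attackerKeyPair() // stands in for anyone without the real private key
	if err1 != nil || err2 != nil {
		return false, fmt.Errorf("key generation failed: %v %v", err1, err2)
	}
	sample := []byte("Q3 board minutes (constructed sample document)")
	locked, err := lockFile(&attacker.PublicKey, sample)
	if err != nil {
		return false, err
	}
	if _, err := unlockFile(stranger, locked); err == nil {
		return false, fmt.Errorf("unlock succeeded without the attacker's private key")
	}
	got, err := unlockFile(attacker, locked)
	if err != nil {
		return false, err
	}
	return bytes.Equal(got, sample), nil
}

func main() {
	ok, err := roundTrip()
	fmt.Println("recovered with the attacker's private key:", ok, "error:", err)
}
```

Run it with `go run` to watch the round trip. The shape is also why a decryptor released for one family does nothing for another, and why recovery in practice means restoring from a backup rather than attacking the mathematics.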
How Ransomware Spreads
Ransomware spreads by a variety of methods. Ironically, phishing and other age-old tactics still work against unsuspecting or "click-happy" employees. Malware authors and spammers are getting better at making illegitimate emails look as though they come from official sources, and it is often hard to tell forged emails from legitimate ones. The telltale sign of a dangerous email is usually an embedded link or attachment that the message urges the reader to open. Emails with dangerous attachments are sometimes missed by spam or antivirus filtering and slip past the defenses on the perimeter.
Downloads, including seemingly harmless ones, are often riddled with potentially unwanted programs (PUPs) or outright malicious software such as ransomware. Malicious scripts on websites can also deliver ransomware payloads to end users by exploiting vulnerabilities in Java or other browser plugins.
Sophisticated ransomware such as Spora, WannaCrypt/WannaCry, and Petya/NotPetya can spread by more elaborate means: through network shares, or by exploiting vulnerabilities in the operating system itself.
- Spora drops copies of itself into network shares.
- WannaCrypt/WannaCry exploits the SMBv1 vulnerability CVE-2017-0144, also known as EternalBlue.
- Petya/NotPetya and other variants can also exploit CVE-2017-0145, also known as EternalRomance, and can steal credentials from infected machines in order to move east/west across a network.
- Locky and other variants search for files with specific extensions, such as documents and media files, to encrypt. A ransom note is then left as a text, image, or HTML file along with the payment instructions.
- Bad Rabbit carried a hard-coded list of usernames and passwords and used them in brute-force attempts to move across a network.
Whatever the variant and whatever the means of spreading, the result is the same: encrypted data, loss of access to it, and interrupted business continuity. The widespread WannaCry outbreak, which hit organizations in more than 100 countries across Europe, Asia, and beyond, is a case in point. Business was halted across industries including government, public services, telecom, and many others.
Office 365 Security: Ransomware Protection
Traditional means of protecting end-user computers, such as antivirus and similar utilities, are still better than no protection at all. But antivirus and even today's next-generation firewalls are simply not enough to protect your data against ransomware. Why?
Traditional antivirus works from definitions: the definitions must be up to date and must contain a match for a given variant before the software can block it, and definition updates fail on end-user computers for all sorts of reasons. Zero-day exploits and new malware variants give little or no warning and spread easily across devices that have no matching definition for the malicious code. Catching them requires looking at what a process does rather than what it looks like: mass rewriting of files with high-entropy content and unfamiliar extensions is the behavior of an encryptor, whatever its hash.
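The behavioral approach can be shown in a few dozen lines. The following is an added example written for this article (not code from the page, from Microsoft, or from Spinbackup): it reads a constructed log of file writes of the kind an endpoint agent or file-server audit would record, measures the Shannon entropy of what was written, ignores formats that are legitimately dense (archives, images, already-encrypted files), and raises an alert when one user rewrites five or more files as high-entropy blobs with unfamiliar extensions inside a minute. The event shape, field names, paths, user names, and thresholds are all assumptions of the example.

```go
package main

import (
	"fmt"
	"math"
	"path/filepath"
	"strings"
	"time"
)

// FileEvent is one file write as an endpoint agent or sync client might log it (constructed shape; events assumed in time order).
type FileEvent struct {
	When    time.Time
	User    string
	Path    string
	Content []byte
}

// Flag a user who writes minHits or more high-entropy files with unexpected extensions inside one window.
const (
	window     = time.Minute
	minHits    = 5
	minEntropy = 7.0
)

// Formats that are legitimately dense (archives, images, encrypted files) and must never count as evidence.
var compressed = map[string]bool{".zip": true, ".7z": true, ".gz": true, ".jpg": true, ".png": true, ".gpg": true}

// shannonEntropy returns bits per byte (0 to 8): text and Office documents sit well below 6, ciphertext close to 8.
func shannonEntropy(b []byte) float64 {
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n, h := float64(len(b)), 0.0
	for _, c := range counts {
		if c > 0 {
			p := float64(c) / n
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Scan returns, for each user who reached minHits, the peak number of suspicious writes inside one window.
func Scan(events []FileEvent) map[string]int {
	byUser := map[string][]time.Time{}
	for _, e := range events {
		if !compressed[strings.ToLower(filepath.Ext(e.Path))] && shannonEntropy(e.Content) >= minEntropy {
			byUser[e.User] = append(byUser[e.User], e.When)
		}
	}
	flagged := map[string]int{}
	for user, ts := range byUser {
		best, lo := 0, 0
		for hi := range ts {
			for ts[hi].Sub(ts[lo]) > window {
				lo++ // slide the window start forward until it spans at most one window
			}
			if hi-lo+1 > best {
				best = hi - lo + 1
			}
		}
		if best >= minHits {
			flagged[user] = best
		}
	}
	return flagged
}

// denseBytes stands in for ciphertext: every byte value occurs equally often, so it measures exactly 8 bits per byte.
func denseBytes(n int) []byte {
	out := make([]byte, n)
	for i := range out {
		out[i] = byte(i)
	}
	return out
}

// sampleEvents is a constructed log: alice edits a document, carol uploads a zip archive,
// and bob's spreadsheets are rewritten as ".locked" blobs within 30 seconds, as an encryptor would.
func sampleEvents() []FileEvent {
	t0 := time.Date(2018, 5, 14, 9, 0, 0, 0, time.UTC)
	ev := []FileEvent{
		{t0, "alice", "/shares/finance/q3.docx", []byte(strings.Repeat("Quarterly planning minutes. ", 64))},
		{t0.Add(3 * time.Minute), "carol", "/shares/marketing/assets.zip", denseBytes(4096)},
	}
	for i := 0; i < 6; i++ {
		ev = append(ev, FileEvent{t0.Add(5*time.Minute + time.Duration(5*i)*time.Second), "bob",
			fmt.Sprintf("/shares/finance/report-%d.xlsx.locked", i), denseBytes(4096)})
	}
	return ev
}

func main() {
	for user, n := range Scan(sampleEvents()) {
		fmt.Printf("ALERT: %s wrote %d high-entropy files with unknown extensions in one minute\n", user, n)
	}
}
```

The thresholds are deliberately conservative: a user uploading one zip archive (carol) or editing documents (alice) is not flagged, while bob's six `.xlsx.locked` rewrites within 25 seconds are. In production the same check would be fed from file-server audit logs or OneDrive sync activity, tuned against a baseline of normal writes, and would trigger isolation of the account rather than a print statement.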
Firewalls stop threats at the perimeter, as traffic enters the network. As good as next-generation firewalls have become, they do not recognize every piece of malicious software passing through their interfaces, and they see nothing of traffic that never crosses the perimeter, such as ransomware moving east/west between internal hosts.
Untrained or unsuspecting end users present a tremendous threat through their own activity. Despite protection at the endpoint and at the gateway, an end user can inadvertently introduce malicious software into the environment, and that software then runs with every permission the user holds on the network, including write access to every mapped share.
Patching vulnerabilities in affected systems is a necessary part of protecting against the ransomware threat. As mentioned, many of the sophisticated variants exploit vulnerabilities in protocols and services of Microsoft's Windows operating system to move across the network.
The only reliable way to know you can get your data back, whatever the threat, is data protection. Regular backups that are resilient and stored off site let you recover from a ransomware infection that has successfully infiltrated your environment, with one important caveat: a backup that the infected machine can write to, such as a mapped backup share or a continuously synchronized folder, can be encrypted right along with the live data, so backups must be isolated from the systems they protect. While security is an absolute must and critically important to business survival in today's threat-filled, technology-centric world, no amount of security can absolutely guarantee the safety of your organization's data. Organizations MUST expect and plan for data loss at some point due to a ransomware or other malware infection.
What are the large software vendors saying about Office 365 security and effective ransomware protection? Citing Microsoft as an example, note that backups head its list of ways to protect against ransomware:
- Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite.
- Apply the latest updates to your operating systems and apps.
- Educate your employees so they can identify social engineering and spear-phishing attacks.
- Controlled folder access. It can stop ransomware from encrypting files and holding the files for ransom.
It is obvious that backing up your data is critically important!
What about the public cloud? Many organizations today are moving to the public cloud for hosting their business-critical services and data. Is the cloud immune to the threat of ransomware as many have assumed? Isn’t ransomware an “on-premises” problem only?
Ransomware in the Public Cloud?
Public cloud environments have become a staple for hosting mission-critical data and services for many of today's businesses, and adoption will only continue to increase. Through hyperscale providers such as Google, with G Suite and Google Cloud Platform, and Microsoft, with Office 365 and Azure, businesses have access to world-class datacenters and Software-as-a-Service platforms that would otherwise be unobtainable. Many have made the mistake of assuming that data housed in the public cloud is somehow immune to the effects of ransomware.
Organizations must reexamine that assumption. Cloud storage provides tremendous scalability and connectivity, but at the end of the day it is as susceptible to ransomware as on-premises data. With OneDrive for Business, organizations synchronize data from end-user devices up to cloud storage, and the sync client faithfully uploads whatever is on disk: when ransomware encrypts a synchronized folder on an endpoint, the encrypted versions are synchronized to the cloud just like any other change.
Microsoft has made restoring earlier versions of OneDrive files fairly easy, but the built-in restore only reaches back 30 days and covers only OneDrive, not the other services. What if you need to restore files older than 30 days? Office 365 email, which serves many of today's enterprises, is not covered by this recovery provision either. Ransomware can encrypt the emails in an Office 365 mailbox, as Kevin Mitnick demonstrated in the video here. Without a backup of Outlook email data, encrypted messages are unreadable without the decryption key. Can you imagine a widespread encryption of business-critical Outlook email in your organization?
Microsoft provides ability to restore OneDrive files only with 30 days of history
Organizations must account for and plan for these events happening at some point. The built-in tools provided natively with Microsoft Office 365 are simply not robust enough to protect all the essential Office 365 services used by organizations today. How can you effectively protect Office 365 data from the threat of ransomware? You must employ robust data protection that protects all mission critical services. Let’s see how Spinbackup provides far superior protection when compared to Microsoft’s built-in backup and recovery capabilities.
Protect Office 365 Environments from Ransomware with Spinbackup
Spinbackup is an API-based CASB armed with machine-learning capabilities that provides superior data protection capabilities for Office 365 environments. When focusing in on backup and recovery of Office 365 environments, how does Spinbackup allow organizations to confidently protect data from ransomware?
Spinbackup provides the following backup and recovery benefits to Office 365 environments:
- Automated daily backups that can be configured to run 1x or 3x daily
- Incremental backups stored in Google Cloud Storage or AWS, so that your protected data lives separately from the Office 365 environment
- Security of data both in-flight and at-rest means your data is encrypted while it is in transit and when it is stored on disk in the cloud
- One-click recovery restores selected items, or the data of an entire account, with a single click
- Data protection notifications keep administrators alert to backup and restore events
- Backs up not only OneDrive for Business but also Outlook mail, Calendar, and People (contacts)
- Makes data migration extremely easy by simply choosing a different user account during a restore operation. Granular files or entire data sets can be migrated to different user accounts.
- Weekly and monthly reports monitor status of your protected data
- Unlimited restore points.
Spinbackup data protection provides unlimited restore points for reverting Office 365 data including Outlook email
Spinbackup provides enterprise-ready data protection for businesses utilizing Microsoft’s Office 365 environment. Organizations need a solution that allows protecting all Office 365 services containing data that could potentially affect business continuity without being limited to OneDrive for Business. Spinbackup allows businesses today who already have data in Office 365 or those thinking of migrating data to Office 365 to meet the challenge of ransomware head-on.
The threat of ransomware to crucial business data is very real, and it is not limited to on-premises environments but extends to the public cloud. Ransomware holds your data hostage by combining symmetric encryption of the files with public/private key encryption of the file keys. Because the attackers hold the private key, anything encrypted under the public key on the victim's machine stays unreadable until that private key is handed over.
Organizations without effective data protection in place face a choice between paying the ransom demanded by the attackers and simply suffering the loss of the data. For today's technology-centric online businesses, neither is acceptable. Data stored in the public cloud is vulnerable to many of the same ransomware threats, including the encryption of files and email.