Ransomware and MS OneDrive



#1 yu gnomi


Posted 07 March 2017 - 01:53 AM

My desktop PC has a USB connection to an external HDD that I normally leave turned off. I use Macrium Reflect to make images of my system drive, and save these to my external HDD, so that in the case of a ransomware infection, I can nuke everything (i.e. format all drives) and restore my OS from the most recent un-infected image.

 

So far, I have been, without explicitly considering it, assuming that copies of my documents in OneDrive would be unaffected. To elaborate on my setup, all of the special Windows 10 user folders (Documents, Pictures, etc.) are in my OneDrive folder, so they are automatically synced/backed up to MS's cloud.

 

My question is: am I wrong to think that I can just restore ransomware encrypted files from their synced copies in the cloud?

 

Might syncing the ransomware encrypted files lead to the cloud versions also being encrypted?


Edited by yu gnomi, 07 March 2017 - 01:55 AM.



 


#2 britechguy


Posted 07 March 2017 - 10:40 AM

 

> My question is: am I wrong to think that I can just restore ransomware encrypted files from their synced copies in the cloud?
>
> Might syncing the ransomware encrypted files lead to the cloud versions also being encrypted?

The answer to both your questions is a complex combination of "yes and no" and it's all dependent on timing.

 

If your machine were infected and the last file sync to OneDrive occurred immediately prior to the infection and the next sync has not yet occurred, then your files out in the cloud on OneDrive would be uninfected.

 

If, however, a sync occurs after the infection then the files on OneDrive in the cloud are synced copies of your infected files.

 

I would never, ever, rely on cloud storage from OneDrive (or Google Drive Sync or any "sync my files as they exist on my machine to cloud storage on a routine interval" software) to serve as a recovery mechanism.  The probability of a sync after infection is just too high.

 

Using a backup drive, whether your own or cloud-based, where you control when backups are taken and there is no possibility of a backup after infection, or the setup keeps versioned backups where you can go back to a pre-infection backup, is the only safe way to go.


Brian AKA Bri the Tech Guy (website in my user profile) - Windows 10 Home, 64-Bit, Version 1803, Build 17134

     . . . the presumption of innocence, while essential in the legal realm, does not mean the elimination of common sense outside it. The willing suspension of disbelief has its limits, or should.

    ~ Ruth Marcus, November 10, 2017, in Washington Post article, Bannon is right: It’s no coincidence The Post broke the Moore story

#3 yu gnomi


Posted 07 March 2017 - 12:51 PM

Thank you for your reply.

 

I was suspecting that cloud copies might not be safe from infection, but I wasn't sure. I already back up my system drive with Reflect, so now I'll also back up my HDD (where my OneDrive folder is) as well.



#4 quietman7


Posted 08 March 2017 - 09:40 PM

US-CERT Alert (TA13-309A) advises some crypto malware variants have the ability to target, find and encrypt files located within network drives, shared (mapped network paths), USB drives, external hard drives, and even some cloud storage drives if they have a drive letter. In most cases, if you're using a cloud backup that provides strong encryption, includes versioning and does not utilize a drive letter (cloud backups typically do not use those), then you should be safe from crypto ransomware as you can back up to the date prior to the infection. Some of our crypto malware experts recommend cloud services such as CrashPlan, Carbonite or Dropbox.

OneDrive is Microsoft's data hosting cloud service that allows users to sync files and later access them from a web browser or mobile device. I do not use OneDrive, but from what I understand the source data (like Google Drive) resides locally in the OneDrive folder. If that gets encrypted by ransomware, it will get encrypted in the Cloud service as well since it gets automatically synchronized. However, according to Microsoft, OneDrive has the capability to restore files affected by ransomware by using Version History or restoring from the OneDrive Recycle Bin...see OneDrive vs. Ransomware which includes links with instructions for recovering OneDrive-based files using Version History and the OneDrive Recycle Bin.

IMPORTANT!!! When implementing a backup strategy include testing to ensure it works before an emergency arises; routinely check to verify backups are being made and stored properly; remove (disconnect) and isolate all backups from the network or home computer...if not, you risk ransomware infecting them when it strikes.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
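
The timing argument from replies #2 and #4, worked through as an added example that is not part of any post in this thread: given each file's cloud version timestamps and the time of infection, it decides whether the current cloud copy is still clean, whether an earlier version can be rolled back to, or whether nothing usable exists. The paths, timestamps, function name and history layout are constructed for illustration; a real service exposes version history through its own interface.

```python
from datetime import datetime

# Constructed sample data: cloud version timestamps per file, oldest first.
# Paths and times are hypothetical, not taken from the thread.
HISTORY = {
    "Documents/taxes.xlsx": [
        datetime(2017, 3, 1, 9, 0),
        datetime(2017, 3, 6, 18, 30),
        datetime(2017, 3, 7, 2, 15),   # synced after infection
    ],
    "Pictures/cat.jpg": [
        datetime(2017, 3, 7, 2, 16),   # only version is post-infection
    ],
    "Documents/notes.txt": [
        datetime(2017, 2, 20, 12, 0),  # not re-synced since infection
    ],
}


def plan_restore(history, infected_at, keeps_versions=True):
    """Pick, per file, the newest cloud version synced before infection.

    keeps_versions=False models a sync-only service that retains just the
    newest copy, so a single post-infection sync leaves nothing to restore.
    """
    plan = {}
    for path, versions in history.items():
        if not versions:
            plan[path] = ("unrecoverable", None)
            continue
        available = sorted(versions) if keeps_versions else [max(versions)]
        clean = [v for v in available if v < infected_at]
        if available[-1] < infected_at:
            plan[path] = ("keep-current", clean[-1])   # no sync since infection
        elif clean:
            plan[path] = ("roll-back", clean[-1])      # versioning saves the file
        else:
            plan[path] = ("unrecoverable", None)       # every copy is post-infection
    return plan


if __name__ == "__main__":
    infected_at = datetime(2017, 3, 7, 1, 0)
    for versioned in (True, False):
        print("versioned" if versioned else "sync-only")
        plan = plan_restore(HISTORY, infected_at, versioned)
        for path, (action, ts) in plan.items():
            print(f"  {path}: {action} {ts or ''}")
```
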
