Ransomware and MS OneDrive

my desktop PC has a USB connection to an external HDD that I normally leave turned off. I use Macrium Reflect to make images of my system drive, and save these to my external HDD, so that in the case of a ransomware infection, I can nuke everything (i.e. format all drives) and restore my OS from the most recent un-infected image.

 

So far, I have been, without explicitly considering it, assuming that copies of my documents in One Drive would be unaffected. To elaborate on my set up, all of the special Windows 10 user folders (Documents, Pictures, etc. ) are in my One drive folder, so they are automatically synced/backed-up to MS's cloud.

 

My question is am I wrong to think that I can just restore ransomware encrypted files from their synced copies in the cloud?

 

Might syncing the ransomware encrypted files lead to the cloud versions also being encrypted?

Edited by yu gnomi, 07 March 2017 - 01:55 AM.

 

My question is am I wrong to think that I can just restore ransomware encrypted files from their synced copies in the cloud?

 

Might syncing the ransomware encrypted files lead to the cloud versions also being encrypted?

The answer to both your questions is a complex combination of "yes and no" and it's all dependent on timing.

 

If your machine were infected and the last file sync to OneDrive occurred immediately prior to the infection and the next sync has not yet occurred, then your files out in the cloud on OneDrive would be uninfected.

 

If, however, a sync occurs after the infection then the files on OneDrive in the cloud are synced copies of your infected files.

 

I would never, ever, rely on cloud storage from OneDrive (or Google Drive Sync or any "sync my files as they exist on my machine to cloud storage on a routine interval" software) to serve as a recovery mechanism.  The probability of a sync after infection is just too high.

 

Using a backup drive, whether your own or Cloud based, where you control when backups are taken and there is no possibility of a backup after infection or the setup keeps versioned backups where you can go back to a pre-infection backup is the only safe way to go.

Thank you for your reply.

 

I was suspecting that cloud copies might not be safe from infection, but I wasn't sure. I already back-up my system drive with Reflect, so now I'll also back up my HDD (where my OneDrive folder is) as well.

US-CERT Alert (TA13-309A) advises some crypto malware variants have the ability to target, find and encrypt files located within network drives, shared (mapped network paths), USB drives, external hard drives, and even some cloud storage drives if they have a drive letter. In most cases, if you're using a cloud backup that provides strong encryption, includes versioning and does not utilize a drive letter (cloud backups typically do not use those), then you should be safe from crypto ransomware as you can back up to the date prior to the infection. Some of our crypto malware experts recommend cloud services such as CrashPlan, Carbonite or Dropbox.

OneDrive is Microsoft's data hosting cloud service that allows users to sync files and later access them from a web browser or mobile device. I do not use OneDrive, but from what I understand the source data (like GoogleDrive) resides locally in the OneDrive folder. If that gets encrypted by ransomware, it will get encrypted in the Cloud service as well since it gets automatically synchronized. However, according to Microsoft, OneDrive has the capability to restore files affected by ransomware by using Version History or restoring from the OneDrive Recycle Bin...see OneDrive vs. Ransomware which includes links with instructions for recoveing OneDrive-based files using Version History and the OneDrive Recycle Bin.

• How to Deal with Ransomware: How can I remediate a ransomware attack?
• Because Ransomware: OneDrive for Business to Get "Files Restore" Option

IMPORTANT!!! When implementing a backup strategy include testing to ensure it works before an emergency arises; routinely check to verify backups are being made and stored properly; remove (disconnect) and isolate all backups from the network or home computer...if not, you risk ransomware infecting them when it strikes.