What is Ransomware?
Ransomware is a type of malware that prevents users from accessing their devices, files or applications until the victim pays a ransom (money or information) to regain access. The ransomware we most often see encrypts the user's files (for example Crowti, Tescrypt and Locky) and then demands a ransom in Bitcoin or a similar payment method. If you would like to learn more about ransomware in general, take a look at the articles and blog posts listed under the references section at the end of this post.
How can I protect my users from ransomware?
Office 365 has several integrated protections against malware that are enabled by default; however, we still see customers affected by ransomware. There are several ways this can happen, for example when users visit a website that serves ransomware or open an infected email attachment from their personal or corporate email accounts. Attachment types that can carry ransomware include:
- Executables (ade, adp, ani, bas, bat, chm, cmd, com, cpl, crt, hlp, ht, hta, inf, ins, isp, job, js, jse, lnk, mda, mdb, mde, mdz, msc, msi, msp, mst, pcd, reg, scr, sct, shs, url, vb, vbe, vbs, wsc, wsf, wsh, exe, pif, etc.)
- Office files that support macros (doc, xls, docm, xlsm, pptm, etc.)
Below are some recommendations to protect your users against this threat.
Provide security awareness and education
Providing security awareness and education to your users is good practice and an effective prevention mechanism. Users who can recognize security threats such as ransomware are less likely to fall for them. Educating users on how to react to a security incident, or when their device has been infected with ransomware, also makes the recovery process less painful and minimizes the risk of the infection spreading further.
Keep antivirus/antimalware solutions running and up to date
Installing an antivirus solution such as Windows Defender and keeping it up to date will prevent many ransomware and malware infections in your organization. Windows Defender and Microsoft Security Essentials help protect your users and proactively remove many known ransomware families, such as Crowti, Tescrypt, Nymaim, Troldesh and Reveton.
Enable Microsoft Active Protection Service (MAPS) cloud-based protection
Microsoft Active Protection Service (MAPS) is a cloud-based service that provides greater malware protection through cloud-delivered blocking decisions, using the latest ecosystem-wide detection techniques available in the cloud. To learn more about MAPS and how to enable it, see the "MAPS in the cloud: How can it help your enterprise?" blog post.
Regularly backup your files
As recommended by the Microsoft Malware Protection Center (MMPC) in its "Backup the best defense against (Cri)locked files" blog post, back up your files on a regular basis: enable System Restore, use manual syncing methods, or simply copy your files to a separate drive. Keep the backups on external storage that is not mapped as a drive or synced to the machine; ransomware encrypts every location it can write to, so a permanently connected backup drive is just another target.
Use OneDrive for Business
OneDrive for Business can be used as a protection mechanism against ransomware. If your organization utilizes OneDrive for Business, OneDrive will allow you to recover files stored in it. More on this in the "Recover your files in your OneDrive for Business" section below.
Beware of Phishing emails and Malicious attachments
Be careful when opening emails and look for phishing indicators, especially if the message carries an attachment type that can deliver ransomware (executables and scripts such as .exe, .js, .vbs and .ps1, or Office document types that support macros such as .doc, .xls or .xlsm). For more details about phishing emails and how to mitigate them, take a look at our previous blog post, "How to review and mitigate the impact of phishing attacks in Office 365".
Keep Windows and installed software up-to-date
Use the latest versions of your operating system and installed software (browser, mail client and so on). Newer versions of Windows and other software ship with features that help prevent security threats: Windows 10, for example, includes Windows Defender with MAPS cloud-based protection by default, and the latest Microsoft browsers have SmartScreen enabled to stop users from visiting known malicious websites or downloading known malicious files. It is essential that the software your users run (browsers, Java, Flash and so on) is kept up to date, since updates and patches fix known security vulnerabilities and add new security functionality.
Enable file history or system protection
If you are infected by ransomware, you should be able to recover your files from File History as described in Step 4 below. To recover previous versions of your files on Windows 10 or Windows 8.1 devices, File History must already be enabled and a drive set up for it. On Windows 7 and Windows Vista the feature is named System Protection. Note that some ransomware also encrypts or deletes these backup versions, in which case this is not a viable recovery path, so keep an offline backup as well.
Use Exchange transport rules to protect users against email attachments that can carry ransomware
Exchange transport rules can be used for:
- Warning users about the risk of macros when they receive attachments with file extensions that support macros.
- Tracking which users have received attachments with file extensions that support macros.
- Blocking mail whose attachments allow users to run macros (especially legacy file extensions like .doc) or are executables.
In addition, you can disable macros in Office documents to help prevent infections on your devices. To learn how to implement the mitigations mentioned above, take a look at the how-to section at the end of this post.
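The three transport-rule mitigations above (warn, track, block), together with the attachment types called out in the phishing section, as an added Exchange Online PowerShell example. This is not code from the original post or its how-to section. It assumes an already connected Exchange Online PowerShell session (see Step 2 below for how one is opened), and the mailbox secops@contoso.com and the two extension lists are assumptions to adapt to your tenant.

```powershell
# Added example, not from the original post. Assumes an existing Exchange Online
# PowerShell session; secops@contoso.com and the extension lists are assumptions.

# Office formats that can carry VBA macros: the legacy binary formats plus the
# explicitly macro-enabled OOXML formats.
$macroExtensions = @(
    'doc','dot','xls','xlt','xla','ppt','pot','pps',
    'docm','dotm','xlsm','xltm','xlam','pptm','potm','ppam','ppsm','sldm'
)

# Script and executable extensions (from the list earlier in this post, plus .ps1).
$executableExtensions = @(
    'exe','com','pif','scr','bat','cmd','js','jse','vbs','vbe','wsf','wsh','wsc',
    'hta','ps1','msi','msp','reg','lnk','chm','cpl'
)

# 1. Warn: tag the subject and prepend a notice so the recipient pauses before
#    clicking "Enable Content".
New-TransportRule -Name 'Ransomware - warn on macro-capable attachment' `
    -AttachmentExtensionMatchesWords $macroExtensions `
    -PrependSubject '[Macro-capable attachment] ' `
    -ApplyHtmlDisclaimerText '<p><b>Caution:</b> this message has an attachment that can run macros. Do not enable macros unless you expected this file from this sender.</p>' `
    -ApplyHtmlDisclaimerLocation Prepend `
    -ApplyHtmlDisclaimerFallbackAction Wrap `
    -Mode Enforce

# 2. Track: generate an incident report to the security team for every such message.
#    If a campaign is later confirmed, this is the list of recipients to contact.
New-TransportRule -Name 'Ransomware - track macro-capable attachment' `
    -AttachmentExtensionMatchesWords $macroExtensions `
    -GenerateIncidentReport 'secops@contoso.com' `
    -IncidentReportContent Sender, Recipients, Subject `
    -Mode Enforce

# 3. Block executables. Conditions inside one rule are ANDed, so two rules are used:
#    the extension match catches the obvious names, and the executable-content
#    condition catches an .exe renamed to something innocuous.
New-TransportRule -Name 'Ransomware - block executable attachment by extension' `
    -AttachmentExtensionMatchesWords $executableExtensions `
    -RejectMessageReasonText 'Executable or script attachments are not accepted. Ask the sender to share the file another way.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Enforce

New-TransportRule -Name 'Ransomware - block executable attachment by content' `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments are not accepted.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Enforce

# Verify the rules exist, are enabled, and evaluate in the order you expect.
Get-TransportRule |
    Where-Object { $_.Name -like 'Ransomware*' } |
    Format-Table Priority, Name, State, Mode -AutoSize
```

Start the warn and block rules with -Mode Audit for a week and review the reports before switching to Enforce; legacy .doc and .xls files are still common from partners, and a rejection rule that fires on them generates its own incident. Extension matching alone is weak, which is why the content-based rule is there, and neither replaces disabling macros on the endpoint.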
How can I remediate a ransomware attack?
Many ransomware attacks are quite sophisticated, and users can still fall victim to them regardless of protective measures. If you or somebody in your organization falls victim to a ransomware attack, keep in mind that there is no guarantee that paying the ransom will give you access to your files, and paying can also mark you as a target for more malware. When dealing with ransomware, reacting in a timely manner is key: act as soon as possible and do not postpone dealing with the problem. If you wait more than two weeks, your ability to remediate effectively is dramatically reduced. The steps below assume you are using Office 365 and OneDrive for Business; if you are not a subscriber, the local file restoration steps can still be of use.
Step 1: Make sure you have a backup of your files
We cannot guarantee that you will be able to recover your data. Make sure that you have a backup as we previously discussed under the "Regularly backup your files" section of this blog post.
Step 2: Disable ActiveSync & OneDrive Sync
Exchange ActiveSync is the protocol that mobile devices and some mail clients use to sync a mailbox in Exchange Online. If you suspect your email data may be targeted by the ransomware, disable ActiveSync temporarily so that an infected device cannot push changes to the data in the cloud. To disable ActiveSync, run the following script in PowerShell:

```powershell
# Connect to Exchange Online using your admin credentials.
# Note: this legacy remote PowerShell connection uses Basic authentication, which
# Microsoft has since retired; on current tenants use Connect-ExchangeOnline instead.
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Enter the target user whose ActiveSync access should be disabled
# (double quotes so the apostrophe in "user's" does not end the string).
$userEmail = Read-Host -Prompt "Please enter the user's email to disable ActiveSync"

# Disable ActiveSync for that mailbox. Optionally disable other client protocols too:
#   -OWAEnabled $false -MAPIEnabled $false -IMAPEnabled $false -PopEnabled $false
Set-CASMailbox -Identity $userEmail -ActiveSyncEnabled $false

# Confirm the change took effect
Get-CASMailbox -Identity $userEmail | Format-List ActiveSyncEnabled, OWAEnabled, MAPIEnabled, ImapEnabled, PopEnabled
```
OneDrive Sync is the client that syncs document data to OneDrive for Business. Disabling sync for the affected users protects your cloud data from being overwritten by encrypted copies pushed from potentially infected devices. If you know there is only one affected device, you can use the "Pause Syncing" feature built into the local client instead.
Step 3: Remove the malware from the affected devices
Run a full scan with your antivirus and remove the ransomware from all devices you suspect could be affected, including any devices you sync content with or that have mapped drives to the same storage. If you do not have an antivirus solution installed, or your solution cannot detect the threat, use Windows Defender or Microsoft Security Essentials. Another alternative that helps remove ransomware is the Malicious Software Removal Tool (MSRT). If none of these is enough, run Windows Defender Offline or follow the advanced troubleshooting instructions.
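The Windows Defender part of this step, together with the MAPS recommendation from the protection section above, as an added PowerShell example. This is not code from the original post; it assumes an elevated PowerShell prompt on a Windows 8.1 or Windows 10 device where Windows Defender is the active antivirus (the Defender cmdlets are not available when a third-party product has disabled it).

```powershell
# Added example, not from the original post. Run elevated on Windows 8.1/10 with
# Windows Defender active.

# 1. Baseline: is the engine running, and how old are the signatures?
$status = Get-MpComputerStatus
$status | Format-List AMServiceEnabled, RealTimeProtectionEnabled,
    AntivirusSignatureLastUpdated, AntivirusSignatureAge

if (-not $status.RealTimeProtectionEnabled) {
    Write-Warning 'Real-time protection is off; turning it back on.'
    Set-MpPreference -DisableRealtimeMonitoring $false
}

# 2. MAPS: Advanced membership enables cloud-delivered block decisions, and
#    SendSafeSamples submits suspicious files without prompting the user.
Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

# 3. Pull the latest signatures before scanning so the known families named in
#    this post (Crowti, Tescrypt, Locky, ...) are detected.
Update-MpSignature

# 4. Full scan. This takes a while; use -ScanType QuickScan for a first triage pass.
#    For infections the running OS cannot clean, Start-MpWDOScan (Windows 10)
#    reboots into Windows Defender Offline.
Start-MpScan -ScanType FullScan

# 5. Review what was found and whether the remediation action succeeded.
Get-MpThreatDetection |
    Sort-Object InitialDetectionTime -Descending |
    Format-Table InitialDetectionTime, ThreatID, ActionSuccess, ProcessName, Resources -AutoSize

# Map the numeric ThreatIDs above to names and check nothing is still active.
Get-MpThreat | Format-Table ThreatID, ThreatName, SeverityID, IsActive -AutoSize
```

Any entry with IsActive still true, or ActionSuccess false, means the device is not clean and should stay isolated from shared storage and sync clients before you move on to Step 4.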
Step 4: Recover the files in your device
Only after the malware has been removed should you try to recover your files; otherwise the ransomware will simply encrypt or delete the restored copies again. If you previously turned on File History on Windows 10 and Windows 8.1 devices, or System Protection on Windows 7 and Windows Vista devices, you can in some cases recover your local files and folders.
To restore your files or folders in Windows 10 and Windows 8.1:
- Swipe in from the right edge of the screen, tap Search (or if you're using a mouse, point to the upper-right corner of the screen, move the mouse pointer down, and then click Search). Enter "restore your files" in the search box, and then tap or click Restore your files with File History.
- Enter the name of file you're looking for in the search box, or use the left and right arrows to browse through different versions of your folders and files.
- Select what you want to restore to its original location, and then tap or click the Restore button. If you want to restore your files to a different location than the original, press and hold or right-click the Restore button, tap or click Restore To, and then choose a new location.
To restore your files in Windows 7 and Windows Vista:
- Right-click the file or folder, and then click Restore previous versions. You'll see a list of available previous versions of the file or folder. The list will include files saved on a backup (if you're using Windows Backup to back up your files) as well as restore points. Note: To restore a previous version of a file or folder that's included in a library, right-click the file or folder in the location where it's saved, rather than in the library. For example, to restore a previous version of a picture that's included in the Pictures library but is stored in the My Pictures folder, right-click the My Pictures folder, and then click Restore previous versions. For more information about libraries, see Include folders in a library.
- Before restoring a previous version of a file or folder, select the previous version, and then click Open to view it to make sure it's the version you want. Note: You can't open or copy previous versions of files that were created by Windows Backup, but you can restore them.
To restore a previous version, select the previous version, and then click Restore.
Warning: The file or folder will replace the current version on your computer, and the replacement cannot be undone. Note: If the Restore button isn't available, you can't restore a previous version of the file or folder to its original location. However, you might be able to open it or save it to a different location.
Important: Some ransomware also encrypts or deletes the backup versions, which makes the actions described above impossible. If this is the case, you need to rely on backups on external drives (not reachable by the ransomware) or on OneDrive (next step).
Warning: If the folder is synced to OneDrive and you are not using the latest version of Windows, File History may have some limitations.
Step 5: Recover your files in your OneDrive for Business
OneDrive for Business allows you to recover files you have stored in it. Below are the two options you can use to do this.
Restoring the files using the portal
Users can restore a previous version of a file through the user interface:
- Go to OneDrive for Business in the office.com portal.
- Right-click the file you want to recover and select Version History.
- Click the dropdown for the version you want to recover and select Restore.