Files in Microsoft’s cloud storage services OneDrive and SharePoint Online are no longer safe from ransomware attacks, according to experts at Proofpoint.
Sticking point: versioning
According to Proofpoint, once an attacker has taken over a user account, they can reduce the number of versions of the automatically created backup copies of the files stored in the cloud, which can reach up to 500, to a single one. If this version is then encrypted, the user is at the mercy of the ransomware attackers.
“Each document library in SharePoint Online and OneDrive has a user-configurable setting for the number of versions saved,” the Proofpoint researchers explain. Users do not need any special privileges, such as an administrator role, to change this number: the versioning settings are located under the list settings for each document library and are also accessible to ordinary users, the researchers say.
However, the Proofpoint researchers also point out that the method they discovered is only effective if the user does not have a local copy of their data. The data could thus be restored if the hackers did not have access to the local OneDrive or SharePoint folder and the files have not yet been synced with the online version.
In addition, Proofpoint points out that, according to Microsoft’s own information, support is generally able to restore older file versions that are up to 14 days old. This is likely due to the service’s automated backup system, which users cannot access directly.
In any case, Proofpoint advises keeping an eye on configuration changes in Office 365 accounts. According to the security experts, changes to the versioning settings are unusual and should be treated as suspicious behavior.
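The monitoring advice above can be sketched as a small detection rule. This is an added example, not code from Proofpoint or Microsoft: it flags any reduction of a library's version limit and escalates the alert when the same account then modifies several files in that library. The event records are constructed, and their field names, the `ev` and `detect` helpers and the thresholds are hypothetical rather than a real Microsoft 365 audit schema.

```python
from datetime import datetime, timedelta

def ev(time, user, library, kind, **extra):
    """Build one constructed audit record (hypothetical field names)."""
    return {"time": datetime.fromisoformat(time), "user": user,
            "library": library, "kind": kind, **extra}

# Constructed sample events, not taken from a real tenant or a real audit schema.
EVENTS = [
    ev("2024-01-15T09:00:00", "alice", "Finance", "versioning_changed", old_limit=500, new_limit=1),
    ev("2024-01-15T09:02:00", "alice", "Finance", "file_modified", file="q1.xlsx"),
    ev("2024-01-15T09:03:00", "alice", "Finance", "file_modified", file="q2.xlsx"),
    ev("2024-01-15T09:03:30", "dave", "Finance", "file_modified", file="notes.docx"),
    ev("2024-01-15T09:04:00", "alice", "Finance", "file_modified", file="q3.xlsx"),
    ev("2024-01-15T09:05:00", "alice", "Finance", "file_modified", file="q4.xlsx"),
    ev("2024-01-15T10:00:00", "bob", "Marketing", "versioning_changed", old_limit=500, new_limit=100),
    ev("2024-01-15T11:00:00", "carol", "HR", "versioning_changed", old_limit=50, new_limit=100),
]

def detect(events, low_limit=5, window=timedelta(hours=1), burst=3):
    """Alert on version-limit reductions; escalate if a modification burst follows."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for i, change in enumerate(events):
        if change["kind"] != "versioning_changed":
            continue
        if change["new_limit"] >= change["old_limit"]:
            continue  # raising the limit keeps more history, so it is not flagged
        # Modifications by the same account in the same library shortly afterwards.
        followups = [e for e in events[i + 1:]
                     if e["kind"] == "file_modified"
                     and e["library"] == change["library"]
                     and e["user"] == change["user"]
                     and e["time"] - change["time"] <= window]
        if change["new_limit"] > low_limit:
            severity = "low"      # reduced, but many versions still retained
        elif len(followups) >= burst:
            severity = "high"     # history cut to almost nothing, then files rewritten
        else:
            severity = "medium"   # history cut to almost nothing, no burst seen yet
        alerts.append({"user": change["user"], "library": change["library"],
                       "old_limit": change["old_limit"], "new_limit": change["new_limit"],
                       "modifications": len(followups), "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```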