Office 365 Security and You - Ransomware

Minecraft creeper: 'That's a very nice file share you've got there - be a shame if something happened to it'

Since I'll be on a SharePoint security panel speaking at next week's Federal IT Security Conference, I wanted to do a couple blog posts this week about cloud security.

I'm going to leave discussion of Windows zero-days, Strontium / Fancy Bear / Apartment 2B etc. for another time. There's already plenty of FUD going around about that topic. If you're not sure whether you're protected, you can update to Windows 10 Anniversary Edition and you'll be covered. The easiest way I know to do that is to buy a Win 10 Enterprise E3 subscription from us for $6.50 a month; throw in Enterprise Mobility Suite and Symantec Endpoint Protection Cloud and you'd still be spending only $19 a month. That's about all there is to that, so let's move on.

Instead I want take some time this week to talk about recent (albeit non-federal) security challenges that we see our Office 365, and particularly SharePoint Online, customers facing. Specifically, two questions I'm being asked a lot lately are "Can Office 365 protect me from ransomware?" and "Can we control when and where people can connect to Office 365?".

Today, I'll be talking about ransomware. When I come back for Part 2 we'll talk about controlling access to Office 365. Part 3 will talk specifically about securing SharePoint in the cloud.

Part 1: All About Ransomware and Office 365

Q: "I've heard of this new thing called 'ransomware'. What is it?"

Firstly, for those of you who don't know, I'll explain what ransomware is all about, and then I'll tell you what you can do about it.

Maybe I should've done this post for Halloween, because ransomware is scary stuff. Ransomware is like other virus or malware, but with a twist. It does something much more insidious than just infecting your computer, turning it into a zombie, or deleting random files.

Ransomware uses our own security defenses against us, by applying encryption on us against our will and then attempting to extort money from us to undo the damage.

So how does that work? Well, what if somebody put a lock on your door and then demanded $100 from you to remove the lock so you can get inside your home? It's sort of the same thing. Once the ransomware infects your system, it will open whatever documents that it can get access to, scramble the contents with a secret key only known to it, and save them. It then sends the key to organized cyber-criminals, and alerts you to contact them and make payment arrangements to unlock your files.

Q: "Am I in danger from ransomware?"

Yes. Yes you are.

Be afraid. Be very afraid.

But seriously, Dusty, Seth, and I saw our first case of a client affected by ransomware back in 2014 - and it wasn't pretty. This was in the spring, around the time Microsoft ended support for Windows XP. We had a client who - despite our advice - was dragging their feet about buying new Windows 7 PCs because of the cost involved. As a result, ransomware got into one PC, spread to their other workstations and servers, and then proceeded to extort and threaten their employees. That's when we got the call for help.

For the three of us, it was two hellish days working double shifts to purge the virus (from slow outdated machines), restore backup files, and clean up the mess that totaled over 100 hours and ten thousand dollars in labor charges - services for which we were never fully paid. I would never wish this fate on any client, and I hope to never receive such an emergency call again in my lifetime.

Fast forward to two years later, we're seeing an increasing number of customers telling us that they have contracted ransomware. Everybody's reaction is a bit different. Some folks are willing and able to simply walk away from their lost files, while other businesses faced a real and existential threat to their continued operations.

Any way you look at it, ransomware is a very similar problem as having your hard drive crash.

But hard drives are pretty reliable; they tend to fail from heavy use, if they are dropped, or when they get very old.

Unlike hardware failure, ransomware *wants* to be a problem for you, and there are organized teams of cyber-criminals all over the world who are actively working every day to try and find new ways to infect you with it.

If you are not working to stay ahead of this threat, it will eventually get the better of you.

Q: "What kind of information is at risk from ransomware?"

Ransomware is smart enough to go after files that you use, like Word, Excel, or PDFs while leaving program files like EXEs and DLLs alone. It can also distinguish between files you access often and files that you haven't opened in years and aren't likely to ever notice.

Ransomware can detect attached portable USB drives and find network shared folders that you have access to, so if you're infected then any folder you have access to is at risk even if it isn't necessarily on your computer. I have personally witnessed ransomware that attacked a network file server at one company and scrambled their case files for literally hundreds of customers.

Q: "Should I pay the ransom?"

Generally speaking, I want to say that you should never negotiate with terrorists - or criminals. That's a nice sentiment, and it sounds good in the movies. But in reality I think maybe that's a bit naïve.

Your best bet of course is to have a backup strategy in place and simply recover a working copy of your files from the backup. Only do this after you have thoroughly scanned, found, and cleaned the ransomware from all of your computers. Otherwise, you're putting your backup copies at risk by accessing them, which may let the ransomware know where they are too.

If you don't have a backup of your files, then paying the ransom might be your only option.

In such a case, definitely do not give a criminal your credit card info when they ask you for it. That'd be dumb. Certainly if they run your card for the ransom, you can expect the info will also circulate into databases of cards that should be used for fraud later. If you must pay the ransom, purchase a pre-paid Visa gift card to do it. Some credit card companies will provide a temporary card number you can use for a one-time online purchase. If you have that option, it’s a good idea.

Q: "I already own a firewall. Doesn't that mean I'm protected?"

Having a firewall alone is not enough unless you also have anti-virus software on all your PCs and devices. More commonly these days it is called "endpoint protection", because the threat landscape has grown to include not only viruses but also malware, ransomware, zombies, and more.

Think of it this way. Your firewall is like building a wall around a city. It doesn't make sense to have a wall to protect yourself if you don't also have soldiers inside the wall who can react to intruders. In this case, the story of the Trojan Horse is very appropriate; you must have a layer of defense inside your walled city to protect yourself in case a threat does get a foothold inside the gates.

Having anti-virus software installed is like posting guards at important bases like your armory, grain store, or government center - or having a soldier boarding in each person's house. Anyone who has ever looked at how much CPU is used by their anti-virus software understands that it may be necessary, but it's also another mouth to feed.

We also need to account for the way that mobility has affected computer security. Today, we have laptops, tablets, and smart phones that come and go freely from within our fire-walled city and out into the wide, wide world. To extend our city metaphor, it is now a bustling metropolis with merchants and travelers coming and going at all times; and the freedom to travel has become a key aspect to life that we all benefit from. We connect to Wi-Fi networks at our friends' homes or the local coffee shop, as well as cellular data networks. Then we return to our own network, usually without much fuss. Unfortunately, we also potentially bring whatever plague we've exposed ourselves to from outside back with us when we return.

Protecting the desktop doesn't need to be an expensive proposition either. It costs only $4/month per user to purchase Symantec Endpoint Protection cloud, and Microsoft's advanced security tools that are part of Enterprise Mobility Suite and/or the Office 365 E5 plan each add only $8.70 and $15 (compared to E3 plan) respectively. This is something we can help you purchase and deploy, so please do reach out to us if you want to get this set up for your organization.

Modern IT security now also includes the concept of active network defense, which takes the fight from the PCs to the network itself. These are next generation Ethernet or Wi-Fi switches than can detect and block communications known to come from viruses, malware, etc. This is a lot like making the roads in your city unfriendly to invaders by having police guards on patrol. These new technologies haven't really filtered down to the consumer and small business market yet, but I expect that will happen fairly soon.

I hope that I've been able to explain why having a network firewall alone isn't enough to protect you from security threats out there today. While endpoint protection does add a cost and can sometimes limit PC performance, it's still very much a necessary evil. Meanwhile, new products are being developed that can do even more, so it may be time soon to start looking at replacing your old equipment.

Q: "Can ransomware affect files in Office 365?"

I get this question a lot, both from existing customers and from those considering Office 365 as a possible solution for protecting themselves from ransomware.

The answer is complicated, because really "it depends". I'm sorry if that sounds like consulting-speak, so let me explain what I mean.

Firstly, let me start by saying that we haven't observed yet any instance of ransomware in the wild that directly targets Office 365. But this alone doesn't mean these files are completely safe.

Let's say for example that you are using OneDrive for Business. You have a copy of your files in Office 365 and synced copy is also on your local C: drive. If the ransomware encrypts the file on your local drive, OneDrive for Business would simply see this change as being similar to if you had opened the file yourself in Word and then saved some changes. It would then sync the [bad] changes to the cloud and overwrite the file there.

Furthermore, if ransomware infects the Microsoft Office desktop software like Outlook, Word, or Excel, then it could theoretically corrupt the process by which files are saved, regardless of where you're saving them. In fact, Microsoft Office has its own layer of file encryption called Azure Rights Management. It's not difficult to imagine a possible exploit that might somehow subvert that mechanism - or replace it with one where you don't have the keys.

So in both cases, I would say that while we don't know of any ransomware - yet - that can log in to your Office 365 account and use that access to reach your emails or documents stored in SharePoint, it is still technically possible that your files stored in the cloud are not completely out of reach.

Q: "I was thinking of buying Office 365 and moving my files to the cloud to protect them. Does what you say mean that it won't work and I shouldn't do that?"

Not at all. Moving your files to Office 365 is a good first step, and it has lots of other benefits besides security.

For starters you'd be taking advantage of Microsoft's advanced Data Protection strategy. Microsoft also has a 15 day backup window on some types of data. As a first line of defense, these are going to be a lot more secure and reliable than saving files on a USB drive in your office - even if you just look at it from a hardware perspective.

To really cover yourself, you should always have a backup strategy in place.

If your needs are minimal and the cost is a big concern, that might just involve occasionally copying important emails or files to a local drive and then unplugging it from the network at sticking it in a drawer or safety deposit box. Of course, doing things this way takes time and work. There are better options.

Third-party backup solutions for Office 365 have been around for a while. These aren't expensive - most will back up both email and SharePoint/OneDrive for Business files for just $5/month/user. Compared to other cloud backup platforms, these can be cost effective alternatives. They also add the benefit that your data isn't entirely with Microsoft, so you can feel more secure knowing that you are not keeping all your eggs in one basket.

So, if you are looking for a way to escape the threat of ransomware, Office 365 may still be a good option for you - as long as you're prepared to purchase a bit more than just the basic Office 365 plan itself.

About the Author

Thomas is an acknowledged expert on information security, the creator of Beowulf Identity Server, and will be speaking on a panel about SharePoint Security November 8th at FITSI.org's First Annual Federal IT Security Conference. You can follow him on Twitter and LinkedIn - but if you really want to connect, you're best bet is probably to call us at 410-633-5959.

OneDrive sync problems

So if you use services such as OneDrive for Business to sync to SharePoint, and you’re on Windows 10, you may have noticed a bug that has started recently popping up. When you attempt to sync, or when you disconnect from a network and reconnect to another (such as if you’re on a laptop and you travel, so you need to connect to a WiFi that’s not in your office after being connected within your office), you may get a prompt to log into your SharePoint with your login id:

 

 

 

 

 

 

 

 

Some will get a straightforward password request, like this:

 

 

 

 

 

 

Others first get a box asking them if they want to use their Microsoft account (meaning their personal account) or their work or school account. In fact, they may get this box twice, looking slightly different each time. I suspect that this happens to customers whose Office365 email is the same as their Microsoft personal account. In my case, they’re two different logins, so I can’t replicate the “two requests for Microsoft vs. work/school account” issue in order to display screenshots.

In either case, the result is the same. You click “Sign in.” The button changes color like it’s supposed to on click. But it doesn’t do anything else. It doesn’t sign you in. Click, click, click, click. No sign in. How are you supposed to sync if you can’t sign in?

The answer – at least, for me, sometimes, and several others who’ve reported this bug – is breathtakingly simple to the point where it makes me feel stupid for not thinking of it myself. Hit enter.

Sometimes this works perfectly. Other times you get a blood-chilling message:

“The server you are trying to access is using an authentication protocol not supported by this version of Office.”

What does this mean? How can SharePoint Online not be supported by the latest version of Office?

It’s a ridiculous bug, that’s what, and Microsoft needs to fix it. Until they do, here are some steps that may fix it:

Method 1:

  1. Click on your system tray at the bottom right of your screen.

See OneDrive for Business with a little exclamation mark covering it?

 

 

 

  1. Click on it, and it will prompt you to enter your credentials:

 

 

 

  1. Follow the same steps to enter your credentials that you did before.

For me, this just magically worked, even though it had failed the first time.

Method 2: If that didn’t work, try this.

  1. Exit OneDrive for Business by right-clicking on it in the system tray and choosing Exit.
  2. Close all desktop Office apps. This includes Outlook, Word, Excel, and any other Office application you may have open.
  3. Because the closing of OneDrive might not be a clean exit, or there may be background Window apps, check Task Manager (ctrl-alt-del and choose Task Manager) for the presence of background processes named GROOVE, MSOSYNC, or OneDrive anything. End these processes. End anything labeled Microsoft Office.
  4. Go to the Users directory on C: (it’s usually on C:), find the user you’re trying to fix this problem for, and delete the following folders if they exist:

c:\users\<username>\appdata\local\microsoft\office\sp
c:\users\<username>\appdata\local\microsoft\office\16.0\OfficeFileCache
c:\users\<username>\appdata\local\microsoft\office\15.0\OfficeFileCache

It’s possible that there will still be a locked Access database in the OfficeFileCache. I had one. I also have Access, so I opened it in Access and then closed it, and that unlocked it and allowed me to delete it. Hopefully it won’t be there if you don’t have Access.

 Don’t worry about deleting “important system files.” You’re going to run a repair, which will recreate the folders and files.

  1. Open Control Panel, find Credential Manager and open it. There are two sections, Web Credentials and Windows Credentials. You want the Windows one. Remove any credentials that look like : MicrosoftOffice16_data:(anything), or something like that.
  2. In Control Panel / Programs and Features, go to Microsoft Office 365 Business or ProPlus. Right Click and select Change (not Uninstall).
  3. You’ll be given the option to do a Quick Repair or an Online Repair. Choose the Online Repair, but first make sure your internet connection is stable. This will essentially re-install all of your Office apps, but because you didn’t uninstall first it will keep all of your customizations.
  4. When the Online Repair is complete, find the OneDrive for Business desktop client, and open it. (It’s usually on your Start Menu someplace.)
  5. Now you ought to get the same prompts to login that you did before, but this time once you do the procedure above, it should work.