Since my last post Protecting Yourself and Enterprise from Ransomware Attacks on the history and impact of ransomware I’ve gotten a few questions about whether Cloud Sync products like Dropbox, Box, iCloud, and OneDrive protect you from a ransomware attack. Cloud Sync products are different than Cloud Backup solutions like Mozy, Backblaze, or Carbonite. Backup solutions take a snapshot of your whole hard drive at certain points in time, because of this even if ransomware does encrypt your hard drive and your backup syncs the encrypted files to the cloud you will still have your pre-infection files available to you. Simply pick a pre-infection restore point and start from there.
To understand why Cloud Sync products are different let’s walk through how an attack scenario may occur and how Cloud Sync works. Cloud Sync creates a folder structure on your computer and monitors those folders for file changes (creations, edits, updates, or deletes). If anything is detected it replaces the version in the cloud with the new version and notifies all other synced people and devices to get the new version.
As discussed previously, encrypting ransomware works by encrypting each file with a unique key and deleting the previous version. Most ransomware also changes the name of the file to something random. When the ransomware encrypts the file and deletes the original version that signals two events to the local sync service: add the encrypted file, delete the original. Because the ransomware changed the filename it also breaks the file versioning features provided by many Cloud Sync products, which will stop you from restoring to a previous version.
If your cloud folder is shared with more than one person or device the changes will automatically propagate and the sync service will delete the encrypted files and sync the encrypted ones.
If you have an Office 365 subscription OneDrive detects and alerts users after a ransomware attack. Dropbox and OneDrive include features to help restore folders from an earlier point in time which can be used to recover. Box users have reported being able to open a ticket with Box to be able to restore files from a previous version, but the functionality to restore all files quickly doesn’t exist yet. This may be further complicated if you opt for the “Bring Your Own Key” (BYOK) features that Box provides. iCloud doesn’t keep past versions of files or folders and doesn’t have the ability to restore to a point in time.
I’ve created a quick table to help:
| Service Name | Detection | Restore |
|---|---|---|
| OneDrive | Yes (w/Subscription) | Yes |
| DropBox | No | Yes |
| Box | No | Call Support |
| iCloud | No | No |
It seems to me that sync services are in a unique position to quickly detect and alert users to ransomware attacks, often times before too much damage is done. Running a service that detects large numbers of files being quickly deleted and added could be a great first pass, double checking to see if the uploaded files are all encrypted would be a great way to confirm a malware infection. I assume OneDrive is doing something similar to this, and it would be great to see this kind of functionality built into all free tiers of the different Cloud Sync services. Until this is done please consider a robust backup solution and keep your computers clean and virus free.