Thursday, May 28, 2015

Why Even Files Stored in the Cloud are Not Safe from Ransomware Attacks

For our 100th topic it only felt right to talk about something we are very passionate about:  file security and data protection.  Like every post, we hope you find the information enlightening, helpful, and relevant.

First things first, Ransomware does not directly encrypt files located in the cloud.  However, when files on a computer backing up to the cloud get encrypted, the usable files in the cloud are replaced with the encrypted versions.  Once this backup occurs, there is no way to recover the usable files from the cloud unless file versioning is in place.

About Ransomware Attacks
Ransomware attacks, which it seems will not be going away any time soon, resurfaced again just this week.  These attacks encrypt files on an infected device in hopes of forcing victims into purchasing a decryption key to regain access to their files.  When files are encrypted their extension changes to .ecc rather than .pdf or .xlsx irrespective of the originating file type, (see below for other files these attacks can access and encrypt).  This latest attack is called Locker and uses Bitcoin as the payment currency.  Unfortunately, paying the perpetrator is not always successful as was sometimes the case with Cryptolocker, a similar Ransomware attack where some victims reported they never received their decryption key after paying.

Beyond paying the ransom, once a device is infected with Ransomware there are no controls in place to prevent the same files from being encrypted again.  This is because there are no rules for this type of attack.  Remember, the people behind these scams care about money, not how their actions affect people's lives or businesses.  Having a greater understanding of how these attacks work, and the best way to protect our files from them, is often the best way to fight back.  

Protecting Files from Ransomware Attacks
Cloud storage without file versioning stores a single set of files.  When a new version of a file is created, it is uploaded to overwrite the existing file.  The purpose of this is simple, to make sure every file is always in the most current state no matter when or where it is accessed.  A big problem with a Ransomware attack is that the update process, which normally protects the user, works against the user in this case by overwriting usable files with locked files.  Once the files are overwritten with the encrypted versions, usable versions are no longer accessible.

An online backup service like ours provides file versioning so multiple copies of files are stored, rotated, and available for recovery at any time.  File versioning can be implemented in different ways, based on a number of days or a number of file copies.  For example, if a plan's data retention is set to 90 days and the same file is modified every day, there will be 90 versions of the file.  Using the same data retention period, a file modified once a month would have 3 versions available.

Why Ransomware Attacks are Effective
Ransomware attacks hit all kinds of users, but those who do not have any file backups are more likely to feel paying the ransom is their only option for recovering their files.  What also makes Ransomware attacks effective is that they are able to encrypt files beyond the infected device including:
  • Attached USB flash drives
  • Attached external hard drives
  • Mapped network drives
This means files stored on a network share accessed by the infected device are also encrypted even though the files are stored on a different device, usually a server.  Businesses of every size use network shares because it makes it easy to provide commonly used documents and database files to staff in a single accessible location.  Unfortunately, after a single user's computer is infected, these files are rendered useless for everyone.  Any files backed up to an attached USB or external drive will also be encrypted.

Another layer to these attacks is that most types of Ransomware have secondary safeguards in place.  These safeguards, e.g., permanently destroying decryption keys or completely wiping drives, discourage victims from tampering with their infected devices.  Real threats and scare tactics leave victims without backups of their files with few options for recovering them without paying the ransom.  As a result, many victims are forced into paying the ransom which is the perpetrators ultimate goal.

No matter what type of files you have on a computer device, a Ransomware attack can be frustrating, is a violation of privacy, can put proprietary and personal information at risk, and requires time and/or money to recover.  Keeping backups of files in multiple locations is a good start to ensuring files are protected.  Using services that support file versioning greatly increases the chance files can be recovered without paying a ransom.

As always, keep your files safe!


  1. Thanks for sharing this informative article on cloud. You may also refer

  2. Thanks Ramesh, these are good questions to ask!