New and more dangerous strains of ransomware are emerging all the time, and attacks are becoming more sophisticated. Attackers have evolved beyond the simple, single-operator crypto-locker attacks of earlier years and now use toolkits and affiliate (ransomware-as-a-service) business models to maximise potential damage. This collaboration between criminal gangs has helped ransomware grow into a major threat to businesses across the globe, with over £250m in ransomware payments made in 2020 alone. Recovery from a ransomware attack is therefore something every organisation should be prepared for. In previous blogs we've discussed steps you can take to prevent a ransomware attack using Microsoft 365; in this article you will discover how to recover from a ransomware attack once it has taken place by leveraging features of Microsoft 365.
The first step in preparing for ransomware is to prevent successful attacks, as I've discussed in a previous blog. Beyond that, your organisation can mitigate the potentially crippling effects of an attack that does get through by using the M365 apps and features it already owns. The steps below will help your organisation recover from a ransomware attack with little or no extra spend. Using the full potential of Microsoft 365's built-in security features is what we at Softwerx call a 'Microsoft First' approach to security and compliance.
Step 1: Companies should take and regularly verify their backups
In many cases, companies with offline (or otherwise isolated) backups can restore the encrypted data after removing the ransomware. A robust backup system is therefore the first and most crucial step in ransomware recovery. Although Microsoft 365 offers some native recovery features, we recommend using a third-party product such as Carbonite for full backup coverage. Carbonite Backup for Office 365 captures changes in Office 365 applications and replicates them to a secondary instance in Microsoft Azure. When it's time to recover, you can quickly perform a granular or full-fidelity restore of Office 365 content.
However, having regular backups is not enough. To ensure the backups are being taken correctly and can actually be restored, your organisation should verify the integrity of the backups and test the restore process regularly. I recommend testing this once a month, restoring a sample of real data to a scratch location and comparing it against the original rather than simply checking that the backup job reported success.
The advantage of a backup product such as Carbonite over relying on OneDrive's built-in recovery features (version history and Files Restore) is twofold. First, OneDrive only covers files in OneDrive; it does not capture other user data, settings and states that a dedicated backup product does. Second, OneDrive's version history is still fed by the same sync client: if an infected device encrypts synced files, the encrypted copies are uploaded as new versions, and the Files Restore window (30 days) and version limits bound how far back you can roll. A separately held backup copy is not exposed to the live sync path in the same way.
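Restore testing, as an added example that is not from the original post or from Carbonite: the script builds a SHA-256 manifest of a sample of live data before the test, then checks the restored copy against it, reporting files that are missing or whose contents differ. The paths, the sample files and the deliberately corrupted file are constructed for the demo; in a real monthly test, the source is the live data sample and the restore path is wherever the backup product restored it.

```powershell
# Added example, not part of the original article. Verifies a restored tree
# against a manifest taken from the source before the restore.

function New-RestoreManifest {
    param([Parameter(Mandatory)][string]$Path)
    $root = (Resolve-Path $Path).Path
    $manifest = @{}
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        # Key by path relative to the tree root so source and restore compare cleanly.
        $relative = $_.FullName.Substring($root.Length).TrimStart('\', '/')
        $manifest[$relative] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $manifest
}

function Test-RestoredTree {
    param(
        [Parameter(Mandatory)][string]$RestorePath,
        [Parameter(Mandatory)][hashtable]$Manifest
    )
    $restored   = New-RestoreManifest -Path $RestorePath
    $missing    = @($Manifest.Keys | Where-Object { -not $restored.ContainsKey($_) })
    $mismatched = @($Manifest.Keys | Where-Object {
        $restored.ContainsKey($_) -and $restored[$_] -ne $Manifest[$_] })
    [pscustomobject]@{
        Expected   = $Manifest.Count
        Verified   = $Manifest.Count - $missing.Count - $mismatched.Count
        Missing    = $missing
        Mismatched = $mismatched
        Passed     = ($missing.Count -eq 0 -and $mismatched.Count -eq 0)
    }
}

# Constructed demo data in a scratch directory (hypothetical paths and content).
$scratch = Join-Path ([System.IO.Path]::GetTempPath()) ("restore-test-" + [guid]::NewGuid())
$source  = Join-Path $scratch 'source'
$restore = Join-Path $scratch 'restore'
New-Item -ItemType Directory -Path (Join-Path $source 'finance') -Force | Out-Null
Set-Content -Path (Join-Path (Join-Path $source 'finance') 'q1.txt') -Value 'quarterly figures'
Set-Content -Path (Join-Path $source 'policy.txt') -Value 'acceptable use policy'

# 1. Take the manifest from the live sample before the restore test.
$manifest = New-RestoreManifest -Path $source

# 2. Simulate the restore, then corrupt one file the way an encrypted
#    backup copy would look, so the check has something to catch.
Copy-Item -Path $source -Destination $restore -Recurse
Set-Content -Path (Join-Path $restore 'policy.txt') -Value 'ENCRYPTED'

# 3. Compare the restored tree with the manifest.
$result = Test-RestoredTree -RestorePath $restore -Manifest $manifest
$result | Format-List

Remove-Item -Path $scratch -Recurse -Force
```

In the demo the check fails and names policy.txt as mismatched, which is exactly the outcome a monthly test should be able to produce: a backup job that reports success but restores encrypted content is caught here, not on the day you need it. Keep the manifest somewhere the backup cannot overwrite it.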
Step 2: Disable Exchange ActiveSync and OneDrive sync
I recommend that organisations temporarily disable user access to online mailboxes if they suspect that their email is a target of the ransomware encryption. This stops an infected client from continuing to push changes (or further malicious mail) into Exchange Online while you investigate.
To disable Exchange ActiveSync for a mailbox, see How to disable Exchange ActiveSync for users in Exchange Online.
To disable other types of access to a mailbox, see:
Additionally, temporarily stopping OneDrive sync during and after an attack can help organisations protect their cloud data from being updated by potentially infected devices. For more information, see How to Pause and Resume sync in OneDrive.
Step 3: Remove the malware from the infected devices
We have created a specific ransomware removal playbook that you can refer to for more details of our recommended process. Organisations should run a full scan of affected devices using trusted anti-malware software such as Microsoft Defender for Endpoint (part of Microsoft 365 Defender), Microsoft Defender Antivirus (Microsoft Security Essentials on older Windows versions) or Microsoft's Malicious Software Removal Tool (MSRT). Once the malware has been detected, it should be quarantined and removed. Organisations should also scan any device that synchronises data with the cloud, not only the device where the encryption was first noticed.
Some malware attempts to evade detection or turn off anti-malware scanners, so if these options don’t work, try Windows Defender Offline or Troubleshoot problems with detecting and removing malware.
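The scan-and-clean step as an added example (not from the original post or from Microsoft's playbooks), run elevated on the affected Windows device with the built-in Defender PowerShell module. It first checks that the engine has not been tampered with, which is the failure mode the paragraph above describes; if the engine or real-time protection is off or signatures are stale, it falls back to scheduling a Windows Defender Offline scan instead of trusting a scan from inside a possibly compromised OS. The one-day signature-age threshold is an assumption, not a Microsoft recommendation.

```powershell
# Added example, not part of the original article. Requires the Defender module
# that ships with Windows 10/11 and an elevated session.
Import-Module Defender

function Test-DefenderHealthy {
    # Malware commonly disables the AV service or real-time protection first;
    # a "clean" result from a disabled engine means nothing.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureAgeDays   = $s.AntivirusSignatureAge
        TamperProtected    = $s.IsTamperProtected
        # Assumed threshold: signatures older than a day are treated as stale.
        Healthy = ($s.AntivirusEnabled -and $s.RealTimeProtectionEnabled -and
                   $s.AntivirusSignatureAge -le 1)
    }
}

$health = Test-DefenderHealthy
$health | Format-List

if (-not $health.Healthy) {
    # The engine may have been switched off by the malware. Windows Defender
    # Offline reboots into a trusted environment and scans from outside the OS.
    Write-Warning 'Defender is not healthy on this device; scheduling an offline scan.'
    Start-MpWDOScan
    return
}

# Engine looks intact: refresh signatures, run a full scan, then review what
# was found before removing it.
Update-MpSignature
Start-MpScan -ScanType FullScan

Get-MpThreatDetection |
    Select-Object InitialDetectionTime, DomainUser, ProcessName, ThreatID, ActionSuccess |
    Format-Table -AutoSize

$active = Get-MpThreat | Where-Object { $_.IsActive }
if ($active) {
    $active | Select-Object ThreatName, SeverityID, DidThreatExecute | Format-Table -AutoSize
    Remove-MpThreat
}
```

Run the same script on every device that synchronises with OneDrive or SharePoint, not just the one where the encryption was noticed; a single clean device re-syncing against a still-infected peer will simply pull the encrypted files back down.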
Step 4: Recover files on a cleaned computer or device
After removing the malware, organisations can use File History in Windows 10 and Windows 8.1 to recover local files and folders. However, File History cannot be used if its backup copies have also been encrypted; in that case, organisations can restore from backups on external devices or from OneDrive, provided those copies have not been encrypted as well. Only reconnect a cleaned device to the network and to cloud sync after the restore has been verified.
Step 5: Recover deleted email
In most cases, deleted emails can be recovered after a ransomware attack. For more information, see:
Step 6: Re-enable Exchange ActiveSync and OneDrive sync
Organisations can re-enable Exchange ActiveSync and OneDrive sync after they’ve cleaned their devices and recovered their data.
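Steps 2, 5 and 6 as one added Exchange Online example (not from the original post or from Microsoft documentation). It records each affected mailbox's current client-access settings, disables ActiveSync and the other client protocols, recovers mail deleted since an assumed cut-off date from the mailbox's Recoverable Items folder, and finally restores the recorded settings rather than blindly turning everything on. It assumes the ExchangeOnlineManagement module, an account with Exchange administrator rights, and the hypothetical mailbox list and admin address shown. Disabling OWA and MAPI as well as ActiveSync is broader than the ActiveSync-only action in Step 2; it corresponds to the "other types of access" the step also refers to and will lock users out of Outlook for the duration.

```powershell
# Added example, not part of the original article.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # hypothetical admin

$affected  = @('alice@contoso.example', 'bob@contoso.example')    # hypothetical mailboxes
$stateFile = Join-Path $env:TEMP 'mailbox-access-state.csv'
$protocols = 'ActiveSyncEnabled', 'OWAEnabled', 'EwsEnabled', 'MAPIEnabled', 'PopEnabled', 'ImapEnabled'

function Disable-MailboxClientAccess {
    param([string[]]$Mailboxes, [string]$StateFile)
    # Step 2: save the current per-protocol settings so Step 6 can restore them exactly.
    $Mailboxes | ForEach-Object {
        Get-CASMailbox -Identity $_ | Select-Object (@('PrimarySmtpAddress') + $protocols)
    } | Export-Csv -Path $StateFile -NoTypeInformation

    foreach ($mailbox in $Mailboxes) {
        Set-CASMailbox -Identity $mailbox -ActiveSyncEnabled $false -OWAEnabled $false `
            -EwsEnabled $false -MAPIEnabled $false -PopEnabled $false -ImapEnabled $false
    }
}

function Restore-DeletedMail {
    param([string[]]$Mailboxes, [datetime]$Since)
    # Step 5: bring back messages (IPM.Note) deleted since the cut-off. Items in
    # Deleted Items and Recoverable Items\Deletions go back to their original folders.
    $start = $Since.ToString('M/d/yyyy HH:mm:ss')
    foreach ($mailbox in $Mailboxes) {
        # Preview first so the operator can see what will be restored.
        Get-RecoverableItems -Identity $mailbox -FilterItemType IPM.Note `
            -FilterStartTime $start -ResultSize Unlimited |
            Select-Object Subject, LastModifiedTime, OriginalFolderPath | Format-Table -AutoSize
        Restore-RecoverableItems -Identity $mailbox -FilterItemType IPM.Note -FilterStartTime $start
    }
}

function Restore-MailboxClientAccess {
    param([string]$StateFile)
    # Step 6: re-enable only what was enabled before the incident.
    Import-Csv -Path $StateFile | ForEach-Object {
        $settings = @{}
        foreach ($p in $protocols) { $settings[$p] = [bool]::Parse($_.$p) }
        Set-CASMailbox -Identity $_.PrimarySmtpAddress @settings
    }
}

# Incident day: cut off client access while devices are cleaned (Steps 3 and 4).
Disable-MailboxClientAccess -Mailboxes $affected -StateFile $stateFile

# After cleaning: recover mail deleted in the assumed 14-day window, then restore access.
Restore-DeletedMail -Mailboxes $affected -Since (Get-Date).AddDays(-14)
Restore-MailboxClientAccess -StateFile $stateFile

Disconnect-ExchangeOnline -Confirm:$false
```

Recording the prior state matters because some mailboxes will legitimately have POP, IMAP or ActiveSync disabled already; re-enabling everything in Step 6 would quietly widen the attack surface you had before the incident.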
Step 7: Get support
Although this may be a painful step for your organisation, under the UK GDPR you are legally required to report a personal data breach to the ICO within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a ransomware incident that encrypts or exfiltrates personal data will usually meet that bar. For more information, see Responding to a cybersecurity incident. You can also report phishing messages to Microsoft. For more information, see Report messages and files to Microsoft.
Softwerx offers a Microsoft Security Operations Centre (SOC) that manages your security needs from a Microsoft First perspective, deploying the latest Microsoft security stack to protect your organisation against evolving threats. Get in touch to learn more about our SOC services and how to proactively defend your organisation from the next strain of ransomware. You can also sign up for a free Microsoft Security Assessment, in which Softwerx's qualified Microsoft security experts will assess your ransomware recovery capability and develop a bespoke ransomware defence roadmap.
Ransomware might be on the rise, but by taking the steps above you will help to ensure your organisation’s ransomware resilience utilising a Microsoft First approach.
– By Adriaan Bekker, Technical Director, Softwerx
About the author:
Adriaan Bekker is Technical Director of Softwerx. He has worked with Microsoft and at corporate ‘C-level’ clients for over 10 years. This extensive experience, combined with his IT and business degree qualifications, means he is well placed to bridge the gap between technical, commercial and compliance requirements.