Businesses use OneDrive to store data. Because OneDrive is located in the cloud, users think that OneDrive data is exceptionally safe. Let’s admit it — users are right! OneDrive is safer than a disk drive on your local machine. The question is: Can OneDrive be hacked? The answer is affirmative. Yes, OneDrive can be attacked by cybercriminals. Ransomware can encrypt OneDrive and cause huge data loss. To help prevent such a situation, this post goes over the basic signs of ransomware, infection routes, detection methods, data protection, and recovery.
OneDrive Basic Ransomware Signs
Unfortunately, you may not notice that your computer is infected by ransomware until the last moment. One early sign that a malware attack of some sort is unfolding is a suspicious email message that carries a compromised attachment or link. Later signs include slow processing speed, the inability to open a file and changed file names and extensions.
OneDrive Ransomware Infection Routes
You may have the question: How do I know if ransomware has reached my OneDrive? To get into your OneDrive, some ransomware varieties attack your device first. If this is the case and your device’s files are synchronized to OneDrive, your OneDrive files also become affected. Obvious signs that your OneDrive is under attack include unreadable Word documents along with changed file names and extensions.
Alternatively, ransomware can target your OneDrive directly, rather than the device itself, via a phishing email. In this scenario, a hacker may send you a legitimate-looking message asking you to use an enclosed security app to protect your OneDrive. The message may appear to be sent from your company’s security team to trick you into going forward with the process. Let’s say you failed to recognize the signs of a phishing email and granted access to the fake security app. Your OneDrive can now be accessed directly from the hacker’s dashboard, and the hacker can manipulate (encrypt, change a name or extension, delete) any of your OneDrive files.
A cyber-criminal can also access your OneDrive by stealing the credentials to your administrative account. From your administrative account, the hacker can easily delete, encrypt or leak your data.
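The sign named above, file names and extensions changing in bulk, can be checked mechanically over a record of rename events. The following is an added example, not part of the original post; the event tuple layout, the five-minute window, the threshold of four files and the sample data are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Constructed sample events (time, user, old path, new path); not real telemetry.
SAMPLE_EVENTS = [
    ("2024-05-02T09:00:05", "alice", "Docs/plan.docx", "Docs/plan.docx.locked"),
    ("2024-05-02T09:00:07", "alice", "Docs/budget.xlsx", "Docs/budget.xlsx.locked"),
    ("2024-05-02T09:00:09", "alice", "Docs/team.pptx", "Docs/team.pptx.locked"),
    ("2024-05-02T09:00:12", "alice", "Pics/site.jpg", "Pics/site.jpg.locked"),
    ("2024-05-02T09:00:20", "alice", "Pics/logo.png", "Pics/logo.png.locked"),
    ("2024-05-02T09:30:00", "alice", "notes.txt", "notes-old.txt"),
    ("2024-05-02T10:15:00", "bob", "Reports/q1.doc", "Reports/q1.docx"),
    ("2024-05-02T08:00:00", "carol", "a.txt", "a.bak"),
    ("2024-05-02T11:00:00", "carol", "b.doc", "b.old"),
    ("2024-05-02T14:00:00", "carol", "c.odt", "c.pdf"),
    ("2024-05-02T17:00:00", "carol", "d.md", "d.txt"),
]

def rename_bursts(events, window=timedelta(minutes=5), threshold=4):
    """Flag users who changed the extension of >= threshold files within one window.

    Returns {user: (files_in_busiest_window, most_common_new_extension)}.
    """
    per_user = defaultdict(list)
    for ts, user, old, new in events:
        old_ext = PurePosixPath(old).suffix.lower()
        new_ext = PurePosixPath(new).suffix.lower()
        if old_ext != new_ext:  # renames that keep the extension are ignored
            per_user[user].append((datetime.fromisoformat(ts), new_ext))
    flagged = {}
    for user, changes in per_user.items():
        changes.sort()
        start, best = 0, (0, None)
        for end in range(len(changes)):
            # Slide the window start forward until it spans at most `window`.
            while changes[end][0] - changes[start][0] > window:
                start += 1
            size = end - start + 1
            if size >= threshold and size > best[0]:
                exts = Counter(ext for _, ext in changes[start:end + 1])
                best = (size, exts.most_common(1)[0][0])
        if best[0]:
            flagged[user] = best
    return flagged
```

On the constructed data only the burst of `.locked` renames is flagged; the single `.doc` to `.docx` conversion and the extension changes spread across a working day are not.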
OneDrive Ransomware Protection and Ransomware Data Recovery Tips
At this point, it’s clear that OneDrive can fall victim to a ransomware attack. Therefore, keeping your OneDrive data safe is of the highest priority. Follow the data protection tips below to keep your OneDrive safe:
1) Apply OneDrive ransomware detection
OneDrive has a built-in ransomware detection and recovery feature that can identify a threat and instruct you on how to handle it. Once a threat has been detected, you’ll see a notification on your OneDrive website and receive an email. This notification will state: Signs of ransomware detected. When you see this message, click the Get started button to initiate the recovery process. The recovery process has 3 main steps:
- Confirmation of infected files. During this step, the screen presents you with some potentially corrupted files. You may notice that some files have changed names or extensions. If you see that some files on the list are corrupted, you need to confirm it and continue the recovery process. If your files are not corrupted, you can end the recovery wizard.
- Cleaning of all devices. If you use OneDrive on several devices, you need to clean all of these devices. There shouldn’t be any remaining ransomware once you’re done. Otherwise, your devices may become reinfected. Use antivirus software to clean your devices. After you’re done, indicate that your devices are clean and continue with the next step. However, if you can’t get rid of all the ransomware, you can try to reset your devices first.
- OneDrive recovery. During this final step, you’ll restore your OneDrive files. The recovery wizard will automatically determine the time and date of the ransomware attack and you can restore your data to the state it was right before the incident.
2) Safeguard your credentials
Make sure to take every precaution to protect your account credentials. If hackers steal your credentials, they can access your administrative account and gain privileges over your OneDrive data. With that much power, it won’t be that hard to launch a massive ransomware attack that will affect not just your data but also the data from shared storage. OneDrive shared storage is regularly visited by multiple users. All these users are in danger of being infected with ransomware when shared storage is compromised. To protect your credentials, use two-step verification or multi-factor authentication. Implement those additional steps to verify your identity by entering a security code, passing facial recognition, or presenting a fingerprint.
3) Guard every machine
To prevent ransomware attacks, use updated software and install security patches when necessary. Remember, hackers will exploit every vulnerability they can find to get into your system. Macros — which you can find in every Word document — can distribute ransomware. Therefore, stay on the safe side by blocking your macros. Doing so won’t cause any harm since macros are rarely used in document management. There is a great chance that ransomware settles in the %appdata% or %localappdata% directories upon download. You can block the execution of files in those directories to prevent ransomware from running from there. Finally, use antivirus to protect your physical and virtual environments.
4) Foster employee education
Educate your employees about the ransomware vectors and tactics hackers use to compromise a physical machine or OneDrive. Your employees must know the basic signs of ransomware attacks to prevent the next one from happening. Explain how to check the link and URL address for spelling errors. There needs to be only one misspelled letter to indicate a compromised email. Hackers can spoof the sender’s email address or send a legitimate email with an embedded ransomware attachment. Point out the danger of following a link from an email. Such a link can lead to a fake site where your employee’s device can become infected with ransomware. Even if the site is legitimate, it may have hostile injections. Entering credentials on this type of site can put your employee’s account in jeopardy.
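The spelling check described above can be automated for links found in incoming mail. This is an added example, not part of the original post; the allowlist of trusted hosts, the `max_distance` default of 2 (slightly wider than the single misspelled letter mentioned in the text) and the sample URLs in the comments are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist for illustration; replace with the hosts your organization uses.
TRUSTED_HOSTS = ("onedrive.live.com", "login.microsoftonline.com")

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute or match
        prev = cur
    return prev[-1]

def classify_link(url, trusted=TRUSTED_HOSTS, max_distance=2):
    """Return (verdict, matched_host) for the host name in `url`.

    verdict is "trusted" (exact host or a subdomain of it), "lookalike"
    (not trusted, but within max_distance edits of a trusted host),
    "unknown" (unrelated host) or "invalid" (no host could be parsed).
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return ("invalid", None)
    for t in trusted:
        if host == t or host.endswith("." + t):
            return ("trusted", t)
    closest = min(trusted, key=lambda t: edit_distance(host, t))
    if edit_distance(host, closest) <= max_distance:
        return ("lookalike", closest)
    return ("unknown", None)

# Constructed inputs:
#   classify_link("https://onedrive.live.com/?id=root")  is trusted
#   classify_link("https://onedrive.1ive.com/login")     is a lookalike (one letter off)
```

A "lookalike" verdict is the case worth showing in training: the host is not on the allowlist but differs from a trusted one by only a letter or two.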
5) Protect your email and cloud
To make your OneDrive more secure, protect your Exchange Online email. Exchange Online has built-in data protection that you can use to identify whether a link or attachment is compromised. Exchange Online Protection can detect suspicious files and pinpoint untrusted senders. You can use Exchange Online Protection to block shady emails. You can also block active content in attachments such as macros, VBScript and JavaScript.
To protect your data in the cloud, use Microsoft Defender. You can use the advanced features of Microsoft Defender to detect cyber threats and prevent ransomware attacks. Microsoft Defender encompasses machine learning, automated data analysis, and advanced cyber protection for your endpoints.
6) Recover with versioning
If your OneDrive objects become encrypted by ransomware, the latest version becomes inaccessible. However, you can still recover your files by using a prior version of your document. You can recover back to any version that has been changed within the last 30 days. Version recovery may not be reasonable if you need to restore tons of data. In this scenario, backups are your best option. But before recovering files from ransomware by any method, you need to make sure that your machine is clear of ransomware. Keep an eye on Microsoft’s data retention policies. You have to know how long the deleted data remains in the recycle bin before it gets permanently erased.
7) Back up your OneDrive data
You can use OneDrive recovery to reinstate your data after a ransomware attack. However, if ransomware deletes data from your physical device and OneDrive recycle bin, you may not be able to recover your data in full. To ensure the security of your data, use a third-party backup solution. Backups guarantee the recoverability of your data after a ransomware incident. In addition, a third-party backup solution allows you to perform granular recovery, enabling you to restore just the affected files. Remember to back up your data regularly to ensure a successful recovery. An efficient backup solution allows you to run daily incremental backups, saving your time, money, and storage space.
8) Don’t Pay the Ransom
If a misfortune takes place and you get hacked, don’t pay the ransom. There’s no guarantee that you’ll get your data back even if you pay. Even if the hackers do return your data, they can still delete some of it or, worse, sell it on the dark web. What you can do is recover your data with Microsoft native data protection. Better yet, you can recover from backups if you have them.
Conclusion
Can ransomware infect OneDrive? The answer is yes, it can. Despite being located in the cloud, OneDrive can still fall victim to ransomware. Ransomware can get to OneDrive from a synchronized folder, or if you accidentally grant permissions to a phishing email request. To stop a ransomware attack from succeeding, safeguard your data by using the latest ransomware detection and protection methods. You can protect your data with a third-party backup solution such as NAKIVO Backup & Replication. The solution offers affordable, efficient and user-friendly backup and recovery services that can help you keep your data safe around the clock.