SharePoint Synced Files and Ransomware


We are migrating a majority of our workflows to SharePoint and a question came up regarding security and malware.


If a synced folder on a PC gets encrypted by ransomware, do the encrypted files sync back to SharePoint? If so, do those files then sync out to other users' computers, or will they only sync when those users try to access them directly?


Additionally, if we were to try and test this, would our IP address get banned by Microsoft? 

We were thinking about programmatically encrypting about 30 files in a synced folder to test, but don't want to lose access to our data by accident.


Thank you,

James

1 Reply

Just reporting back. Hopefully this info helps someone else.


We ended up syncing a folder with 6 PDFs and one zip file on two computers (one with Sophos Intercept X antivirus and one with Windows Defender) via a Document Library in a SharePoint site. Our coder used C# and DotNet 6 (sorry if I said that wrong, I'm not a coder) to flip all the bits in the files and rename the file extensions on the computer with Sophos. The antivirus picked up on the activity and stopped it immediately and then restored the files that did get "encrypted" before it had detected it. No syncing occurred to SharePoint.

Next we ran it on the computer with only Windows Defender. This yielded troubling results. Windows did not pick up on the activity. All files were bit-flipped and then the file extensions were renamed to .test-encrypted. After the change, all files synced to SharePoint and then to the computer with Sophos. Sophos did not recognize this as an issue and did not raise any alerts. The files were, for all intents, ransomwared throughout the organization.

Microsoft has stated that version history is a way to protect end users from ransomware attacks. What we found was that with a file extension change, version history restores the file to a previous version, but it does not change the file extension back to what it was before the encryption. So even though the file was restored to a point before the "attack", the file extension was still .test-encrypted. There is no way to rename the file extension in SharePoint. Be that as it may, if you access the file through the synced folders locally, you can change the file extension back, but you have to know what it was beforehand: pdf, docx, xlsx, zip, etc.


After our testing, I did find this article by MS related to ransomware and SharePoint. 

...ransomware-in-sharepoint... 
MS does keep a copy of all data in SharePoint for 14 days. You will need to contact MS directly for support. *good luck there.


tl;dr: Unfortunately, if files get encrypted via ransomware, they will sync across the SharePoint organization. Version history can help in this case, but it is not a solid solution, as one must know what the file extension was in order to change it back. Back up your data and run third-party antivirus!
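The reply's remaining manual step, after a version-history rollback, is renaming each restored file back to its real extension, which you have to know in advance. As an added example (not part of the thread and not either poster's code), the Python script below does that inference from the file's content instead: a PDF header identifies a PDF, and for ZIP-based files the entry names inside the archive tell docx, xlsx and pptx apart from a plain zip. It assumes the `.test-encrypted` marker extension from the reply's test, a local synced folder on disk, and uses only constructed sample files; files whose content is still unrecognisable (still encrypted, or an unfamiliar type) are deliberately left untouched so nothing is renamed blindly.

```python
"""Restore original extensions on a synced folder after a ransomware-style
rename, by sniffing each file's content signature.

Added example, not from the thread. Assumes the files have already been
rolled back to clean content (e.g. via SharePoint version history) and
only the extension is wrong. '.test-encrypted' is the marker extension
the reply's own test used; change MARKER_EXT for a real incident.
"""
import io
import os
import tempfile
import zipfile
from typing import Dict, Optional

MARKER_EXT = ".test-encrypted"

# Plain magic-byte signatures checked at offset 0.
SIGNATURES = [
    (b"%PDF-", "pdf"),
]

# Office Open XML formats are all ZIP archives starting with 'PK';
# they are distinguished by a characteristic entry inside the archive.
OFFICE_MARKERS = {
    "word/document.xml": "docx",
    "xl/workbook.xml": "xlsx",
    "ppt/presentation.xml": "pptx",
}


def sniff_extension(data: bytes) -> Optional[str]:
    """Return the extension implied by the content, or None if unrecognised."""
    for magic, ext in SIGNATURES:
        if data.startswith(magic):
            return ext
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return None  # 'PK' prefix but not a valid archive: leave it alone
        for marker, ext in OFFICE_MARKERS.items():
            if marker in names:
                return ext
        return "zip"
    return None


def restore_extensions(folder: str, marker_ext: str = MARKER_EXT,
                       dry_run: bool = False) -> Dict[str, str]:
    """Map each '<name><marker_ext>' file in folder to the name it should get
    back, based on its content, and rename it unless dry_run is set.
    Unrecognised files are skipped and omitted from the returned plan."""
    plan: Dict[str, str] = {}
    with os.scandir(folder) as it:
        entries = [e for e in it if e.is_file() and e.name.endswith(marker_ext)]
    for entry in entries:
        with open(entry.path, "rb") as fh:
            ext = sniff_extension(fh.read())  # whole file: ZIP directory is at the end
        if ext is None:
            continue
        stem = entry.name[: -len(marker_ext)]
        # If the original extension was kept in the name ('report.pdf.test-encrypted'),
        # do not double it up.
        if stem.lower().endswith("." + ext):
            stem = stem[: -(len(ext) + 1)]
        target = os.path.join(folder, stem + "." + ext)
        plan[entry.name] = os.path.basename(target)
        if not dry_run and not os.path.exists(target):
            os.rename(entry.path, target)
    return plan


def _make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP archive for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def demo() -> Dict[str, str]:
    """Constructed sample folder: four restored-but-misnamed files and one
    whose content is still scrambled. Returns the rename plan that was applied."""
    with tempfile.TemporaryDirectory() as folder:
        samples = {
            "invoice.pdf.test-encrypted": b"%PDF-1.7\n% constructed sample\n",
            "memo.test-encrypted": _make_zip({"[Content_Types].xml": b"<Types/>",
                                             "word/document.xml": b"<w:document/>"}),
            "budget.test-encrypted": _make_zip({"xl/workbook.xml": b"<workbook/>"}),
            "archive.test-encrypted": _make_zip({"readme.txt": b"plain archive"}),
            # Bit-flipped bytes stand in for content that was never restored.
            "still-encrypted.test-encrypted": bytes(b ^ 0xFF for b in b"%PDF-1.7 sample"),
        }
        for name, data in samples.items():
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(data)
        plan = restore_extensions(folder)
        remaining = set(os.listdir(folder))
        assert remaining == set(plan.values()) | {"still-encrypted.test-encrypted"}
        return plan


if __name__ == "__main__":
    for old, new in demo().items():
        print(f"{old} -> {new}")
```

Run it with `dry_run=True` first against the real synced folder to review the plan before any rename happens, and note that renaming in the local synced copy is what the reply describes as the workable route, since the change then syncs up to SharePoint.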