EFSS Spreads Ransomware; Endpoint Backup Guarantees Recovery
Blog Article Published: 09/14/2016
By Kyle Hatlestad, Principal Architect, Code42 One of the objections I’m hearing more and more is, “Why do I need backup when I have Microsoft OneDrive for Business (or Google Drive, Box or Dropbox for Business)?” On the surface, it may seem like endpoint backup isn’t needed because with an enterprise file sync and share (EFSS) tool, a copy of the data is in the cloud. But if you dig a bit below the surface, you’ll find there are several distinct differences. We cover those in our Top 3 Iron-Clad Reasons Why File Sync/Share is Not Endpoint Backup, so I won’t go into them here. Instead, I thought I would illustrate a situation in which it’s painfully obvious why it’s important to have modern endpoint backup. Every organization today is facing ransomware. No matter how sophisticated your defenses, ransomware invariably finds a way through. For example, Jeff, a recruiter from the Human Resources team, is reviewing resumes to fill a new position. He receives an email with a link to download a resume in Microsoft Word. As part of his process, he downloads the resume to his OneDrive “Job Postings” folder which is shared with his HR co-workers. The document is automatically uploaded to OneDrive and synchronized to his co-workers’ devices. Unfortunately, this is no ordinary resume. It contains a crypto-ransomware. When Jeff opens the resume, the ransomware takes hold and begins encrypting the files on his local device as well as network shares. Because Jeff saves a lot of files in his OneDrive folder, as the ransomware encrypts those files, OneDrive then syncs them to the cloud. And for any shared/team folders he has, the encrypted files are synced to his co-workers as well as to any publically shared files/links. And even though Jeff is supposed to save all of his files to OneDrive, he keeps a bunch on his desktop where he likes to work. He’s also got a big .PST email archive sitting on his device as well. All of those files are being encrypted by the ransomware to lock out access. Because Jeff saved the file to a shared HR folder, the ransomware file now appears on his co-worker Julia’s laptop. Julia takes a peek at the resume and now the ransomware starts attacking her device. At this point, Jeff tries to open one of his files and gets the dreaded ransom note. For just one bitcoin, he can get his data back. He contacts the help desk to let them know what happened and get help. OneDrive keeps previous versions, so no problem, right? Help desk then informs Jeff that he can get his earlier file versions, but he has to do it file-by-file! And for those files that were saved outside of OneDrive, he’s out of luck. Next up is Julia who calls up help desk and is in the same boat as Jeff. Not only did EFSS not help with recovery, it actually spread ransomware! Well, that’s when it becomes clear that EFSS is not a true backup solution. EFSS leaves it up to the user to pick the right spot to save his data. And when it comes time to remediate from an event like ransomware, EFSS is not equipped to handle large restores. Even EFSS vendors themselves recommend having a true backup of the data to recover from an event like ransomware. Hopefully this real-world scenario makes it easier to distinguish the differences between file sync & share and modern endpoint backup—and the advantages of true endpoint backup when recovering from ransomware.