Backup Software

Does Cloud Backup Protect Against Ransomware?

As businesses aggressively move to the cloud for housing business-critical data, the cloud is becoming a target for hackers launching ransomware attacks. Since the onset of the global pandemic, organizations have accelerated the move to the cloud and are leveraging cloud applications more than ever before to provide access to essential applications for remote workers. In general, businesses may have gaps in the protection of their cloud environments, cloud applications, and cloud data in general. As businesses look to backup their cloud environments, does cloud backup protect against ransomware? Is the cloud as vulnerable to traditional ransomware attacks? What is the future of ransomware affecting cloud SaaS environments?

Ransomware attacks against on-premises environments are easier for now

Attackers are still focusing largely in attacking on-premises environments for now. On-premises resources are often easier for cybercriminals to compromise and encrypt data quickly. Ransomware can churn through an on-premises environment and massive amounts of data rather quickly. Cloud uploads and file transfers are rather slow by comparison. So the rate at which current ransomware variants can infect cloud environments is limited in the traditional sense.

However, new ransomware variants for cloud will undoubtedly concentrate on stealing cloud credentials for API write access for more efficient and quick encryption of critical data. There are already ransomware and malware variants that have been shown to gain access to a cloud environment using an OAuth token, unwittingly granted by an admin or end-user duped into thinking they are adding a legitimate application.

Microsoft 365 OneDrive provides enterprise storage in the cloud
Microsoft 365 OneDrive provides enterprise storage in the cloud

Once the ransomware has a legitimate OAuth token, it can easily perform malicious behavior on the resources it has access to very quickly using directly API access. Kevin Mitnick demonstrated how ransomware can easily infect Microsoft 365 Exchange Online email in what he dubbed “Ransomcloud.” The Ransomcloud attack uses a malicious OAuth token to encrypt a user’s email account in real-time.

Ransomware will focus on the cloud in the near future

Attackers realize that businesses are moving more of their production data to the cloud. If the focus of ransomware remains in on-premises environments, attackers will undoubtedly be missing out on a huge opportunity to target critical data and the prospect of forcing businesses to pay the ransom.

We are certainly on the cusp of a paradigm shift in ransomware targets. See the article here: Can ransomware hit your Microsoft 365 data? It details this likely shift in ransomware attacks from 2021 onward as a strong possibility.

Current built-in protection provides good but not bullet proof protection

When you look at the built-in protection provided in Microsoft 365. as an example, it provides the following four protections that help to protect the environment from ransomware. These are:

  • Built-in detection and filtering – In all the Microsoft 365 plans, Microsoft provides scanning and filtering of phishing emails, infected messages, and also SharePoint and OneDrive buit-in anti-malware features. When a user accesses a file or uploads a file it deletes and blocks malware if it is detected.
  • Built-in versioning – Microsoft has versioning built into all the plans for both SharePoint and OneDrive services. Versioning keeps a history of changes made for specific files that can be restored if needed. However, there is a downside to versioning in that any user who can edit the file can also delete the version history! This is not ideal at all. However, it is one of the major shortcomings of the versioning strategy as a means for business-critical recovery.
  • Recover deleted items – IT admins can recover Exchange Online, SharePoint Sites, and OneDrive items within a 30 day window ones items are deleted. The 30 day limitation can be extended if Compliance retention is also turned on.
  • Sandbox functionality – One of the advanced features provided by Microsoft Advanced Threat Protection allows suspicious attachments to be executed in a safe “Sandbox” environment to detect unknown threats, such as zero-day vulnerabilities. However, this is a feature of the higher priced M365 plans such as Business Premium and Office 365 E5.

What are some of the downsides to the recovery mechanisms mentioned above that can lead to data loss?

  • Versioning history is limited. It is possible that if ransomware affects rarely accessed, but critical files, the version history may have already reached the threshold and the item may be unrecoverable.
  • Restoring your OneDrive account to a known good point in time means that you may have legitimate edits and updates that will be lost. This will result in data loss of all the changes made by end-users after this point in time.
  • If a file or folder is deleted and then created and reuploaded, the recovery mechanism will skip it, leaving this particular set of data at risk for data loss.

Why are cloud backups necessary

With the greater protection that comes by default in cloud SaaS environments when compared to on-premises, organizations may assume that backups are still not necessary. However, as ransomware variants evolve to specifically attack cloud SaaS environments, businesses want to be able to take the protection of their data into their own hands and not rely on the built-in mechanisms that we have already discussed as being good, but not bullet proof.

You don’t want to leave your critical data to chance by simply relying on what is provided by default. If you are like me, the defaults are never what you want to stick with long term as there is usually a downside, limitation, or other undesirable outcome in doing so. Leveraging cloud backups along with the built-in recovery means in Microsoft 365 helps to fill the gaps of protection if the damage is not recoverable using the built-in versioning or deleted items recovery.

Also, it goes against best practice to store your backups in the same environment as your production data. This is essentially what you are doing if you use Microsoft to backup Microsoft. In my opinion, this is a bit like storing a backup of your virtual machine on your production SAN. What happens if Microsoft’s Cloud is unavailable and has is suffering from degraded service? You may essentially lose access to production and backups in one fell swoop.


If your business is migrating to the Microsoft 365 cloud or another cloud SaaS environment, do leverage the built-in data recovery capabilities to the extent that works without impacting your business. However, make sure you use a third-party backup solution on top of the native functionality provided. You will certainly thank yourself later when you have access to your backups and have a seamless way to recover your data, outside of the built-in file versioning provided by Microsoft, Google, and others.

Checkout backups as an example of a modern cloud SaaS backup solution that allows protecting your critical data effectively.

Back to top button