Ransomware – Recover better, faster!

In our last two articles on Ransomware we discussed what it was, the impact it can have on your business and some quick steps you can take to ready your business for a Ransomware attack.  Hopefully, these quick wins were of value and you are already much better prepared to fend off your next Ransomware attack. 

If not, feel free to recap on our Ransomware Series via our Cyber Security Index.

We also emphasised the need to reduce your Recovery Time Objective (RTO: how quickly you can get back to doing what your customers need you to do) and Recovery Point Objective (RPO: how much data you accept you will lose). The RPO can be a strange concept, but the idea is simple: if you back up a service at 6 am and suffer an attack at 9 am, you lose 3 hours of that service's data. Hourly backups shorten the RPO; restoring from that backup faster shortens the RTO. Both figures assume the backup itself survived the attack, a point we return to below. Quantifying RTO/RPO requirements for each business-critical service can be a complicated task, and one we are happy to assist with, but in this article we are going to share some low cost (maybe even free) advice to minimise the impact of your next attack.

Reducing your RTO/RPO

Whilst traditional enterprise customers have to work hard to reduce these periods, it is very likely that you are already consuming products that provide, as an added bonus, the ability to significantly cut down your RTO and RPO for business-critical services.  Exchange Online, the email product within Microsoft365, retains deleted items for 14 days by default.  This can be configured up to a maximum of 30 days, but even by default you have two weeks to realise and recover those items.

A common scenario: a standard user loses control of their credentials, and the attacker uses that mailbox access to delete mail, including the evidence of their own activity. A Microsoft365 admin can quickly restore those items; in this scenario your RPO is zero and your RTO depends on how well trained and practised your Microsoft365 admins are.

It is important to note that this is not immutable storage. An attacker who gains admin rights could purge that retained mail as well, defeating the 14-day window. That is a less likely scenario, but if you need a guarantee you need backups that provide true immutability; feel free to reach out if you would like more information on that.

But what about files?  These are the typical attack vector for Ransomware, not emails.

Don’t lose a single important file, for free!

Ok, so strictly speaking it isn't free, but if your users have a Microsoft365 Business or E1 license or better, you already have OneDrive.  A lot of businesses are still using this excellent service for a few ad-hoc manually synchronised files when it could provide a far greater advantage in the event of an attack. Microsoft has built a lot of features into OneDrive, such as alerting the user when it detects ransomware-like activity (mass encryption or deletion of files) and Files Restore, which rolls an entire OneDrive back to any point within the previous 30 days.  For files that were synchronised, that RPO is back down to near zero, and it probably didn't cost you a penny.

What you absolutely need to do is ensure all your business-critical data is protected by virtue of being synchronised into OneDrive, and it is really easy: Known Folder Move redirects users' Desktop, Documents and Pictures folders into OneDrive and can be pushed out by policy.  The detail of configuring devices is beyond the scope of this article, but here are some articles we've found useful, and you can reach out to us for further information if needed.

Are you an Intune user?


Do you utilise Group Policies in Azure or on-premises AD?


Do you have Apple Mac devices?


But are these policies effective?

This is a little trickier to see.  By default, Microsoft365 admins cannot see inside their users' OneDrive sites, either through the admin portals or with PowerShell, without first granting themselves site collection admin rights on each personal site.  That makes it difficult, or maybe even impossible, to centrally track by hand how successful you have been at synchronising all those files into OneDrive.  Do 100% of your users now have some files in OneDrive?  Do 80% have a lot of files?  Which files are they synchronising?  Microsoft provides some great eDiscovery functionality, but it is not going to produce those management dashboards.  For that, we turn to automation utilising two of our favourite tools, PowerShell and ELK.  We do this regularly for our clients, with sensitive data redacted, and we've open-sourced our tooling so you can do it yourself.

Who has what?

To conclude this article, we are releasing our OneDrive inventorying script so you too can generate rather large CSV files containing key information about every file, in every OneDrive instance, within your Office365 tenant.  In a follow-up next week, we will take this CSV output and ingest it into the open-source ELK stack so we can visualise the data.  We considered combining the articles, but we're grateful you made it this far!

We have decided to share our PowerShell script on https://github.com/sqa-consulting/OneDrive-Inventory-Module.  Its premise is simple, and a full README is provided on GitHub.


When provided with admin credentials, it will crawl every OneDrive site in your tenant and record key details of every file: who owns it, how big it is, its extension and when it was created. With this inventory, you can use your own favourite tooling to see which users are synchronising to OneDrive: how many files, which extensions, which folders, and so on. You can rapidly answer key management questions such as:

  1. What’s our rate of adoption across devices?
  2. How many users are now synchronizing their desktops?
  3. What are the key business hours for data creation?
  4. Are we seeing any known malicious extensions on our devices?

The tooling is incredibly verbose, letting you know exactly what it is doing at every step and producing a full audit log. 


We do advise running it under a dedicated, purpose-built admin account, though: the crawl touches every personal site in the tenant, so you will want to include or exclude its activity quickly when reviewing your Microsoft365 audit logs, and to scope and remove that account's elevated access once the run is finished.


Stay tuned for next week's article on visualising this data with ELK.  We will process this output with Logstash, store the data in Elasticsearch and produce those management dashboards with Kibana.

Here is a quick sneak peek of one visualisation showing broad adoption across the organisation.  This simple time chart shows the count of users who have synchronized at least one file, per week, over the last decade!  Can you spot the holiday periods?
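As an added example (not the script from the sqa-consulting repository, and not the ELK pipeline that next week's article will cover), here is how the four management questions listed above and the weekly adoption count in this chart could be computed in Python directly from the per-file CSV. The column names Owner, Path, Extension, SizeBytes and Created, the ISO 8601 timestamp format, the sample rows and the suspect-extension watch-list are all assumptions constructed for the example; adjust load_inventory() to whatever headings your export actually carries.

```python
"""Management-question analysis over a per-file OneDrive inventory CSV.

Added example, not the sqa-consulting OneDrive-Inventory-Module script.
Assumed CSV columns: Owner, Path, Extension, SizeBytes, Created (ISO 8601).
The real script's output may use different headings; adjust load_inventory().
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample rows standing in for the (much larger) real export.
SAMPLE_CSV = """\
Owner,Path,Extension,SizeBytes,Created
alice@example.com,Desktop/report.docx,.docx,48211,2023-03-06T09:12:00
alice@example.com,Documents/budget.xlsx,.xlsx,120300,2023-03-07T14:40:00
bob@example.com,Documents/notes.txt,.txt,900,2023-03-08T11:05:00
bob@example.com,Desktop/installer.exe,.exe,3145728,2023-03-13T08:55:00
carol@example.com,Pictures/holiday.jpg,.jpg,2048000,2023-03-14T22:30:00
carol@example.com,Documents/invoice.pdf.locked,.locked,51200,2023-03-21T10:15:00
"""

# Illustrative watch-list only (an assumption for the example); build the
# real one from your current threat intelligence and tune it per tenant.
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".exe", ".scr"}


def load_inventory(text):
    """Parse the CSV export into dicts with typed SizeBytes/Created fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["SizeBytes"] = int(row["SizeBytes"])
        row["Created"] = datetime.fromisoformat(row["Created"])
        rows.append(row)
    return rows


def adoption(rows, licensed_users):
    """Q1: share of licensed users with at least one file in OneDrive.

    A per-file export naturally lists only users who have files, so the
    licensed-user list (e.g. from Get-MgUser) must be supplied to find the
    users who have synchronised nothing at all.
    """
    active = {r["Owner"] for r in rows}
    return len(active & set(licensed_users)) / len(licensed_users)


def desktop_syncers(rows):
    """Q2: users whose Desktop folder is being redirected into OneDrive."""
    return sorted({r["Owner"] for r in rows
                   if r["Path"].split("/", 1)[0].lower() == "desktop"})


def creation_hours(rows):
    """Q3: files created per hour of day (timestamps assumed tenant-local)."""
    return Counter(r["Created"].hour for r in rows)


def flagged_files(rows, watchlist=SUSPECT_EXTENSIONS):
    """Q4: (owner, path) pairs whose extension is on the watch-list."""
    return [(r["Owner"], r["Path"]) for r in rows
            if r["Extension"].lower() in watchlist]


def weekly_active_users(rows):
    """Distinct owners who created at least one file, per ISO week.

    Approximates the 'users who synchronised at least one file per week'
    chart: the inventory records creation time, not first-sync time.
    """
    weeks = defaultdict(set)
    for r in rows:
        year, week, _ = r["Created"].isocalendar()
        weeks[f"{year}-W{week:02d}"].add(r["Owner"])
    return {w: len(owners) for w, owners in sorted(weeks.items())}


if __name__ == "__main__":
    inv = load_inventory(SAMPLE_CSV)
    licensed = ["alice@example.com", "bob@example.com",
                "carol@example.com", "dave@example.com"]
    print("adoption:", adoption(inv, licensed))
    print("desktop syncers:", desktop_syncers(inv))
    print("creation hours:", sorted(creation_hours(inv).items()))
    print("flagged:", flagged_files(inv))
    print("weekly active users:", weekly_active_users(inv))
```

Point load_inventory() at the real export (csv.DictReader accepts an open file just as readily as the inline string) and feed it the tenant's licensed-user list; the adoption figure is only meaningful when users with zero files are counted, which the per-file export alone cannot tell you.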


What can SQA Consulting do for you?

Do you have an ongoing incident? 

SQA Consulting can rapidly mobilise an on-site team to contain and eradicate the threat, minimising impact and protecting data.  Our analysts can dig into that malware, looking for any weaknesses you can exploit to recover your data.

Not been hit? 

It is often only a matter of time until your business is disrupted.  Book your ransomware readiness audit now to have our team assess your risk against industry-recognised frameworks.   It includes in-depth analysis, such as the OneDrive guidance and adoption analysis discussed here, alongside traditional framework-driven risk reduction. By being prepared, you can reduce the likelihood of an attack, minimise data loss and shorten your recovery period.


Contact SQA Consulting for further information on:

  • Reducing the likelihood of an attack
  • Mitigating the impact of a successful attack
  • Significantly reducing the time to recovery
