Backing up cloud data - yes or no?
Any sysadmin worth their salt doesn’t rely on Microsoft or Google backing up their data for them. Any time you call Microsoft to recover any files or folders, it is a 3-day minimum call-back, as it will need to be escalated to an L2 or L3 engineer.
Therefore you are more likely to succeed at recovering files and folders from your own backups. I have heard tales of crypto-locked files and folders in Google Drive, SharePoint, and OneDrive. If you are cost conscious and are considering not getting a Managed Services Provider like us to back up G Suite or SharePoint, it depends on how critical that data is to your company.
Can Google Drive become infected?
The way this would happen is that a user clicks on a link in a phishing email, and the data on their computer becomes encrypted. The Google Drive program on the PC then synchronises the data with the Google server. All of the files and folders under that user’s account will then be encrypted. Any files and folders shared with other staff members will then be infected, and it could spread through the whole organisation’s data set.
A Google Product expert recently said on a Google Product forum:
“Encrypted ransomware files will sync back to the Google Drive server. You may be able to restore the files to a previous version but unfortunately, there isn’t much of a solution besides this. Best of luck to you!”
Can Gmail become infected?
Gmail blocks incoming messages that fail a virus scan.
A virus can’t spread through your Gmail account. The risk, though, is the password getting changed, your contacts getting SPAM emails from your account, and your backup contact settings being changed, e.g. secondary email account and recovery email account.
Does SharePoint O365 need to be backed up?
Yes it does; just like Google Drive it can get encrypted. SaaS applications are not immune from ransomware attacks, and most strains of ransomware attack Office 365 via ActiveSync and OneDrive sync.
I normally back up my clients’ SharePoint Online sites manually, by logging onto SharePoint Online, going to each site, and downloading files and folders to an onsite PC, and then having that PC on a rotating external hard drive backup policy; that way the SharePoint sites are covered by the 3-2-1-0 backup policy.
I am currently testing the O365 Veeam backup solution, and will cover this in a forthcoming O365 Veeam backup guide madBLOG.
Real-world Disaster Project
We recently completed a week-long ransomware project for a client. It was a nationwide franchise, and there were almost 20 franchises affected. I was contracted to help get some sites back online and had no earlier interaction with the client. Basically the client experienced outages of 8 business days of no trading. Not all sites were infected, but all sites had to be isolated (networks taken down), and then all PCs, servers, and laptops had to be checked for infection. Once reported clean, the franchise could still not commence trading, as the branch manager had to report to the area manager, then the area manager reported to head office. So still 8 days no trading for UNAFFECTED SITES; as it was such a big organisation, a lot of communication was involved, with lots of different people involved.
Now the affected sites took longer, as servers had to be re-imaged: installing drivers, the ESXi host, creating VMs (virtual machines), installing the server operating system, configuring network IP addressing, etc. Those sites took longer, and some sites got re-infected! Some other sites had backups infected also, so a complete disaster, with lots of cost!
The best way to prevent a scenario like this is by following the 3-2-1-0 backup policy:
3 copies of data - local hard drive, onsite external drive backup storage, cloud backup copy of data.
2 types of media - physical hard drive and cloud storage.
1 copy of data offsite - either a rotated external hard drive kept offsite, or a cloud backup destination.
0 errors - which you can expect if you follow the above policy, and even better, regular disaster recovery testing.
The disaster recovery plan is the best way to ensure minimum downtime for sites, but is not implemented enough due to the cost and time involved. A proper disaster recovery plan is tested using real-world scenarios. This can be done in a virtual environment, NOT PRODUCTION, so as not to affect uptime. You simply create the virtual environment, e.g. two servers (file/print and domain controller) and twenty workstations, with domain accounts. You then act out something like a ransomware virus being granted domain administration access via a domain admin user clicking on a phishing link.
Ideal recovery timeline:
Local files on workstation are encrypted, files and folders on servers are also encrypted.
Workstations and servers inspected for infection - POSITIVE
Onsite external backups INFECTED.
All workstations and servers taken offline.
Servers and workstations hard drives formatted.
Offsite backup drive last backup taken two weeks earlier.
Reboot off recovery media, and restore to the point in time two weeks earlier (fastest recovery).
Last two weeks’ data missing from the recovery media recovered from cloud backups.
Workstations formatted and operating systems re-installed. All user data stored on servers, accessed via network drives.
For 2 infected servers and 10 infected workstations, expected recovery effort: 4 x engineers (2 x L2, 2 x L1), two shifts of 8 hours each, approximately 32 hours support, approximately $4800 excluding GST if not covered under contract.
The affected business faces 8 hours (1 business day) of downtime (not too bad).
You can test backups regularly, weekly or monthly, to make sure they are working OK. Acting out the scenario (via disaster recovery planning) is more thorough and helps find more details that can train-wreck a production recovery.
Listed above is a perfect scenario for disaster recovery of your production environment. With no backups in place and no disaster recovery in place, the cost and time out of production can rise to weeks and tens of thousands of dollars in labour cost getting back online. Not to mention the public disclosure to your clients that you may be liable to make, as well as damage to your company’s reputation, unhappy staff, loss of revenue, etc.
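As an added example (not the author’s own tooling, and not part of the original post), here is a small Python backup-verification script that makes the “0 errors” in 3-2-1-0 and the advice to test backups regularly concrete: it records a SHA-256 manifest when the backup is taken, then checks a backup copy against it, so a copy that was encrypted in place (the “onsite external backups INFECTED” line in the timeline) is reported as errors instead of being trusted at restore time. The file names and contents in demo() are constructed.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(src: Path) -> dict:
    """Record relative path -> SHA-256 for every file at backup time."""
    return {str(p.relative_to(src)): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}

def verify_copy(copy: Path, manifest: dict) -> dict:
    """Compare one backup copy against the manifest; anything off is an error."""
    missing = [rel for rel in manifest if not (copy / rel).is_file()]
    modified = [rel for rel in manifest if (copy / rel).is_file()
                and sha256_file(copy / rel) != manifest[rel]]
    extra = [str(p.relative_to(copy)) for p in sorted(copy.rglob("*"))
             if p.is_file() and str(p.relative_to(copy)) not in manifest]
    return {"missing": missing, "modified": modified, "extra": extra,
            "errors": len(missing) + len(modified) + len(extra)}

def demo() -> tuple:
    """Constructed scenario: a clean external-drive copy passes, while a copy
    that was overwritten in place (and had a ransom note dropped) fails."""
    root = Path(tempfile.mkdtemp())
    try:
        src = root / "share"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q1.xlsx").write_bytes(b"quarterly figures")
        (src / "readme.txt").write_text("staff handbook")
        manifest = build_manifest(src)            # taken when the backup ran
        clean = root / "external_drive"
        shutil.copytree(src, clean)
        infected = root / "infected_drive"        # the 'onsite backups INFECTED' case
        shutil.copytree(src, infected)
        (infected / "finance" / "q1.xlsx").write_bytes(b"\x93\x1f\xc2\x07junk")
        (infected / "readme.txt").rename(infected / "readme.txt.locked")
        (infected / "RESTORE_FILES.txt").write_text("constructed ransom note")
        return verify_copy(clean, manifest), verify_copy(infected, manifest)
    finally:
        shutil.rmtree(root)
```

Run verify_copy against each of the three copies (local, onsite external, cloud) on the weekly or monthly schedule mentioned above; a non-zero error count on any copy is the signal to investigate before you need that copy for a restore.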