Ransomware’s clear and present danger to SaaS application data

Protection April 07, 2023

Everyone who hasn’t been living under a rock for the past five years or so is aware of ransomware and the very real threat it is. (If you have been under that rock, ransomware is a specific type of malware that denies its victims access to their own data by encrypting it, and then the bad actor offers to provide the decryption key – after they receive a large payment in bitcoin, naturally.)

The thing that not everybody knows is that data in your SaaS applications, like Microsoft 365 and Salesforce, are not immune to ransomware. Let me explain.

Typically, a ransomware attack succeeds when one of your users receives a phishing email message and then clicks on a link they shouldn’t have. This triggers the ransomware to start, and it will then encrypt everything on the user’s device.


The very real threat to SaaS application data

SaaS applications like SharePoint Online and OneDrive for Business make users’ workdays easier by presenting the file shares to the user’s device as if they were drives installed locally on the device. This is, of course, very convenient and allows inexperienced users to start using the shared file repositories without any training required.

However, if the user’s laptop treats the SharePoint and OneDrive collections as though they were local drives, ransomware will also see all those files as if they’re on the laptop. Any one individual user is unlikely to have write access to all of those files, but they’ll have enough access to create a giant headache for your organization. Plus, giving someone write access to a folder – so they can upload files into it – also grants write access to the folder’s content – and all the sub-folders below it.

One of the things that makes a successful ransomware attack on shared file repositories even worse for you is that the only way to figure out the full list of files that the ransomware encrypted would be to go through every single folder and check every single file. It could be hundreds or thousands of affected files. Business just does not have time for that.
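The folder-by-folder check described above can at least be scripted for triage. The following is an added example, not part of the original article or of any Veritas product: it walks a locally synced copy of a share and flags files changed since a suspected infection time whose content no longer looks like what the file name promises. The function names, the small header table and the 7.5 bits-per-byte threshold are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter

# Leading bytes of a few common document formats (illustrative subset, not exhaustive).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".pptx": b"PK\x03\x04",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; encrypted content approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root, since_epoch, sample=65536, threshold=7.5):
    """Return sorted (relative_path, reason) pairs for recently changed files that look encrypted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getmtime(path) < since_epoch:
                    continue  # untouched since before the suspected attack
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # unreadable file; review it separately
            ext = os.path.splitext(name)[1].lower()
            magic = MAGIC.get(ext)
            rel = os.path.relpath(path, root)
            # Known formats are often compressed (high entropy when healthy),
            # so they are judged by header; entropy is used only for other extensions.
            if magic and not head.startswith(magic):
                hits.append((rel, "header does not match extension"))
            elif magic is None and shannon_entropy(head) > threshold:
                hits.append((rel, "high entropy, unknown extension"))
    return sorted(hits)

if __name__ == "__main__":
    import sys, time
    for rel, why in triage(sys.argv[1], time.time() - 24 * 3600):
        print(rel, why, sep="\t")
```

Legitimately compressed files with extensions outside the table (archives, video) will also exceed the entropy threshold, so the output is a review list, not a verdict.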

If only the data local to the laptop were encrypted by ransomware, the fastest, easiest, and best solution would be for IT to reformat the laptop’s drives and install a new image on it, returning the laptop to its previous safe state. Taking a similar approach to SharePoint and OneDrive would be disastrous for an organization.


Why ransomware is especially bothersome

The best defense against ransomware, naturally, would be to prevent it from happening to your organization in the first place. The best ways to do this are data security and user education.

You can set up a solution to scan all incoming emails for ransomware and other malware. The problem with this is that those solutions are only 100% certain about the specific attacks they’re already aware of. Sure, you can set up your scanning to flag anomalies in messages, but the sheer volume of email messages that you want to let through would cause serious business delays if you need to check every anomaly manually. Things are made more difficult because the bad actors are constantly evolving their ransomware in order to get it past such scanning. On top of all of that, the sheer frequency of ransomware attacks – approximately 16 attacks every second in 2022 – makes things even more difficult.

User education on recognizing and avoiding phishing attempts of any sort is something all organizations should be doing. Even with the best education and most diligent students, in the end, your users are human and therefore prone to making mistakes.

I’ve always thought that the scariest thing about ransomware is that, for practical purposes, your organization is never farther away from a successful attack than a single misclick by any one of your users.


What we can do about ransomware

Since it’s unrealistic to think that anyone can ever guarantee the prevention of 100% of all ransomware attacks, what can your organization do? If you can’t prevent the problem, where does that leave you?

What you can do is to be prepared to bounce back as quickly as possible should your organization fall victim to a ransomware attack. The best way to do this is to have a reliable, clean, recent backup copy of your data.

This is exactly what our solution, Veritas Alta™ SaaS Protection, provides for SaaS application data.

Veritas Alta SaaS Protection connects directly to the SaaS applications’ APIs to capture data changes in incremental backups and stores the backup data in the cloud – entirely separate and isolated from the SaaS application itself. By keeping the backups isolated, there’s a near-zero chance of ransomware even being able to find and reach the backup data.

But “near-zero” wasn’t good enough for us, so Veritas Alta SaaS Protection stores all backup data on immutable storage. This means that once stored, the data cannot be changed or deleted before the expiration of the retention period that you set. So, in the extraordinarily unlikely event that ransomware could even get close to your backup data, there’s nothing it would be able to do to it.

Veritas Alta SaaS Protection has two additional features that make it even better suited to be your “in case of emergency” solution. First, it has the ability to perform point-in-time restores. This means you’ll be able to use it to restore your SaaS application data to the last known pre-ransomware point. Restoring this known-good copy of data to replace the encrypted data will make all your data ransomware-free again.

The second important feature is Veritas Alta SaaS Protection’s high performance. This enables it to restore your data quickly and efficiently, enabling your business to be back up and running again as soon as you can following a ransomware attack. But believe it or not, that’s not the best thing about our high performance. While other SaaS backup solutions talk about backup frequency in terms like “once per day” or “up to 4 times a day”, our customers are thinking about backups in terms of multiple incremental backups each hour or terms like “every 15 minutes”.

This is a very big deal. The closer your most recent backup was to the moment just before the ransomware attack took hold, the less data you’ll lose to the attack. If you’re only backing up once a day, you have the potential to lose the last 24 hours’ worth of new and changed data. If you’re backing up every 15 minutes, you will only potentially lose data that was new or changed in the last 15 minutes. You don’t need to do the math to see how much better off you’d be with Veritas Alta SaaS Protection than with other SaaS backup solutions.

Hopefully, you’re now interested in learning more about our solution, especially in how it can help your organization achieve resiliency to ransomware. I suggest reading our solution brief on the topic and checking out our product overview. If you like what you learn, your next best step would be to contact us to schedule a demo today!

I wish you all ransomware-free days ahead.

Dave Henry
Product Marketing Manager, Veritas Alta SaaS Protection