
Druva Documentation

Ransomware Recovery for Microsoft 365

License editions: To understand the applicable license editions, see Plans & Pricing.

Introduction

The risk of a cybersecurity failure is no longer limited to the reputation of a company or something to be borne by its customers but is an existential risk to the company itself. Ransomware extorts the business with the one universal thing all businesses value – their own data. Needless to say, you need to be well prepared for this danger.

In this article, we will help you understand how Ransomware Recovery by Druva can help save the day in case you are unfortunately attacked by ransomware.

In the event of an infection, quarantining isolates the infected parts to contain the infection and stop it from spreading. To this end, Ransomware Recovery lets you quarantine infected snapshots on the impacted resources, which safeguards your environment from further infection by barring users and administrators from downloading those snapshots or restoring them to other resources.

To reduce downtime and loss of productivity, you can restore the data from the latest secure snapshot that you deem safe and get the resource operational again.

You can use Ransomware Recovery to quarantine infected snapshots in either of the following ways:

  • Manually search for the impacted resource and quarantine the infected or all the snapshots.
  • Integrate Ransomware Recovery with third-party security and incident response solutions and automate the response to quarantine the resources using Ransomware Recovery APIs.

Know the impact of quarantining

  • After you quarantine snapshots, access to the quarantined snapshots is blocked for the administrators and the users of that resource.
  • Administrators and users cannot download or restore data from the quarantined snapshots. You can identify quarantined snapshots by the lock icon displayed beside the snapshot creation timestamp in the Restore Data window. For more information about restoring from quarantined snapshots, see Restore OneDrive Data, Download OneDrive Data, Restore SharePoint Online Data, and Download SharePoint Online Data.

    [Screenshot: quarantined snapshot marked in the OneDrive Restore Data window]

  • The data in the unquarantined (clean) snapshots of the resource is still accessible and can be viewed, downloaded, or restored by administrators and users.

Decide your approach

Druva lets you decide how to respond with Ransomware Recovery. You can either manually quarantine snapshots on an impacted resource, or automate the quarantine process by integrating with third-party security and incident response solutions using the Ransomware Recovery APIs.

Manually quarantine infected snapshots

Manually quarantining the snapshots on a resource is useful when you learn about an impacted resource (OneDrive or SharePoint site) from a trusted source, such as the user or an alert about a potential risk raised by your security infrastructure or antivirus software.

Prerequisites

Identify the probable date when the resource was infected by ransomware. This helps you decide the date from which you want to quarantine the snapshots on the resource.

Note: If you do not know or are not sure about the date, you can quarantine the snapshots of the impacted resource from the current date, or from November 10, 2019, a system-defined limit before which Druva cannot quarantine snapshots.

You can always talk to the people in your organization whose resources are impacted and trace the activity, such as the files they downloaded or opened on a particular day, that may have infected the resource.

Choose the best way to quarantine the resource

You can manually quarantine resources using any of the following methods:

  • Search and then quarantine a resource - Use this option when you want to search for an impacted resource, identify the snapshots, and then quarantine those snapshots. To use this option, see Search and quarantine a resource.
  • Quarantine resources in bulk using CSV (For OneDrive) - Use this option when you have to quarantine multiple resources and already have the following information available, to save effort.
    • Email - Email address of the users whose snapshots need to be quarantined.
    • Resource Type - The type of the data source: OneDrive.
    • From Date - The date from which you want to quarantine the snapshots, in the YYYY-MM-DD format. This should be the date on which the resource was impacted. If you do not enter a date, Druva quarantines all snapshots of the resource from November 10, 2019 onwards.
    • To Date - The date until which you want to quarantine the resource, in the YYYY-MM-DD format. If you want to quarantine snapshots in a specific time period, enter the date until which Druva should quarantine snapshots. If you do not enter a date, Druva keeps quarantining snapshots indefinitely.
      To use this option, see Quarantine snapshots in bulk using CSV for OneDrive.
  • Quarantine resources in bulk using CSV (For SharePoint) - Use this option when you have to quarantine multiple resources and already have the following information available, to save effort.
    • Site Title - The title of the SharePoint site that needs to be quarantined.
    • URL - The URL of the SharePoint site that you want to quarantine.
    • From Date - The date from which you want to quarantine the snapshots, in the YYYY-MM-DD format. This should be the date on which the resource was impacted. If you do not enter a date, Druva quarantines all snapshots of the resource from November 10, 2019 onwards.
    • To Date - The date until which you want to quarantine the resource, in the YYYY-MM-DD format. If you want to quarantine snapshots in a specific time period, enter the date until which Druva should quarantine snapshots. If you do not enter a date, Druva keeps quarantining snapshots indefinitely.
      To use this option, see Quarantine snapshots in bulk using CSV for SharePoint sites.

Search and quarantine a resource

Use this option when you want to search for a resource, identify its snapshots, and then quarantine them.

Procedure

  1. Log in to the Druva Cloud Platform (DCP) Console.
  2. On the DCP Console dashboard, under Cyber Resilience, click the Ransomware Recovery service.
  3. On the left pane, click Quarantine Bay to view a list of all quarantined resources.
  4. Click Add Resources > Find Resources. Select the resource type as per your requirement.
     • For OneDrive: Select the User's Datasources resource type.
     • For SharePoint: Select SaaS Org Apps as the resource type and SharePoint as the app type.
  5. Search for the impacted resources. You can search using either or a combination of the following, depending on the data source:
     • For OneDrive: Profiles and Users
     • For SharePoint: Site Title or Site URL

     [Screenshot: Find Resources for OneDrive]

  6. Select the resource for which you want to quarantine the snapshots and click Next. For OneDrive, select Device Name. For SharePoint, select SharePoint Site.
  7. On the Quarantine Response page, select one of the following based on the information available to you:
     • Quarantine all snapshots from the impacted date - Choose this option only if you are sure about the date when the resource was impacted. If you are not sure about the date, choose the next method, Quarantine all snapshots.
       When you choose Quarantine all snapshots from the impacted date, you specify the date from which all snapshots are marked as quarantined. Druva also keeps quarantining the snapshots that subsequent backups create on the resource.
       • You cannot select snapshots for quarantine earlier than November 10, 2019.
       • Druva uses the UTC time zone to quarantine a resource. For User's Data Sources (OneDrive), factor in the difference between the device time zone and UTC when selecting the dates.
     • Quarantine all snapshots - Choose this method if you are not sure about the exact date when the resource may have been impacted. When you choose Quarantine all snapshots, Druva quarantines all the snapshots after November 10, 2019 (a system-defined limit) and keeps quarantining the snapshots that subsequent backups create on the resource.

       [Screenshot: Quarantine all snapshots from selected date]

  8. Click Finish.

Druva starts quarantining the snapshots from the specified date and also quarantines the snapshots created by subsequent regular backups. See What's next to take the suggested course of action.

Quarantine snapshots in bulk using CSV (For OneDrive)

Use this option when you want to quarantine snapshots for multiple OneDrive users.

Procedure

  1. Log in to the Druva Cloud Platform (DCP) Console.
  2. On the DCP Console dashboard, under Cyber Resilience, click the Ransomware Recovery service.
  3. On the left pane, click Quarantine Bay to view a list of all quarantined resources.
  4. Click Add Resources > Import CSV. The Import from CSV dialog box appears.
  5. Download the sample CSV file.
  6. Open the CSV file and provide the following information in the required format:
    • Email - Email address of the users whose snapshots need to be quarantined.
    • Resource Type - The type of the data source: OneDrive.
    • From Date - The date from which you want to quarantine the snapshots, in the YYYY-MM-DD format. This should be the date on which the resource was impacted.

      If you do not enter a date, Druva quarantines all snapshots of the device from November 10, 2019 onwards.

    • To Date - The date until which you want to quarantine the resource, in the YYYY-MM-DD format. If you want to quarantine snapshots in a specific time period, enter the date until which Druva should quarantine snapshots.

      If you do not enter an end date, Druva keeps quarantining snapshots indefinitely.

    [Screenshot: sample CSV for OneDrive]

  7. Save the CSV.
  8. On the Import from CSV dialog box, select the CSV file and click Import.

Quarantine snapshots in bulk using CSV (For SharePoint)

Use this option when you want to quarantine snapshots for multiple SharePoint sites.

Procedure

  1. Log in to the Druva Cloud Platform (DCP) Console.
  2. On the DCP Console dashboard, under Cyber Resilience, click the Ransomware Recovery service.
  3. On the left pane, click Quarantine Bay to view a list of all quarantined resources.
  4. Click Add Resources > Import CSV. The Import from CSV dialog box appears.
  5. Download the sample CSV file.
  6. Open the CSV file and provide the following information in the required format:
    • Site Title - The title of the SharePoint site that needs to be quarantined.
    • URL - The URL of the SharePoint site that you want to quarantine.
    • From Date - The date from which you want to quarantine the snapshots, in the YYYY-MM-DD format. This should be the date on which the resource was impacted.

      If you do not enter a date, Druva quarantines all snapshots of the SharePoint site from November 10, 2019 onwards.

    • To Date - The date until which you want to quarantine the resource, in the YYYY-MM-DD format. If you want to quarantine snapshots in a specific time period, enter the date until which Druva should quarantine snapshots.

      If you do not enter an end date, Druva keeps quarantining snapshots indefinitely.

    [Screenshot: sample CSV for SharePoint]

  7. Save the CSV.
  8. On the Import from CSV dialog box, select the CSV file and click Import.

After the CSV is validated, Druva starts quarantining the snapshots on the devices of the OneDrive users and the SharePoint sites listed in the CSV.

You have successfully quarantined the infected resources, which will now help contain the ransomware attack. Refresh the Ransomware Recovery page to view the quarantined list of resources.
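The following added example (not Druva's own tooling) shows how the bulk-quarantine CSV described in both the OneDrive and the SharePoint procedures above can be assembled and checked before import, and applies the UTC-date rule from the search-and-quarantine procedure. The column headers are assumed from the field names on this page; confirm them against the sample CSV you download from the Import from CSV dialog box.

```python
import csv
import io
from datetime import date, datetime, timedelta, timezone

EARLIEST = date(2019, 11, 10)  # system-defined limit: Druva cannot quarantine earlier snapshots
# Assumed headers, taken from the field names on this page; verify against Druva's sample CSV.
ONEDRIVE_COLUMNS = ["Email", "Resource Type", "From Date", "To Date"]
SHAREPOINT_COLUMNS = ["Site Title", "URL", "From Date", "To Date"]


def impact_date_utc(local_ts: str, utc_offset_hours: float) -> str:
    """Druva quarantines by UTC calendar date. Convert a device-local timestamp
    (ISO 8601, e.g. '2024-03-01T23:30:00') plus the device's UTC offset to YYYY-MM-DD."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.fromisoformat(local_ts).replace(tzinfo=tz)
    return local.astimezone(timezone.utc).date().isoformat()


def check_dates(from_date: str, to_date: str) -> None:
    """Reject rows that the import would not accept or that would mis-scope the quarantine.
    An empty From Date means 'from 2019-11-10'; an empty To Date means 'indefinitely'."""
    start = date.fromisoformat(from_date) if from_date else EARLIEST
    if start < EARLIEST:
        raise ValueError(f"From Date {from_date} is before the {EARLIEST} limit")
    if to_date and date.fromisoformat(to_date) < start:
        raise ValueError(f"To Date {to_date} is before From Date {start}")


def build_csv(rows: list[dict], columns: list[str]) -> str:
    """Render validated rows as the CSV text to upload via Import from CSV."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        if "Resource Type" in columns:
            row.setdefault("Resource Type", "OneDrive")  # the only valid value for this CSV
        check_dates(row.get("From Date", ""), row.get("To Date", ""))
        writer.writerow({c: row.get(c, "") for c in columns})
    return out.getvalue()


def demo() -> tuple[str, str]:
    """Constructed sample input: one OneDrive user whose device (UTC-8) was hit late on
    2024-03-01 local time, and one SharePoint site whose impact date is unknown."""
    onedrive = [{"Email": "user@example.com",
                 "From Date": impact_date_utc("2024-03-01T23:30:00", -8)}]  # -> 2024-03-02 UTC
    sharepoint = [{"Site Title": "Finance",
                   "URL": "https://example.sharepoint.com/sites/finance"}]
    return build_csv(onedrive, ONEDRIVE_COLUMNS), build_csv(sharepoint, SHAREPOINT_COLUMNS)
```

Note that the local-time conversion can move the From Date to the next UTC day, which is exactly the case the time-zone caveat warns about: quarantining from the local date alone would leave the first infected snapshot unquarantined.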

What’s next?

Now that you have quarantined the infected snapshots, you can take the following actions to contain the ransomware and bring the resource back up to resume productivity.

 We highly recommend that you work with your Data Security and IT teams to take appropriate steps to resolve such a situation.

  • Share the impacted device or SharePoint site with the Data and Information Security team of your organization for further analysis of the infected data and the resource.
  • (For OneDrive) Exclude the suspected files and folders from being backed up. Once you identify the name, file type, or file extension impacted by the ransomware, you can create an exclusion list of files and folders and restrict them from being backed up from other user devices.
  • (For OneDrive) Provide a new device to the user. When you replace the infected device with a new one, you can restore the last clean snapshot to the new device during the device replace process. Once you replace the device, ensure that you unquarantine future snapshots of the impacted device; otherwise, Druva keeps quarantining the snapshots even on the new device. To unquarantine a resource, see Unquarantine a resource.
  • (For SharePoint) Exclude the suspected subsites from being backed up. Once you identify the SharePoint site impacted by the ransomware, you can use the Relative URL Paths option to exclude specific site data and restrict them from being backed up.
  • (For SharePoint) Provide a new site for backup. When you replace the infected site with a new one, you can restore the last clean snapshot to the new site. Once you replace the site, ensure that you unquarantine future snapshots of the impacted site; otherwise, Druva keeps quarantining the snapshots even on the new site. To unquarantine a resource, see Unquarantine a resource.

Unquarantine a resource 

After you have completed the required inquiry into the impacted resources with the help of your Data Security and IT teams, you may find that some resources were falsely marked as ransomware impacted. In this case, you can remove the resource and its snapshots from the quarantined state and mark them as clean.

After you unquarantine the snapshots, inSync administrators and users can again securely restore and download data from those clean snapshots, so no data is lost.

Procedure

  1. Log in to the Druva Cloud Platform (DCP) Console.
  2. On the DCP Console dashboard, under Cyber Resilience, click the Ransomware Recovery service.
  3. On the left pane, click Quarantine Bay.
  4. Select the Resource Name that you want to remove.

     [Screenshot: Quarantine Bay listing]

  5. Click more options > Remove from Quarantine Bay.

Once removed, users and administrators can access the data in the unquarantined snapshots and can download and restore it.

Delete infected snapshots of a resource

Note: You cannot delete snapshots of a resource if Data Lock is enabled for that resource in the backup configuration.

You might have to clean the existing device or SharePoint site, or provide a new device or SharePoint site to the user, after your Data or Information Security teams have completed their analysis of the impacted resource.

Deleting a snapshot is irreversible. You cannot access or recover any data from the deleted snapshots. The deleted snapshots are not displayed in the Restore window in the inSync Management Console, nor in the inSync Client or the Web Restore window.

Note: You cannot delete the last clean snapshot of the resource. The last clean snapshot is marked with an info icon indicating that the snapshot cannot be deleted.

[Screenshot: latest clean OneDrive snapshot marked as not deletable]

Procedure

  1. Log in to the Druva Cloud Platform (DCP) Console.
  2. On the DCP Console dashboard, under Cyber Resilience, click the Ransomware Recovery service.
  3. On the left pane, click Quarantine Bay.
  4. Click the resource name to view the snapshots of that resource.
  5. Click the Snapshots tab. The list of all the infected snapshots is displayed.

     [Screenshot: quarantined snapshots with the delete option]

  6. On the Confirm Deletion pop-up, specify the reason for deletion (the reason is mandatory and must be between 10 and 150 characters) and then click Delete. Data once deleted cannot be retrieved. The reason for deletion is captured in the Audit Trail for auditing purposes.

Automatically quarantine infected snapshots using APIs

You can use APIs to integrate Ransomware Recovery with your existing security tools or build custom scripts to automatically take action if there is a ransomware attack. 

Here are a few links to help you get started:

The following workflow applies when you know the IDs of the infected devices and the date of infection, and want to quarantine snapshots using the APIs.

[Workflow diagram]