O365

How to prevent ransomware-encrypted files from syncing to OneDrive for Business

On premises, we can use the File Screening Management feature of File Server Resource Manager (FSRM), which is part of the Windows Server operating system.

When we move to the cloud we need an equivalent control, and this is one way to get it. Many companies use OneDrive for Business, and there we can prevent encrypted files from being synced to OneDrive for Business with minimal admin effort and low user impact.

This is an example of a site that maintains an updated list of file extensions used by ransomware:

Anti-Ransomware File System Resource Manager Lists
https://fsrm.experiant.ca/
Here is some information from the FBI:

How to setup “Block syncing of specific file types” with OneDrive for Business

Open the OneDrive admin center at https://admin.onedrive.com

Click Sync

Select “Block syncing of specific file types”

Click “Add file name extensions”

Insert the list of file extensions you don't want to sync to OneDrive for Business.

This list of file extensions needs to be updated whenever the bad guys start using new file extensions.

Click Save

The file extensions in your list will now not be synced to OneDrive.
This also works on devices that you don't have any management control over.
This is not a way to prevent ransomware, but a way to keep already encrypted files from being uploaded to OneDrive for Business.
Please remember to back up your company data.
Don't stop patching Windows.
Where it is possible, use application whitelisting only.
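
The list pasted into the dialog has to contain file extensions, while ransomware lists such as the FSRM one linked above are typically written as file screen patterns. The following PowerShell is an added example, not part of the original post: it reduces such patterns to an extension list and reports the entries that need manual review. The sample patterns and `$businessExtensions` are constructed, the function name is hypothetical, and the commented `Set-SPOTenantSyncClientRestriction` call assumes the SharePoint Online Management Shell is used as the scripted equivalent of the setting above.

```powershell
# Constructed sample patterns, written in the style of an FSRM ransomware file group.
$patterns = @(
    '*.locky', '*.LOCKY', '*.cerber3', '*.crypt', '*.zepto', '*.encrypted',
    '*.docx',                    # deliberately bad entry, to show the guard below
    '*.id-*.locked',             # wildcard inside the extension: no single extension
    '_HELP_instructions.html',   # ransom note file name, not an extension
    'HELP_DECRYPT*.txt'
)

# Constructed list of extensions the business relies on; these are never blocked.
$businessExtensions = @('docx', 'xlsx', 'pptx', 'pdf', 'txt', 'jpg', 'png', 'zip')

function ConvertTo-OneDriveExtensionList {
    param(
        [string[]] $Pattern,
        [string[]] $Protected = @()
    )
    $kept    = [System.Collections.Generic.List[string]]::new()
    $skipped = [System.Collections.Generic.List[string]]::new()
    foreach ($p in $Pattern) {
        # Accept only "*.ext" where ext is a plain token (no wildcard, dot or space).
        if ($p -match '^\*\.([A-Za-z0-9_\-]+)$') {
            $ext = $Matches[1].ToLowerInvariant()
            if ($Protected -contains $ext) { $skipped.Add($p) }          # would block real work
            elseif (-not $kept.Contains($ext)) { $kept.Add($ext) }       # de-duplicate
        }
        else {
            $skipped.Add($p)     # file name or wildcard pattern: cannot be expressed here
        }
    }
    [pscustomobject]@{
        Extensions = ($kept | Sort-Object) -join ';'   # semicolon-separated, no dots
        Skipped    = $skipped.ToArray()
    }
}

$result = ConvertTo-OneDriveExtensionList -Pattern $patterns -Protected $businessExtensions
"Extensions to block : $($result.Extensions)"
"Needs manual review : $($result.Skipped -join ', ')"

# Assumption: SharePoint Online Management Shell installed, SharePoint admin rights,
# and <tenant> replaced with your own tenant name.
# Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'
# Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions $result.Extensions
```

Review the skipped entries before each update: ransom note file names and wildcard patterns cannot be expressed as an extension block, and a protected extension appearing in a downloaded list is a sign the list should not be applied blindly.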

2 thoughts on “How to prevent ransomware-encrypted files from syncing to OneDrive for Business”

  1. Hi Per,
    Thanks for a great post – any chance you would share the file name extensions you have blocked?
    Thanks
    /Nicklas
