Ransomware and G Suite


It seems like there are more and more ransomware attacks popping up throughout the world every day. It may come as no shock that schools are often prime targets, simply because of the number of users we have and the amount of data we store. While there is no magic checkbox we can select to solve the problem, we can use as many preventive practices as possible to mitigate our risk. G Suite is well suited to this because of its global visibility into content around the world and its ability to apply security at scale.

It’s important to know about the different vectors that attackers use in order to get the user to install their malware. The first and most popular is via email, where the choice of provider can determine a user’s potential exposure. An on-premise email server may appear, at surface level, to be a viable solution. However, if you look at the features you leave on the table, it may be the cause of your problem. Gmail scans your emails prior to populating them in your inbox. G Suite’s global visibility can detect and resolve these issues for you automatically. So should you find yourself subjected to an email with malware attached, when utilizing Gmail, you may never even see this email arrive in your inbox. Furthermore, should you have G Suite Enterprise for Education, you can utilize the Gmail Security Sandbox (Beta), which actually opens and scans all incoming emails and any attachments in a virtual sandbox. Gmail Security Sandbox then performs dynamic malware analysis on those attachments, once again protecting users before these emails end up in their inboxes. In addition to this ability to scan and detect dangerous threats, Google keeps the Gmail servers constantly up to date. Most malware out there uses known security exploits. You may remember the big one a few years ago, WannaCry, which actually used an exploit that was patched three months prior to its first attack. With on-premise servers, you run the risk of missing those updates or opening up the option of end users choosing not to install them.

For those emails that do make it through, G Suite’s built-in security does not end there. Google’s Safe Browsing will detect dangerous links in emails or show warnings if dangerous links are clicked. Google Safe Browsing goes further and helps protect users from the second most popular vector: web-based attacks.

Web-based attacks are instances where the attacker will try to fool a user by presenting a website that appears to be legitimate, but is actually malicious. Safe Browsing prevents access to these sites and warns users to return to safety. Fraudulent pages are flagged daily and Google is constantly updating its lists of dangerous sites. You can see how Google ranks risky sites by using its transparency tool to see exactly what Google determined to be unsafe about that site.


Our last vector attackers use to spread malware is exploiting the operating system itself, as lots of malware and ransomware ultimately spreads this way. Whether your users have administrative privileges on their local machines, are using an unsafe web browser, or are running machines without applying updates, they are operating at high risk. These high-risk issues can be solved simply by having your users utilize ChromeOS. On ChromeOS, the actual OS is verified on every boot to ensure it has not been modified. In addition, each user profile on the Chrome device (if it’s a multiple-user device) is encrypted and partitioned, blocking it from being accessed by other users. Lastly, ChromeOS has built-in protection so that each process and tab runs in a siloed environment. This means that an app or website with compromised code cannot affect any other tab or process. Updates are centrally controlled and don’t rely on other vendors to submit patches that may take extended periods of time to apply. ChromeOS releases a new major stable version roughly every 6 weeks, so your Chromebook will always be up to date. Additionally, should Google discover a security threat that cannot wait until the next major release to be addressed, they will introduce a security patch as soon as possible, once again ensuring you are protected before the exploit is even well known! Most users on ChromeOS will predominantly be using Google Drive files (Docs, Sheets, etc.), further minimizing their exposure.

So what happens to our data if, despite all our proactive methods, our systems are still hit with ransomware? Well, this is where utilizing G Suite can again step in to help. Even if local machines are compromised and local data and files are potentially lost or encrypted, all Google Drive files (Docs, Sheets, Slides, etc.) would remain unaffected, as they have many replicated versions which can easily be rolled back if the current version becomes compromised. Even if our Google Docs and Sheets were modified, we have revision history to restore these items to a previous state. While this part does not help our legacy files, it may be a reason to start switching to Google formats as your primary method of file creation. Drive also provides some tools to help, should your legacy files stored in Drive be affected. These files also get revision history for the last 100 versions. For files under 100MB, Drive will automatically perform a virus scan upon download. If a virus or malware is found, only the original owner will be able to download the file, preventing others from accidentally downloading it. Drive also keeps all files on the web in a non-executable format, saving you from accidentally opening a PDF that was really a .EXE. Opening on the web is generally safer than opening locally, where you run the risk of having something unknowingly executed on your device.

Where do Drive File Stream and Backup and Sync come into play with ransomware? First, let’s talk about how each one works and how it plays into potential exposure.

Drive File Stream does exactly what its name implies: it streams content down from your Google Drive in real time as the files are accessed. The files are never stored locally on your machine (unless you choose to keep select legacy files offline; you cannot store Google Drive files offline). The hot-topic question: how does Drive File Stream play into our exposure to ransomware? I have done some small testing to show my research into this topic, the safety features that File Stream implements, and how common attack vectors are not usable against File Stream.

For this demo (you can access the code I created for this blog post) I have set up a Windows system with a user who has Drive File Stream installed. An assumption for the purpose of this demo: the user has been affected by ransomware from an unknown source. This ransomware specifically checks whether Google File Stream is installed, and is only going to try to encrypt the files in File Stream.

First, let’s look at our files that are in Google Drive.

By extension, we have the same files listed in File Stream.

Now we run the ransomware. For this example I used simple symmetric-key encryption to encrypt these files. The first thing this testing confirms is that a Google Drive file (i.e. a Google Doc) cannot be modified by ransomware. One reason is that it is impossible to open a Google file without the appropriate online tool, such as Google Docs; there is no way to open this file locally. Furthermore, any Google Drive file that appears in File Stream is not actually a file sitting on the drive (you also cannot make it available offline from File Stream). Your local file system also treats these files as a directory, not a file, which further prevents off-the-shelf ransomware from modifying them. Even if you built a driver to exploit File Stream and successfully modified the file, all you would have done is encrypt the link to the file, not the file itself; the original would remain safely untouched in Google Drive.

The ransomware has run on our other files, however, so now what? Well, that depends on the flavor of ransomware used, mainly what happened to the original file. One technique is simply to modify the file and add a new file extension; in this example, I have appended .ENC to the end of the file name. File Stream detects this change and syncs it up to the cloud.

We are now unable to access these files, as they have been encrypted. However, since the files were stored in Google Drive previously, we get file revisions, even for non-Google file types.

So if I right-click on my PDF example and click ‘Revisions’, I am able to download up to the last 100 revisions of this file (within the last six months). Now you might think: what if the ransomware were able to modify the file 101 times, so that we no longer have a clean version in revision history? To test this, I have written random bytes of data to the file in question 200 times, saving after each write and triggering File Stream to upload the change each time. Thankfully, Google Drive is smarter than this, and stored all 200 writes, plus the final encrypted version, as one file revision. The easiest way to explain how and why this happens is to look at a Google Doc: it does not store every single letter change as a revision; instead it determines that after a certain “idle” time it can save the accumulated changes as a revision. For ransomware to exhaust the revision history, it would need to run for a significant amount of time, slowly waiting out that idle period before writing again. Ransomware typically does not take this avenue, because part of what makes it so effective is how quickly it runs. Should you encounter something that does take this slow approach, you can likely detect it and shut down the source computer before it continues making changes.
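The idle-window behaviour described above is easiest to reason about with a small model. The following is an added example written for this article, not code from the original post and not Google’s implementation: it assumes a sync client that collapses every write arriving inside an idle window (`idle_seconds`, assumed to be 30 seconds here) into one pending revision, commits that revision once the client goes idle, and keeps only the newest 100 revisions, as the article states. It then replays the two scenarios from the text: 200 rapid writes followed by the encrypted version, and the slow “wait out the idle window” approach that would be needed to push the clean version out of history.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import os

Revision = Tuple[float, bytes]  # (commit time in seconds, content)


@dataclass
class RevisionHistory:
    """Toy model of a sync client's revision store (assumed behaviour, not Drive's code)."""
    idle_seconds: float            # assumed idle window: writes closer than this coalesce
    max_revisions: int = 100       # article: up to the last 100 revisions are kept
    revisions: List[Revision] = field(default_factory=list)
    _last_write: Optional[float] = None
    _pending: Optional[Revision] = None

    def write(self, t: float, content: bytes) -> None:
        """Record a local save at time t. A write inside the idle window replaces the
        pending revision instead of creating a new one."""
        if self._pending is not None and t - self._last_write < self.idle_seconds:
            self._pending = (t, content)          # absorbed into the pending revision
        else:
            self._flush()                         # window expired: commit the old one
            self._pending = (t, content)
        self._last_write = t

    def idle(self) -> None:
        """The client has been idle longer than the window: commit what is pending."""
        self._flush()

    def _flush(self) -> None:
        if self._pending is not None:
            self.revisions.append(self._pending)
            del self.revisions[: -self.max_revisions]   # drop everything but the newest N
            self._pending = None

    def has_content(self, content: bytes) -> bool:
        return any(c == content for _, c in self.revisions)


ORIGINAL = b"constructed original PDF bytes"


def rapid_overwrite(n_writes: int = 200, idle_seconds: float = 30.0) -> RevisionHistory:
    """Fast ransomware: n_writes of random bytes 10 ms apart, then the encrypted result."""
    h = RevisionHistory(idle_seconds)
    h.write(0.0, ORIGINAL)
    h.idle()                                       # the clean version is committed
    t = 100.0
    for _ in range(n_writes):
        t += 0.01
        h.write(t, os.urandom(16))                 # all inside one idle window
    h.write(t + 0.01, b"ENCRYPTED")
    h.idle()
    return h


def slow_overwrite(n_writes: int, idle_seconds: float = 30.0) -> Tuple[RevisionHistory, float]:
    """Patient attacker: waits out the idle window between writes. Returns the history
    and the wall-clock seconds the attack had to keep running."""
    h = RevisionHistory(idle_seconds)
    h.write(0.0, ORIGINAL)
    h.idle()
    gap = idle_seconds + 1.0
    for i in range(n_writes):
        h.write(100.0 + i * gap, b"junk-%d" % i)
    h.idle()
    return h, n_writes * gap


if __name__ == "__main__":
    fast = rapid_overwrite()
    print("rapid: revisions stored =", len(fast.revisions),
          "original recoverable =", fast.has_content(ORIGINAL))
    for n in (99, 100):
        h, secs = slow_overwrite(n)
        print(f"slow x{n}: original recoverable = {h.has_content(ORIGINAL)} "
              f"after {secs/60:.1f} minutes of activity")
```

Under these assumptions the 200 rapid writes plus the final encrypted copy become a single new revision, so the clean version is still the first entry in history; evicting it requires more than 100 writes each spaced past the idle window, which is exactly the slow, noisy behaviour the text says is both atypical for ransomware and detectable.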

Another method ransomware uses is to delete the original file as it writes the new file into memory, then save the result under the same name as before. This avenue is used to defeat any local revision-history software in use. Should this happen to you, it would actually put you in an even better position than before, as any file deleted via Drive File Stream is automatically placed into your Google Drive Trash. This can be seen in the before and after pictures of our test Google Drive account’s Trash.


And After:

We would simply be able to restore these files back into our Google Drive.
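Both ransomware behaviours described above, a burst of renames that append a new extension and a burst of deletes, leave a distinctive trail in sync or audit activity, and the text notes that a slow attacker is something you can detect and cut off. The following is an added example for this article, not code from the original post and not Google’s audit-log format: it assumes a constructed, whitespace-separated activity log (`<ISO time> <device> <action> <path>`, with renames written as `old->new`) and flags any device that performs five or more extension-appending renames, or five or more deletes, within a 60-second window. Feeding it real Drive audit events would require adapting `parse_line` to that export format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log in an assumed format; LAPTOP-07 shows both ransomware
# patterns from the article, LAPTOP-02 is ordinary user activity.
SAMPLE_LOG = """\
2019-10-01T09:02:11 LAPTOP-02 rename Staff/Draft.docx->Staff/Final.docx
2019-10-01T09:14:10 LAPTOP-07 rename Shared/Budget.xlsx->Shared/Budget.xlsx.ENC
2019-10-01T09:14:10 LAPTOP-07 rename Shared/Report.pdf->Shared/Report.pdf.ENC
2019-10-01T09:14:11 LAPTOP-07 rename Shared/Roster.csv->Shared/Roster.csv.ENC
2019-10-01T09:14:11 LAPTOP-07 rename Shared/Notes.txt->Shared/Notes.txt.ENC
2019-10-01T09:14:12 LAPTOP-07 rename Shared/Photo.jpg->Shared/Photo.jpg.ENC
2019-10-01T09:14:12 LAPTOP-07 rename Shared/Plan.pptx->Shared/Plan.pptx.ENC
2019-10-01T09:20:00 LAPTOP-07 delete Shared/Budget.xlsx
2019-10-01T09:20:00 LAPTOP-07 delete Shared/Report.pdf
2019-10-01T09:20:01 LAPTOP-07 delete Shared/Roster.csv
2019-10-01T09:20:01 LAPTOP-07 delete Shared/Notes.txt
2019-10-01T09:20:02 LAPTOP-07 delete Shared/Photo.jpg
2019-10-01T09:20:02 LAPTOP-07 delete Shared/Plan.pptx
2019-10-01T10:05:30 LAPTOP-02 rename Staff/Old.txt->Staff/Old.txt.bak
2019-10-01T10:40:00 LAPTOP-02 delete Staff/Tmp.txt
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(modify|rename|delete)\s+(.+)$")


def parse_line(line: str) -> Optional[Dict]:
    """Parse one constructed-format line; returns None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, device, action, rest = m.groups()
    ev = {"t": datetime.fromisoformat(ts), "device": device, "action": action}
    if action == "rename":
        src, dst = rest.split("->", 1)
        ev["src"], ev["dst"] = src, dst
        # Extension the rename appended (e.g. ".ENC"); None for an ordinary rename.
        ev["added_ext"] = dst[len(src):] if dst.startswith(src + ".") else None
    else:
        ev["path"] = rest
    return ev


def detect_bursts(lines: List[str], window_s: int = 60, threshold: int = 5) -> List[Dict]:
    """Sliding-window burst detector: one alert per (device, pattern) the first time
    the count inside the window reaches the threshold."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["t"])
    recent = defaultdict(deque)   # key -> timestamps inside the current window
    alerted = set()
    alerts = []
    for ev in events:
        if ev["action"] == "rename":
            if ev["added_ext"] is None:
                continue            # plain renames are not the pattern of interest
            key = (ev["device"], "rename-append", ev["added_ext"])
        elif ev["action"] == "delete":
            key = (ev["device"], "delete", "")
        else:
            continue
        q = recent[key]
        q.append(ev["t"])
        while (ev["t"] - q[0]).total_seconds() > window_s:
            q.popleft()             # expire events that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"device": key[0], "kind": key[1], "ext": key[2],
                           "count": len(q), "at": ev["t"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG.splitlines()):
        print(f"{a['at']} {a['device']}: {a['count']} x {a['kind']} {a['ext']}".rstrip())
```

Run on the constructed sample it raises two alerts for LAPTOP-07 (the `.ENC` rename burst and the delete burst) and none for LAPTOP-02, whose one `.bak` rename and single delete never reach the threshold. The threshold and window are tuning knobs: a slow attacker spacing writes beyond Drive’s idle window would need a longer window and a lower threshold to catch, at the cost of more false positives from bulk user cleanups.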

Now what happens if ransomware places itself in File Stream? Is it able to infect other systems that are also connected via File Stream? The answer is: not directly. All it can do is place the executable in Drive (including if it tries to hide under a fake file name).

Once it is in Google Drive, it’s stored as a non-executable file, meaning it cannot run while being accessed via the web. While it can now show up on another machine with File Stream, it will not automatically be executed, since it is only a link and not the actual file. At this point the only risk of it spreading via this vector is that a user clicks on the ransomware again, which is equivalent to downloading the original email attachment a second time; hopefully the user will have more awareness after being infected once.

Do I need a backup solution then, if G Suite offers all of this revision history? The answer is… it depends. While it is true that having revision history can save you from a ransomware attack, it doesn’t reflect the time it can take to roll every file back to a previous version. A G Suite backup solution can, with the click of a button, restore files to a previous version, so if time is of the essence, a backup solution can really save your bacon.

So what about Backup and Sync? Well, it does one thing really well: synchronization. However, with nearly real-time synchronization, we get a new potential threat to our data. If a desktop becomes compromised, the tool will pick up the change and upload the now-encrypted files automatically, often before you get a chance to disable the sync. This synchronization happens both ways, from local storage to Google Drive and from Google Drive to local storage. This can be exploited further by using this vector to download the ransomware to your other Backup and Sync clients, leaving the full executable file on those machines. While it would still need to find another OS weakness to run automatically, this at least gives it a chance to spread further. It’s for this reason that I would suggest staying away from Backup and Sync for G Suite users.

What can be done for legacy files, application hosting, and local databases such as your SIS? This is where looking at Google Cloud Platform can further help with making sure you are as secure as possible. An unfortunate truth is that the last major ransomware attacks have all affected local on-premise solutions, not cloud solutions. Google Cloud Platform (GCP for short) can mitigate risk thanks to its capacity, having enough resources to scale automatically as needed.

Physical Security: Have you ever seen the inside of a Google data center? Not likely. Google implements strict physical controls to prevent unauthorized access to its data centers, and those controls further help protect your assets.

Network Infrastructure: GCP runs on the same backbone that supports Google’s production network, and you also have access to world-class components such as firewalls and load balancers.

Support: I mean support not only from trusted partners like us (Amplified IT) but also from skilled technicians on Google’s side to help troubleshoot and address issues.

Redundancy: With multiple points of presence across the globe, your data can be mirrored automatically across multiple locations.

Compliance: Google undergoes third-party audits that ensure GCP is in alignment with all security, privacy and compliance regulations and best practices. In addition, should you move your databases to the cloud, you also have the ability to create disaster recovery tools to protect your data even further.

While prevention of ransomware is key, some schools cannot make the jump to a fully cloud-based collaboration tool and still have legacy files in use in the district. For these, the only true fail-safe protection from ransomware is investing in offsite backups. If your school or district should succumb to ransomware, a tool that can instantly restore your users’ data could be worth its weight in gold. You can laugh at the thought of paying a ransom, since your files are safe and ready to be restored. While there are costs associated with backup solutions, the loss of data, time, and public trust will end up costing you much, much more.

In an ever-changing world it is always best to stay current with recent updates, new methods of protection, and best practices, as there are always new malicious programs, applications, and methodologies attempting to compromise our users and systems. The above article is an evaluation of current best practices and does not guarantee or ensure protection from malicious programs.

If you are interested in learning more or having your environment reviewed, contact our team to get started.

  • Andrew Giggey
    Google for Education Consultant

  • About the Author:

    Andrew Giggey has been a G Suite for Education Consultant for Amplified IT since 2018. Prior to joining Amplified IT, Andrew spent time working for school districts as a network and systems administrator. His hobby is having hobbies, and he has tried just about everything. Utilizing his tinkering and computer science knowledge, Andrew is constantly working to discover things hiding in plain sight and to inform the community of uncovered issues. Andrew continues to try to find the unique problems that school districts face and to find them the best possible solution.