What Google Workspace and Office 365 Admins Need to Know Now About Ransomware Attacks

According to data from the US Justice Department, ransomware attacks have increased from 2015 to 2016 at a rate of roughly 300% a year.

“On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015.”

Further, new distribution methods for ransomware—“Ransomware as a Service,” making it cheap and easy for even unskilled hackers to profit from ransomware—mean more attacks are likely in the future. Projections are that ransomware will continue to be an issue in 2017-18, in part as hackers find new vectors for attack.

But Google and Microsoft protect our data, right?

Collaboration platform vendors like Microsoft and Google provide some strong capabilities to help protect their customers’ data, but customers must also protect themselves. SaaS providers focus on preventing cybersecurity attacks, with data security scanning, malware detection and prevention, but these controls cannot fully prevent cybersecurity attacks that lead to data loss. Microsoft and Google will also protect your data against hardware or software failure, natural disasters, or power outages, but SaaS applications can’t fully protect customers from data loss caused by Ransomware, sync errors from integrations, or human error.

Why not?  When data gets encrypted, changed or deleted by Ransomware, sync errors, or other destructive activity, to the SaaS provider, it looks just like data was changed or deleted by their customer for legitimate reasons. This is why you must protect yourself against the data disasters that continue to occur every day.

What are the ways Team Drives data can be lost?

The alarming growth in ransomware poses a particular threat for those organizations using SaaS collaboration platforms like Google Workspace and Office 365. Because the responsibility for data protection falls to the customer, and because these platforms speed collaboration by making files and folders easy to share, automatically syncing changes—a ransomware attack can lock shared files at compute speed. One Spanning customer recently told us that a ransomware attack locked nearly 950 files in a few minutes. (See below for more details on this situation.)

The risks are financially significant as well. Assuming you have no “good to restore from” backup, you have to trust that paying ransom will enable you to access the locked files – and this is not always the case.

“Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom … [after paying,] some victims were asked to pay more to get the promised decryption key.” – US Justice Department

Even if paying the ransom works for decryption, IT often finds that file names have been changed, and files are no longer findable in their original folders – adding hours of work and lost productivity to recovery time. And with SaaS collaboration tools in sync, organizations suffering an attack may find their customers and vendors have been locked as well, wreaking havoc with business relationships, and adding legal risks.

Here’s more of a story we heard from a customer about a recent ransomware attack. We’ve anonymized the detail, but the most salient points are applicable to any SaaS collaboration platform customer.

“At about 7:50 AM, one of our users saw a message open on their screen, saying their files had been encrypted and locked, and they needed to pay ransom to access their files. By 8:00 AM – ten minutes later! – a number of other users called our IT support desk saying file names had been changed.

“The malware went through complete hard drives in seconds and encrypted EVERYTHING. And as shared documents in synced folders became encrypted, other docs in those folders were encrypted. In just a few minutes, the ransomware attack on one synced folder alone encrypted almost 950 files!”

What to do now

For on-prem applications, IT routinely performs backups in order to meet compliance / business continuity requirements for the fast restoration of data. As we’ve seen, SaaS applications like Google Workspace or Office 365 still need protection, and part of that protection is once again IT’s responsibility. Some best practices include:


  • Train end users to be more phishing-resistant and hack-savvy
  • Identify high-value spear-phishing targets, and review / restrict their folder and file sync to limit the impact if ransomware infects your organization
  • Evaluate and acquire an enterprise grade cloud-to-cloud automated backup solution with robust restore capabilities; monitor backup status
  • Periodically test the restore process to ensure restored files from backups are usable


  • Isolate the infected assets quickly – if needed, unplug physical PCs, turn off all syncing for SaaS applications, and shut down network access
  • Determine whether the infection is “scareware,” or a low-level hack causing a browser screen “law enforcement warning” without true file encryption – if so, use Windows Task Manager to close the browser, or force quit on Macs
  • If not scareware, research whether there is a known decryptor app – however, it may not be possible to recover your files if the ransomware has robust encryption
  • Run an antivirus program on the infected devices to remove the malware

If you HAVE prepared by subscribing to an automated, point-in-time cloud-to-cloud backup solution like Spanning, your first steps post-ransomware will be isolation and malware assessment / removal. But recovery is now possible, even for ransomware with robust encryption.

The customer story noted above has a happier ending than most ransomware stories.

“Fortunately, we had Spanning deployed. The infection wasn’t robust – but it did make a mess that I estimate it would have taken the IT team a full two days to recover from. With Spanning, the time it took to recover was about 3 hours – about 100% faster than we could do without Spanning. We are very glad we had Spanning backing us up prior to this attack!”

If you’re not using Spanning Backup to protect your Google Workspace or Office 365 data, now is the time to evaluate whether it would improve your RTO before ransomware infects your organization.

Whitepaper: Preventing a Ransomware Disaster