Generally, you know that ransomware attacks endpoint devices (such as users’ PCs) and network file shares. However, ransomware can still encrypt the data associated with a SaaS application. That also includes Microsoft 365 data! In this article, I’ll talk about how these attacks could occur. I’ll also offer some advice for protecting your Microsoft 365 resources against ransomware.
When it comes to ransomware attacks, you need to understand 2 important facts:
- Ransomware comes in different types. Basically, ransomware varies considerably with regard to its capabilities. Some ransomware is extremely primitive. This means it can only attack the default Windows document libraries. Other ransomware is far more sophisticated. It may attack network endpoints, file shares, application servers, SaaS applications, backups, etc.
- Ransomware inherits the permissions of the user who unleashed it. This means the ransomware could potentially attack anything that the user has access to. Conversely, anything that the user doesn’t have access to is essentially out of harm’s way.
So with that said, let’s take a look at two ways ransomware potentially encrypts Microsoft 365 Cloud data:
1. Direct Access to the Data
Firstly, ransomware could access the data directly to attack Microsoft 365. The ransomware probably isn’t going to be smart enough to guess the URLs associated with your SharePoint sites. However, it can still gain access in other ways.
For example, many organizations will map a network drive to a SharePoint document library. Alternatively, an organization might enable Sync. This is actually Microsoft’s preferred option. However, both options can give ransomware an entry point into your Microsoft 365 environment.
2. The ProofPoint Method
ProofPoint recently discovered an attack chain. Through this chain, ransomware could conceivably encrypt SharePoint Online or OneDrive data. Generally, this type of attack involves 3 high-level steps:
- A cybercriminal gains access to your network through a compromised account
- The attacker reconfigures the versioning limits. This way, only a small number of file versions (ideally only one) are retained
- The attacker encrypts and then re-encrypts your data. The idea is to exceed the version limits. This will make it impossible to use versioning controls to revert to an unencrypted version
Clearly then, ransomware is a threat to data stored in the Microsoft 365 cloud. That said, Microsoft does take steps to prevent ransomware from harming the data stored there. It’s worth noting that this automated protection depends on versioning working correctly.
How Microsoft Protects Against Ransomware
Microsoft monitors Microsoft 365 cloud data for signs of a ransomware infection. For example, let’s say Microsoft detects numerous files being modified in a short amount of time. In this case, it may indicate that a ransomware attack is underway. When that happens, Microsoft displays a notification indicating that it has detected signs of ransomware.
As you can see in the figure above, recovery is a three-step process. Firstly, take a look at some recently modified files to see if they’ve become encrypted. If you see encrypted files, you should remove the ransomware from your device. Then, complete Step 3, which allows you to restore an unencrypted version of your files.
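The two signals described above (a versioning-limit change followed by a burst of file modifications, as in the ProofPoint chain, and many files changed by one account in a short window, as in Microsoft’s detection) can be checked from audit records. The following is an added example, not code from the article or from Microsoft; it runs over constructed records whose field names follow the unified audit log (CreationTime, Operation, UserId, ObjectId), and the “VersioningLimitChanged” operation name is a placeholder, not a documented Microsoft value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real log data). "VersioningLimitChanged"
# is a placeholder operation name; the file-level operations are real ones.
LIB = "https://contoso.example/sites/Finance/Shared Documents"
T0 = datetime(2023, 5, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"CreationTime": T0.isoformat(), "Operation": "VersioningLimitChanged",
     "UserId": "alice@contoso.example", "ObjectId": LIB},
] + [  # alice touches 25 distinct files in under two minutes
    {"CreationTime": (T0 + timedelta(seconds=65 + 4 * i)).isoformat(),
     "Operation": "FileModified", "UserId": "alice@contoso.example",
     "ObjectId": f"{LIB}/report-{i:03d}.docx"} for i in range(25)
] + [  # bob edits three files ten minutes apart (normal activity)
    {"CreationTime": (T0 + timedelta(minutes=10 * i)).isoformat(),
     "Operation": "FileModified", "UserId": "bob@contoso.example",
     "ObjectId": f"{LIB}/notes-{i}.docx"} for i in range(3)
]

MODIFY_OPS = {"FileModified", "FileRenamed", "FileUploaded"}

def find_bursts(events, threshold=20, window=timedelta(minutes=5)):
    """Return {user: max distinct files} for users who modified at least
    `threshold` distinct files inside any sliding window of length `window`."""
    by_user = defaultdict(list)
    for e in events:
        if e["Operation"] in MODIFY_OPS:
            by_user[e["UserId"]].append(
                (datetime.fromisoformat(e["CreationTime"]), e["ObjectId"]))
    flagged = {}
    for user, items in by_user.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1  # slide the window forward
            distinct = {obj for _, obj in items[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged

def find_versioning_chain(events, lookahead=timedelta(hours=1), **kw):
    """Flag (user, library) where a versioning-limit change is followed, within
    `lookahead`, by a modification burst from the same account."""
    hits = []
    for e in events:
        if e["Operation"] != "VersioningLimitChanged":
            continue
        t = datetime.fromisoformat(e["CreationTime"])
        later = [x for x in events if x["UserId"] == e["UserId"]
                 and t <= datetime.fromisoformat(x["CreationTime"]) <= t + lookahead]
        if e["UserId"] in find_bursts(later, **kw):
            hits.append((e["UserId"], e["ObjectId"]))
    return hits
```

On the sample data `find_bursts` flags only alice (25 files), and `find_versioning_chain` links that burst to her earlier versioning change on the Finance library.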
But you also can do other things to protect your Microsoft 365 data. Let me show you.
How Can You Protect Your Data?
Microsoft offers a five-step plan for protecting Microsoft 365 against ransomware. These steps include:
- Configure security baselines
- Deploy attack detection and response
- Protect identities
- Protect devices
- Protect information
These particular list items are generally “uniquely Microsoft”. But, they align well with other established best practices for ransomware prevention.
Here are some of the most important things you can do to prevent ransomware from encrypting Microsoft 365 data:
- Enable multi-factor authentication for your users
- Take steps to prevent user credentials from becoming compromised. This may include passwordless authentication
- Run anti-malware software on all end-user devices
- Practice Least User Access and other zero trust principles. This ensures that users have the bare minimum permissions required to do their jobs
- Back up your data regularly. Ensure your backup allows you to perform a point-in-time restoration if you need to.
- Create an air-gapped backup. This can act as a last line of defense if ransomware attacks your primary backup
The Bottom Line
Contrary to popular belief, Microsoft 365 is susceptible to ransomware attacks. Microsoft has integrated some protective measures into the Microsoft 365 cloud. But, ultimately, it’s up to you to take steps to protect your Microsoft 365 data. File versioning alone is inadequate. In fact, an attacker can potentially reconfigure the versioning settings. In turn, they’ll prevent you from recovering an unencrypted version of your data.
Instead, adopt Microsoft’s five-step plan. Additionally, implement other cybersecurity best practices. For instance, consider passwordless authentication and Least User Access.
Do you have more questions about ransomware and Microsoft 365 data? Check out the FAQ and Resources sections below!
Ransomware is generally constrained by user permissions. Does this rule have any exceptions?
Ransomware attacks come in two main categories: automated and human-operated. An automated ransomware attack is what happens when a user accidentally clicks on a malicious link. In those cases, user permissions restrain these attacks. Human-operated ransomware is planted and launched by a cybercriminal. Typically, the attacker has already acquired elevated permissions. Thus, the ransomware tends to be far less constrained.
Why does Microsoft encourage you to use Sync instead of mapping a network drive to SharePoint Online?
Using Sync and mapping a network drive are both viable options. But Microsoft recommends using sync for two main reasons. First, Sync tends to be a little bit easier to set up. Second, Sync makes files available through File Explorer without the files consuming local storage space on your PC.
The first step in the ProofPoint attack involves a cybercriminal gaining access to a compromised account. Does that mean that automated ransomware cannot perform this type of attack?
Not necessarily. As of right now, the ProofPoint exploit that allows ransomware to attack Microsoft 365 is theoretical. It’s a known vulnerability, but no real-world exploits have been publicized yet. However, an attacker could still develop an automated version of this attack.
How do you access the SharePoint Online versioning settings?
Each SharePoint document library has its own version settings. From a document library, go to the toolbar and click on Library Settings. When the Settings page appears, click on the Versioning Settings link.
Will I get a warning if ransomware attacks a SharePoint document library?
Microsoft may have a similar mechanism in place to protect SharePoint data. However, the documentation indicates that this particular protective mechanism is specific to OneDrive.
TechGenix: Article on Post-Attack Negotiation
TechGenix: Article on Anti-Ransomware Plans
Read more on how Europol is trying to put a stop to ransomware.
TechGenix: Guide to Ransomware Defense
Microsoft: Article on Ransomware Prevention in Microsoft 365
Discover Microsoft’s recommendations for preventing ransomware in Microsoft 365.
Microsoft: Guide to Deploying Ransomware Protection
Learn how to deploy ransomware protection for a Microsoft 365 tenant.
AFI: Article on Ransomware vs Microsoft 365 Data
Read more on how ransomware can harm Microsoft 365 data.