Ransomware is a real threat to traditional IT infrastructure because the storage hardware used in PCs, servers and NAS devices has no built-in versioning or protection mechanism against malware.
Unlike on-premise infrastructure, Microsoft 365 cloud applications have native versioning, recovery tools and anti-malware built in. Does this make M365 data immune to ransomware? The short answer is yes, in many cases.
In this blog post we review the existing evidence from ransomware attacks in 2015-2020, analyze the scope of Microsoft 365's built-in ransomware protection and discuss how ransomware may circumvent these protection and recovery mechanisms.
Check this post if you want to learn about Microsoft 365 backup tools and how they help protect your M365 data.
Does Ransomware Affect Microsoft 365?
There have been no known cases of ransomware encryption attacks on Microsoft 365 data or other cloud applications. While some ransomware strains target specific data types (backup tapes, enterprise database servers, etc.), no ransomware specializes in cloud data sources or M365 yet.
There is no evidence of any successful ransomware attacks on Microsoft 365 (Office 365) or other SaaS applications.
Many ransomware strains (see the next section for details) are human-operated: criminals direct the attacks manually and select which machines the ransomware infects first.
They usually prioritize on-premise data sources, which are less protected than the cloud and contain valuable information, such as:
- SQL database server machines
- Tape libraries and other backup repositories
- SMB and other file sharing servers
For example, Ryuk ransomware is known to target financial data and database servers in an attempt to focus on the most valuable data. Other ransomware strains such as Netwalker attack backup data repositories in order to inhibit victims’ ability to recover data without paying the ransom.
Files encrypted locally can be synced to an M365 site/OneDrive
We've seen cases where ransomware encrypted local files on user desktop machines and the encrypted versions of the data were then synced by the OneDrive client to the Microsoft 365 cloud.
There is no evidence, however, that the criminals intended, or cared, whether the encrypted files were uploaded to the cloud.
The OneDrive client normally uploads data to Microsoft 365 at around 2MB/sec, which is 10-15x slower than the speed of encryption operations on local machines. This often means that only a small share of the encrypted data is synced from local machines to the Microsoft 365 cloud.
Cloud upload speed is too slow to encrypt Microsoft 365 (SharePoint and OneDrive) data at scale.
In cases where encrypted file versions do get uploaded to OneDrive accounts or SharePoint sites, they can usually be recovered using standard Microsoft 365 versioning (see section 3 for more details on M365 built-in anti-ransomware tools).
Microsoft 365 as a source of initial ransomware infections
Email phishing is one of the most prominent ransomware attack vectors. Criminals often use Microsoft 365 email (as well as other email services) to infect their victims by sending messages with infected attachments or links to malware.
Cerber ransomware is a notable example in which the attackers focused on Office 365 users to deliver the phishing emails. Their infected attachment was crafted in a way that allowed it to bypass the built-in Exchange Online filtering, so users who opened the attachment infected their machines.
In the case of Cerber and other known strains, Exchange Online is only used for the initial infection. The ransomware does not encrypt Office 365 email; instead it spreads further within the organization and encrypts local storage.
How Microsoft 365 helps ransomware spread within the organization
After successfully infecting the first machine, most ransomware uses harvested credentials and vulnerabilities in local network protocols to spread to other computers within the organization (lateral movement). Ransomware performs:
- Network scanning to identify critical data sources to target, and machines running old/vulnerable software that is susceptible to attack
- Searching the infected machine for credentials and access permissions in order to connect to other computers and infect them
In addition to the steps above, ransomware may place infected files (including Office documents) on local file-sharing servers and on SharePoint Online sites (if the ransomware has access to a machine that is synced to SharePoint using the OneDrive client).
However, this method of propagation through shared file servers is slower and less reliable than the credential-harvesting and vulnerability-exploitation methods described above. It requires other users to open the infected files on machines running old/vulnerable OS versions that will not detect the ransomware.
Therefore SharePoint Online may be used to spread ransomware within the organization as a secondary lateral-movement option, relying on infected files being synced from an infected machine to a SharePoint site in the hope that another user will open them.
Can ransomware be executed in the Cloud?
It is important to note that Microsoft 365 itself cannot run or execute ransomware. An infected file must be opened on a local machine (Windows/Linux/Mac, etc.) to be executed.
SharePoint Online and other Microsoft 365 apps can only act as storage media for ransomware executables, which can only encrypt data and infect systems once they are downloaded and opened.
M365 & Evolution of Ransomware
We analyzed data from more than 350 ransomware attacks that happened in 2020 and were reported publicly. In this section we discuss the main characteristics of the ransomware strains and how they evolved.
Trend #1: Data Leaks in Addition to Encryption
Egregor (formerly Maze) became the largest ransomware gang in 2020 and was the first to introduce a new extortion tactic: in addition to encrypting files, it began stealing sensitive data and threatening to leak it publicly.
All other ransomware types quickly followed the example, and as of 2021 virtually all ransomware attacks involve leaks of stolen data or threats thereof.
- Microsoft 365 built-in data retention and versioning helps recover from data encryption but does not prevent data theft.
- The new data exfiltration tactic makes M365 significantly more vulnerable to ransomware and warrants additional security measures, including strict access control and 2FA enforcement (see section 3 for details).
Trend #2: Division of Labor & RaaS Business Model
All major criminal organizations, including the top 4, rely on a multi-tier distribution model (Ransomware as a Service, or RaaS). The ransomware software is licensed by its developers to other criminals who specialize in deploying it and executing the attacks.
The RaaS business model first emerged in 2016, and in 2020 it gained strong traction, with major RaaS vendors trying to build their brands and recruit affiliates through ads on the dark web. For example, the Sodinokibi / REvil group made a $1 million PR stunt to attract talent, a move more typical of legitimate software vendors.
- The RaaS model enables much greater scale and specialization for ransomware developers, helping them gain technical expertise and build more sophisticated malware.
- Ransomware is likely to adopt the same technologies that are revolutionizing legitimate software:
  - machine learning (including deep fakes for phishing and initial infection, and AI capabilities to avoid detection)
  - high-performance container architecture (for faster and scalable deployment on the victim's infrastructure)
  - targeting IoT and edge workloads' software stacks in order to cause more damage and interruption during the attacks.
Trend #3: Criminals Moving Upmarket
Ransomware criminals are increasingly targeting enterprises and large organizations to increase the chances of large payouts.
For example, multiple Ryuk ransomware attacks showed evidence that the operators perform extensive research on their targets before the attacks and execute carefully planned operations in multiple stages. This approach enabled Ryuk to achieve some of the highest payouts (millions or tens of millions per attack).
- They'll realize the cloud holds more critical data as enterprise cloud migration continues
The Future of Ransomware
Given that the criminals' tactics continue to evolve, we believe it is likely that:
- In 1-2 years one of the criminal gangs will realize the need to focus on Microsoft 365 to target victims' most critical data
- In 3-6 months other major ransomware strains will replicate the tactic and most ransomware attacks will in some way target M365
Overall Ransomware Trajectory: Growing Again
In its annual Internet Crime Report, the FBI shows the number of ransomware cases reported to it in the US and internationally.
The total number of reported ransomware cases grew in 2013-2016 and peaked at 2,673. In 2016-2018 it dropped by 44%, which in our opinion is the result of organizations' investments in cybersecurity following the major wave of ransomware in 2016.
In 2019-2020 the number of ransomware cases grew at a 66% CAGR. In our view this reflects more sophisticated ransomware technology and multi-tier criminal organizations (developers vs. operators), which let software developers focus on building the tools while operators focus on deploying them and planning and managing the attacks.
How Microsoft 365 is Protected from Ransomware
There are four built-in mechanisms that protect Microsoft 365 data from ransomware:
- Detection and filtering are included and enabled in all Microsoft 365 plans. Exchange Online Protection (EOP) scans received emails and filters out phishing and infected messages. The SharePoint/OneDrive built-in anti-malware engine scans suspicious files when they are uploaded or accessed later and deletes/blocks them if malware is detected.
- Versioning and data recovery are available for SharePoint and OneDrive in all plans. Standard versioning has limitations (any user with edit rights to a file can delete its version history), but they can be overcome by using the compliance retention available in premium plans (see more about compliance retention here).
- Post-deletion recovery capabilities enable admins to recover permanently deleted Exchange Online items, SharePoint sites and OneDrive items within 25-30 days after deletion. You can extend this window using compliance retention policies.
- Sandboxing is an additional protection layer provided by the Microsoft Advanced Threat Protection (also known as Microsoft Defender for Office 365) feature, available in the more expensive Microsoft 365 Business Premium and Office 365 E5 plans; it can also be purchased as an add-on.
| Microsoft 365 app | Data types | Detection | Sandboxing | Versioning | Recovery |
| Exchange Online | Email messages, attachments | | | | |
| SharePoint Online | Shared documents, web pages | | | | |
| OneDrive | Individual users' files | | | | |
| Teams Chats | 1-1 and Teams channel messages | | | | |
| Calendars, contacts & other | - | | | | |
SharePoint Online and OneDrive for Business do not prevent ransomware attacks, but their built-in versioning capabilities help recover from them. In early 2017 Microsoft 365 versioning began to work not only for native files (docx, xlsx, etc.) but also for non-native files.
Versioning is enabled by default for document libraries and OneDrive. It retains the last 500 versions of each file (though you can increase the limit to 50,000).
Administrators and the users who have access to the files can use versions to manually recover OneDrive and SharePoint document library data after a ransomware attack. This is the most precise way to recover from an attack: you can review each file, determine whether it was affected, and fall back to the latest unaffected version if it was. But the time and effort required make it impractical in the case of mass encryption.
Microsoft also provides recovery capabilities in SharePoint and OneDrive that enable administrators to roll back entire document libraries and OneDrives to any point in time within the last 30 days. This is Microsoft's recommended way to recover Microsoft 365 data from ransomware (see Microsoft documentation for more details - link). The drawbacks of Microsoft 365 native recovery are:
- If you are late to notice that your files got encrypted (possible if the ransomware affects rarely used data), then you will not be able to use the tool
- The recovery rolls back all changes to the recovery point you specify. This may lead to partial data loss, as some edits made between the recovery point and the encryption event may be lost.
- If a file or folder is deleted and then created/uploaded again, the recovery will skip it
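One way to notice the synced-encryption scenario early enough to still be inside the 30-day rollback window, and to pick the recovery point for it, as an added example that is not part of the original post: it scans SharePoint/OneDrive audit records (constructed here in the shape of Unified Audit Log entries; the field names, the known-extension list and the burst thresholds are assumptions) for a burst of changes to files that carry an unfamiliar extension, and derives a restore point just before the first such change.

```python
# Added example (not from the post): audit-record field names assumed, thresholds illustrative.
from collections import defaultdict
from datetime import datetime, timedelta
import os

KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt"}
CHANGE_OPS = {"FileModified", "FileRenamed", "FileUploaded"}
WINDOW, THRESHOLD = timedelta(minutes=5), 5   # >= 5 suspicious changes within 5 minutes

def rec(time, op, user, name):
    return {"CreationTime": time, "Operation": op, "UserId": user, "SourceFileName": name}

# Constructed sample: alice edits normally; bob's synced OneDrive pushes eight renamed files
# with an unfamiliar extension within seconds; carol renames six such files slowly (no burst).
SAMPLE_RECORDS = (
    [rec("2021-03-01T09:00:10", "FileModified", "alice@contoso.example", "budget.xlsx")]
    + [rec(f"2021-03-01T13:02:{i:02d}", "FileRenamed", "bob@contoso.example",
           f"report{i}.docx.locked") for i in range(8)]
    + [rec(f"2021-03-01T14:{3 * i:02d}:00", "FileRenamed", "carol@contoso.example",
           f"plan{i}.pptx.locked") for i in range(6)]
)

def suspicious_extension(name):
    """Ransomware usually appends a second, unfamiliar extension to each file."""
    ext = os.path.splitext(name)[1].lower()
    return ext != "" and ext not in KNOWN_EXTENSIONS

def find_bursts(records, window=WINDOW, threshold=THRESHOLD):
    """{user: (first suspicious change time, total count)} for users with a burst."""
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] in CHANGE_OPS and suspicious_extension(r["SourceFileName"]):
            per_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    alerts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):            # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[user] = (times[0].isoformat(), len(times))
                break
    return alerts

def restore_point(alerts, margin=timedelta(minutes=1)):
    """Point in time just before the earliest burst, to feed the library rollback."""
    if not alerts:
        return None
    first = min(datetime.fromisoformat(t) for t, _ in alerts.values())
    return (first - margin).isoformat()
```

Run against exported audit records for the tenant, the same logic gives the user whose synced files were encrypted and a point in time to roll the affected library back to; the slow, spread-out renames by carol show why the rule keys on rate, not just count.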