Can Ransomware Hit Your Microsoft 365 Data?

Ransomware is a very real threat for on-premises IT infrastructure because the hardware storage used in physical servers typically has no built-in versioning, immutability and anti-malware.

Unlike on-premises infrastructure, Microsoft 365 cloud applications have native versioning, data recovery tools, and anti-malware built into them.

So do these capabilities make Microsoft 365 data immune to ransomware attack? The short answer is, as of right now, yes, in most cases.

In this blog post we will review evidence from 2015-2022 ransomware attacks, discuss the scope of Microsoft 365 ransomware protection and the evolution of ransomware which threatens Microsoft 365 data.

We at afi.ai develop a Microsoft 365 backup service and one of the reasons our customers use our service is to protect their M365 data against ransomware.

As part of our business we observe ransomware attacks and how they impact organizations. Oftentimes we see that organizations decide to implement a Microsoft 365 backup after they experience an attack.

There has so far been no knows cases of ransomware attacks targeting Microsoft 365 data or other cloud applications. While some ransomware strains target specific data types (backup tapes, enterprise database servers, etc), no ransomware specializes in cloud data sources or M365 yet.

Many ransomware strains are human-operated. When such ransomware is deployed, criminals are manually directing the attacks and decide which machines to infect or encrypt.

The criminals operating ransomware usually prioritize on-premise data sources because they are less protected, and contain valuable information. The typical on-premise targets normally include:

1. SQL database servers
2. Tape libraries & backup repositories
3. SMB & other file sharing servers

For example, Ryuk ransomware (see section 2 for details) is known to target financial data and database servers in an attempt to encrypt the most valuable data. Other ransomware strains, such as Netwalker, are known to attack backup data repositories in order to inhibit the victims’ ability to recover without paying the ransom.

Although ransomware doesn't specifically target Microsoft 365 data, it can affect Exchange Online, Sharepoint Online and other cloud applications, as well as use Microsoft 365 to spread inside organizations.

Files encrypted locally can be synched to M365 Site/OneDrive

We've seen cases when ransomware encrypted local files on user desktop machines and the encrypted versions of the data were synched by the OneDrive application to Microsoft 365 cloud.

There is no evidence, however, that the criminals intended or cared if the encrypted files are uploaded to the cloud.

OneDrive application normally uploads data to Microsoft 365 at around 2MB/sec, which is 10-15x slower than the speed of data encryption operations on local machines. This often means that only a small share of encrypted data is synched from local machines to Microsoft 365 cloud before the attack is discovered.

When encrypted files get uploaded to OneDrive accounts or SharePoint sites, they can usually be recovered using the standard Microsoft 365 versioning (see section 3 for more details on M365 built-in anti-ransomware tools).

Microsoft 365 can be a point of entry for ransomware

Email phishing in one of the most important ransomware attack vectors. Criminals often use Microsoft 365 Exchange Online (along with other email services) to infect their victims by sending messages with infected attachments or links to malware.

Cerber ransomware is a notable example where attackers focused on Microsoft (Office) 365 users to deliver phishing emails. In 2016 Cerber infected multiple enterprises by sending infected email attachment that was able to bypass the built-in Exchange Online filtering, so users who opened the attachment infected their local machines.

Cerber ransomware uses Exchange Online to penetrate networks; but it isn't focused on Microsoft 365 or Exchange data

Importantly, Cerber and other similar strains use Exchange Online only for the initial infection. The ransomware doesn't attempt to encrypt Microsoft 365 data itself. It instead spreads locally within infected organizations and encrypts on-premises data sources.

Microsoft 365 help ransomware spread within organization

After infecting the first machine (via Exchange Online or another attack vector), ransomware spreads further within the organization - this process is termed "lateral movement".

Most ransomware strains rely on the following ways to spread:

1. Harvesting credentials and passwords stored on the infected machine(s) in order to access other computers
2. Network scanning to identify & prioritize critical data sources to target
3. Exploiting local network protocols vulnerabilities to attack other local machines

In addition, ransomware may plant infected files (including Microsoft Office documents) to local file sharing servers and to SharePoint Online sites - if ransomware has access to a machine that is synched to SharePoint using OneDrive application.

However, the method of ransomware propagation using shared file servers is slower and less reliable than harvesting credentials or exploiting network protocols/software vulnerabilities. Planting infected files requires users to notice and open them on machines that run old/vulnerable OS versions that will not detect ransomware.

To sum up, SharePoint Online may be used to spread ransomware within organization (as a secondary lateral movement option), in case infected files are synched from an infected machine to a SharePoint site.

Can ransomware be executed in Microsoft 365 cloud?

It is important to note that Microsoft 365 itself cannot run or execute ransomware. An infected file must be opened on a local machine (Windows/Linux/Mac, etc) to be executed.

SharePoint Online and other Microsoft 365 apps can only act as storage media for ransomware executable files. Ransomware can only perform encryption & infect systems when it's downloaded and opened on a server or a user machine.

We analyzed data from more than 350 ransomware attacks that happened in 2020 and 2021. In this section we will discuss the main characteristics of the ransomware strains and how they evolved.

Trend #1: Data Leaks in Addition to Encryption

Egregor (formerly Maze) became the largest ransomware gang in 2020 and it was the first to introduce a new extortion tactic. They came up with the idea (in addition to encryption) of stealing sensitive data and threatening their victims to leak the data publicly.

All other ransomware operations quickly followed the example and by te end of 2021 virtually all ransomware attacks involved stolen data leaks or threats of thereof.

Trend #2: Division of Labor & RaaS Business Model

All major ransomware operations, rely on the multi-tier distribution model (Ransomware as a service or RaaS). In this model, the ransomware software is licensed by its developers to other criminals specialized in deploying it and executing the attacks.

The RaaS business model first emerged in 2016 and in 2020 it gained strong traction with major RaaS software vendors trying to establish their brands and recruit affiliates through ads in the dark web. For example, Sodinokibi / REvil group made a $1 million PR stunt trying to acquire partners to deploy their ransomware - a move more typical for legitimate software vendors.

Trend #3: Criminals Moving Upmarket

Ransomware criminals are increasingly targeting enterprises and large organizations to increase the chances of large payouts.

For example, multiple Ryuk ransomware attacks showed evidence that the operators perform extensive research of their targets before the attacks, and execute carefully planned operations in multiple stages. The approach enabled Ryuk to acheive some of the highest payouts (millions or 10s of millions dollars per attack).

Given that the criminals' tactics continue to evolve, we belive it is likely that in 2022:

1. One of the criminal gangs will realize the need to focus on Microsoft 365 to target victims' most critical & sensitive data
2. Other ransomware gangs will replicate the tactic and most ransomware attacks will at least in some way target M365

To attack Microsoft 365 effectively cloud-focused ransomware will need to have access to Microsoft API. To get it criminals have two major options:

1. Steal Microsoft 365 admin credentials, then grant their ransomware application access to M365 domain and then encrypt the data, deleting/overwriting old versions so they cannot be restored using standard Microsoft recovery tools (see section 5)
2. Trick Microsoft 365 users & admins into granting a ransomware application access to their M365 data

The first scenario — stealing Microsoft 365 admin credentials — can be executed via a phishing attack, or by getting access to admin's machine through a software vulnerability.

The second scenario — receiving API access permissions (auth token) — will require criminals to create a fake application mimicking a legitimate app that could reasonably request write access to Microsoft 365.

In an example demonstrated by KnowBe4's Kevin Mitnick future criminals send a phishing email and trick a user into granting a security application access to her Microsoft 365 data (see below).

Fake cloud app may request M365 auth token to encrypt Microsoft 365 data via API (example below by KnowBe4)

We belive that the example above illustrates a realistic attack scenario for ransomware focused on Microsoft 365 data. After the fake application receives API access permissions, it can then steal M365 data and encrypt SharePoint Online and Exchange Online.

So far we haven't seen such attacks in real life, but it's likely we will.

Overall Ransomware Trajectory: Growing Again

In its annual Internet Crime report FBI shows the number of ransomware cases reported to FBI in the US and internationally.

The total number of reported ransomware cases grew in 2013-2016 and peaked at 2,673. In 2016-2018 it dropped 44%, which in our opinion is the result of organizations' investments in cybersecurity following the major wave of ransomware in 2016.

In 2019-2020 the number of ransomware cases grew at 66% GAGR. In our view this reflects more sophisticated ransomware technology and multi-tier criminal organization (developers vs operators) which enables software developers to focus on building the tools while it lets operators to focus on deploying the tools and planning & managing the attacks.

There are four built-in mechanisms that protect Microsoft 365 data from ransomware:

1. Detection and filtering is included and enabled in all Microsoft 365 plans. Exchange Online Protection (EOP) scans receives emails and filters out phishing and infected messages. SharePoint/OneDrive built-in anti-malware engine scans suspicious files when they are uploaded or accessed later; it then deletes/blocks them if malware is detected.
2. File Versioning are available for SharePoint and OneDrive in all M365 plans. The standard versioning has limitations (any user who has edit rights to the file can delete the version history). The limitations can be resolved by leveraging Compliance Center retention policies (available only in premium plans, see more about compliance retention here).
3. (Post-deletion) recovery capabilities enable admins to recover permanently deleted Exchange Online, SharePoint and OneDrive data within 25-30 days after deletion.
4. Sandboxing and other advanced protection measures are available in Microsoft Advanced Threat Protection (also known as ATP or Microsoft Defender for Office 365). Among other features ATP monitors suspicious email attachments in a safe environment (Sandbox), to detect unknown (zero-day) threats. The additional protection is available in more expensive Microsoft 365 Business Premium and Office 365 E5 plans; it can also be purchased as an add-on.

		Native Protection
Microsoft 365 app	Data types	Detection & Filtering	File Versioning	Post-deletion Recovery	Sandboxing & ATP
Exchange Online	Email messages, attachments.
SharePoint Online	Shared documents, web pages
OneDrive	Individual users' files
Teams Chats	1-1 and Teams channel messages
Calendars, contacts & other	-

Included in all plans Partial support Not supported

Malware detection & filtering built into Microsoft 365 protects against phishing (which is often the first step of a ransomware attack) and limits the spread of ransomware inside an organization (infected files stored on OneDrive and SharePoint online are detected and deleted/quarantined).

While SharePoint Online and OneDrive for Business cannot prevent encryption, their built-in versioning capabilities help recover from ransomware. Before 2017 the versioning worked only for for native (docx, xlsx, etc) data types. Starting from 2017 versions from all types of files (including non-native) are retained.

Versioning is enabled by default for document libraries and OneDrive. It retains the last 500 versions of files (though you can increase the limit to 50,000 - see details here).

Microsoft 365 also has post-deletion recovery capabilities embedded in SharePoint Online and OneDrive. It enables administrators to roll back the entire document libraries and OneDrives to any point in time within the last 30 days. The drawbacks of using these capabilities to recover from ransomware are:

1. If you’re late (30+ days) to notice that your files got encrypted (possible if ransomware affects rarely used data), then you will not be able to use the tool
2. The recovery will roll back all data to a recovery point that you choose. This may lead to partial data loss as some edits between the recovery point and the encryption event may be lost.
3. If a file or a folder is deleted and then created/uploaded again, the recovery will skip it.

Ransomware criminals have so far focused on on-premise data sources that are easier to encrypt and contain more data. However some of the most important organizational data already resides in public cloud (shared files, email, messaging, accounting, etc.).

It is very likely that ransomware will chase the valuable data and will focus on cloud applications in the future. We believe that this ransomware transition to the cloud will happen relatively soon, within 1-2 years.