Researchers on Thursday reported they had discovered a potentially dangerous functionality in Office 365 or Microsoft 365 that lets ransomware encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker.
In a blog post, Proofpoint researchers focused on SharePoint Online and OneDrive within the Microsoft 365 and Office 365 suites to show that ransomware actors can now target corporate data in the cloud and launch attacks on cloud infrastructure.
The researchers said once executed, the attack encrypts the files in the accounts of the compromised users. Just like with endpoint ransomware activity, those files can then only be retrieved with decryption keys. Proofpoint advises security teams to consider a cloud access security broker (CASB) and increase security hygiene around ransomware.
Overall, cloud infrastructures are more resilient to ransomware attacks, said Andrew Hay, COO at LARES Consulting. However, Hay said this versioning configuration feature removes a user's ability to have multiple versions of the same file available for restoration. If anything, Hay said this should make more organizations take a closer and more frequent look at their configurations of important mitigating controls. “Note that this isn't a vulnerability,” Hay said. “It's a feature that’s simply being exploited by an attacker with access to the user's account.”
Jason Middaugh CISO at MRK Technologies, added that Proofpoint’s findings show that threat actors can attack unsecured files in SharePoint and OneDrive and even ransom them if security teams don’t properly secure their environments. Middaugh said the recommendation to secure all accounts with multi-factor authentication, turn on/increasing monitoring/alerting, and increases back-ups all makes sense.
“I would also advise that organizations should also restrict access to Office 365 from authorized locations/countries and have a third-party assess the security posture of your Office 365 environment for enhancements/features that you can use to further secure your [organization],” Middaugh said.