Cloud storage is long termed as a safe storage drive from ransomware attacks, but the research by Proofpoint is ringing the threat bell. Continue reading →
Traditionally, ransomware attacks are seen to hit local drives (endpoints), but the trend might get shifted now. Cloud storage is long termed as a safe storage drive from ransomware attacks, but the research by Proofpoint is ringing the threat bell.
Researchers from Proofpoint have discovered a feature in the Microsoft 365 suite that could be misused to encrypt files stored on OneDrive and SharePoint. In fact, the ransomware attack would be so strong that you will not be able to recover files without dedicated backups or decryption keys from the attackers. So, let’s explore more about this ransomware attack on OneDrive and SharePoint files. But first, let’s take a brief look at ransomware.
Ransomware is one of the malware types that takes the control of the victim’s system or account to block access and also encrypt the data. There are many ways for ransomware attackers to penetrate the victim’s system. The most popular way is the phishing approach in which the victim is tricked to share login details or click a malicious link/file that then installs the malware in the system. Alternative, system loopholes can also be used to penetrate the user’s system/account.
Once ransomware attackers are successful in penetrating the system, they can do a lot of activities, i.e., block access, encrypt data, mine cryptocurrencies, etc. In most cases, attackers encrypt the data and then ask for a ransom fee to decrypt the data. Moreover, many attackers even offer a discount for early payments so that the victim doesn’t think much and pays the ransom quickly. In addition, attackers also provide a complete step-by-step guide on how the victim can complete the transaction.
Proofpoint has identified a dangerous feature in Microsoft 365 that empowers ransomware attackers to encrypt the OneDrive and SharePoint files in the compromised users’ accounts. Afterward, the files could only be accessed back by paying for the decryption key or recovering the dedicated backup made beforehand.
The research by Proofpoint indicates the “AutoSave” feature of Microsoft 365 as a potential threat. This feature is meant to make copies of older versions of files stored on OneDrive/SharePoint. The attack chain as pointed out by Proofpoint could go as follows:
Attackers start by first gaining access to the user(s) OneDrive or SharePoint account(s) through compromising login credentials, tricking the victim to allow third-party OAuth apps, or hijacking the web session of a logged-in user.
After successful penetration of the user account, attackers have access to all the files stored by the user in OneDrive or SharePoint.
Reduce the version limit of files to a low number, like “1” and then encrypt the file more times than the version limit, i.e., encrypt the file twice if the version limit is set to 1. Besides that, attackers can also do a double extortion tactic by exfiltrating the encrypted files.
Once the original versions of the files are lost and the encrypted versions are left in the user account, the attackers can then ask for a ransom to decrypt the files.
All the above steps can be automated using Microsoft APIs, PowerShell scripts, and command line interface scripts.
The document library in OneDrive and SharePoint is based on multiple attributes, where one attribute is the number of saved versions that the user can change. When a user reduces the document library version limit, it means that new changes in the file will make older versions quite difficult to restore.
So, what attackers can do is they can either create so many file versions or change the limit of the version to just “1” and then encrypt every file more times than the version limit. For example, the default version limit in most OneDrive accounts is 500. So, attackers can edit document library files 501 times. This way, the original version of every file is the 501st version file, which is no longer accessible. Alternatively, they can set the version limit to 1 and then encrypt the file twice.
From the above research work of Proofpoint and the vulnerable “AutoSave” feature of Microsoft 365, there are clear signs that ransomware attacks can occur in your cloud storage. When this vulnerability was discussed with Microsoft by Proofpoint, Microsoft stated that the older versions of files can be recovered by an additional 14 days through the help of Microsoft Support. However, Proofpoint did follow that but failed to restore older versions.
So, if you get a victim of a ransomware attack and your data is encrypted in your cloud account or local drive, then the one quick option is to pay the ransom and get the decryption key. But this approach is not recommended because you never know if the decryption key would work, you will get back the data, or the attacker might demand more money. Moreover, it also encourages attackers to do more such attacks.
The recommended steps you should immediately perform after the ransomware attack are as follows:
In short, you should try every possible measure that you can take to retrieve data without paying the ransom.
Ransomware and other cyberattacks are a serious concern today. As per Cybersecurity Ventures, cybercrimes will cost the world $10.5 trillion annually by 2025. So, it is important more than ever that we store our data and files securely. Below are some of the effective ways to store files securely on your PC:
To sum up, you should deploy every possible measure you could take to secure your files on your PC. These measures do not guarantee complete protection from cyberattacks, but they can minimize the chances greatly.
Those custom Velcro patches may seem like mere accessories for your uniform or team gear,…
Automation, enhanced security, AI integration, user-friendly CMS platforms, mobile optimization, and advanced analytics are reshaping…
Manage personal and business finances with essential digital tools. Streamline budgeting, expense tracking, and financial…
When done strategically, buying Instagram comments can offer a significant boost to your engagement and…
Explore popular video editor APIs today and discover how they can streamline your editing process…
From identifying your needs to improving recruitment, legal compliance, employee engagement, and company culture, an…