Can Ransomware Hit Your Microsoft 365 Data?
Ransomware is a real threat for traditional IT infrastructure because the hardware storage used in PCs, servers and NAS devices have no built-in versioning and protection mechanism against malware.
Unlike the on-premise infrastructure, Microsoft 365 applications have native versioning, recovery tools, and anti-malware built into them.
Do the built-in tools make Microsoft 365 data immune to ransomware encryption? The short answer, in most cases, is yes.
In this blog post we will review evidence from 2015-2021 ransomware attacks, discuss the scope of Microsoft 365 ransomware protection and the evolution of ransomware which threatens Microsoft 365 data.
Afi develops a Microsoft 365 backup and one of the reasons our customers backup their M365 data is to protect it from ransomware. In the course of our business we observe ransomware attacks and how they impact organizations. We will draw upon this experience when discussing the evolution of ransomware below. Check the product
if you want to learn about Afi Microsoft 365 backup service.
Does Ransomware Affect Microsoft 365?
There has been no knows cases of ransomware encryption attacks on Microsoft 365 data or other cloud applications. While some ransomware strains target specific data types (backup tapes, enterprise database servers, etc), no ransomware specializes in cloud data sources or M365 yet.
There is no evidence of any successful ransomware attacks on Microsoft (Office 365) or other SaaS applications
Many ransomware strains (see the next section for details) are human-operated, where criminals are manually directing the attacks and select what machines ransomware infects first.
The criminals operating ransomware usually prioritize on-premise data sources (which are less protected compared to the cloud and contain valuable information), such as:
- SQL database server machines
- Tape libraries and other backup repositories
- SMB and other file sharing servers
For example, Ryuk ransomware is known to target financial data and database servers in an attempt to focus on the most valuable data. Other ransomware strains, such as Netwalker, attack backup data repositories in order to inhibit victims’ ability to recover data without paying the ransom.
Files encrypted locally can be synched to M365 Site/OneDrive
We've seen cases when ransomware encrypted local files on user desktop machines and the encrypted versions of the data were synched by the OneDrive application to Microsoft 365 cloud.
There is no evidence, however, that the criminals intended or cared if the encrypted files are uploaded to the cloud.
OneDrive application normally uploads data to Microsoft 365 at around 2MB/sec, which is 10-15x slower than the speed of data encryption operations on local machines. This often means that only small share of encrypted data is synched from local machines to Microsoft 365 cloud.
Cloud upload speed is too slow to encrypt Microsoft 365 (SharePoint and OneDrive) data at scale.
In cases when encrypted file versions get uploaded to OneDrive accounts or SharePoint sites, they can usually be recovered using the standard Microsoft 365 versioning (see
for more details on M365 built-in anti-ransomware tools).
Can Microsoft 365 serve as a source of initial ransomware infections?
Email phishing in one of the most prominent ransomware attack vectors. Criminals often use Microsoft 365 email (as well as other email services) to infect their victims by sending messages with infected attachments or links to malware.
Cerber ransomware is a notable example in which the attackers focused on Office 365 users to deliver the phishing emails. Their infected attachment was crafted in a way that allowed it to bypass the built-in Exchange Online filtering, so users who opened the attachment infected their local machines.
In case of Cerber and similar strains Exchange Online was only used for the initial infection. Ransomware did not encrypt Microsoft 365 data, instead spreading further within the organization and ecrypting on-premise data sources.
Can Microsoft 365 help ransomware spread within organization?
After they successfully infected the first machine, most ransomware strains use harvested credentials and local network protocols vulnerabilities to spread to other computers within the organization (i.e. lateral movement). Ransomware performs:
- Network scanning to identify critical data sources to target, and machines running old/vulnerable software that is susceptible to an attack
- Infected machine search to find credentials and access permissions in order to connect to other computers and infect them
In addition, ransomware may plant infected files (including Microsoft Office documents) to local file sharing servers and to SharePoint Online sites (if ransomware has access to a machine that is synched to SharePoint using OneDrive application).
However, the method of propagation using shared file servers is slow and less reliable than harvesting credentials or exploiting software vulnerabilities. It requires other users to notice the planted files and open them` using machines that run old/vulnerable OS versions that will not detect ransomware.
Therefore, SharePoint Online may be used to spread ransomware within organization (as a secondary lateral movement option), in case infected files are synched from an infected machine to a SharePoint site.
Can ransomware be executed in Microsoft 365 cloud?
It is important to note that Microsoft 365 itself cannot run or execute ransomware. An infected file must be opened on a local machine (Win/Linux/Mac, etc) to be executed.
SharePoint online and other Microsoft 365 apps can only act as storage media for ransomware executable files which can only perform encryption & infect systems when they're downloaded and opened on a server or user endpoint.
M365 & Evolution of Ransomware
We analyzed data from more than 350 ransomware attacks that happened in 2020 and were reported publicly. In this section we will discuss the main characteristics of the ransomware strains and how they evolved.
Trend #1: Data Leaks in Addition to Encryption
Egregor (formerly Maze) became the largest ransomware gang in 2020 and it was the first to introduce a new extortion tactic. In addition to encrypting files it began to steal sensitive data and threaten its victims to leak the data publicly.
All other ransomware types quickly followed the example and as of 2021 virtually all ransomware attacks involve stolen data leaks or threats of thereof.
- Microsoft 365 built-in data retention and versioning helps recover from data encryption but does not prevent data theft.
- The new data exfiltration tactic makes M365 significantly more vulnerable to ransomware and warrants additional security measures, including strict access control and 2FA enforcement (see section 3 for details).
Trend #2: Division of Labor & RaaS Business Model
All major criminal organizations, including the top 4, rely on the multi-tier distribution model (Ransomware as a service or RaaS). The ransomware software is licensed by developers to other criminals specialized in deploying it and executing the attacks.
The RaaS business model first emerged in 2016 and in 2020 it gained strong traction with major RaaS vendors trying to build their brands and recruit affiliates through ads in the dark web. For example, Sodinokibi / REvil group made a
trying to acquire talent - a move more typical for legitimate software vendors.
- RaaS model enables much greater scale and specialization for ransomware developers - helping them gain tech expertise and build more sophisticated malware.
- Ransomware is likely to adopt the same technologies that are revolutionizing the legitimate software:
- machine learning (including deep fakes for phishing and initial infection, AI capabilities to avoid detection)
- high-performance container architecture (for faster & scalable deployment on the victim's infrastructure)
- target IoT and edge workloads' software stacks in order to cause more damage & interruption during the attacks.
Trend #3: Criminals Moving Upmarket
Ransomware criminals are increasingly targeting enterprises and large organizations to increase the chances of large payouts.
For example, multiple Ryuk ransomware attacks showed evidence that the operators perform extensive research of their targets before the attacks and execute carefully planned operations in multiple stages. The approach enabled Ryuk to
some of the highest payouts (millions or 10s of millions per attack).
The Future of Ransomware
Given that the criminals' tactics continue to evolve, we belive it is likely that:
- In 1-2 years one of the criminal gangs will realize the need to focus on Microsoft 365 to target victims' most critical data
- 3-6 months later other ransomware strains will replicate the tactic and most ransomware attacks will in some way target M365
Ransomware targeting Microsoft 365 data will need to get write access to Microsoft API to overcome the limitations of slow upload spread that we discussed in section 1. To achieve this criminals have two major options:
- Steal Microsoft 365 admin credentials, then grant their ransomware application access to M365 domain and then encrypt the data there, deleting/overwriting old versions so they cannot be restored using standard Microsoft recovery tools (see section 4)
- Trick regular or admin Microsoft 365 users into granting a ransomware applications write rights to M365 domain (or a user account in case of non-admin users)
The first scenario, stealing Microsoft 365 admin credentials, can be executed through the traditional phishing approach, or by getting access to admin's machine via a vulnerability.
The second scenario, getting auth token, will require criminals to create a fake application mimicking a legitimate app that could reasonably request write access to Microsoft 365. In an example demonstrated by KnowBe4's Kevin Mitnick future criminals send a phishing email and trick a user into granting a security application access to her Microsoft 365 data (see below).
Fake cloud app may request M365 auth token to encrypt Microsoft 365 data via API (example below by KnowBe4)
Overall Ransomware Trajectory: Growing Again
In its annual Internet Crime report FBI shows the number of ransomware cases reported to FBI in the US and internationally.
The total number of reported ransomware cases grew in 2013-2016 and peaked at 2,673. In 2016-2018 it dropped 44%, which in our opinion is the result of organizations' investments in cybersecurity following the major wave of ransomware in 2016.
In 2019-2020 the number of ransomware cases grew at 66% GAGR. In our view this reflects more sophisticated ransomware technology and multi-tier criminal organization (developers vs operators) which enables software developers to focus on building the tools while it lets operators to focus on deploying the tools and planning & managing the attacks.
How Microsoft 365 is Protected from Ransomware
There are four built-in mechanisms that protect Microsoft 365 data from ransomware:
- Detection and filtering is included and enabled in all Microsoft 365 plans. Exchange Online Protection (EOP) scans receives emails and filters out phishing and infected messages. SharePoint/OneDrive built-in anti-malware engine scans suspicious files when they are uploaded or accessed later; it then deletes/blocks them if malware is detected.
- Versioning and data recovery are available for SharePoint and OneDrive in all plans. The standard versioning has limitations (any user who has edit rights to the file can delete the version history). The limitations can be resolved by leveraging Compliance retention functionality available in premium plans (see more about compliance retention
- (Post-deletion) recovery capabilities enable admins to recover permanently deleted Exchange Online, SharePoint sites and OneDrive items within 25-30 days after deletion. You can extend this windows using compliance retention policies.
- Sandboxing and other advanced protection measures are available in Microsoft Advanced Threat Protection (also known as ATP or Microsoft Defender for Office 365). Among other features ATP monitors suspicious attachments in a safe environment (Sandbox), to detect unknown (zero-day) threats. The additional protection is available in more expensive Microsoft 365 Business Premium and Office 365 E5 plans; it can also be purchased as an
Malware detection built into Microsoft 365 applications protect against phishing (which is often the first step of a ransomware attack) and limits the spread of ransomware inside an organization (infected files stored on OneDrive and SharePoint online and detected and deleted/quarantined).
While SharePoint online and OneDrive for Business do not prevent encryption, their built-in versioning capabilities help recover from ransomware. In early 2017 Microsoft 365 versioning began to work not only for native (docx, xlsx, etc) but also for non-native files.
Versioning is enabled by default for document libraries and OneDrive. It retains the last 500 versions of files (though you can increase the limit to 50,000).
Administrators and the users that have access to the files can use versions to manually recover OneDrive and SharePoint document library data after a ransomware attack. This is the most granular way to recover from an attack – you’ll be able to review each file, determine if it was affected, and fall back to the latest unaffected version if it was. But the time and effort required makes it impractical in case of a large-scale encryption.
Microsoft also provides the recovery capabilities in SharePoint and OneDrive. It enables administrators to roll back the entire document libraries and OneDrives to any point in time within the last 30 days. This is MS recommended way to recover Microsoft 365 data from ransomware. The drawbacks of Microsoft 365 native recovery are:
- If you’re late to notice that your files got encrypted (possible if ransomware affects rarely used data), then you will not be able to leverage the tool
- The recovery will roll back all the changes to a recovery point that you choose. This may lead to partial data loss as some edits between the recovery point and the encryption event may be lost.
- If a file or a folder is deleted and then created/uploaded again, the recovery will
Ransomware criminals has so far focused on on-premise data sources that are easier to encrypt and contain more data. However some of the most important organizational data already resides mostly in public cloud (shared files, email, messaging, accounting, etc.).
It is very likely, therefore, that ransomware will chase the valuable data and will focus on cloud applications. We believe that this cloud ransomware transition will happen relatively soon, within 1-2 years.
The relatively short history of ransomware shows us that it evolves very quickly and criminals are keen to embrace new technologies and business models. There is no reason they will delay the adoption of multi-cloud approach whereas they already embraced the benefits of cryptocurrencies, software as a service model and latest encryption algorithms.