Ransomware attacks have typically targeted local drives, although this may be changing. Cloud storage has traditionally been seen as a safe place to keep files out of reach of ransomware, but new research from Proofpoint raises concern.
Proofpoint researchers have found a feature in Microsoft 365 that could be abused to encrypt files kept on OneDrive and SharePoint. If the attack is severe enough, you won’t be able to restore your files without separate backups or decryption keys obtained directly from the perpetrators. Let’s look at this ransomware attack on OneDrive and SharePoint files in more detail, but first a quick recap of what ransomware is.
Ransomware is a form of malware that takes over the victim’s account or system to block access and encrypt data. Ransomware attackers have a variety of techniques for gaining access to the victim’s system. The most common is phishing, in which the user is tricked into sharing login information or into clicking a malicious link or opening a file that infects the machine with malware. Alternatively, system vulnerabilities may be exploited to access the user’s system or account.
Once ransomware attackers have gained access to a system, they can perform a variety of tasks, such as blocking access, encrypting data, mining bitcoin, and more. Most of the time the attackers encrypt the data and then demand a ransom to unlock it. Many attackers even offer discounts for early payment to pressure the victim into paying the ransom immediately and without hesitation, and they provide a thorough, step-by-step guide on how to complete the transaction.
A new vector can lock your files in OneDrive and SharePoint
According to Proofpoint, a risky feature in Microsoft 365 allows ransomware attackers to encrypt the OneDrive and SharePoint data in compromised users’ accounts. The files can then be recovered only by purchasing the decryption key or by restoring from a previously made dedicated backup.
Proofpoint’s research identifies the “AutoSave” feature of Microsoft 365 as the weak point. This feature is meant to keep copies of older versions of files stored on OneDrive/SharePoint. The attack chain, as described by Proofpoint, runs as follows:
Attackers first gain access to the victim’s OneDrive or SharePoint account(s), whether through stolen login credentials, by convincing the victim to grant access to a third-party OAuth app, or by hijacking a logged-in user’s web session.
Once inside a user’s account, the attacker can see every file that person has saved in OneDrive or SharePoint.
The attacker sets the document library’s version limit to a low value, such as “1,” and then encrypts each file more times than the version limit allows, for example twice when the limit is set to 1. Attackers can also exfiltrate the files, which adds a second form of extortion.
With the original versions of the files gone and only the encrypted versions left in the account, the attacker can then demand a ransom to unlock the data.
PowerShell scripts, command-line scripts, and Microsoft APIs can all be used to automate the steps above.
Document libraries in OneDrive and SharePoint have a versioning setting that determines how many saved versions of each file are kept. When a user lowers a document library’s version limit, new changes to a file make reverting to earlier versions very difficult, because older versions beyond the limit are discarded.
Attackers can therefore either create a large number of file versions or simply set the version limit to “1” and then encrypt each file more times than the limit allows. For instance, a typical OneDrive account has a version limit of 500, so an attacker needs to modify each document library file 501 times: the original then becomes the 501st version back and is no longer available. Alternatively, they can set the version limit to 1 and encrypt each file twice.
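One way a defender could hunt for this pattern in Microsoft 365 audit data, as an added example that is not part of the Proofpoint research or this article: the records below are constructed sample data, “FileModified” is a real SharePoint audit operation, and “VersionLimitChanged” is a hypothetical placeholder name for a versioning-setting change event that you would map to whatever your tenant actually logs.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def rec(ts, user, op, obj, **extra):
    """Build one audit-log-style record (constructed sample data, not a real export)."""
    return {"CreationTime": ts, "UserId": user, "Operation": op, "ObjectId": obj, **extra}

# Constructed sample records. "FileModified" is a real SharePoint audit operation;
# "VersionLimitChanged" is a hypothetical placeholder for a versioning-setting change
# (assumption: map it to whatever your tenant actually logs for that setting).
LIB = "https://example.sharepoint.com/sites/finance/Shared Documents"
SAMPLE_LOG = [
    rec("2022-06-16T09:00:01", "alice@example.com", "VersionLimitChanged", LIB, NewVersionLimit=1),
    rec("2022-06-16T09:00:10", "alice@example.com", "FileModified", LIB + "/budget.xlsx"),
    rec("2022-06-16T09:00:12", "alice@example.com", "FileModified", LIB + "/budget.xlsx"),
    rec("2022-06-16T09:00:20", "alice@example.com", "FileModified", LIB + "/payroll.xlsx"),
    rec("2022-06-16T09:00:22", "alice@example.com", "FileModified", LIB + "/payroll.xlsx"),
    rec("2022-06-16T09:00:30", "alice@example.com", "FileModified", LIB + "/plan.docx"),
    rec("2022-06-16T09:00:33", "alice@example.com", "FileModified", LIB + "/plan.docx"),
    rec("2022-06-16T10:15:00", "bob@example.com", "FileModified", LIB + "/notes.docx"),  # benign edit
]

def low_version_limit_events(records, threshold=5):
    """Records where a library's version limit was set below `threshold`.
    Dropping the limit toward 1 is the precondition for the two-edit variant."""
    return [r for r in records
            if r["Operation"] == "VersionLimitChanged"
            and r.get("NewVersionLimit", threshold) < threshold]

def repeated_modifications(records, window=timedelta(minutes=10), min_files=3):
    """Users who edited at least `min_files` distinct files two or more times each
    inside `window`. Two quick edits per file is exactly what pushes the original
    out of a library whose limit is 1; the 500-limit variant needs 501 per file."""
    per_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileModified":
            per_user[r["UserId"]].append((datetime.fromisoformat(r["CreationTime"]), r["ObjectId"]))
    findings = {}
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            counts = Counter(obj for t, obj in events[i:] if t - start <= window)
            hit = sorted(obj for obj, n in counts.items() if n >= 2)
            if len(hit) >= min_files:
                findings[user] = hit
                break
    return findings
```

Thresholds are deliberately low so the constructed sample trips both checks; tune `window` and `min_files` against your tenant’s normal editing rhythm before alerting on them.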
Based on the Proofpoint research and the weak “AutoSave” feature of Microsoft 365, there are clear indications that ransomware attacks can reach your cloud storage. When Proofpoint raised this issue with Microsoft, Microsoft responded that older versions of the files could be restored for an additional 14 days with the assistance of Microsoft Support. Proofpoint followed that process but was unable to restore the earlier versions.
Therefore, the only quick fix if you become a victim of a ransomware attack and your data is encrypted on your cloud account or local disk is to pay the ransom and obtain the decryption key. This is not advised, however, because you can never be sure that the decryption key will work, that you will recover the data, or that the attacker won’t demand more money. It also encourages the perpetrators to carry out more attacks of the same kind.
If you do fall victim to such a ransomware attack, the following actions are advised:
In conclusion, you should take every reasonable step to restore the data without paying the ransom.
Ransomware and other intrusions are a real danger today. By 2025, cybercrime will cost the global economy $10.5 trillion annually, according to Cybersecurity Ventures. It is therefore more important than ever to store our data and files safely. The following are some practical methods for storing files safely on your computer:
In conclusion, you should take every precaution you can to secure the contents of your PC. While these precautions cannot completely guarantee protection from intrusions, they can significantly reduce the likelihood.
Now that 2023 has arrived, it is once more anticipated that this will be a…