Proofpoint has discovered a feature in the Microsoft cloud that allows an attacker to encrypt files stored on SharePoint Online and OneDrive in a way that leaves them unrecoverable from the service itself, without a copy held elsewhere. This runs counter to the usual assumption that cloud drives are more resilient to ransomware than endpoints, because features such as autosave, versioning and the recycle bin normally preserve enough earlier copies of a file to restore from after an attack.
To hold cloud files to ransom, the attacker must first gain access to a user's SharePoint or OneDrive account. That access can be obtained through phishing, brute-force attacks, hijacking of web sessions or live API tokens for SharePoint or OneDrive, or tricking the user into authorizing a malicious third-party OAuth app. With access in hand, the attacker lowers the versioning limit of the document library (the number of versions of each file that the service keeps) to a small value, then encrypts each file more times than that limit. Every encryption pass creates a new version, so the older versions, including the original, are pushed past the limit and purged. At that point only encrypted versions remain in the cloud: the user can still see the files, but they are useless without the decryption key, which only the attacker holds. The attacker can then demand a ransom for its release.
Recommended mitigations are to follow standard ransomware hygiene, turn on detection of risky file-configuration changes (for example, a sharp reduction of a library's versioning limit), enforce multi-factor authentication, and keep copies of sensitive data in backups outside the cloud tenant.
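The following Python model illustrates both the attack sequence described above (lower the version limit, then overwrite each file more times than the limit) and one of the mitigations (detecting a risky version-limit change followed by mass file modification). It is an added example written for this page, not Proofpoint's tooling or Microsoft's code. The library class, the default limit of 500, the audit event names `VersionLimitChanged` and `FileModified`, and the hash-based XOR cipher are all assumptions made for the illustration; the sample files and audit events are constructed inline.

```python
import hashlib
from dataclasses import dataclass, field

DEFAULT_LIMIT = 500  # assumed default "keep N major versions" setting for the model


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Hash-based keystream standing in for the attacker's cipher (toy, not production crypto)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(4, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_layer(data: bytes, key: bytes, nonce: int) -> bytes:
    """Apply one encryption layer keyed by (key, nonce); applying it again removes the layer."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


@dataclass
class Library:
    """Toy document library: `limit` is the version-retention setting, enforced on each write."""
    limit: int = DEFAULT_LIMIT
    versions: dict = field(default_factory=dict)  # file name -> list of contents, oldest first
    audit: list = field(default_factory=list)     # constructed audit events (op names are assumptions)

    def set_limit(self, actor: str, new_limit: int) -> None:
        self.audit.append({"actor": actor, "op": "VersionLimitChanged", "old": self.limit, "new": new_limit})
        self.limit = new_limit

    def write(self, actor: str, name: str, content: bytes) -> None:
        hist = self.versions.setdefault(name, [])
        hist.append(content)
        self.audit.append({"actor": actor, "op": "FileModified", "file": name})
        del hist[: max(0, len(hist) - self.limit)]  # purge versions beyond the limit

    def current(self, name: str) -> bytes:
        return self.versions[name][-1]

    def can_restore(self, name: str, content: bytes) -> bool:
        return content in self.versions[name]


def ransom_library(lib: Library, actor: str, key: bytes, new_limit: int = 1) -> int:
    """Attacker on a hijacked session: lower the limit, then overwrite every file limit+1 times."""
    lib.set_limit(actor, new_limit)
    rounds = new_limit + 1
    for name in list(lib.versions):
        for nonce in range(rounds):
            lib.write(actor, name, xor_layer(lib.current(name), key, nonce))
    return rounds


def recover(ciphertext: bytes, key: bytes, rounds: int) -> bytes:
    """Peel the encryption layers in reverse; only the key holder can do this."""
    for nonce in reversed(range(rounds)):
        ciphertext = xor_layer(ciphertext, key, nonce)
    return ciphertext


def detect_version_limit_abuse(audit: list, max_safe_limit: int = 10) -> list:
    """Flag an actor who lowers the version limit to a dangerously low value and then modifies files."""
    suspects = {}
    for ev in audit:
        if ev["op"] == "VersionLimitChanged" and ev["new"] < ev["old"] and ev["new"] <= max_safe_limit:
            suspects[ev["actor"]] = {"new_limit": ev["new"], "files": set()}
        elif ev["op"] == "FileModified" and ev["actor"] in suspects:
            suspects[ev["actor"]]["files"].add(ev["file"])
    return [{"actor": a, "new_limit": s["new_limit"], "files_touched": len(s["files"])}
            for a, s in suspects.items()]


def demo() -> dict:
    """Run the attack against a constructed library and report what was lost and what was detected."""
    lib = Library()
    original = b"Q3 board minutes - confidential"
    lib.write("alice", "minutes.docx", original)
    lib.write("alice", "minutes.docx", original + b" (edited)")
    lib.write("alice", "budget.xlsx", b"revenue,cost\n100,80\n")
    restorable_before = lib.can_restore("minutes.docx", original)  # old version still kept
    key = hashlib.sha256(b"attacker secret").digest()
    rounds = ransom_library(lib, "alice", key)  # attacker acting through alice's session
    return {
        "restorable_before": restorable_before,
        "restorable_after": lib.can_restore("minutes.docx", original),
        "recovered_with_key": recover(lib.current("minutes.docx"), key, rounds) == original + b" (edited)",
        "findings": detect_version_limit_abuse(lib.audit),
    }


if __name__ == "__main__":
    print(demo())
```

The detector keys on the combination that the text describes as the attack's signature: a reduction of the version limit to a very low value by an identity that then touches many files. A real deployment would read those events from the tenant's audit log and tune `max_safe_limit` to the organization's normal settings.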
Written by: Kelly Lekaise
Edited by: Prakhar Tripathi