What You Need to Know about Ransomware Attacks and Office 365

You’ve likely seen the headlines by now:

These are alarming stories. Just as organizations have started to trust the cloud with their collaboration applications and the data in them, they are reminded that attackers are going after that data wherever the SaaS provider keeps it.

But let’s step back for a moment. What is really going on here? Can ransomware encrypt files stored in Office 365? And does that mean you should keep important information out of the cloud altogether?


These headlines all trace back to a single report by Steven Toole, a researcher at the cloud-security firm Avanan. The payload was Cerber, a then-new ransomware family. A Microsoft article on the family explains that it takes its name from Cerberus, the three-headed hound of Hades in Greek mythology.

According to Toole, the campaign against Office 365 users started on June 22 and ran for more than 24 hours. It was delivered by email, which is still the primary way malware gets into an organization’s infrastructure. The technique is not new: attackers have been phishing by email since at least 1996, so sysadmins have spent roughly twenty years blocking known lures and teaching users not to click suspicious links or open unexpected attachments. That is why most organizations disable Office macros by default, and why the phishing emails include step-by-step instructions for enabling macros so the target can read the “critical” document attached to the message.
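Whether “macros are blocked” actually holds on a given workstation is worth verifying rather than assuming. The following PowerShell script is an added example, not code from the original article, Avanan or Microsoft: it reads the effective Trust Center macro setting for Word, Excel and PowerPoint from both the user hive and the Group Policy hive, and flags any application where a user could still enable macros with one click on an attachment that arrived from the Internet. The registry value names (`VBAWarnings`, `blockcontentexecutionfrominternet`) and their meanings are Microsoft’s documented ones; the “Weak” verdict rule is this example’s own.

```powershell
# Added example: audit the effective Office VBA macro policy per application.
#
# VBAWarnings (Trust Center "Macro Settings"):
#   1 = enable all macros (dangerous)
#   2 = disable with notification (default; the user can click "Enable Content")
#   3 = disable all except digitally signed macros
#   4 = disable all macros without notification
# blockcontentexecutionfrominternet = 1 blocks macros in files carrying the
# Mark-of-the-Web (Office 2016 and later), which covers email attachments.

$apps     = 'Word', 'Excel', 'PowerPoint'
$versions = '16.0', '15.0', '14.0'   # Office 2016/365, 2013, 2010

function Get-MacroSetting {
    param([string]$KeyPath, [string]$Name)
    # Returns $null when either the key or the value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-OfficeMacroPolicy {
    foreach ($ver in $versions) {
        foreach ($app in $apps) {
            # Values under Software\Policies are set by Group Policy and override
            # whatever the user chose in the Trust Center dialog.
            $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            $userKey   = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            if (-not (Test-Path $userKey) -and -not (Test-Path $policyKey)) { continue }

            $policyWarn = Get-MacroSetting $policyKey 'VBAWarnings'
            $userWarn   = Get-MacroSetting $userKey   'VBAWarnings'
            $effective  = 2                                            # Office default when neither is present
            if ($null -ne $userWarn)   { $effective = $userWarn }
            if ($null -ne $policyWarn) { $effective = $policyWarn }   # policy wins

            $blockInternet = Get-MacroSetting $policyKey 'blockcontentexecutionfrominternet'
            if ($null -eq $blockInternet) { $blockInternet = Get-MacroSetting $userKey 'blockcontentexecutionfrominternet' }

            [pscustomobject]@{
                Application       = "$app $ver"
                VBAWarnings       = $effective
                SetByPolicy       = ($null -ne $policyWarn)
                BlockFromInternet = ($blockInternet -eq 1)
                # Weak: the user can enable macros AND Internet-sourced files are not blocked.
                Weak              = ($effective -le 2 -and $blockInternet -ne 1)
            }
        }
    }
}

Get-OfficeMacroPolicy | Format-Table -AutoSize

# Hardening for Office 2016/365 (run per user, or deploy the same values via GPO):
# require signed macros and block macros in files downloaded from the Internet.
# foreach ($app in $apps) {
#     $k = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
#     New-Item -Path $k -Force | Out-Null
#     Set-ItemProperty -Path $k -Name VBAWarnings -Value 3 -Type DWord
#     Set-ItemProperty -Path $k -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
# }
```

A row with `Weak` set to `True` is a workstation where the “enable macros to view this document” instructions in the phishing mail would work exactly as the attacker intends. Note that the `Policies` hive only reflects a GPO if one is actually applied; an empty policy key with a permissive user setting is the common finding.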

How widespread was the attack? Avanan estimated that 57% of the organizations using its service alongside Office 365 had at least one user who received the malicious email. Read carefully, that is less dramatic than it sounds: the figure counts tenants with a single recipient, not infected machines. Because the attachment was new, Microsoft’s filters took more than 24 hours to identify and block this particular threat; several third-party email security products caught it sooner.

So what if your organization was in the 57% that had one user who received this threat? What if that one user followed the email’s instruction to enable macros? What would actually happen?

It is nasty. The current strain of Cerber is sold as Ransomware as a Service (RaaS): someone else does the hard work of building the malware and the ransom-collection infrastructure, subscribers customize how their deployment looks and behaves, and the service operator takes a percentage of every ransom paid as a fee.

According to Malwarebytes Labs, once the malware runs (because your user was tricked into enabling macros or clicking a link), it copies itself into a hidden folder, drops a shortcut in Programs → Startup, and modifies several Registry keys so that it is relaunched whenever the user logs into Windows. From then on it executes at every logon and begins encrypting files.
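Those three persistence points (a hidden install folder, a Startup-folder shortcut and autorun Registry values) are exactly what an incident responder should enumerate on a suspect laptop. The script below is an added example written for this article, not code from Malwarebytes Labs or the original page. It lists every entry in the per-user and all-users Startup folders and in the `Run`/`RunOnce` keys of `HKCU` and `HKLM`, resolves `.lnk` shortcuts to their targets, and flags targets that live in a hidden directory or under `%APPDATA%`, `%LOCALAPPDATA%` or `%TEMP%`. That flagging rule is a triage heuristic of this example, not a published Cerber indicator, and it will also surface legitimate per-user installs (the OneDrive sync client itself lives under `%LOCALAPPDATA%`), so treat it as a shortlist to inspect, not a verdict.

```powershell
# Added example: enumerate the autostart locations described above and flag
# targets in hidden or user-writable folders. Heuristic, not a Cerber IOC.

$userStartup   = [Environment]::GetFolderPath('Startup')
$commonStartup = [Environment]::GetFolderPath('CommonStartup')
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Locations a standard user can write to without elevation (assumed list for this example).
$userWritableRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Resolve-ShortcutTarget {
    param([string]$LnkPath)
    # .lnk files are resolved through the WScript.Shell COM object.
    $shell = New-Object -ComObject WScript.Shell
    return $shell.CreateShortcut($LnkPath).TargetPath
}

function Get-ExecutableFromCommand {
    param([string]$Command)
    # Run values hold a full command line; return the first token, quoted or not.
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    return ($cmd -split '\s+')[0]
}

function Test-SuspiciousPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    $dir = Split-Path -Path $expanded -Parent
    if (-not $dir) { return $false }
    # Hidden parent directory, matching the "hidden folder" install described above.
    $hidden = $false
    if (Test-Path -LiteralPath $dir) {
        $attrs = (Get-Item -LiteralPath $dir -Force).Attributes
        $hidden = [bool]($attrs -band [IO.FileAttributes]::Hidden)
    }
    $inUserWritable = $false
    foreach ($root in $userWritableRoots) {
        if ($expanded.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inUserWritable = $true }
    }
    return ($hidden -or $inUserWritable)
}

function Get-AutorunEntries {
    # Startup folders: -Force also lists hidden files dropped there.
    foreach ($folder in @($userStartup, $commonStartup)) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $folder -Force -File) {
            $target = if ($f.Extension -eq '.lnk') { Resolve-ShortcutTarget $f.FullName } else { $f.FullName }
            [pscustomobject]@{ Source = "Startup: $folder"; Name = $f.Name; Target = $target; Suspicious = (Test-SuspiciousPath $target) }
        }
    }
    # Registry Run/RunOnce values.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, etc. added by the provider
            $exe = Get-ExecutableFromCommand ([string]$p.Value)
            [pscustomobject]@{ Source = $key; Name = $p.Name; Target = $exe; Suspicious = (Test-SuspiciousPath $exe) }
        }
    }
}

Get-AutorunEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

Run it in an elevated session if you want the `HKLM` keys and the all-users Startup folder read reliably. For anything flagged, check the target binary’s signature and hash before deciding; the point of the script is to make the handful of entries worth looking at visible in seconds rather than to name the malware.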

According to bleepingcomputer.com, Cerber then scans and encrypts not only the data on the device and on mapped drives but also data on unmapped network shares, provided the infected account can reach them. For Office 365 the exposed data is whatever OneDrive for Business and SharePoint content is synced to the user’s laptop: the sync client uploads the encrypted versions just as it would any other change, so the damage follows the files into the cloud. All bets are off for your organization’s on-premises data as well; if the infected laptop can access a share, Cerber will encrypt it.

Maybe the attack was not all that widespread, but if the tenant you are responsible for was one of the 57% targeted and the one user who received the email was duped into running Cerber, the size of the campaign will not matter to you. You have to be prepared for these attacks. The NIST Cybersecurity Framework is a good place to start if you do not already have a plan in place. The three functions highlighted in the chart below are the ones you must evaluate when you move critical business data to a SaaS application.


Backup and Recovery Chart

The industry has been dealing with these threats for at least 20 years, so it is important not to get distracted by the hype around one event. It is vital, though, to have healthy processes in place to protect critical business data before an attack happens. A good backup and recovery plan is the last line of defense for your data and your organization’s productivity against attacks such as Cerber.

Spanning by EMC has you covered if you suffer an attack and need to recover files quickly and reliably from a point before the infection. If Cerber reaches a user’s OneDrive for Business site, Spanning Backup can restore those files from a backup taken before the encryption began. For on-premises mission-critical data, EMC’s Isolated Recovery Systems can help you build an environment that ensures you will always be able to recover.
Don’t leave your data at risk.

Protect yourself — start a FREE trial of Spanning Backup today.