What You Need to Know about Ransomware Attacks and Office 365
Over the past two years the rise in number and sophistication of ransomware attacks has been meteoric. A recent report released by the U.S. Department of Justice revealed that ransomware attacks quadrupled from 1,000 attacks per day in 2015 to more than 4,000 attacks daily in 2017.
While Microsoft products and services have been targeted by hackers for decades, now that Office 365 is the company’s fastest-growing solution, it has become a primary target. According to Jason Rogers, Microsoft’s lead threat protection Program Manager for Office 365, in 2016 alone, Microsoft saw malware attempts targeted at Office 365 increase 600 percent. See the recent news below:
- Cerber ransomware targets enterprises via Office 365
- Microsoft Office 365 hit with massive Cerber ransomware attack, report
- Wanna Cry Ransomware: Everything You Need to Know
Ransomware attacks are not cheap. Cybersecurity Ventures predicts that ransomware damage costs will exceed $5 billion in 2017. Yes, that’s $5 billion. These costs include but are not limited to:
- Damage and/or data loss
- Downtime and lost productivity
- Ransom (cryptocurrency) if an organization decides to pay the hacker
- Forensic investigation
- Restoration and deletion of hostage data and systems
- Brand and reputation
With such great risk for loss at the hands of hackers, every member of your organization, from your COO to each individual employee, must take proactive measures to protect their data.
The Anatomy of a Ransomware Attack
At the highest level, there are three main components to most ransomware attacks:
- Find a way in
- Land and expand
- Encrypt and ransom
Find a way in: Often the easiest way to trigger a ransomware attack is social engineering: tricking an end user into opening an email that carries ransomware and executes malicious code. Ransomware will masquerade as links to software updates or as macros. The Cerber ransomware attack, for example, targeted Office 365 and flooded end users’ inboxes with an Office document that invoked the malware via macros. Ransomware also commonly exploits a software vulnerability. The WannaCry attack was engineered to take advantage of a Microsoft vulnerability. Although Microsoft released a patch in March 2017 to address this vulnerability, and then released a second patch on May 13th to stop WannaCry, many Microsoft customers did not apply it, making them victims of the largest ransomware attack to date. Scripting or APIs can also act as entrance points to your system if you are in the cloud. Finally, compromising a user’s password or PII and then acting as a legitimate user is a common technique for hackers to find a way into your organization.
Land and expand: Once your organization’s system has been breached, ransomware is built to expand quickly, locking down as much of your system as possible. Ransomware can be programmed to search for critical files locally, on the network, and in the cloud. It can contact command and control services, and finally, it can utilize access to spread to other machines. With Office 365 and other cloud apps, ransomware can easily propagate through sharing. Collaboration tools such as SharePoint Online and OneDrive for Business can inadvertently spread ransomware across multiple users, systems, and shared documents. The impact can be full access to your organization’s data and email, with potential data leaks or data destruction.
Encrypt and ransom: Finally, ransomware, unlike other types of malware, will encrypt your files or lock down your system. Infected end user devices will receive a message that their data is being held for ransom. Hackers typically demand payment in cryptocurrency to unlock or release victims’ systems and data. However, there is no guarantee that the hacker has not damaged your data or will return control to your organization. As often as not, your data is destroyed and inaccessible even after ransom has been paid.
Data Protection and Office 365
With the number of 4,000 attacks per day looming in the back of your mind, how do you successfully prevent ransomware from breaching your organization? There is no silver bullet or single solution to protect you. For Office 365 and other cloud apps, Spanning recommends a layered approach. The NIST Cybersecurity Framework is a great place to start if you don’t already have a plan in place. The three pillars highlighted below are most crucial and require evaluation when moving your critical business data to a SaaS application. End user training is also critical, as end users are often the “malware gateway” into your organization.
Backup and restore solutions
It’s vital to have healthy processes in place to protect critical business data before an attack happens. Implementing a trusted backup and recovery solution is a proactive means of protecting your data and your organization’s productivity from cyber-attacks such as the Cerber ransomware attack. If you do suffer an attack, your organization must be able to get back up and running quickly. Backup solutions such as Spanning Backup for Office 365 can restore your critical business data to the last ‘clean’ version before the attack occurred. This restore capability also minimizes the hefty cost of employee downtime and eliminates the need to pay ransom.
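As an added illustration (not Spanning's code and not part of the original article), the sketch below shows one way a per-file restore point could be chosen: walk the version history in time order and stop at the first version whose content turns near-random. The `Version` record, the 7.5 bits/byte threshold, the `.locked` extension and the sample history are all assumptions constructed for the example.

```python
import hashlib
import math
import os
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Version:
    saved: datetime
    name: str
    data: bytes

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; encrypted data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def last_clean_version(history, threshold=7.5):
    """Newest version saved before the first encryption indicator (heuristic)."""
    # Suspect = near-random content AND (previous version was not near-random
    # OR the extension changed). The second clause covers formats that are
    # already compressed (.docx, .zip), where entropy alone shows no jump.
    ordered = sorted(history, key=lambda v: v.saved)
    for prev, cur in zip(ordered, ordered[1:]):
        high = entropy(cur.data) >= threshold
        was_low = entropy(prev.data) < threshold
        ext_changed = (os.path.splitext(prev.name)[1].lower()
                       != os.path.splitext(cur.name)[1].lower())
        if high and (was_low or ext_changed):
            return prev
    return ordered[-1] if ordered else None

# Constructed sample history (not real backup data).
TEXT = b"Q3 revenue by region: north 41, south 37, east 52, west 29\n" * 60
NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
HISTORY = [
    Version(datetime(2017, 5, 12, 9, 0), "report.txt", TEXT),
    Version(datetime(2017, 5, 12, 16, 30), "report.txt", TEXT + b"draft 2\n"),
    Version(datetime(2017, 5, 13, 2, 14), "report.txt.locked", NOISE),
    Version(datetime(2017, 5, 13, 2, 15), "report.txt.locked", NOISE[::-1]),
]

if __name__ == "__main__":
    v = last_clean_version(HISTORY)
    print(v.saved, v.name, f"{entropy(v.data):.2f} bits/byte")
```

A legitimate switch to an encrypted or compressed format would also trip this heuristic, so the chosen restore point should be reviewed before a bulk restore.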
Spanning Backup for Office 365 provides enterprise-class protection for Mail, SharePoint, OneDrive for Business and Calendars. Think of it this way: most ransomware is not preventable, and new strains are identified every month. End users will always make mistakes, so even with employee security training, you are not 100% guarded against an employee accidentally clicking on what appears to be a legitimate update, macro, or email. And if you are attacked, there is no guarantee your data will be recoverable or returned to you.
Backup and restore solutions built for cloud apps ensure you can recover your data and bypass dealing with the ransomware attack altogether.