Microsoft Office 365 feature can be used by ransomware developers

Ransomware attacks can involve cloud files if attackers hijack the Office 365 accounts

Cloud ransomware possibilities with Microsoft 365. Researchers discover potentially dangerous functionality that can lead to cloud data encryption

Researchers revealed that threat actors can hijack Microsoft Office 365 accounts to encrypt files stored in the SharePoint and OneDrive services. Ransomware encrypts [1] files to extort a ransom payment, so this could be a way to gain money.[2] Companies use these services for cloud-based collaboration, document management, and storage, so malware creators may try to abuse the opportunity.

The functionality was discovered in the Microsoft 365 suite and could be abused by malicious actors who focus on attacks on cloud infrastructure.[3] A cloud ransomware attack could end with file-encrypting malware affecting data and leaving files unrecoverable without dedicated backups or the decryption keys held by the attacker. The cloud is often used as the backup itself, so this can mean permanent file loss.

According to the researchers, these infections can start with a combination of Microsoft APIs, command-line interface scripts, and PowerShell scripts.[4] Cybercriminals could target an organization's files in the cloud and trigger malware attacks on the cloud infrastructure.

Possible ransomware attacks on cloud infrastructure

The research team discovered the attack chain and documented the possible steps of the ransomware infection. Ransomware normally infects machines and locks files by using encryption; in the cloud case, once executed, the malware encrypts files in the compromised user's account. As usual, those files cannot be opened or retrieved without the decryption keys.

Initial access can be gained to a few users' SharePoint Online or OneDrive accounts by hijacking their identities. Threat actors can then access any file owned by the user whose account was compromised. One step that is more unique to cloud ransomware is the abuse of the versioning limit.

After the hijacking, attackers can rely on Microsoft APIs and PowerShell scripts to automate malicious actions across large document lists. To finish the file locking quicker and make recovery difficult, it is possible to reduce the version limit and then encrypt every file more times than that limit, so that no unencrypted version remains in the version history.

Attack chains for endpoint-based ransomware do not have such a feature. The attacker can also exfiltrate the unencrypted files and rely on double or triple extortion tactics later on.[5] This has become a popular method among financially motivated ransomware attackers.
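The following is an added illustration, not code from the article, from the researchers, or from Microsoft. It models a document library with a per-library version limit to show why lowering the limit and re-saving a file more times than the limit leaves no clean version to restore, and it runs a simple defender-side check over constructed audit events that flags a version-limit reduction followed by a burst of file modifications by the same user. The starting limit of 500, the event field names (`op`, `user`, `ts`, `old_limit`, `new_limit`) and the detection thresholds are assumptions chosen for the example, not real Microsoft audit schema.

```python
"""
Model of a cloud document library with a version limit, plus a detection
check over audit events. Added example; not from the article or Microsoft.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Document:
    name: str
    versions: deque = field(default_factory=deque)  # oldest -> newest


class Library:
    """Keeps at most `version_limit` versions per document, dropping the oldest."""

    def __init__(self, version_limit: int):
        self.version_limit = version_limit
        self.docs: dict[str, Document] = {}

    def set_version_limit(self, limit: int) -> None:
        # Lowering the limit immediately purges the oldest versions.
        self.version_limit = limit
        for doc in self.docs.values():
            self._trim(doc)

    def save(self, name: str, content: bytes) -> None:
        doc = self.docs.setdefault(name, Document(name))
        doc.versions.append(content)
        self._trim(doc)

    def _trim(self, doc: Document) -> None:
        while len(doc.versions) > self.version_limit:
            doc.versions.popleft()

    def has_clean_version(self, name: str, is_clean) -> bool:
        return any(is_clean(v) for v in self.docs[name].versions)


def simulate_limit_abuse(limit_after: int, overwrites: int) -> bool:
    """Return True if a clean version survives after the limit is lowered to
    `limit_after` and the file is overwritten `overwrites` times."""
    lib = Library(version_limit=500)  # assumed starting limit for the example
    lib.save("report.docx", b"quarterly numbers")
    lib.save("report.docx", b"quarterly numbers v2")
    lib.set_version_limit(limit_after)
    for i in range(overwrites):
        # "SCRAMBLED:" stands in for an encrypted overwrite; no real cipher used.
        lib.save("report.docx", b"SCRAMBLED:" + bytes([i]))
    return lib.has_clean_version(
        "report.docx", lambda v: not v.startswith(b"SCRAMBLED:")
    )


def flag_versioning_abuse(events, window_seconds=600, min_mods=50):
    """Return (user, new_limit, modification_count) for each user who lowered a
    version limit and then modified at least `min_mods` files within the window.
    Event field names are constructed for this example."""
    alerts = []
    for change in events:
        if change["op"] != "VersionLimitChanged" or change["new_limit"] >= change["old_limit"]:
            continue
        mods = [
            e for e in events
            if e["op"] == "FileModified"
            and e["user"] == change["user"]
            and change["ts"] <= e["ts"] <= change["ts"] + window_seconds
        ]
        if len(mods) >= min_mods:
            alerts.append((change["user"], change["new_limit"], len(mods)))
    return alerts


# Constructed sample audit events: alice drops the limit to 1 and rewrites 60
# files; bob lowers the limit modestly and edits 3 files (normal admin activity).
SAMPLE_EVENTS = (
    [{"op": "VersionLimitChanged", "user": "alice", "ts": 1000, "old_limit": 500, "new_limit": 1}]
    + [{"op": "FileModified", "user": "alice", "ts": 1000 + i, "file": f"doc{i}.docx"} for i in range(1, 61)]
    + [{"op": "VersionLimitChanged", "user": "bob", "ts": 2000, "old_limit": 500, "new_limit": 100}]
    + [{"op": "FileModified", "user": "bob", "ts": 2000 + i, "file": f"plan{i}.xlsx"} for i in range(1, 4)]
)


if __name__ == "__main__":
    print("clean version survives (limit 1, 2 overwrites):", simulate_limit_abuse(1, 2))
    print("clean version survives (limit 500, 2 overwrites):", simulate_limit_abuse(500, 2))
    print("alerts:", flag_versioning_abuse(SAMPLE_EVENTS))
```

The model shows that the number of clean versions that survive is the old limit minus the number of overwrites, so a limit of 1 followed by two overwrites leaves nothing, while a generous limit keeps the originals. The detection check is deliberately coarse: a lowered limit on its own is routine administration, so it only alerts when that change is followed by a burst of modifications from the same account.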

Monetization – the goal of the typical file-locking attack

When ransomware affects files in the cloud or on the system, all versions of those documents, images, audio, or video files are lost; only the encrypted version of each piece remains in the cloud account. The attackers can then demand their preferred method of payment and list options from there. The ransom demanded from an organization can come to hundreds or even tens of thousands in the chosen cryptocurrency.

These demands often come with a time limit, and threat actors can request payments while promising a decryption that is not possible. Stealing the original documents before encrypting them helps put more pressure on the victims.

Often the ransom is paid to avoid the leakage of the data. However, paying does not guarantee that files will be restored, so it is not the best option, especially if backups are stored somewhere else and file recovery is possible without the decryption key.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

Jake Doevan is one of the News Editors. He graduated from Washington and Jefferson College with Communication and Journalism studies.
