Data on OneDrive & SharePoint Online threatened by ransomware

IT security experts from Proofpoint have shown that files in Microsoft’s cloud storage services OneDrive and SharePoint Online are not safe from ransomware attacks.


Thanks to features such as automatic file backup and the retention of multiple versions of each file, users of Microsoft’s cloud storage services OneDrive and SharePoint Online have so far felt largely secure. These measures made it much more difficult for attackers to encrypt information and make corresponding ransom demands. However, the IT security experts at Proofpoint have now shown one way in which Microsoft’s cloud systems can still be hit by ransomware.

According to a blog post, the researchers have discovered a potentially dangerous feature in Office 365 or Microsoft 365. According to the article, it makes it possible to encrypt files stored on SharePoint and OneDrive with ransomware in such a way that they cannot be restored without recourse to external backup copies or decryption by the attackers.


Attack Flow

The starting point for the attackers is to gain access to the SharePoint Online or OneDrive accounts of one or more users – for example through phishing, with the help of malware or via linked third-party applications.

Once the attackers have access, they can reduce the number of automatically retained file versions (up to 500) to a single one. No special privileges such as an administrator role are required to change this number. If the only remaining version is then encrypted, the user is at the mercy of the attackers.

The attack sequence described can even be automated using Microsoft APIs, CLI and PowerShell scripts.


Protection Options

To protect against this type of attack, Proofpoint advises users to watch for suspicious configuration changes in Office 365 accounts. According to the security experts, changes to the versioning settings are unusual and should therefore be examined more closely.
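The monitoring advice above can be turned into a concrete check. The following script is an added example, not code from Proofpoint or Microsoft: it compares two inventory snapshots of document-library versioning settings and flags exactly the changes the article describes as unusual, namely versioning being switched off or the retained-version limit being lowered (in the described attack, down to a single version). The snapshot field names, the threshold of 10 versions and the "contoso" tenant data are all constructed assumptions; in a real deployment the snapshots would be filled from your tenant's SharePoint administration tooling.

```python
"""Flag versioning-setting changes on SharePoint Online / OneDrive libraries.

Added example (not Proofpoint's or Microsoft's code). It diffs a baseline
snapshot against a current snapshot of library versioning settings and reports
the changes the article says should be examined more closely.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LibraryVersioning:
    """Versioning settings of one document library (field names are assumptions)."""
    site_url: str
    library: str
    versioning_enabled: bool
    major_version_limit: int  # number of retained versions; the article cites up to 500


@dataclass(frozen=True)
class Finding:
    site_url: str
    library: str
    severity: str  # "high" or "medium"
    detail: str


def _index(snapshot: List[LibraryVersioning]) -> Dict[Tuple[str, str], LibraryVersioning]:
    """Key each library by (site, library name) so baseline and current can be matched."""
    return {(lib.site_url, lib.library): lib for lib in snapshot}


def detect_versioning_changes(
    baseline: List[LibraryVersioning],
    current: List[LibraryVersioning],
    min_versions: int = 10,  # assumed floor; anything below it is treated as high risk
) -> List[Finding]:
    """Return findings for libraries whose versioning was disabled or whose limit was lowered."""
    findings: List[Finding] = []
    base = _index(baseline)
    for lib in current:
        prev = base.get((lib.site_url, lib.library))

        # Case 1: versioning was on in the baseline and is now off.
        if prev is not None and prev.versioning_enabled and not lib.versioning_enabled:
            findings.append(Finding(lib.site_url, lib.library, "high",
                                    f"versioning disabled (was enabled, limit {prev.major_version_limit})"))
            continue
        if not lib.versioning_enabled:
            continue  # was already disabled; nothing new happened between snapshots

        # Case 2: the retained-version limit was lowered (the attack path in the article).
        if prev is not None and lib.major_version_limit < prev.major_version_limit:
            severity = "high" if lib.major_version_limit < min_versions else "medium"
            findings.append(Finding(lib.site_url, lib.library, severity,
                                    f"version limit lowered from {prev.major_version_limit} "
                                    f"to {lib.major_version_limit}"))
        # Case 3: no lowering observed, but the limit sits below the configured floor.
        elif lib.major_version_limit < min_versions:
            findings.append(Finding(lib.site_url, lib.library, "medium",
                                    f"version limit {lib.major_version_limit} is below floor {min_versions}"))
    return findings


# Constructed sample snapshots for a fictitious "contoso" tenant.
BASELINE = [
    LibraryVersioning("https://contoso.sharepoint.com/sites/finance", "Documents", True, 500),
    LibraryVersioning("https://contoso-my.sharepoint.com/personal/alice_contoso_com", "Documents", True, 500),
    LibraryVersioning("https://contoso.sharepoint.com/sites/hr", "Policies", True, 50),
]
CURRENT = [
    # finance library: limit cut from 500 to 1, the pattern described in the article
    LibraryVersioning("https://contoso.sharepoint.com/sites/finance", "Documents", True, 1),
    # Alice's OneDrive: unchanged
    LibraryVersioning("https://contoso-my.sharepoint.com/personal/alice_contoso_com", "Documents", True, 500),
    # HR library: versioning switched off entirely
    LibraryVersioning("https://contoso.sharepoint.com/sites/hr", "Policies", False, 50),
    # a library that did not exist in the baseline, with a healthy limit
    LibraryVersioning("https://contoso.sharepoint.com/sites/eng", "Specs", True, 500),
]

if __name__ == "__main__":
    for finding in detect_versioning_changes(BASELINE, CURRENT):
        print(f"[{finding.severity.upper()}] {finding.site_url} / {finding.library}: {finding.detail}")
```

Run against the constructed snapshots, the script reports the finance library (limit lowered from 500 to 1) and the HR library (versioning disabled) as high-severity findings and stays silent on the unchanged and newly created libraries. Taking the baseline snapshot periodically and alerting on the diff gives the "examine versioning changes more closely" step a concrete trigger.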

It is also advisable to always keep a local copy of the data stored in the cloud. If the attack is limited to the cloud and the attackers do not gain access to the local OneDrive or SharePoint folder, the data can be easily restored.

In their article, the Proofpoint experts also point out that, according to Microsoft’s own information, support is generally able to restore older file versions (from up to 14 days ago).

Source: Proofpoint