Ransomware Hackers Are Coming For Your OneDrive & SharePoint Files – Here’s How To Protect Yourself

Today's post is about attackers going after your Microsoft 365 tenant and the data stored in it. So, let's get into it.

There is a misconception about the cloud: what it does for you and what it does not. When people move things to the cloud, in this case Microsoft 365, OneDrive, and SharePoint, they are moving files that traditionally sat on a computer or on a file server at the office, and many of them assume the provider now looks after that data the way their own IT team used to.

Companies moving this information into M365 are doing a sensible thing; as we've said before, embracing M365 and Azure through COVID was the right call. What they don't realize is that on sign-up they accepted terms of service, the fine legal print (probably not little, probably very big), and those terms spell out what Microsoft is and is not responsible for.

What most people are surprised to learn is that Microsoft is not responsible for backing up your data or, beyond the platform itself, for securing it, and attackers know this. Here's what's going on: if attackers can get a user's Microsoft 365 login, they don't need to break into your network at all. A username and password is all it takes, and depending on that user's access level the damage ranges from one user's files to the whole company's.

People are self-managing their M365 tenants, or having employees sign up for accounts, with no IT or cybersecurity professional advising them. Many times companies have handed Global Administrator rights to regular users across their Azure and M365 environment. That is significant: Global Admin is the equivalent of domain admin, the highest level of control over the entire environment.

Think of it from the pre-cloud perspective: this is the network administrator who can do whatever they want on your network. The same thing exists in the cloud. Administrators can hold very specific rights or very broad ones, and whoever steals their credentials inherits them. So what do attackers do once they have access to your cloud? Remember, they do not need to be on your computer or your network; a valid username and password gets them to the data.

The attackers go in and encrypt the data. They also drop ransom notes into the OneDrive account and send messages by email letting you know the information has been encrypted. Passwords are not changed: they let you back in so you can see for yourself, "Hey, we've encrypted this." Most people assume Microsoft is protecting them and that they can go to Microsoft and get these files back.

There are a couple of things you need to know. Number one, Microsoft has versioning in OneDrive and SharePoint document libraries. You can set the limit to, say, 500 (the default for new libraries), meaning you can go back through up to 500 versions of a file and retrieve an earlier one. So if the attacker is not smart and encrypts each file only once, or changes it only once, then in theory you can roll back to the original version.
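Here is an added example (not code from the original post) that checks the versioning setting described above on every document library in a SharePoint site or a OneDrive, and optionally raises it to a floor. It uses the PnP.PowerShell module and assumes the account running it is a site collection administrator; the site URL and the 500-version floor are placeholders.

```powershell
# Added example, not from the original post: audit (and optionally enforce) version
# history on every document library in a site, then list who could lower it again.
# Assumptions: PnP.PowerShell is installed (Install-Module PnP.PowerShell), the caller
# is a site collection administrator, and $SiteUrl / $MinimumMajorVersions are
# placeholders. Recent PnP.PowerShell releases also require -ClientId of your own
# Entra app registration on Connect-PnPOnline.
param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/Finance",
    [int]$MinimumMajorVersions = 500,
    [switch]$Fix
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# BaseTemplate 101 is a document library; hidden lists are system lists.
$libraries = Get-PnPList -Includes EnableVersioning, MajorVersionLimit |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

$report = foreach ($lib in $libraries) {
    $weak = (-not $lib.EnableVersioning) -or ($lib.MajorVersionLimit -lt $MinimumMajorVersions)
    [pscustomobject]@{
        Library           = $lib.Title
        VersioningEnabled = $lib.EnableVersioning
        MajorVersionLimit = $lib.MajorVersionLimit
        BelowFloor        = $weak
    }
    if ($weak -and $Fix) {
        # Turn versioning on and raise the major-version limit to the floor.
        Set-PnPList -Identity $lib -EnableVersioning -MajorVersions $MinimumMajorVersions | Out-Null
    }
}
$report | Format-Table -AutoSize

# Anyone listed here can lower the limit or delete versions again, so the list
# should be short and should not contain day-to-day user accounts.
"Site collection administrators:"
Get-PnPSiteCollectionAdmin | Select-Object Title, Email | Format-Table -AutoSize
```

Run it without `-Fix` first to see the report; run it again with `-Fix` to apply the floor. The second table is the real check: a long list of site collection administrators means a lot of accounts whose stolen password would let an attacker undo the first table.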

However, cyber criminals know what they're doing, and they rewrite each file more than 500 times, or whatever the limit is, so the clean version ages out of the history. Depending on the level of access they have in your environment, they may simply lower the version limit to one before encrypting. This is a big deal because attackers know how to do it. Once the versions are gone you are left with very few options for getting your files back other than paying the criminals who encrypted them.
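The activity just described leaves a loud trail in the Microsoft 365 unified audit log: the same account modifying the same file hundreds of times, one account touching far more files than usual, and the same new filename (the ransom note) appearing in many folders. The following is an added example, not from the original post, that hunts for those three patterns. It assumes the ExchangeOnlineManagement module is installed, the caller holds a role that can search the audit log, auditing is enabled for the tenant, and the thresholds are placeholders to tune against your tenant's normal activity.

```powershell
# Added example, not from the original post: hunt the unified audit log for the
# version-exhaustion and bulk-encryption patterns described in the text.
# Assumptions: ExchangeOnlineManagement installed, caller can search the audit log,
# auditing enabled; thresholds are placeholders.
param(
    [int]$HoursBack       = 24,
    [int]$RewritesPerFile = 50,   # same user modifying the same file this many times
    [int]$DistinctFiles   = 200,  # distinct files changed by one user in the window
    [int]$NoteFolders     = 20    # same filename uploaded into this many folders
)

Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddHours(-$HoursBack)

# Page through results; the cmdlet returns at most 5000 rows per call.
$events = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation `
        -Operations FileModified, FileUploaded `
        -SessionId "m365-ransom-hunt-$($start.Ticks)" -SessionCommand ReturnNextPreviewPage `
        -ResultSize 5000
    $events += @($page)
} while (@($page).Count -gt 0)

# AuditData is a JSON string; flatten the fields we need.
$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        User      = $d.UserId
        Operation = $d.Operation
        File      = $d.ObjectId                          # full URL of the file
        Name      = $d.SourceFileName
        Folder    = ($d.ObjectId -replace '/[^/]*$', '')
        ClientIP  = $d.ClientIP
        Time      = [datetime]$d.CreationTime
    }
}

# Signal 1: version-history exhaustion, the same user rewriting one file many times.
$burn = $rows | Where-Object Operation -eq 'FileModified' |
    Group-Object User, File | Where-Object Count -ge $RewritesPerFile |
    ForEach-Object { [pscustomobject]@{ User = $_.Group[0].User; File = $_.Group[0].File; Rewrites = $_.Count } }

# Signal 2: bulk modification, one user changing far more distinct files than normal.
$spray = $rows | Group-Object User | ForEach-Object {
    $n = @($_.Group.File | Sort-Object -Unique).Count
    if ($n -ge $DistinctFiles) {
        [pscustomobject]@{ User = $_.Name; Files = $n; IPs = (@($_.Group.ClientIP | Sort-Object -Unique) -join ', ') }
    }
}

# Signal 3: ransom-note drops, the same new filename appearing in many folders.
$notes = $rows | Where-Object Operation -eq 'FileUploaded' |
    Group-Object User, Name | ForEach-Object {
        $folders = @($_.Group.Folder | Sort-Object -Unique).Count
        if ($folders -ge $NoteFolders) {
            [pscustomobject]@{ User = $_.Group[0].User; FileName = $_.Group[0].Name; Folders = $folders }
        }
    }

"Possible version-history exhaustion:"; $burn  | Format-Table -AutoSize
"Possible bulk modification:";          $spray | Format-Table -AutoSize
"Possible ransom-note drops:";          $notes | Format-Table -AutoSize
```

The point of the ClientIP column in the second table is triage: a burst of modifications from an address and user agent the employee has never used before is the difference between a sync-client hiccup and an attacker signed in with stolen credentials.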

Your other option is backups, and here is the other important thing to know: Microsoft does not do these backups for you. Microsoft says you can call support to get help recovering files up to 14 days back, but security researchers have found otherwise in practice. The recovery tools built into the service (the recycle bin, version history, and the 30-day OneDrive and library restore, which itself depends on version history being intact) all live inside the same tenant, under the same permissions an attacker has just abused, so they are not a backup. And quite frankly, if you've ever dealt with Microsoft support, do not put all your eggs in that basket and assume your backups are taken care of.

With 18-plus years running this company and 20-plus years in IT, the last company you should call is Microsoft support. There are a few other companies right behind them on that list, but Microsoft is at the top of the list of companies that are a big fat waste of time. This is what you need to do: you need to ensure that your cloud applications are backed up.

Anything in the cloud that you rely on to make money, anything you would lose clients over, needs to be looked at this way. Take Kronos. The Kronos Private Cloud was hit by ransomware in December 2021 and the outage bled into early 2022. The company could not operate, and its software could not be brought back for weeks, impacting the customers who used the platform to manage HR and payroll for their own businesses.

Those companies could not run HR or payroll. So it's not just about files and data; it's about looking at everything in your business. If you're an HR or payroll company reselling these services to your clients and a bigger provider like Kronos goes down, what does that mean for your business? How do you keep providing a service that runs on something you don't control?

These are all things you should be looking at as part of your incident response plan. If you need help, contact Xact IT Solutions Inc.; we help companies with these issues all the time. The other piece is a good backup plan for your cloud applications. Make sure your OneDrive is backed up. Make sure your SharePoint is backed up. Make sure you have a way to get that data downloaded locally. What if M365 is down? What if SharePoint is down? What if OneDrive is down?
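As an added example of the "get it downloaded locally" point (not code from the original post or from Xact IT Solutions), the script below pulls a point-in-time copy of one document library down to local disk, recreating the folder tree and writing a manifest of what was copied. It uses PnP.PowerShell and assumes the account has read access to the library; the site URL, library name and destination are placeholders. A OneDrive is just a personal site whose library is named "Documents", so the same script works for it. This is not a replacement for a backup product: it copies the current version of each file only, with no version history or permissions.

```powershell
# Added example, not from the original post: copy a SharePoint/OneDrive document
# library to local disk so a copy exists outside the tenant.
# Assumptions: PnP.PowerShell installed, read access to the library, and the
# $SiteUrl / $Library / $Destination values are placeholders.
param(
    [string]$SiteUrl     = "https://contoso-my.sharepoint.com/personal/jane_contoso_com",
    [string]$Library     = "Documents",
    [string]$Destination = "D:\M365-backup"
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# One dated folder per run, named after the site path, so runs never overwrite each other.
$stamp = Get-Date -Format "yyyyMMdd-HHmm"
$siteTag = ([uri]$SiteUrl).AbsolutePath.Trim('/') -replace '[\\/:]', '_'
$root = Join-Path (Join-Path $Destination $siteTag) $stamp
New-Item -ItemType Directory -Path $root -Force | Out-Null

# Enumerate in pages so large libraries do not trip the 5000-item list view threshold.
$items = Get-PnPListItem -List $Library -PageSize 2000 -Fields "FileRef", "FileLeafRef", "FSObjType" |
    Where-Object { $_["FSObjType"] -eq 0 }   # 0 = file, 1 = folder

$libRoot = (Get-PnPList -Identity $Library -Includes RootFolder.ServerRelativeUrl).RootFolder.ServerRelativeUrl
$ok = 0; $failed = @()
foreach ($i in $items) {
    $serverRel = $i["FileRef"]
    # Path of the file relative to the library root, used to rebuild the folder tree.
    $rel = $serverRel.Substring($libRoot.Length).TrimStart('/')
    $localDir = Join-Path $root (Split-Path $rel -Parent)
    New-Item -ItemType Directory -Path $localDir -Force | Out-Null
    try {
        Get-PnPFile -Url $serverRel -Path $localDir -FileName $i["FileLeafRef"] -AsFile -Force
        $ok++
    } catch {
        $failed += $serverRel
    }
}

# Manifest of every file the library reported, so a restore can be checked against it.
$items | ForEach-Object { $_["FileRef"] } | Set-Content (Join-Path $root "manifest.txt")
"Copied $ok of $(@($items).Count) files to $root; $(@($failed).Count) failed."
$failed
```

Schedule it from a machine that is not joined to the same identity the attacker would steal, and keep the destination off the synced OneDrive folder; a copy that sits inside the tenant, or in a folder the sync client writes back, is the same data under the same blast radius.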

Whatever file-sharing service you use, whatever services your business needs to operate every day: what is your backup plan for them? Things go down, and sometimes for extended periods. If a system or a data set would hurt your business when it's unavailable, that is what the backup plan is for, whether the cause is ransomware, fire, flood, or an internet outage. It's all tied together.

Attackers go where the data is. They go where they know they can make money, and they know it is getting harder to break into corporate networks. So they target one employee at a time, phishing for credentials to log into M365 and other cloud applications. They can hold one employee hostage or an entire company; they just don't care.

Obviously, the more they can encrypt and the more they can get their hands on, the higher the ransom demand. So start looking at cloud applications from the standpoint of: how do we have a backup? You don't want to rely on the vendor; that has proven to fail time and time again. You need to be responsible for your own assets, data, and systems so you have a way to keep operating when they are not available to you.

The same goes if your own data gets encrypted. The last thing I want to mention is that we're seeing two attack vectors in these M365 breaches where ransomware gets deployed. The first is a pure cloud attack: they steal credentials, log in as you, get into the system, and encrypt the files, without ever touching your network. The second starts on a compromised computer or network and reaches into the cloud from there; more on that below.

You want to make sure multi-factor authentication is turned on. With MFA, at least you have a chance to stop them before they reach the data, provided it's set up properly: enforced for every account including admins, with no legacy authentication protocols left open that bypass it. Beyond MFA, make sure you're not handing out broad rights within your Microsoft 365 or Azure environment. Give each person only the rights they need to do their job.
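The two checks in that paragraph, who holds Global Administrator and whether MFA is actually required for everyone, can both be done from the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the original post. It assumes the SDK is installed, the caller can consent to the listed scopes, the tenant has Entra ID P1 (required for Conditional Access) with Security Defaults turned off, and that "breakglass@contoso.onmicrosoft.com" is a placeholder for an existing emergency-access account, which is excluded so the policy cannot lock you out.

```powershell
# Added example, not from the original post: report Global Administrators and stage a
# tenant-wide "require MFA" Conditional Access policy in report-only mode.
# Assumptions: Microsoft.Graph SDK installed, caller can consent to the scopes below,
# Entra ID P1 with Security Defaults off, and $BreakGlassUpn is a placeholder for a
# real emergency-access account.
param([string]$BreakGlassUpn = "breakglass@contoso.onmicrosoft.com")

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All",
                        "User.Read.All", "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# 1. Who can do anything in the tenant? Active assignments only: PIM-eligible
#    assignments that are not currently activated do not appear here.
$role    = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$members = Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All
$admins  = foreach ($m in $members) {
    if ($m.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user') {
        [pscustomobject]@{
            Name = $m.AdditionalProperties['displayName']
            UPN  = $m.AdditionalProperties['userPrincipalName']
        }
    } else {
        # Service principals or groups holding GA deserve a look of their own.
        [pscustomobject]@{ Name = "(non-user) $($m.Id)"; UPN = $m.AdditionalProperties['@odata.type'] }
    }
}
"Global Administrators ($(@($admins).Count)):"; $admins | Format-Table -AutoSize
if (@($admins).Count -gt 5) {
    Write-Warning "More than a handful of Global Admins. Move day-to-day work to scoped roles such as SharePoint Administrator or Helpdesk Administrator."
}

# 2. Require MFA for all users on all cloud apps. Report-only first; change state to
#    "enabled" once the sign-in logs show the policy would not block legitimate access.
$breakGlassId = (Get-MgUser -UserId $BreakGlassUpn -Property Id).Id
$policy = @{
    displayName = "Require MFA for all users (report-only)"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)."
```

Two caveats a practitioner will want: the break-glass account must itself be protected some other way (a long random password stored offline and alerting on any sign-in), and a policy that requires MFA does nothing about legacy protocols such as basic-auth IMAP or SMTP, which need a separate "block legacy authentication" policy or the tenant-level switch to close them.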

The final thing is to get your cloud data backed up. Xact IT Solutions Inc. provides services and solutions that back up your M365 data and other cloud items somewhere external, so that if the service fails or has a problem, you still have a copy.

We rarely see someone's computer get encrypted along with their cloud data, but it is possible, depending on the level of access the attacker has. Typically the computers and the local data get encrypted while the cloud is left untouched, or never reached. That is changing: once criminals get into an environment, they are starting to ask, where is the cloud stuff?

That is where they are starting to look. I bring it up because traditionally this has not been how they operate. There is a big change coming in how cyber criminals deploy ransomware, encrypt files, and get paid, and it is going to affect not only local data but the cloud as well.

Get yourself protected, get your incident response plan in place, and make sure you're backing up your cloud data. Have backup or failover systems for when your cloud applications are not available. If you have any questions, drop them below or contact our company at www.xitx.com.