How To Prevent Ransomware Attacks In Microsoft Office 365
Ransomware is one of the most prevalent forms of malware targeting organizations today, and a successful attack can have disastrous consequences for Microsoft Office 365 users. So how can you protect your organization against ransomware attacks?
By Caitlin Jones. Updated Mar 28, 2022
In 2020, the COVID-19 pandemic caused a surge in the popularity of remote and hybrid work, and the Microsoft 365 (formerly Office 365) application suite became a core enabler of remote productivity for many organizations. While this meant that businesses were able to continue offering their services, it also gave cybercriminals a new target at which to aim their attacks.
Threats in Microsoft Office 365 have been increasing steadily over the last two years, with more and more cybercriminals finding ways to infiltrate 365 accounts or impersonate Microsoft in the hope of stealing user credentials. And in a recent report, Microsoft identified ransomware as the most common reason behind its incident response engagements.
A successful ransomware attack can bring even the most established organization to its knees: it suffers financial loss, data loss and operational downtime that encourages its customers to search elsewhere for the service they need.
But to prevent a ransomware attack against your Microsoft Office 365 environment, you need to know how cybercriminals infiltrate your systems in the first place. In this guide, we’ll explore what ransomware is and how it works, as well as highlight some of the most business-critical consequences of a successful attack. Finally, we’ll share our top tips on how to prevent the spread of ransomware in your Microsoft Office 365 environment.
What Is Ransomware?
Ransomware is a type of malware which, once downloaded to its target device, spreads through the network, locking users out of data or encrypting it so that it becomes unreadable. The attacker then effectively holds this data hostage and gives their victim an ultimatum: pay a ransom for the safe return of their data, or risk it being publicized or permanently deleted. But it’s important to remember that paying the ransom doesn’t always mean the safe return of your data.
In fact, more than twice as many organizations manage to recover their data after an attack using backups than by paying the ransom, and, on average, paying the ransom doubles the cost of a ransomware attack. That’s because organizations still have to deal with the other consequences of the attack, such as downtime and data loss.
How Does Ransomware Work?
Usually, ransomware is distributed via a trojan. A trojan is a type of malware that spreads through a network undetected by disguising itself as legitimate software. Trojans are primarily installed by unsuspecting users who click on a malicious link or download a dangerous attachment in a phishing email.
Once the trojan is downloaded, the attacker can use it as an entryway to deploy more malware, such as TrickBot or Qbot, which spreads through the company’s network until it reaches the domain controller (DC). When it reaches the DC, the attacker deploys their ransomware.
There are two main types of ransomware:
Crypto-ransomware encrypts an organization’s data. The attacker demands a ransom for the files to be decrypted.
Locker-ransomware, as the name suggests, locks users out of their files. The attacker demands a ransom for the data to be “unlocked”.
Once either type of ransomware has successfully rendered its target’s data inaccessible, the attacker demands their payment.
Why Do You Need To Protect Your Microsoft Office 365 Accounts Against Ransomware?
Ransomware incidents within Microsoft Office 365 environments are on the rise, targeting all organizations irrespective of size or industry. And a successful attack can have enormous consequences for your business:
From 2020 to 2021, the average ransomware payout climbed by 82% to a huge 570,000 dollars as attackers employed increasingly aggressive methods to force businesses to pay. As well as data encryption and the threat of publicizing data if the ransom isn’t paid, we’re now seeing cybercriminals contacting their victims’ key partners and stakeholders to tell them they’ve been hacked and damage their reputation, and carrying out Denial of Service (DoS) attacks that shut down their victims’ websites.
And in terms of total cost, ransomware is one of the most expensive forms of cyberattack to recover from. Malicious attacks that destroy or wipe data and ransomware attacks specifically cost an average of 4.27 and 4.44 million dollars respectively, making them more expensive than the average malicious breach, which costs 4.27 million dollars, and notably more expensive than the average data breach, which costs 3.86 million dollars.
Losing that amount of money can be a huge blow to established enterprises, and devastating for smaller businesses. While many SMBs believe themselves to be too low-profile to be targeted by a cybercriminal, the threat is in fact very real: 47% of SMBs have experienced a ransomware attack, making them almost as likely a target as large enterprises, 54% of which have suffered an attack. Ransomware distributors don’t discriminate based on size; in fact, they often see smaller businesses as being easy targets for their exploits, due to their lack of security infrastructure.
Financial loss isn’t the only consequence of a successful ransomware attack: attacks also often involve lost or stolen data. In fact, 70% of attacks involve a threat to release stolen data, and many cybercriminals also threaten to permanently delete encrypted data if the ransom isn’t paid. Some types of ransomware, such as MongoLock, delete files as soon as the machine is infected instead of encrypting them, while promising the safe return of those files once the ransom is paid.
This is where a ransomware attack on a Microsoft Office 365 environment can cause permanent damage, because Microsoft doesn’t provide native backup for Microsoft Office 365. The default settings across the 365 suite only protect data for an average of 30-90 days, after which it’s deleted. This means that, if your organization doesn’t manage its own file backups outside the MS 365 environment, a successful ransomware attack could result in the permanent loss of critical corporate data.
The third consequence is operational downtime, and there are two parts to it. First comes the immediate downtime caused by dealing with the ransomware attack, from notifying the authorities to cleansing your systems and restoring your data. The average company affected by ransomware experienced around 21 days of downtime.
The second part is driven by data loss. If your organization lost critical data during the attack—be that the contact details of your partners, the billing information of your customers or even data critical to the development of the services you provide—you’re likely to experience an extended period of downtime while you try to rebuild the databases that have been lost.
And the longer you’re unable to provide the service your customers rely on you for, the more likely they are to search elsewhere for that service.
How Can You Prevent Ransomware Attacks In Your Microsoft Office 365 Environment?
With ransomware incidents involving Microsoft Office 365 on the rise, it’s important that you take steps to secure your business. This means both preventing malware from infiltrating your network in the first place and detecting and containing it if a user does click on that password reset link from “Micr0soft” urging them to update their account details.
With that in mind, here are our top tips for preventing—and mitigating—ransomware attacks in your Microsoft 365 environment:
Secure Your Endpoints
Endpoint security solutions and antivirus software secure user endpoints by scanning them for malicious files. Once found, these files are blocked or quarantined. Traditional antivirus software is best suited to securing individual endpoints at a consumer level; endpoint security solutions are designed to protect a network of devices and often offer dedicated management and reporting functionality that enables administrators to investigate threats and respond to security incidents more effectively.
Secure Email Gateways (SEGs) are a type of email security solution that scans inbound and outbound email communications for threats, then blocks any malicious content before it reaches its intended recipient.
However, cybercriminals today are using increasingly targeted spear-phishing campaigns to lure users into opening a malicious link or attachment. In fact, email is the number one delivery channel for ransomware, accounting for a staggering 54% of all ransomware attacks. These campaigns often involve layers of research and a considerable investment of time, through which the attacker earns the trust of their victim, making them more likely to fall for the attack. This also makes these emails much more difficult for a traditional SEG to detect.
That’s where cloud-based email security solutions come in. These solutions use artificial intelligence to scan inbound, outbound and internal email communications for signs of malicious activity. This means that, if a spear-phishing attack slips through your SEG or a user’s account is compromised, the cloud email security solution will identify the abnormal behavior and automatically delete or quarantine the message.
Multi-factor authentication is a method of digital identity verification that requires users to prove their identities in two or more ways before they’re granted access to their account. They can do this using something they know, like a password or secret answer, something they have, like an authentication token, or something they are, i.e., using their biometric information, such as a fingerprint scan.
MFA helps to reduce the risk of a ransomware infection by preventing account compromise, which is when a threat actor gains access to a user’s account by stealing their credentials in a phishing attack, or cracking their password with brute force. Preventing attackers from accessing corporate accounts makes it much more difficult for them to deploy ransomware. MFA can also make it more difficult for attackers to access certain network areas by enabling role-based access, which can help prevent them from reaching the domain controller and limit the spread of their malware.
To find the right method of authentication for your organization and secure your users’ accounts, check out our guide to the top MFA solutions for business.
Secure Your Users’ Login Credentials
Password managers are another key component when it comes to securing your users’ accounts and strengthening their login credentials. They add an extra layer of security by encouraging your users to use stronger passwords and to store them in an encrypted vault, rather than an Excel spreadsheet or—worse—on a post-it note on their desk.
While good password practices won’t stop the spread of ransomware once it’s entered your system, they can help prevent an attacker from compromising an account and deploying the malware in the first place. And when 21% of ransomware attacks are caused by weak passwords and 10% by lost or stolen credentials, it’s better to be safe than sorry. The Colonial Pipeline attack, for example, was reported to have been caused by just one compromised password.
No matter how many technical prevention methods you have in place, your users will always be your last line of defense against phishing emails that contain malicious links or attachments. But how can you expect your employees to correctly respond to a phishing attack if they don’t know what such an attack looks like?
Security awareness training (SAT) solutions train users how to identify and respond to suspicious emails. They usually require users to take virtual training courses, comprising scenario-based videos and quizzes, then enable those users to put what they’ve learned into practice in a safe environment via simulated phishing campaigns. By implementing SAT, you can transform your employees into a robust layer of defense against potential ransomware attacks, while identifying areas of the business where users may need further training.
Our last recommendation is less about preventing ransomware attacks, and more about mitigating the consequences of a successful attack.
Cloud backup and recovery solutions capture a point-in-time copy of your files, databases and servers, then write those copies out to secondary storage facilities that are isolated from your local computers. When choosing this secondary facility, we recommend that you follow the “3-2-1” rule: keep three copies of your data in two separate locations, and store at least one of those copies on a different medium from the others (e.g., on disk vs. in the cloud). This means that, if anything happens to your local computers, your data will remain secure in the secondary storage facility, ready for you to restore.
By giving you the assurance that your data is securely stored elsewhere, backup and recovery solutions give you the power to say “no” to any attacker demanding a ransom from you.
No matter the size of your business, the likelihood is that your Microsoft Office 365 environment is going to be the target of a ransomware attack at some point. But whether that attack is successful or not is something that you can take into your own hands.
By implementing a combination of technical and human-centric security solutions as we’ve outlined in this article, you can protect your users, systems and data against malicious attacks. Say “yes” to security, and remember: always say “no” to the ransom.
Caitlin Jones is Deputy Head of Content at Expert Insights. Before joining Expert Insights, Caitlin spent three years producing award-winning technical training materials and journalistic content. Caitlin holds a First Class BA in English Literature and German, and currently provides our content team with strategic editorial guidance as well as carrying out detailed research to create articles that are accurate, engaging and relevant.