By Lewis Henderson, Director, Client Engagement at Glasswall Solutions
The mass migration towards Office 365, Microsoft’s cloud-based email platform, shouldn’t come as a surprise. Offering cost-effective, global access to email and presenting businesses with an “always on” workforce, companies have begun shifting more of their communications into the cloud.
Employees are now using Office 365 to send emails, attachments, share files and access their Office documents, comforted by the notion that a tech behemoth is safeguarding their communications. Another unsurprising fact is that certain groups have followed this mass migration, using the same cloud platform for darker purposes.
Upon moving house to Office 365, CISOs have surrendered control of two very crucial parts of their companies’ infrastructure: security and email.
Rather shockingly, the recently discovered strain of Cerber ransomware, which directly targets Office 365 users, isn’t the only weapon being used by cybercriminals to exploit cloud-based solutions. This year alone has seen hackers release cuteRansomware and Petya, two new strains of ransomware developed specifically to target Google Drive and Dropbox, respectively. The reason for the sudden uptake in ransomware being developed for cloud-based software is simple; as more organisations embrace the cloud, targeting these platforms becomes a focus for cybercriminals.
It has previously been publicly reported that up to 57 per cent of Office 365 users have been targeted by a phishing attempt that included an infected attachment. While the total number of attacks is unclear, the number is likely substantial considering there were approximately 18.2 million Office 365 subscribers at the end of 2016’s first fiscal quarter. It’s important to note this isn’t simply a case of scatter gun attacks – many large enterprises have been hit with highly targeted and sophisticated ransomware attacks, directly.
As the frequency of ransomware attacks targeting Office 365 and other cloud-based platforms increases, the attack process is also changing. Cybercriminals are increasingly using ‘droppers’ in new and innovative ways to bypass traditional perimeter security measures, including Office 365’s seemingly robust proprietary antivirus measures. The dropper can be embedded into the structure of a document, hidden from view of many traditional security technologies, and can typically be hard coded into business files such as PDF, Word or Excel.
Once the malicious file containing the ‘dropper’ is sent to the target as an attachment, it is accessed by the user and activates – downloading the latest version of the ransomware to the user’s machine through an encrypted session – again, hidden from traditional security technologies. As soon as the ransomware has control of the user’s machine, it makes attempts to spread to the entire business, and seize control of the data stored on its systems.
The response by companies who have been infected with this ransomware is often to pay the person demanding the ransom, as they are too PR conscious to seek an alternative solution and feel they have no other choice, no one needs a negative headline.
This new and constantly evolving type of ransomware is particularly difficult for companies to defend against. Not only is the Office 365 security not as effective compared to normal malware, but Microsoft’s response has largely been to deny how common these attacks have become. Cybercriminals have so far been successful in staying one step ahead, constantly refining and innovating their ransomware and changing the source to ensure it stays ahead of signature and reputation based security products and services.
In order to protect against these growing ransomware attacks, organisations moving to the cloud must ensure that either they or their cloud solutions provider have the proper security infrastructure in place, before the business is migrated.
Organisations that have moved, or are planning a move, to Office 365, need to be prepared to provision their own private cloud with a cyber security strategy that will allow the adoption of innovative technologies. Infrastructures the size of Office 365 rarely allow for swift change, or adoption of technologies or services that have a greater impact the sooner they are deployed.
Focussing on Ransomware in particular, and deploying cloud security, staying one step ahead of innovative hackers is to choose a solution not based on traditional perimeter security solutions, but one that ensures only the known good gets through. This can be achieved through breaking file attachments down to byte-level and rebuilding versions with only elements that are known to be safe, and effectively engineering out any potential for bad exploits such as Ransomware ‘droppers’.
With IT departments feeling increasing pressure to reduce costs by migrating to the cloud, it’s crucial that they don’t fall into the trap of being the next victim of a sophisticated ransomware attack, and not assume their email service provider has it covered.