Protect Ransomware with Microsoft Cloud App Security
Ransomware attacks grow and cripple cities and businesses. Hackers are locking people out of their networks and demanding a big payment to get back in.
New data shows just how common and damaging the attacks have become.
Blue teamers and defenders try to prevent and “rub off” on cyber-attacks to stop ransomware attacks in any way.
With Microsoft 365 Security, there are various ways to protect and minimize the attack area, thereby making a ransomware attack isolated and minimal.
For example, the Microsoft Defender for Endpoints, or the Microsoft Cloud App Security (Cloud only or CASB Endpoint scenario), or the Endpoint Security by Microsoft Endpoint Manager.
And of course, you can unite all the security tools and minimize the attack area excellently.
This blog post will focus on protecting and mitigating ransomware with Microsoft Cloud App Security with a specific scenario for Microsoft 365.
Ransomware continues to grow as a major threat.
Nation-state actors engage in new reconnaissance techniques that increase their chances of compromising high-value targets. Criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services. Attackers have developed new ways to scour the internet for systems vulnerable to ransomware.
Ransomware is the most common reason behind our incident response engagements from October 2019 through September 2020.
The Department of Homeland Security, FBI, and others have warned us all about ransomware, especially its potential use to disrupt the 2020 elections. What we’ve seen supports the concerns they’ve raised.
Encrypted and lost files and threatening ransom notes have now become the top-of-mind fear for most executive teams.
Attack patterns demonstrate that cybercriminals know when there will be change freezes, such as holidays, that will impact an organization’s ability to make changes to harden their networks.
They’re aware of business needs that will make organizations more willing to pay ransoms than incur downtimes, such as during billing cycles in the health, finance, and legal industries.
Attackers have exploited the COVID-19 crisis to reduce their dwell time within a victim’s system, compromising, exfiltrating data, and, in some cases, ransoming quickly, apparently believing that there would be an increased willingness to pay as a result of the outbreak.
In some instances, cybercriminals went from initial entry to ransoming the entire network in under 45 minutes.
At the same time, we also see that human-operated ransomware gangs perform massive, wide-ranging sweeps of the internet, searching for vulnerable entry points, as they “bank” access – waiting for a time is advantageous to their purpose.
More information at Microsoft Digital Defense Report
While individual campaigns and ransomware families exhibited distinct attributes described in the sections below, these human-operated ransomware campaigns tended to be variations on a common attack pattern.
They unfolded in similar ways and generally employed the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice.
While we’ve got hundreds of Ransomware types and versions, we need to make sure that we’ve got the right tools to achieve the goal – minimize the attack surface area!
Microsoft Cloud App Security Discovery
How can Microsoft Cloud App Security (MCAS) assist with protecting and mitigating ransomware attacks?
Cloud Discovery analyzes your traffic logs against Microsoft Cloud App Security’s cloud app catalog of over 16,000 cloud apps.
The apps are ranked and scored based on more than 80 risk factors to provide you with ongoing visibility into cloud use, Shadow IT, and the risk Shadow IT poses to your organization.
App connectors allow you to onboard the following cloud SaaS platforms and monitor your organization’s data that is being shared with each platform:
- Office 365
- G Suite
- And more
For example, using App Connectors allows enabling Conditional Access App Controls.
App Controls use a reverse proxy architecture that integrates natively with Azure AD’s Conditional Access feature.
After onboarding apps, you can then create rich access management rules that behave as though the data is stored natively in Microsoft’s cloud even though it’s already left your Office 365 tenant.
Office 365 Apps from Cloud Discovery dashboard and the relevant data.
Once Microsoft Cloud App Security discovers the Office 365 apps, any file will be scanned.
If some file is infected or a file changes abnormally, MCAS will alert, show detailed information, and mitigate based on MCAS policies and Power Automate.
How is MCAS working with files? It’s important to know how MCAS works with files because of the policies based on file queries.
Within Microsoft Cloud App Security, there are two scans. The first scan is called the “at rest scan,” which is ongoing and will scan your files from the oldest to the newest.
The second scan called the “near real-time scan,” and once a file has been changed or added, it will be scanned through this queue, then it will go through the content scan engine or the third party DLP engine, and depending on what you choose after your files have been scanned.
Then it will be able to gather information and then take the appropriate governance actions when needed.
If there is a policy match, you’ll see these alerts within Microsoft Cloud App Security, so you could also get a text or email notification, and we can also send these alerts to your SIEM.
The following architecture describing the main components and actions for Data and File Control.
Now we’ve got the Cloud Discovery for Office 365, including user OneDrive for Business folders, SharePoint Online sync folders, and we know how the file works in MCAS.
We can create the MCAS policies and even add the Power Automate to mitigate the attack by specific actions.
Protect Ransomware with MCAS Policies
To alert and mitigate Ransomware attacks with Microsoft Cloud App Security, we need some requirements. We need two policies – one policy for the ransomware file changes, and the second policy is for the ransomware note file.
Before starting with Microsoft Cloud App Security policies, we must make sure that we’ve got the following requirements:
- Microsoft Cloud App Security License
- Cloud DIscovery for Office 365 Apps
- OneDrive for Business for user folders (common folders)
- Power Automate with a dedicated user.
Once we’ve got all those requirements, we can continue with MCAS policies.
Potential Ransomware Activity
The first policy is the policy for infected files and alerts when a user uploads files to the cloud that might be infected with ransomware.
The policy is based on File and Threat detection.
The filter needs to be with the following settings:
- Repeated Activity with Minimum repeated activities with 50 and within a timeframe of a 1 minute
- Count unique target files or folders per user
- The Activity matching required the following settings:
- Activity type with upload actions
- Files and folders name with all ransomware extension
Note: The repeated activities based on Ransomware encryption speed
Tip: Relevant Ransomware extension list
Once the extension is configured, we need to configure the alert with a specific email group and provide a Daily alert limit.
You can also send the alert to Power Automate and take actions on the alert, for example, to quarantine all infected files.
The last actions are the Governance actions, and you can Suspend the user to Request the user to sign in again or Confirm the user compromised.
TIP: If you’re working with Power Automate or Governance Actions, you must make sure the policy is accurate to avoid user work disruptions.
Ransomware Note Alert
The second policy is to identify if the Ransomware put some note files with decrypt and recover instructions.
The ransomware note file is located on My document or C drive, so the alert will only occur if the ransomware note will be with the OneDrive sync folder, such as My Documents.
The Ransomware Note Alert policy based on file queries and Threat detection
The filter will be with Single activity and with upload actions for OneDrive for Business and SharePoint Online.
The Files and Folders name will be for all ransomware notes, and you can add a relevant note from the Ransomware Note.
TIP: You can check if you don’t upload a ransomware file with Preview result.
Once you’ve configured both policies, you can simulate ransomware very carefully to ensure that both policies are configured correctly.
Once you perform a ransomware simulation, the MCAS portal’s alert will look like the following example.
In conclusion, MCAS’s policy allows for ransomware identification and user mitigation without additional security tools.
If there are additional security tools such as Microsoft Defender for Endpoint, you can get an additional option of machine isolation and app blocked, and other prevention on the user side.