Detecting Ransomware with Defender for Cloud Apps
Ransomware attacks keep growing and crippling companies, cities, and businesses. Attackers lock people out of their networks and demand significant payment to get back in, and many organizations still pay in order to get their data back.
Security teams are trying to prevent and stop ransomware attacks, sometimes successfully and sometimes less so. Global reports show the damage and the rise of ransomware alongside other types of attacks, yet adversaries remain several steps ahead of security teams. What can we do about it?
We can add Microsoft Defender for Cloud Apps (MDA) to this battle. Defender for Cloud Apps can help in many situations to minimize the attack surface, create friction, and provide an investigation chain, thereby keeping ransomware attacks isolated and minimal.
This blog post will focus on detecting and mitigating ransomware with Defender for Cloud Apps with a specific scenario.
Ransomware is Here to Stay
Nation-state actors use new reconnaissance techniques that increase their chances of compromising high-value targets. Criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services. Attackers have developed new ways to scour the internet for systems vulnerable to ransomware.
Ransomware is the most common reason behind incident response engagements from October 2019 through September 2022. The Department of Homeland Security, FBI, and others have warned us about ransomware, especially its potential use to disrupt the 2022 elections. What we’ve seen supports the concerns they’ve raised.
Encrypted and lost files and threatening ransom notes have become the top-of-mind fear for most executive teams.
Attack patterns demonstrate that cybercriminals know when change freezes, such as holidays, will impact an organization’s ability to make changes to harden its networks.
They know of business needs that will make organizations more willing to pay ransoms than incur downtimes during billing cycles in the health, finance, and legal industries.
Attackers have exploited the COVID-19 crisis to reduce their dwell time within a victim’s system, compromising, exfiltrating data, and, in some cases, ransoming quickly, apparently believing that there would be an increased willingness to pay as a result of the outbreak.
In some instances, cybercriminals went from initial entry to ransoming the entire network in under 45 minutes. At the same time, Microsoft saw human-operated ransomware gangs perform massive, wide-ranging sweeps of the internet, searching for vulnerable entry points as they “bank” access, waiting for a time that is advantageous to their purpose.
More information at Microsoft Digital Defense Report
While individual campaigns and ransomware families exhibited distinct attributes described in the sections below, these human-operated ransomware campaigns converged on a standard attack pattern. They unfolded in similar ways and generally employed the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice.
Ransomware groups continue to target healthcare and critical services; here’s how to reduce risk.
While there are hundreds of ransomware types and versions, we need to make sure that we have the right tools to achieve the goal: minimize the attack surface area!
“Ransomware continues its reign as one of the top Action types present in breaches, and while it did not actually grow, it did hold statistically steady at 24%. Ransomware is ubiquitous among organizations of all sizes and in all industries.”
Another great report is the DBIR Report 2023 which mentions ransomware attacks.
Defender for Cloud Apps in a Nutshell
The big question is, how can Defender for Cloud Apps assist with detecting and mitigating ransomware attacks? Microsoft Defender for Cloud Apps delivers full protection for SaaS applications, helping you monitor and protect your cloud app data across the following feature areas:
- Fundamental Cloud Access Security Broker (CASB) functionality
- SaaS Security Posture Management (SSPM)
- Advanced Threat Protection
- App-2-App protection
Cloud Discovery analyzes your traffic logs against the Defender for Cloud Apps catalog of over a thousand cloud apps. The apps are ranked based on more than 80 risk factors to provide you with ongoing visibility into cloud use, Shadow IT, and the risk Shadow IT poses to your organization.
App connectors allow you to onboard the following cloud SaaS platforms and monitor your organization’s data that is being shared with each platform:
- Microsoft Cloud (Microsoft 365 and Azure)
- AWS
- GCP
- Okta
- Salesforce
- And much more
Defender for Cloud Apps enhances the security of cloud-based applications by automating the detection and remediation of malware and other security threats. By continuously monitoring cloud applications, the service can identify potentially malicious files and provide automated options for remediation when such files are detected.
The key benefits of such a service would likely include:
- Reduced Human Error: Automation helps eliminate the risk of human error in identifying and responding to security threats. This can lead to more consistent and accurate threat detection and response.
- Real-time Monitoring: Continuous monitoring ensures that potential threats are detected as soon as they arise, allowing for rapid response and mitigation.
- Efficient Remediation: Automated remediation options can help address security issues promptly without requiring manual intervention, which can be especially important for fast-moving threats.
- Scalability: Cloud applications often scale quickly, and traditional manual security measures might struggle to keep up. Automated solutions can adapt to the changing scale of cloud environments more effectively.
- Threat Identification: The system’s ability to identify malicious files and activities can provide insights into emerging attack vectors and patterns, enhancing overall security posture.
- Time and Resource Savings: Automating security processes can save time and resources that would otherwise be spent on manual threat detection and remediation.
- Consistency: Automation ensures that security protocols are consistently applied across the cloud environment, reducing the risk of oversights or inconsistencies.
- Integration: Depending on the service’s capabilities, it might integrate with existing security tools and platforms, providing a more comprehensive security ecosystem.
Files, Malware, and Scanning
How does Defender for Cloud Apps work with files? Knowing this is essential because the policies are based on file queries. Defender for Cloud Apps runs a few scans. The first scan is the “At Rest Scan,” which is ongoing and scans files from the oldest to the newest.
The second scan is the “Near Real-Time Scan.” Once a file has been changed or added, it is scanned through this queue. After the file has been scanned, it goes through the content scan engine or the third-party DLP engine, depending on what you choose. The service then gathers the file information and takes the appropriate governance actions when needed.
If there is a policy match, you’ll see these alerts within Defender for Cloud Apps, so you could also get a text or email notification, and we can also send these alerts to your SIEM.
The following architecture describes the main components and actions for Data and File Control.
With Cloud Discovery for Office 365 in place, including user OneDrive for Business folders and SharePoint Online sync folders, and knowing how files are handled in Defender for Cloud Apps, we can create the Defender for Cloud Apps policies and even add Power Automate to mitigate the attack with specific actions.
More about File policies in Microsoft Defender for Cloud Apps and Malware Detection.
Ransomware Policy
The anomaly detection policies are automatically enabled, but Defender for Cloud Apps has an initial learning period of seven days, during which not all anomaly detection alerts are raised. After that, as data is collected from your configured API connectors, each session is compared to the activity, when users were active, IP addresses, devices, and so on, detected over the past month, and the risk score of these activities. Be aware that it may take several hours for data to be available from API connectors.
Defender for Cloud Apps extended its ransomware detection capabilities with anomaly detection to ensure wide coverage against sophisticated Ransomware attacks. If Defender for Cloud Apps identifies, for example, a high rate of file uploads or file deletion activities, it may represent an adverse encryption process. This data is collected in the logs received from connected APIs and is then combined with learned behavioral patterns and threat intelligence, for example, known ransomware extensions.
This approach allows the system to go beyond traditional signature-based methods and leverage behavioral patterns and threat intelligence to detect potential threats.
Here’s a breakdown of the process:
Anomaly Detection: The integration of anomaly detection is crucial for identifying unusual patterns of activity that might indicate ransomware attacks. By monitoring activities such as high rates of file uploads or file deletions, the system can identify deviations from normal behavior.
Behavioral Patterns: Drawing on security research, the system identifies and analyzes behavioral patterns associated with ransomware attacks. This can include studying how ransomware typically behaves in terms of file manipulation, encryption processes, and other activities.
Logs and API Data: The system collects data from connected APIs and logs, which provide valuable information about user activities and interactions within the cloud environment. Analyzing this data helps to build a comprehensive view of the ongoing activities and potential anomalies.
Threat Intelligence: Integrating threat intelligence involves utilizing known information about ransomware variants, tactics, techniques, and procedures. This could include identifying common ransomware file extensions, command and control server domains, and other indicators of compromise.
Data Fusion: The collected data from logs, APIs, learned behavioral patterns and threat intelligence are combined to form a holistic view of the environment. By correlating different data points, the system can accurately detect potential ransomware-related activities.
Adverse Encryption Process Detection: As a result of the analysis, if the system identifies a combination of behaviors and patterns that align with known ransomware activity, it can flag this as an adverse encryption process. This serves as an alert to potential ransomware attacks.
Ransomware Simulation
A ransomware simulation is a tool that mimics the behavior of real ransomware without causing any actual harm to the system or the files. It can be used for testing purposes to evaluate the effectiveness of the existing security measures and identify any potential vulnerabilities. Some of the features that a ransomware simulation tool should have are:
- It should simulate different types of ransomware infection scenarios, such as file encryption, file deletion, file exfiltration, C2, etc.
- It should not use any of the user’s own files but rather create dummy files or download them from the internet.
- It should not alter any existing files on disk or interfere with any system processes or services.
- It should be harmless and easy to remove after the test is completed.
- It should provide a detailed report of the test results, showing which scenarios were blocked and which were allowed by the security tools.
One example of a ransomware simulation tool is RanSim, which tests 25 types of infection scenarios and shows if a workstation is vulnerable. Another example is the Carbonsec Ransomware Simulator, which tests 20 types of scenarios and checks for the presence of revealed passwords. Both tools are free and designed for Windows-based workstations.
Note: If you are going to test this tool, you need to play it carefully.
Another important point is the encryption speed. Ransomware speed is crucial, and some ransomware types can encrypt data in less than five minutes: data is gone in “x” minutes.
The comparison table by LockBit gives you a sneak peek into some facts about ransomware activity and their behavior.
Running Simulation
The ransomware simulation is needed in order to get the correct alerts and incidents and to know 100% that you have the correct information that allows you to do an investigation.
In this example, we should use sample data, and we need to create 50,000 files with the following command:
1..50000 | foreach {New-Item -Path "C:\Users\eadmin\OneDrive - Elli Shlomo\Documents\$_.xls"}
Then we run the ransomware simulation, which encrypts more than 50,000 files in less than five minutes. In my testing, it took around four minutes. The command is: .\RanSim.ps1 -mode encrypt -TargetPath "C:\Users\eadmin\OneDrive - Elli Shlomo\Documents"
Once it’s running, you should receive a ransomware alert in Defender for Cloud Apps. The ransomware alert is based on the policies. Let’s go to the policies and check how to configure them correctly.
Detecting Ransomware with Defender for Cloud Apps
Like everything else, we need to ensure that we’ve got the requirements.
The requirements will be the basic configuration and a few policies:
Configuration and general stuff
- Defender for Cloud Apps license
- Cloud Discovery for Office 365 Apps
- OneDrive for Business with user folders (common folders)
Defender for Cloud Apps Policies:
- Ransomware activity
- Potential for Ransomware Activity
- Potential for Ransomware Note
Once we’ve got these requirements, we can continue with the Defender for Cloud Apps policies.
Ransomware activity
As part of the anomaly detection, there is a built-in anomaly detection policy. This policy profiles your environment and triggers alerts when an activity pattern is detected that is typical of a ransomware attack. After the policy is created, it takes a week to learn your baseline before this policy generates alerts.
Potential Ransomware Activity
An additional policy is available in the Policy templates. The policy needs to be added and configured. The Potential ransomware activity policy is intended to alert when a user uploads files to the cloud that might be infected with ransomware.
The first policy is the policy for infected files and alerts when a user uploads files to the cloud that might be infected with ransomware. The policy is based on File and Threat detection.
The filter needs to be with the following settings:
- Repeated activity, with a minimum of 2,500 repeated activities within a five-minute timeframe
- Count unique target files or folders per user
- The Activity matching required the following settings:
- Activity type with upload actions
- Files and folder names with all ransomware extension
Note: The repeated-activity threshold is based on ransomware encryption speed.
Tip: Configure the extension types based on the Ransomware extension list.
Once the extension is configured, you need to configure the alert with a specific email group and provide a Daily alert limit. You can also send the alert to Power Automate and take action on the alert, for example, to quarantine all infected files.
The last settings are the Governance actions: you can Suspend the user, Require the user to sign in again, or Confirm the user compromised.
TIP: If you’re working with Power Automate or Governance Actions, you must make sure the policy is accurate to avoid user work disruptions.
Ransomware Note Alert
The second policy identifies whether the ransomware has dropped note files with decrypt and recover instructions.
The ransomware note file is typically dropped in My Documents or on the C drive, so the alert will only fire if the note lands inside a OneDrive sync folder, such as My Documents.
The Ransomware Note Alert policy is based on file queries and Threat detection.
The filter will be with Single activity and upload actions for OneDrive for Business and SharePoint Online. The Files and Folders name will be for all ransomware notes, and you can add a relevant note from the Ransomware Note.
TIP: Use the Preview results to check the filter without uploading a ransomware note file.
Once you’ve configured both policies, you can carefully simulate ransomware to ensure that both policies are configured correctly.
Once you perform a ransomware simulation, the Defender for Cloud Apps portal’s alert will look like the following example.
MDA Hunting
The part about hunting is my favorite one. Because Defender for Cloud Apps is part of the Microsoft 365 Defender and the Advanced Hunting Query (AHQ), you can search, hunt, and look into many potential activities.
The following queries will search, hunt, and detect a potential ransomware or real-life scenario.
General information for sync anomaly based on FileSyncUploadedFull.
CloudAppEvents
| where ActionType == @"FileSyncUploadedFull"
| where Application == @"Microsoft OneDrive for Business"
| extend ExtName = RawEventData.SourceFileName
| project Timestamp, ActionType, Application, DeviceType, OSPlatform, IsAnonymousProxy, ExtName
Detect ransomware by a file name that matches the external extension list.
// The extension list is pulled at query time with externaldata() from the author's GitHub repository.
let RansomwareList = externaldata(RansomwareList:string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-extension-list.txt"]
with (format="txt", ignoreFirstRecord=true);
CloudAppEvents
| extend SourceFileName = tostring(RawEventData.SourceFileName)
| where SourceFileName has_any (RansomwareList)
Detect FileSyncUploadedFull and summarize the actions.
CloudAppEvents
| where ActionType == @"FileSyncUploadedFull"
| where Application == @"Microsoft OneDrive for Business"
| extend ExtName = tostring(RawEventData.SourceFileName)
// count() takes no arguments; this counts full-file sync uploads per account
| summarize RenameActions = count() by AccountDisplayName, Application
| where RenameActions > 1000
Detect ransomware by external extension list and count with a timeframe.
let RansomwareEXT = externaldata(RansomwareEXT:string)[@"https://raw.githubusercontent.com/eshlomo1/Ransomware-NOTE/main/ransomware-extension-list.txt"]
with (format="txt", ignoreFirstRecord=true);
CloudAppEvents
| where Timestamp >= ago(1d)
| extend EXTFileName = tostring(RawEventData.SourceFileName)
| where EXTFileName has_any (RansomwareEXT)
// 15-minute bins; a burst that straddles a bin boundary is split across two rows
| summarize Action=count() by ActionType, AccountDisplayName, Application, bin(Timestamp, 15m)
| where Action >= 2000
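The repeated-activity and ransomware-note filters configured in the policy section, and the extension matching of the hunting queries above, replayed in Python over constructed CloudAppEvents-style JSON lines. This is an added example, not Microsoft's or the blog author's code; the extension and note lists and the "eadmin"/"alice" records are constructed stand-ins. It applies the policy's sliding five-minute window rather than the last query's 15-minute bins, so a burst that straddles a bin boundary is still counted.

```python
"""Replay of the two Defender for Cloud Apps ransomware rules over CloudAppEvents-style
records. Added example, not Microsoft's or the blog author's code."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for the author's external extension and note lists.
RANSOMWARE_EXTENSIONS = (".locked", ".crypt", ".enc", ".lockbit")
RANSOMWARE_NOTES = {"readme.txt", "how_to_decrypt.txt", "restore-my-files.txt"}
MIN_REPEATED = 2500            # policy: minimum repeated activities ...
WINDOW = timedelta(minutes=5)  # ... within a five-minute timeframe

def parse_events(lines):
    """Parse JSON lines carrying the CloudAppEvents fields the hunting queries use."""
    events = [{"ts": datetime.fromisoformat(r["Timestamp"]), "user": r["AccountDisplayName"],
               "action": r["ActionType"], "file": r["RawEventData"]["SourceFileName"].lower()}
              for r in map(json.loads, lines)]
    return sorted(events, key=lambda e: e["ts"])

def potential_ransomware_activity(events):
    """Repeated-activity rule: flag a user when at least MIN_REPEATED unique uploaded
    files with a ransomware extension fall inside one sliding WINDOW.
    Returns {user: peak unique-file count} for flagged users only."""
    per_user = defaultdict(list)
    for e in events:
        if e["action"] == "FileSyncUploadedFull" and e["file"].endswith(RANSOMWARE_EXTENSIONS):
            per_user[e["user"]].append(e)
    flagged = {}
    for user, evs in per_user.items():
        in_window = defaultdict(int)  # file name -> occurrences inside the window
        start = 0
        for e in evs:
            in_window[e["file"]] += 1
            while e["ts"] - evs[start]["ts"] > WINDOW:  # evict events older than WINDOW
                old = evs[start]["file"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= MIN_REPEATED:
                flagged[user] = max(flagged.get(user, 0), len(in_window))
    return flagged

def ransomware_note_uploads(events):
    """Single-activity rule: any upload whose base name is a known ransomware note."""
    return [(e["user"], e["file"]) for e in events
            if e["action"] == "FileSyncUploadedFull"
            and e["file"].rsplit("/", 1)[-1] in RANSOMWARE_NOTES]

def constructed_log():
    """Constructed sample: 'eadmin' uploads 2,600 encrypted files in four minutes and a
    note; 'alice' uploads 40 ordinary documents over 40 minutes."""
    base = datetime(2023, 9, 1, 9, 0, 0)
    def rec(ts, user, name):
        return json.dumps({"Timestamp": ts.isoformat(), "AccountDisplayName": user,
                           "ActionType": "FileSyncUploadedFull",
                           "Application": "Microsoft OneDrive for Business",
                           "RawEventData": {"SourceFileName": name}})
    lines = [rec(base + timedelta(seconds=i * 240 / 2600), "eadmin", f"Documents/{i}.xls.locked")
             for i in range(2600)]
    lines.append(rec(base + timedelta(minutes=4), "eadmin", "Documents/HOW_TO_DECRYPT.txt"))
    lines += [rec(base + timedelta(minutes=i), "alice", f"Documents/report{i}.docx")
              for i in range(40)]
    return lines
```

Running `potential_ransomware_activity(parse_events(constructed_log()))` flags only "eadmin" with a peak of 2,600 unique files, while "alice" never enters the per-user candidate list because none of her uploads carry a listed extension.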
Microsoft Sentinel
Another way to hunt this scenario is to integrate the CloudAppEvents with Microsoft Sentinel and combine additional tables. If we look into the basic alerts and incidents, we should look at the entities, alerts, and similar incidents and provide useful data for the investigation. Below is a Microsoft Sentinel brief on the same alerts and incidents.
Notes and Tips
While Defender for Cloud Apps can do a great job in the ransomware battle, there are a few notes and tips that need to be known. Below are the highlights:
- The device must sync OneDrive’s known folders. Known Folder Move to OneDrive is highly recommended for all users in any organization.
- Any other sync folders can be part of the detection.
- The Potential Ransomware Activity policy needs to be configured with a specific repeated activity.
- The ransomware activity speed settings are crucial in order to detect a potential or a real-life scenario.
- Normal OneDrive for Business activity can raise an alert with this policy, so fine-tune it correctly to avoid false positive alerts.
- The Potential Ransomware Note policy should be part of this configuration.
- CASB Endpoint: the integration between Defender for Cloud Apps and Defender for Endpoint can provide a full picture of ransomware detection. Adopt it whenever possible.
- Microsoft Purview and DLP settings can expand these detections, especially for data at rest and data in transit.
- Endpoint DLP can be part of this effort because it can look at additional folders.
In conclusion
Ransomware is here to stay, and the battle of detecting and creating friction with any potential ransomware activity is crucial. Microsoft Defender for Cloud Apps provides additional ways to look at ransomware detection, and, therefore, it should be part of the effort. Defender for Cloud Apps policy allows ransomware identification and mitigation without additional security tools.
More Defender for Cloud Apps blog-posts
Awesome post, very useful! Can you also share the power automate flow that is linked to it?
Many thanks!
Many thanks. I will share the PA flow soon.