Protect from Ransomware with Microsoft Defender for Cloud Apps

Ransomware attacks keep growing and cripple companies, cities, and businesses. Attackers lock people out of their networks and demand significant payment to get back in, and many organizations still pay the attackers in order to get their data back.

Security teams, blue teamers, and defenders try to prevent and fend off cyber-attacks to stop ransomware. Many times the good side wins. Global reports show how damaging these attacks have become and how ransomware has risen alongside other types of attacks.

The Microsoft Defender family is part of this battle. It can help in many situations to minimize the attack surface, create friction for the attacker, and provide an investigation chain, thereby keeping ransomware attacks isolated and minimal.

Examples are Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps. This blog post focuses on protecting against and mitigating ransomware with Microsoft Cloud App Security, using a specific scenario for Microsoft 365.

Ransomware is Here to Stay

Nation-state actors engage in new reconnaissance techniques that increase their chances of compromising high-value targets. Criminal groups targeting businesses have moved their infrastructure to the cloud to hide among legitimate services. Attackers have developed new ways to scour the internet for systems vulnerable to ransomware.

  • Ransomware is the most common reason behind incident response engagements from October 2019 through September 2022. The Department of Homeland Security, FBI, and others have warned us about ransomware, especially its potential use to disrupt the 2022 elections. What we’ve seen supports the concerns they’ve raised.
  • Encrypted and lost files and threatening ransom notes have become the top-of-mind fear for most executive teams.
  • Attack patterns demonstrate that cybercriminals know when change freezes, such as holidays, will impact an organization’s ability to make changes to harden its networks.
  • They’re aware of business needs that will make organizations more willing to pay ransoms than incur downtimes during billing cycles in the health, finance, and legal industries.
  • Attackers have exploited the COVID-19 crisis to reduce their dwell time within a victim’s system, compromising, exfiltrating data, and, in some cases, ransoming quickly, apparently believing that there would be an increased willingness to pay as a result of the outbreak.

In some instances, cybercriminals went from initial entry to ransoming the entire network in under 45 minutes. At the same time, Microsoft saw that human-operated ransomware gangs perform massive, wide-ranging sweeps of the internet, searching for vulnerable entry points as they “bank” access, waiting for a time that is advantageous to their purpose.

More information at Microsoft Digital Defense Report

While individual campaigns and ransomware families exhibited distinct attributes described in the sections below, these human-operated ransomware campaigns were variations on a standard attack pattern. They unfolded in similar ways and generally employed the same attack techniques. Ultimately, the specific ransomware payload at the end of each attack chain was almost solely a stylistic choice.

Ransomware groups continue to target healthcare and critical services; here’s how to reduce risk.

While there are hundreds of ransomware types and versions, we need to make sure that we’ve got the right tools to achieve the goal: minimize the attack surface!

Discovery Method

How can Microsoft Cloud App Security (MCAS) assist with protecting and mitigating ransomware attacks?

Cloud Discovery analyzes your traffic logs against the Microsoft Defender for Cloud Apps catalog of over 16,000 cloud apps. The apps are ranked based on more than 80 risk factors to provide you with ongoing visibility into cloud use, Shadow IT, and the risk Shadow IT poses to your organization.

App connectors allow you to onboard the following cloud SaaS platforms and monitor your organization’s data that is being shared with each platform:

  • Office 365
  • Azure
  • AWS
  • Box
  • Dropbox
  • G Suite
  • Okta
  • Salesforce
  • ServiceNow
  • And more

For example, onboarding apps with App Connectors allows you to enable Conditional Access App Control.

App Controls use a reverse proxy architecture that integrates natively with Azure AD’s Conditional Access feature.

After onboarding apps, you can create rich access management rules that behave as though the data is stored natively in Microsoft’s cloud even though it’s already left your Office 365 tenant.

Office 365 Apps from the Cloud Discovery dashboard and the relevant data.

Once Microsoft Cloud App Security discovers the Office 365 apps, any file will be scanned.

If some file is infected or changes abnormally, MCAS will alert, show detailed information, and mitigate based on MCAS policies and Power Automate.

How does MCAS work with files? Knowing this is essential, because the policies are based on file queries.

Within Microsoft Cloud App Security, there are two scans. The first scan is called the “at rest scan,” which is ongoing and will scan your files from the oldest to the newest.

The second scan is called the “near real-time scan.” Once a file has been changed or added, it is scanned through this queue. It then goes through either the built-in content scan engine or a third-party DLP engine, depending on what you choose.

With the scan results, MCAS can gather information about the file and take the appropriate governance actions when needed.

If there is a policy match, you’ll see the alerts within Microsoft Cloud App Security; you can also get a text or email notification, and the alerts can be sent to your SIEM.

The following architecture describes the main components and actions for Data and File Control.

We’ve got Cloud Discovery for Office 365, including user OneDrive for Business folders and SharePoint Online sync folders, and we know how files are handled in MCAS.

We can create the MCAS policies and even add Power Automate flows to mitigate the attack with specific actions.

Ransomware Policy

To alert on and mitigate ransomware attacks with Microsoft Cloud App Security, we need two policies: one for the ransomware file changes and a second for the ransomware note file.

Before starting with Microsoft Cloud App Security policies, we must make sure that we’ve got the following requirements:

  • Microsoft Cloud App Security License
  • Cloud Discovery for Office 365 Apps
  • OneDrive for Business for user folders (standard folders)
  • Power Automate with a dedicated user

We can continue with MCAS policies once we’ve got all those requirements.

Potential Ransomware Activity

The first policy covers infected files and alerts when a user uploads files to the cloud that might be infected with ransomware. The policy is based on file and threat detection.

The filter needs to be with the following settings:

  • Repeated activity: a minimum of 50 repeated activities within a timeframe of 1 minute
  • Count unique target files or folders per user
  • The activity matching requires the following settings:
    • Activity type: upload actions
    • Files and folders name: all ransomware extensions

Note: The repeated-activity threshold is based on ransomware encryption speed.

Tip: Relevant Ransomware extension list

Once the extension is configured, we need to configure the alert with a specific email group and provide a Daily alert limit.

You can also send the alert to Power Automate and take action on the alert, for example, to quarantine all infected files.

The last actions are the Governance actions: you can Suspend the user, Require the user to sign in again, or Confirm the user compromised.

TIP: If you’re working with Power Automate or Governance Actions, you must make sure the policy is accurate to avoid user work disruptions.

Ransomware Note Alert

The second policy identifies whether the ransomware has dropped note files with decryption and recovery instructions.

The ransomware note file is usually dropped in My Documents or on the C drive, so the alert will only fire if the note lands in a OneDrive sync folder, such as My Documents.

The Ransomware Note Alert policy is based on file queries and Threat detection.

The filter will be with Single activity and upload actions for OneDrive for Business and SharePoint Online.

The Files and Folders name filter will match all ransomware note names, and you can add relevant note names from the Ransomware Note list.


TIP: You can use the Preview results option to check that no ransomware note file has already been uploaded before saving the policy.
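To make the two filters concrete, here is an added Python example (not part of the original post and not Microsoft's code) that re-implements the logic of both policies over constructed activity-log lines: the Potential Ransomware Activity policy (50 or more unique target files with a ransomware extension uploaded by one user inside a sliding one-minute window) and the Ransomware Note Alert policy (a single upload whose file name matches a known note name). The log format, the extension list, the note-name list and the user names are assumptions made for this example; the sample log also includes a slow uploader to show why the threshold is tied to encryption speed.

```python
"""Toy re-implementation of the two MCAS ransomware policies over constructed log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Sample lists (assumptions for this example; in MCAS these come from the built-in
# "ransomware extensions" and note-name filters, which are far longer).
RANSOMWARE_EXTENSIONS = {".locky", ".cerber", ".zepto", ".crypt", ".encrypted"}
RANSOMWARE_NOTE_NAMES = {"how_to_decrypt.txt", "_readme_.hta",
                         "decrypt_instructions.html", "readme_for_decrypt.txt"}

UPLOAD_ACTIONS = {"FileUploaded", "FileModified"}   # "upload actions" in the policy filter
REPEAT_THRESHOLD = 50                                # minimum repeated activities
WINDOW = timedelta(minutes=1)                        # timeframe of the repeated-activity rule


def parse_event(line):
    """Constructed CSV format: <ISO time>,<user>,<action>,<path>."""
    ts, user, action, path = line.split(",", 3)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "action": action, "path": path}


def has_ransomware_extension(path):
    name = path.rsplit("/", 1)[-1].lower()
    return any(name.endswith(ext) for ext in RANSOMWARE_EXTENSIONS)


def is_ransomware_note(path):
    return path.rsplit("/", 1)[-1].lower() in RANSOMWARE_NOTE_NAMES


def potential_ransomware_activity(events, threshold=REPEAT_THRESHOLD, window=WINDOW):
    """Policy 1: count unique target files per user inside a sliding window; alert once per user."""
    alerts, alerted = [], set()
    recent = defaultdict(deque)                      # user -> (time, path) pairs inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in UPLOAD_ACTIONS or not has_ransomware_extension(ev["path"]):
            continue
        q = recent[ev["user"]]
        q.append((ev["time"], ev["path"]))
        while q and ev["time"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        unique_targets = {p for _, p in q}           # "count unique target files per user"
        if len(unique_targets) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])                  # stands in for the daily alert limit
            alerts.append({"policy": "Potential ransomware activity", "user": ev["user"],
                           "count": len(unique_targets), "time": ev["time"]})
    return alerts


def ransomware_note_alert(events):
    """Policy 2: single activity, any upload whose name is a known ransomware note."""
    return [{"policy": "Ransomware note alert", "user": ev["user"],
             "path": ev["path"], "time": ev["time"]}
            for ev in events if ev["action"] in UPLOAD_ACTIONS and is_ransomware_note(ev["path"])]


def evaluate(lines):
    events = [parse_event(l) for l in lines if l.strip()]
    return potential_ransomware_activity(events) + ransomware_note_alert(events)


def sample_log():
    """Constructed sample: mallory renames 60 files in 30 s and drops a note; bob uploads
    60 .locky files one every 5 s (too slow for the window); alice uploads normal files."""
    base = datetime(2023, 5, 1, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(60):
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{t:{fmt}},mallory@contoso.com,FileUploaded,/Documents/file{i}.docx.locky")
    lines.append(f"{base + timedelta(seconds=31):{fmt}},mallory@contoso.com,FileUploaded,"
                 "/Documents/HOW_TO_DECRYPT.txt")
    for i in range(60):
        t = base + timedelta(minutes=5, seconds=5 * i)
        lines.append(f"{t:{fmt}},bob@contoso.com,FileUploaded,/Documents/slow{i}.xlsx.locky")
    for i in range(3):
        t = base + timedelta(minutes=2, seconds=i)
        lines.append(f"{t:{fmt}},alice@contoso.com,FileUploaded,/Documents/notes{i}.docx")
    return lines


if __name__ == "__main__":
    for alert in evaluate(sample_log()):
        print(alert)
```

Running the script prints exactly two alerts, both for mallory: the repeated-activity alert fires on the 50th unique `.locky` upload, and the note alert fires on the single `HOW_TO_DECRYPT.txt` upload. bob never trips the first policy because at most 13 of his uploads fall inside any one-minute window, which is the point of the note above about tuning the threshold to encryption speed.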


Once you’ve configured both policies, you can carefully simulate ransomware to ensure that both policies are configured correctly.

Once you perform a ransomware simulation, the MCAS portal’s alert will look like the following example.

In conclusion, MCAS’s policy allows ransomware identification and user mitigation without additional security tools.

If additional security tools such as Microsoft Defender for Endpoint are in place, you get further options such as machine isolation, app blocking, and other prevention on the user side.
