How Ransomware Works (& How to Combat It)

Post Date: 11/10/2022

Business as Usual

You’re sitting in your favorite spot, working away on your laptop, when you receive an email. It just so happens that you are already working through a long queue of urgent emails, so you think, “What’s one more?” and smile. What you don’t know is that the last urgent email you received was sent by an attacker. This attacker is weeks into a complex Business Email Compromise (BEC) campaign. Their campaign involves compromising business accounts – like your M365 account – and then sending malware to the contacts in those accounts’ contact list.

The contacts are completely unaware that the sender’s account has been compromised. You read the attacker’s email, thinking it’s from a trusted contact. The email instructs you to open the Word Document attached. Instead of opening it, you just roll your mouse’s cursor over the document for a preview of the Word Document. That’s all it took to infect your device. Simply previewing the maliciously crafted Word document was enough of an action to begin the exploitation of native Microsoft logic.

Excuse me…what happened?

Ransomware strikes without notice. A small piece of software commonly called a dropper was downloaded using social engineering, by way of a vulnerability reported on Twitter by security researcher Kevin Beaumont and dubbed MS-MSDT “Follina.”

CVE-2022-30190 is a Microsoft Windows security vulnerability that allows remote code execution by abusing a native Microsoft feature called a custom template. Security researcher John Hammond shows the power of Follina in this GitHub commit. Droppers often use logic bombs to trigger the download of the main malware payload. Once the dropper is downloaded to a device, it waits for the designated condition(s) to be met; this could be as simple as a specific date and time, or a combination of conditions. After the dropper executes, it sends a request to an HTTP server hosting the payload. In this case, the payload is ransomware. Did you feel that? Before you realize it, you have been infected. You have just unknowingly introduced malware into your organization’s secure network.

SharePoint Online and OneDrive for Business

Most organizations enable OneDrive for Business synchronization. This common configuration allows for local files as well as Microsoft 365 content created with the desktop version of Microsoft Office apps to seamlessly synchronize with the account’s OneDrive for Business in Microsoft 365. Another customary practice is to map a shared drive to a SharePoint Online Document Library. This way teams can work together through file shares while benefiting from the collaboration and storage SharePoint Online offers. These two configurations provide a link from local network-attached devices to their organization’s Microsoft 365 Cloud investment.

Through these pipelines, cloud-focused malware traverses the local device looking for a way to spread to the organization’s cloud environment. Within the time it takes to blink, the malware has found the right directories and has begun copying itself to them. Once the copy action has finished, the native synchronization between the cloud resources and the local device kicks off. The result is the malware has now established a beachhead in the organization’s OneDrive for Business and SharePoint Online resources.

Versioning Will Protect Me From Ransomware… Right?

Once the ransomware has found its way to your organization’s Microsoft 365 environment, it begins to encrypt each file. Most attacks have resulted in files being encrypted 500 or more times in order to negate any protection provided by versioning. By doing this, the attackers make it nearly impossible for you to revert to an older, unencrypted version of the file. This is a genuine problem, as it puts your organization at risk of losing valuable data.
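The version-exhaustion tactic described above leaves a rate signature that a human editor never produces: one account rewriting the same synced file dozens of times in minutes, across many files at once. The following detector is an added example (not AvePoint's code) and assumes a simplified event shape modeled on Microsoft 365 FileModified audit records; the sample events are constructed.

```python
"""Flag version churn consistent with ransomware exhausting file version history."""
from collections import defaultdict
from datetime import datetime, timedelta


# Constructed sample events in a simplified shape modeled on Microsoft 365
# FileModified audit records (assumption: real records carry more fields).
def _events(user, path, start, count, step_seconds):
    t = datetime.fromisoformat(start)
    return [{"UserId": user, "ObjectId": path,
             "CreationTime": t + timedelta(seconds=i * step_seconds)}
            for i in range(count)]


SAMPLE_EVENTS = (
    # Normal editing: four saves spread over an hour.
    _events("bob@example.com", "/sites/Finance/budget.xlsx", "2022-11-10T09:00:00", 4, 900)
    # Churn: sixty rewrites of each file within two minutes, on two files at once.
    + _events("alice@example.com", "/sites/Finance/report.docx", "2022-11-10T09:05:00", 60, 2)
    + _events("alice@example.com", "/sites/Finance/notes.txt", "2022-11-10T09:05:00", 60, 2)
)


def version_churn(events, threshold=20, window=timedelta(minutes=5)):
    """Return {(user, path): peak} for every file one account modified at
    least `threshold` times inside some sliding window of length `window`."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev["UserId"], ev["ObjectId"])].append(ev["CreationTime"])
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        left, peak = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > window:   # slide the window's left edge forward
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def suspicious_accounts(events, threshold=20, window=timedelta(minutes=5), min_files=2):
    """Accounts showing churn on at least `min_files` distinct files, i.e. the
    synced-library spread described in the post rather than one runaway editor."""
    per_user = defaultdict(int)
    for user, _path in version_churn(events, threshold, window):
        per_user[user] += 1
    return sorted(u for u, n in per_user.items() if n >= min_files)


if __name__ == "__main__":
    for (user, path), peak in version_churn(SAMPLE_EVENTS).items():
        print(f"{user} modified {path} {peak} times within 5 minutes")
    print("accounts to investigate:", suspicious_accounts(SAMPLE_EVENTS))
```

The thresholds are starting points to tune against a tenant's own audit baseline; a hit is a trigger to pause sync for that account and check the affected libraries, not proof of compromise on its own.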

Content Ransomed

AvePoint Cloud Backup is an easy-to-use, cost-effective solution that can protect your data from ransomware, accidental deletion, and other data loss scenarios. AvePoint Cloud Backup stores your data in an off-site location, so it can’t be tampered with or deleted by malicious software. In case of a ransomware attack, you can quickly restore your data to its original state, minimizing the impact on your business.

AvePoint Cloud Backup is an ideal solution for businesses of all sizes who want to protect their data without breaking the bank. In addition to being affordably priced, Cloud Backup is easy to use, so you can get started protecting your data right away. And in the event of a ransomware attack or other data loss scenario, you can rest assured knowing that your data is safe and can be quickly restored. Request a free demo today.

For more ransomware insights don’t forget to subscribe to our blog.
