Vulnerability in Microsoft 365 allows ransomware to encrypt files in OneDrive and SharePoint


Experts from Proofpoint have discovered a vulnerability that allows attackers to encrypt files hosted in the cloud, after which it will be impossible to restore them without a special backup solution or a decryption key.

According to cybersecurity researchers from Proofpoint, an attacker who gains access to the victim’s cloud has two options:

  1. Limit the number of auto-saves to one;

  2. Use the auto-save function 500 times, reaching the limit.

Proofpoint researchers consider the second option unlikely: “It is unlikely that an attacker will encrypt more than 500 files. Such an operation requires a lot of work on scripts and a lot of computer resources, while significantly increasing the risk of detection.”

However, whichever option the attacker chooses, the collaboration platform will stop making saves. If the attacker encrypts the files while the saves are not working, the victim has only two options: use backups physically isolated from the infrastructure or pay the attacker for the decryption key.

After the research results were released, Microsoft disagreed with Proofpoint. According to the tech giant’s statement, everything works correctly, and even if something like this happens, the support service will be able to restore files that are stored in the cloud for no longer than 14 days. Proofpoint, on the other hand, claims that experts have tried this method and it doesn’t work.
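For defenders, both options described above leave a recognizable trace: a change that cuts the number of saved copies kept per file, or one account saving the same file hundreds of times in a short period. The following detection sketch is an added example, not code from Proofpoint or Microsoft; the event schema, field names, thresholds and sample events are constructed assumptions and do not match a real Microsoft 365 audit export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, simplified schema (this is not a
# real Microsoft 365 audit export). "limit_changed": the number of saved copies
# a library keeps per file was changed. "file_saved": a new copy was saved.
_t0 = datetime(2024, 1, 15, 11, 0, 0)
SAMPLE_EVENTS = [
    {"time": "2024-01-15T09:00:00", "user": "admin", "type": "limit_changed",
     "target": "/docs", "new_limit": 500},
    {"time": "2024-01-15T10:00:00", "user": "alice", "type": "file_saved",
     "target": "/docs/plan.docx"},
    {"time": "2024-01-15T10:01:00", "user": "alice", "type": "file_saved",
     "target": "/docs/plan.docx"},
    {"time": "2024-01-15T10:05:00", "user": "mallory", "type": "limit_changed",
     "target": "/docs", "new_limit": 1},
] + [
    # 501 saves of one file, one second apart: one more than the 500 limit.
    {"time": (_t0 + timedelta(seconds=i)).isoformat(), "user": "bob",
     "type": "file_saved", "target": "/docs/budget.xlsx"}
    for i in range(501)
]


def detect(events, min_limit=10, burst=100, window=timedelta(minutes=10)):
    """Return (alert, user, target) tuples for the two behaviours in the article."""
    alerts, flagged = [], set()
    recent = defaultdict(list)  # (user, file) -> save times inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["type"] == "limit_changed":
            # Option 1: the retained-copy limit is cut to a handful or to one.
            if ev["new_limit"] < min_limit:
                alerts.append(("limit_lowered", ev["user"], ev["target"]))
        elif ev["type"] == "file_saved":
            # Option 2: one account rewrites the same file over and over.
            key = (ev["user"], ev["target"])
            times = recent[key]
            times.append(ts)
            while ts - times[0] > window:  # slide the window forward
                times.pop(0)
            if len(times) >= burst and key not in flagged:
                flagged.add(key)  # alert once per (user, file)
                alerts.append(("save_burst", *key))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The thresholds (`min_limit`, `burst`, `window`) are starting points to tune against normal co-authoring activity, where frequent automatic saves of a single document are expected.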
