Massive Ransomware Attack Hits Millions of Microsoft Office 365 Users


Avanan researchers recently detected a massive ransomware campaign targeting Office 365 users, which was first launched on June 22, 2016.

The attack used phishing emails to distribute the Cerber ransomware, which encrypts users' files and demands a ransom (via both a warning message and an audio file) of 1.24 bitcoins (approximately $790) to decrypt the files.

"This attack seems to be a variation of a virus originally detected on network mail servers back in early March of this year," Avanan chief marketing officer Steven Toole wrote in a blog post examining the attack. "As it respawned into a second life, this time Cerber was widely distributed after its originator was apparently able to easily confirm that the virus was able to bypass the Office 365 built-in security tools through a private Office 365 mail account."

"Many small businesses move to systems like Office 365 as an easy way to offload the IT burden of managing a mail system," Lastline vice president of products and business development Brian Laing told eSecurity Planet by email. "What they do not understand is that as good as the cloud solutions are at scaling mail, they do not typically handle security as well."

"They use generic AV systems to keep speed high, instead of focusing on keeping detection high," Laing added. "In general, Lastline has seen that these all-in-one solutions handle executable files reasonably well (missing 20+ percent of malicious files). With Word documents, we have seen far higher miss rates."

Microsoft started blocking the ransomware just over 24 hours after the attack was first launched, but in the meantime, the researchers estimate that approximately 57 percent of all organizations using Office 365 received at least one email delivering the malware (SC Magazine notes that Microsoft claims to have 18.2 million Office 365 subscribers).

A recent IDT911 survey of 1,035 U.S. small- or medium-sized business owners found that fully 84 percent of respondents said they wouldn't pay a ransom in the event of a ransomware attack, even though 33 percent said they can't afford to go without access to critical business systems for any length of time.

Just 10 percent of respondents said they would pay between $1 and $100 to regain access to files following a ransomware attack, and only 3 percent said they would pay $10,000 or more.

Strikingly, almost a quarter of respondents said they're unsure of how to, or aren't aware of the need to, back up their systems and files.

More than half of respondents have no cyber insurance protection, and 65 percent said they aren't budgeting extra funds to regain access to critical data in the event of a ransomware attack.

"Ransomware is the Zika virus of the business world and there is absolutely no telling how far and wide this will spread," IDT911 founder and chairman Adam Levin said in a statement. "Training alone isn’t enough, cyber insurance alone isn’t enough and, sure as heck, backed-up data alone isn't enough."

"We're talking about complete and utter paralysis of systems that could spell lost revenue, viciously impacted customers and a potential near-extinction level event for a business," Levin added. "Businesses need a comprehensive cyber security strategy that includes prevention, monitoring and damage control."

A recent eSecurity Planet article examined the growing threat of ransomware.