A ransomware attack targeted millions of Office 365 users via a phishing campaign last week, underscoring the growing threat this kind of malware poses for enterprises.
The attack started on June 22 and lasted more than 24 hours, until Microsoft began blocking the malware, according to a report by Avanan, which provides security tools to protect Office 365, Box, Salesforce, Amazon AWS, and other cloud applications.
Cerber, the ransomware used in this attack, encrypts user files like photos, videos, and documents, and plays an audio file demanding a ransom to unlock them. It typically spreads as an email attachment: a document booby-trapped with malicious macros. When users are tricked into enabling macros, the embedded code infects the PC.
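Because the infection described above depends on a user enabling macros in an attached document, one defensive check is to identify macro-bearing Office attachments before they reach users or, after the fact, in downloaded files. The script below is an added example and not code from Avanan, Microsoft, or the article; it assumes the attachments are modern OOXML packages (.docx/.docm/.xlsm/.pptm), which are ZIP files that carry any VBA code as a `vbaProject.bin` part and declare a `macroEnabled` content type. The sample "documents" it scans are constructed in memory for the demo and are not real Word files; legacy binary .doc/.xls (OLE2) attachments would need a different parser.

```python
"""Flag Office attachments that carry VBA macros (OOXML packages only).

Added example for illustration; not the article's or Avanan's code.
Assumption: attachments are OOXML ZIP packages. A document with a VBA
project ships it as `vbaProject.bin`, and its main part uses a
`*.macroEnabled.*` content type in [Content_Types].xml.
"""
import io
import zipfile

MACRO_PART_SUFFIX = "vbaproject.bin"          # compared case-insensitively
MACRO_CONTENT_TYPE_MARKER = b"macroenabled"   # substring of the macro-enabled OOXML content types


def attachment_has_macros(data: bytes) -> bool:
    """Return True if the OOXML package in `data` carries a VBA project."""
    if not data.startswith(b"PK"):
        return False  # not a ZIP container; OLE2 binaries are out of scope here
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            for info in pkg.infolist():
                lower = info.filename.lower()
                # Direct evidence: the VBA project part is present.
                if lower.endswith(MACRO_PART_SUFFIX):
                    return True
                # Indirect evidence: the package declares a macro-enabled main part.
                if lower == "[content_types].xml":
                    if MACRO_CONTENT_TYPE_MARKER in pkg.read(info).lower():
                        return True
    except zipfile.BadZipFile:
        return False  # corrupt or truncated archive; treat as no verdict
    return False


def triage_attachments(attachments: dict) -> dict:
    """Map attachment name -> 'quarantine' or 'allow' based on macro presence."""
    return {
        name: ("quarantine" if attachment_has_macros(blob) else "allow")
        for name, blob in attachments.items()
    }


def build_sample_package(macro_enabled: bool) -> bytes:
    """Construct a minimal OOXML-like package for the demo (not a real Word file)."""
    if macro_enabled:
        ctype = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        ctype = ("application/vnd.openxmlformats-officedocument."
                 "wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{ctype}"/></Types>',
        )
        pkg.writestr("word/document.xml", "<w:document/>")
        if macro_enabled:
            # Constructed placeholder standing in for a real VBA project stream.
            pkg.writestr("word/vbaProject.bin", b"\x00placeholder-vba-project\x00")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample inbox: one macro-enabled document, one clean one, one non-Office file.
    samples = {
        "invoice.docm": build_sample_package(macro_enabled=True),
        "report.docx": build_sample_package(macro_enabled=False),
        "notes.txt": b"plain text, not a package",
    }
    for name, verdict in triage_attachments(samples).items():
        print(f"{name}: {verdict}")
```

The check is deliberately conservative: it reports the presence of a VBA project, not whether the macros are malicious, so in practice it feeds a quarantine or review queue rather than an automatic block of every macro-enabled file a business legitimately exchanges.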
Avanan couldn't say just how many users were actually infected in this attack, but said 57 percent of its customers using Office 365 had at least one user who received an email with the malicious file attachment. Customers using Check Point's SandBlast Zero-Day Protection were protected from the attack before Microsoft was able to take steps, the company said.
Users who received the attachment on June 22 or June 23 and downloaded it to their systems should delete the files right away, since opening them could still infect their machines. Users who received the attachment but had not yet opened it would no longer be able to access the file, since Microsoft has removed it.
Ransomware started out targeting individual users, but by shifting to enterprise platforms like Office 365, it targets a larger group of users working with even more valuable data. Microsoft's own statistics show that ransomware is still very small in the grand scheme of online threats, but it just takes a single infection via a corporate inbox to cripple an enterprise.
Cerber began making its rounds in March, and it has been updated several times since with newer functionality. Cerber initially spread through malvertising campaigns relying on the Flash zero-day exploits used by the Magnitude and Nuclear exploit kits. In May, Cerber was observed in spam campaigns delivering Dridex. The latest version appears to be relying on polymorphism to rapidly generate new variants to avoid detection.
The latest attack used a version of the Cerber variant from March, but Avanan didn't provide any other details regarding its functionality. It appears the attackers monetized the March variant, and now that they are done, they'll move on to try again with a new mutation. Since the malware was first seen in February and March, it seems likely the adversaries are operating on a three month cycle, said Gil Friedrich, CEO of Avanan.