Proofpoint announced that it has discovered a vulnerability in Office 365 that allows an attacker to encrypt files stored on SharePoint and OneDrive.
Proofpoint has also identified the attack chain as initial access, account takeover and discovery, collection and exfiltration, and monetization. Describing the attack, Proofpoint said: “Once executed, the attack encrypts the files in the compromised users’ accounts. Like with endpoint ransomware activity, those files can only be retrieved with decryption keys.”
If an attacker gains access to the victim’s cloud, he has two options: limiting the number of autosaves to one, or using the autosave feature 500 times after reaching the limit. At that point, the researchers explain, it is unlikely that an attacker would encrypt more than 500 files. Such an operation requires a lot of scripting work and a lot of computing resources, while significantly increasing the risk of detection.
Whichever option the attacker chooses, if the attacker encrypts the files until the saves work, the victim has only two options: use backups physically isolated from the infrastructure or pay the attacker for a decryption key.
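Both options described above leave a trace a defender can look for: an autosave limit cut to a very low value, or one account saving the same file more times than the limit retains. The detection sketch below is an added example, not code from Proofpoint or Microsoft; the event schema, field names, thresholds and sample data are hypothetical and constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

DEFAULT_LIMIT = 500  # autosave limit quoted in the article

def detect(events, low_limit=5, window=timedelta(hours=1)):
    """Return sorted (finding, user, target) tuples for the two attack options."""
    limits = {}                  # library -> autosave limit currently in force
    recent = defaultdict(deque)  # (user, file) -> save times inside the window
    findings = set()
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["op"] == "limit_changed":
            limits[ev["library"]] = ev["limit"]
            if ev["limit"] <= low_limit:  # option 1: limit cut to almost nothing
                findings.add(("limit_lowered", ev["user"], ev["library"]))
        elif ev["op"] == "file_modified":
            times = recent[(ev["user"], ev["file"])]
            times.append(when)
            while when - times[0] > window:
                times.popleft()
            # Option 2: more saves than the limit retains. Assumption: at that
            # point no pre-encryption copy of the file is left to restore.
            if len(times) > limits.get(ev["library"], DEFAULT_LIMIT):
                findings.add(("versions_exhausted", ev["user"], ev["file"]))
    return sorted(findings)

def sample_events():
    """Constructed events in a hypothetical schema, not a real audit log format."""
    start = datetime(2022, 6, 20, 10, 0, 0)
    def ev(sec, user, op, **extra):
        return {"time": (start + timedelta(seconds=sec)).isoformat(),
                "user": user, "op": op, **extra}
    events = [ev(0, "u1@example.com", "limit_changed", library="Finance", limit=1)]
    events += [ev(60 * i, "u1@example.com", "file_modified",
                  library="Finance", file="Finance/budget.xlsx") for i in (1, 2)]
    events += [ev(600 * i, "u2@example.com", "file_modified",
                  library="HR", file="HR/policy.docx") for i in range(3)]
    events += [ev(5 * i, "u3@example.com", "file_modified",
                  library="Sales", file="Sales/q2.xlsx") for i in range(501)]
    return events

if __name__ == "__main__":
    for finding in detect(sample_events()):
        print(finding)
```

Ordinary editing by the second account produces no finding, while the lowered limit and both exhausted files are reported.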