The Complete Guide to Ransomware [Updated for 2022] Download eBook

Tips to Protect Office 365 Data Against Ransomware

Aidan Simister by Updated On - 08.02.2022 Ransomware

Last Updated on August 2, 2022 by Satyendra

Ransomware remains a formidable threat to organizations worldwide. According to a recent survey conducted by Bitdefender, 75% of respondents experienced up to 5 attacks in the last 12 months alone, and organizations accounted for 42% of all ransomware infections.

Though cyber-criminals have always targeted Microsoft products, the rapid growth in the popularity of Office 365 has made it a #1 target for ransomware attacks. Cerber, a recent strain of ransomware, was used to flood Office 365 inboxes with a document containing macros which were used to infect the users’ devices. Now, with collaboration tools such as OneDrive for Business, and SharePoint Online, attacks targeting Office 365 have the ability to spread much further, resulting in far more disruption. There are essentially three key steps that organisations should take in order to protect their Office 365 environment from ransomware.

Step 1: Understand the Key Components of a Ransomware Attack

There are 4 key components that are typically associated with ransomware. These include: infiltration, encryption, propagation, and extortion.


A hacker posing as a trusted entity will try to trick an unsuspecting victim into downloading an email attachment, or clicking on a link to a compromised website, which will infect the user’s device with the malicious code. They may also try to crack a user’s password, and/or exploit a known software security vulnerability.


Once the ransomware script has been initiated, it will seek to encrypt every file on the victim’s computer/device.


A ransomware program is designed to scan your system for files to encrypt. Most sophisticated strains of ransomware will also seek to spread to other systems that are connected to your device – including cloud-based file sharing services such as OneDrive and SharePoint Online.


Once the ransomware program has encrypted all of your files, you will be presented with a message informing you that you that your files have been locked down – requesting that you pay a ransom – usually in Bitcoin. Paying the ransom may (or may not) allow you to get your files back.

Step 2: Stop the attack in its tracks

Since ransomware attacks are typically invited in by negligent users, there’s no “magic bullet” approach to preventing an attack from occurring. Naturally, it is a good idea to keep all software patched and up-to-date. There are also various tools and technologies that can minimise the damage an attack can cause. Some of which include; identity and access management (IAM), threshold alerting and Data Loss Prevention. Additionally, you will need to make sure that you have reliable backups and a well-rehearsed data restoration procedure in place. Above all, you will need to establish and maintain a security awareness training program designed to educated employees about the nature of ransomware, and how to identify potential threats.

Step 3: Restore your data

Most cloud-based service providers keep achieved backups of your files which can be restored effortlessly and in a timely manner. Not only does this mean that you will not need to pay the ransom, but it will significantly reduce the cost of recovering from a ransomware attack.

As ransomware attacks become increasingly more sophisticated, as too does the technology we can use to respond to them. Many advanced Office 365 auditing tools enable you to detect the signs of ransomware attacks in progress to help you take action to prevent the spread.

Lepide Data Security Platform, for example, is an Office 365 auditing solution that enables you audit changes to configurations, permissions, files, folders and other changes in Office 365. By getting visibility into changes taking place in key Office 365 components (including Azure AD, SharePoint Online, Exchange Online and OneDrive for Business), you can ensure that any unwanted changes taking place to data stored in Office 365, or to the permissions/configurations surrounding this data, that may be indicative of a ransomware attack do not go unnoticed.