Understanding Microsoft 365 End-to-End Ransomware Protection (Video)

In 2019, an organization falls victim to a ransomware attack every 14 seconds. By 2021, it will be closer to every 11 seconds. Ransomware is growing at spectacular speed. According to a PhishMe report, there was a 97% rise in ransomware attacks over 2017 and 2018. Further, that number continues to grow rapidly as more businesses push resources to cloud servers and tech stacks continue to dominate the business space. So, how does one ensure ransomware protection?

We’re in the midst of a ransomware epidemic. This year, 81% of cybersecurity experts expect there to be a record-breaking number of ransomware attacks. For businesses, this is scary. By 2021, the total damages of cybersecurity incidents are expected to be around $6 trillion — and 50% of businesses feel entirely unprepared.

Today, we’re going to talk about how Microsoft 365 can provide ransomware protection by reducing risks and improving overall security. We’ll dive into some of the tools and resources available within the Microsoft ecosystem and discuss how you can leverage these tools intelligently within your organization.

What Is Ransomware?

Ransomware is malicious code that encrypts and locks down all of the data on your computer, cloud, or other environments — usually prompting you to pay a “ransom” to get it back. It’s essentially threat actor bullying. They lock down your assets and try to force you to pay them money to recover those assets.

Ransomware can come from almost anywhere. It could be a malicious webpage that one of your employees visits or a seemingly harmless email attachment. Wherever threat actors can find a way to insert malicious code, there is a possible threat vector for ransomware.

Further, ransomware can result in massive costs. In Riviera Beach, Florida, leaders voted to pay out $600,000 to threat actors utilizing Ryuk (a sophisticated ransomware operation). Indeed, weeks later, a Florida IT manager was fired for paying another $460,000 to the same group of threat actors utilizing the same ransomware code.

Ransomware has cost Baltimore, MD around $18.2 million so far, and hackers are utilizing leaked NSA tools like EternalBlue to target brands around the globe. Needless to say, ransomware is a hot business for hackers and a definitive danger for businesses and governments around the world. The data pools of entire cities are being held hostage in exchange for significant payments. Indeed, we’re in a full-blown ransomware crisis.

What Is the Ransomware Defense Strategy?

Ransomware protection requires end-to-end protection of your entire IT architecture. Since a ransomware attack has so many stages (e.g., the initial download, the execution, the encryption, etc.), it can do damage at multiple layers.

A good end-to-end ransomware defense strategy will focus on the following core components of your ecosystem.

  • Online Safety & Protection
  • Endpoint & Server Protection
  • Identity Protection
  • Detection
  • Backup & Recovery

We’ll take a moment to note that Enterprise Mobility + Security handles all of these under its umbrella. So, it’s certainly something you should be looking into. But, we’re going to focus on the more granular tools for the scope of this post.

Microsoft 365 and Ransomware Protection

Let’s break down Microsoft’s end-to-end ransomware protection features using the 5 core components listed above.

1. Online Safety & Protection

The first layer of your ransomware protection should be protection from malicious online elements. Whether this is email attachments, malicious links, or shady websites, you should have a way to predict and detect online threat vectors before they have a chance to run code.

Microsoft has two primary layers of protection for online safety — email protection and browser protection.

Office 365 Email Protection

Well over half of brands utilize Office 365 for email. It’s the standard, go-to email service for business needs. So, ransomware protection starts with Office 365. Sure, this is surface-level protection. But, it’s a critical component of eliminating ransomware risks before they become full-blown issues requiring rapid isolation and quarantines.

The primary defense mechanism for Office 365 Exchange is Office 365 Advanced Threat Protection (or Office 365 ATP).

Office 365 ATP will scan every single attachment that comes in via email for malicious code or activity, for every single user within your organization. And, it does it in an interesting way. Instead of relying on a list of previously identified threats (signatures) like many traditional anti-virus or threat detection systems, Office 365 ATP uses virtual machines.

Here’s how it works.

  • An attachment is sent with an email to one of your business users.
  • Office 365 ATP will open that attachment on a set of virtual machines — each running unique versions and configurations of both Windows OS and Office 365.
  • The virtual machine will detect any issues within the attachment once it has opened and run the attachment.
  • The attachment is either deemed safe-to-use, or it’s quarantined, and users aren’t able to download the attachment whatsoever.

Azure Information Protection also allows you to assign labels that help detect sensitive data in emails, further solidifying your email protection capabilities.
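The sandboxing flow above is on by default only once a Safe Attachments policy exists and is scoped to your users. The following is an added example (not code from the original post or from Microsoft) showing how an admin would create and verify such a policy with Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds a security administrator role, and `contoso.example` is a placeholder for your accepted domain.

```powershell
# Added example: create an Office 365 ATP Safe Attachments policy and bind it to
# every recipient in a domain. Assumes the ExchangeOnlineManagement module and a
# security-admin account; "contoso.example" is a placeholder domain.

Connect-ExchangeOnline

$policyName = "Block malware attachments"
$ruleName   = "$policyName - all users"

# Detonate every inbound attachment in the ATP sandbox and block the whole
# message if it is found malicious. Other Action values: Allow (monitor only),
# Replace (deliver body, strip attachment), DynamicDelivery (deliver body now,
# attach once the scan finishes).
New-SafeAttachmentPolicy -Name $policyName `
    -Enable $true `
    -Action Block

# Scope the policy: without a rule, the policy applies to nobody.
New-SafeAttachmentRule -Name $ruleName `
    -SafeAttachmentPolicy $policyName `
    -RecipientDomainIs "contoso.example"

# Verify what was created before trusting it.
Get-SafeAttachmentPolicy -Identity $policyName |
    Format-List Name, Enable, Action
Get-SafeAttachmentRule -Identity $ruleName |
    Format-List Name, State, SafeAttachmentPolicy, RecipientDomainIs
```

Pick `Block` when a delayed message is acceptable and `DynamicDelivery` when users need the message body immediately; either way, confirm the rule's `State` reads `Enabled`, since a policy with no enabled rule scans nothing.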

Browser Protection via Microsoft Edge

Ransomware isn’t always going to pop up in your inbox. Sometimes, it’s a shady link or an accidental ad click away. Luckily, Microsoft Edge (and Windows 10 as a whole) is the most secure Microsoft browser and OS to date. Let’s go over some of the layers of Microsoft Edge security.

  • Windows Defender ATP reduces the overall attack surface, leaving threat actors fewer attack vectors.
  • Edge uses reputation-based blocking for all browser downloads — reducing the risk of employees accidentally downloading malicious code or programs.
  • Virtualization-based security (VBS) ensures that all of these critical security components (i.e., Credential Guard, Device Guard, etc.) run optimally even if an attacker gains system privileges.
  • SmartScreen helps filter out phishing websites and malicious material hiding in the crevices of Google or behind that innocent-looking ad.
  • AppContainer isolates apps from using unnecessary resources or performing malicious attacks — plus it can help with access and policy controls.

2. Endpoint & Server Protection

When you look at popular cybersecurity frameworks (NIST, for example), device security is always a core tenet of your overall security posture. With Windows, device security comes in the form of many granular and overarching security measures and processes.

Built-in Windows 10 Protection

Let’s talk about the baseline security features baked into Windows 10 for ransomware protection.

Windows Defender

  • System Guard: This hardens your system against attack vectors using virtualization-based security.
  • Exploit Guard: Together with Application Control, this is one of the two components that make up Windows Defender Device Guard. Exploit Guard protects controlled folders from malicious activity, reduces attack surfaces, and provides exploit protection for apps in your environment (it can be layered with 3rd-party antivirus software).
  • Application Guard: This protects all of your employees from untrusted networks, websites, apps, or resources. You can go in and define custom trusted sources — which means that employees can only access sources on that list.
  • Application Control: The easiest way to explain Windows Defender Application Control (WDAC) is to relate it to traditional anti-virus solutions. In traditional antivirus software, apps or resources that match a signature flagging them as untrustworthy are blocked. With WDAC, only resources that are listed as trustworthy are allowed to run. This flips the script on traditional methods, which are often easy to evade with clever coding.
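The controlled-folder and attack-surface-reduction features described under Exploit Guard are driven by the built-in Defender cmdlets. Here is an added example (not from the original post or from Microsoft) that enables controlled folder access, allows one line-of-business app through it, turns on two attack surface reduction (ASR) rules in audit mode, and then reads back the blocked and audited events. It assumes an elevated PowerShell session on Windows 10 with Microsoft Defender Antivirus active; the folder and application paths are placeholders, and the two rule GUIDs are Microsoft's published rule IDs.

```powershell
# Added example: Windows Defender Exploit Guard controlled folder access + ASR.
# Run elevated on Windows 10 with Microsoft Defender Antivirus as the active AV.
# Paths below are placeholders for your own environment.

# 1. Block untrusted processes from writing to the default user folders
#    (Documents, Pictures, etc.) and to an extra folder you name.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders "D:\Finance\Ledgers"   # placeholder path

# 2. Allow a specific line-of-business binary that Defender does not already trust.
Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\ContosoApp\ledger.exe"   # placeholder path

# 3. ASR rules relevant to ransomware (GUIDs are Microsoft's published rule IDs).
#    Start in AuditMode so the rule only logs; move to Enabled after reviewing the audit events.
$asrRules = @{
    "C1DB55AB-C21A-4637-BB3F-A12568109D35" = "Use advanced protection against ransomware"
    "BE9BA2D9-53EA-4CDD-84E5-9B1EEEE46550" = "Block executable content from email client and webmail"
}
foreach ($id in $asrRules.Keys) {
    Write-Host "Auditing ASR rule: $($asrRules[$id])"
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# 4. Confirm the effective configuration.
Get-MpPreference | Select-Object EnableControlledFolderAccess,
    ControlledFolderAccessProtectedFolders,
    ControlledFolderAccessAllowedApplications,
    AttackSurfaceReductionRules_Ids,
    AttackSurfaceReductionRules_Actions

# 5. Detection side: Defender writes these to its operational log.
#    1121 = ASR rule blocked, 1122 = ASR rule audited,
#    1123 = controlled folder access blocked, 1124 = controlled folder access audited.
Get-WinEvent -FilterHashtable @{
    LogName = "Microsoft-Windows-Windows Defender/Operational"
    Id      = 1121, 1122, 1123, 1124
} -MaxEvents 20 | Format-Table TimeCreated, Id, Message -Wrap
```

Running the rules in `AuditMode` first matters: legitimate installers, backup agents and scripting tools are often the first things controlled folder access and ASR flag, and the 1122/1124 audit events tell you what to allow-list before you switch the action to `Enabled`.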

Microsoft Advanced Threat Protection (ATP)

Microsoft ATP gives you a clear, visualized look at your entire security posture. So, let’s say that Bob from accounting visited a malicious link. For some reason, the link wasn’t caught by any of Edge’s security measures. Now, someone has stolen his credentials, and they’re trying to access business data. Microsoft ATP uses machine learning to recognize that Bob is accessing resources that he’s never accessed before. Further, it will alert you to the issue and shut the operation down.

The beauty of Microsoft ATP is that it gives incredible visibility. You can see what’s happening on every device in your network and set up automated workflows to prevent malicious actions. Think of ATP as the umbrella over your entire device security system. And, it gives you graphs and charts that are highly visual to help you stomp out threat actors immediately.

Windows Server Protection

We won’t go too in-depth on Windows Server protection (that’s a little beyond the scope of this post). But, there are a few features that help prevent ransomware attacks at this level. JIT/JEA (Just-in-Time access and Just Enough Administration) use the principle of least privilege to restrict access to Windows resources, Shielded VMs provide secure tenants for your virtual machines, and all of the features of Windows Defender play a critical role in server protection as well.

3. Identity Protection

The first component of your ransomware security umbrella is device security. But, how do you protect against ransomware attacks at the identity level? Microsoft has incredibly robust identity protection via Azure AD. Remember, the primary goal of ransomware (i.e., data encryption) relies on the ability to access systems using employee credentials or external entry methods. Identity protection safeguards against both.

Azure AD

To start, Azure AD acts as the identity control component of your entire Microsoft stack AND your 3rd-party stack. So, you can connect all of those third-party tools to Azure AD’s identity controls and sync identity across your entire IT network. This means single sign-on, conditional access, etc. are ingrained into your whole ecosystem.

There are two goals (from a phishing perspective) that Azure AD helps you achieve.

  1. Protecting the identities of ALL users, regardless of their access level.
  2. Preventing compromised identities from abusing privileges to wreak havoc on your system.

To begin, Azure AD lets you assign policies such as multi-factor authentication, so that a password captured through a phishing link is not enough on its own to log into the system once one security layer of an account has been compromised. Azure AD also detects risks that help mitigate phishing attacks. For example, Azure AD has a risk event for leaked credentials. So, Microsoft (with help from researchers, law enforcement, security teams, etc.) monitors dark web activity and scam forums to assess whether any employee credentials have leaked. There are plenty of other risk detections available.

Azure AD also has dashboard views for quick security posture checks and increased visibility. And, it has tons of other incredible security elements (e.g., OMS Security and Audit, MFA, Identity Manager, advanced identity protection and management in P2, etc.).

Note: As a general rule of thumb, P2 licenses receive the highest level of Azure AD security.
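The MFA policy described above is applied through Azure AD Conditional Access. The block below is an added example (not from the original post or from Microsoft) that creates a tenant-wide "require MFA" policy through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Authentication module is installed and the signed-in account can consent to the `Policy.ReadWrite.ConditionalAccess` scope; the excluded break-glass account ID is a placeholder.

```powershell
# Added example: Azure AD Conditional Access policy requiring MFA for all users
# on all cloud apps, created via Microsoft Graph. Assumes Microsoft.Graph.Authentication
# and rights to consent to Policy.ReadWrite.ConditionalAccess.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder object ID of an emergency-access ("break-glass") account. Excluding
# it keeps you from locking every admin out if MFA itself has an outage.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "Require MFA for all users"
    # Report-only: sign-ins are evaluated and logged but not enforced.
    # Switch to "enabled" after reviewing the sign-in logs for a few days.
    state       = "enabledForReportingButNotEnabled"
    conditions  = @{
        users = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" `
    -Body ($policy | ConvertTo-Json -Depth 10) `
    -ContentType "application/json"

"Created policy {0} in state {1}" -f $created.id, $created.state

# Read it back to confirm the scope and controls landed as intended.
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/$($created.id)" |
    ConvertTo-Json -Depth 10
```

Creating the policy in report-only state first, and always excluding at least one break-glass account, are the two checks that separate a safe rollout from an accidental tenant-wide lockout.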

4. Detection

Detect, Investigate, Control is the theme for this layer of security. Indeed, you want to find the ransomware attempts, investigate their source, and quarantine or control those attempts to mitigate risk and build future policies based upon the specific attack vector.

So, let’s talk about 4 Microsoft tools that help with detection, investigation, and control.

Office 365 Threat Intelligence

When it comes to detection, Office 365 Threat Intelligence works in multiple ways. First, it gives you insights into threat prevention across your organization’s network. Second, it identifies and informs on threats in SharePoint Online, Exchange Online, OneDrive for Business, and Microsoft Teams. Again, it’s a valuable threat detection element for your entire email service. But, in particular, we’re looking at its detection capabilities. Elements like Threat Trackers prove invaluable for staying ahead of the cybersecurity curve and being “in the know” on the latest attack patterns.

Cloud App Security

Let’s say that a threat actor has successfully gained access to your business’s enterprise network. Further, they’re trying to encrypt files across your entire network by syncing across your OneDrive or other cloud sync platforms. With Cloud App Security, you can set up ransomware protection policies to monitor sync behaviors and stop malicious syncs from happening.

Advanced Threat Analytics

Again, let’s say that a threat actor was somehow able to bypass identity controls and device security to gain access to an account. ATP will detect abnormal behavior via machine learning and alert you to suspicious user activity. Indeed, this is business-wide visibility. It gives you the ability to dive deep into every resource layer and every device to detect abnormalities. And, it presents those abnormalities in an easy-to-view manner via dashboards and great visualization.

Secure Score

It’s easiest to think of Secure Score as a broader security measure. It provides risk scores for your entire organization on one dashboard, and you can compare your security posture to brands around the globe to improve your overall risk reduction capabilities.

5. Backup and Recovery

Finally, we arrive at the last end-to-end security component — recovery. This is the “what if” section. If ransomware makes its way through all of those deep layers of security, you need to have a way to back up and recover data — which essentially eliminates the end goal for ransomware attackers.

There are plenty of Microsoft tools that help with backup and recovery. OneDrive has a point-in-time recovery, and Azure Geo-redundant storage helps replicate data in multiple geolocations. But, we’re going to focus on Azure Backup — the primary backup and recovery tool.

Azure Backup

With Azure Backup you can back up, well, almost anything. You can back up virtual machines, SQL servers, physical servers, cloud servers, on-premises and off-premises systems, etc. You can back up virtually every piece of data in your business with ease. And, you can recover all of your data almost immediately. Again, since the data is in Azure, it’s redundant on multiple levels, and it’s spread wide across many different server points. So, the data is protected against encryption at this level.
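The redundancy described above is a vault setting, and the property that actually keeps backups out of a ransomware operator's reach is soft delete on the vault. This is an added example (not from the original post or from Microsoft) using the Az.RecoveryServices module to create a Recovery Services vault with geo-redundant storage and soft delete, protect one Azure VM with the built-in default policy, and take a first backup. Resource group, vault, VM name and region are placeholders.

```powershell
# Added example: Azure Backup vault with geo-redundancy and soft delete,
# then VM protection and a first backup. Uses the Az.RecoveryServices module.
# All names and the region below are placeholders.

Connect-AzAccount

$rg        = "rg-backup-example"   # placeholder resource group
$vaultName = "rsv-example"         # placeholder vault name
$location  = "westus2"             # placeholder region
$vmName    = "vm-fileserver-01"    # placeholder VM that already exists in $rg

$vault = New-AzRecoveryServicesVault -Name $vaultName -ResourceGroupName $rg -Location $location

# Geo-redundant storage replicates backup data to the paired Azure region.
Set-AzRecoveryServicesBackupProperty -Vault $vault -BackupStorageRedundancy GeoRedundant

# Soft delete keeps deleted backup data recoverable for 14 days, so a compromised
# backup-admin account cannot destroy restore points in a single step.
Set-AzRecoveryServicesVaultProperty -VaultId $vault.ID -SoftDeleteFeatureState Enable

# Subsequent backup cmdlets operate on this vault.
Set-AzRecoveryServicesVaultContext -Vault $vault

# Protect the VM with the vault's built-in daily policy.
$policy = Get-AzRecoveryServicesBackupProtectionPolicy -Name "DefaultPolicy"
Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name $vmName -ResourceGroupName $rg

# Kick off the first backup and list the restore points that result.
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -FriendlyName $vmName
$item      = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM
Backup-AzRecoveryServicesBackupItem -Item $item
Get-AzRecoveryServicesBackupRecoveryPoint -Item $item | Format-Table RecoveryPointTime, RecoveryPointType

# Read back the two settings that matter most for ransomware resilience.
Get-AzRecoveryServicesBackupProperty -Vault $vault
Get-AzRecoveryServicesVaultProperty -VaultId $vault.ID
```

The last two lines are the check worth keeping in a runbook: a vault whose redundancy silently fell back to locally redundant storage, or whose soft delete was turned off, offers far less protection than the marketing summary above implies.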

Final Thoughts

If you’re one of the many businesses worried about ransomware protection, the solution may be baked into your Microsoft environment. With a wide suite of security tools, Microsoft helps protect you and your business. So, are you interested in creating the most secure Microsoft environment possible? Or, are you ready to take the first steps and get secured with a Microsoft license? Contact us! We’re award-winning Microsoft Partners who are ready to help you take the first steps on your journey to cybersecurity.
