SaaS Ransomware: Getting Ready for a New Generation of Threats 

Last month, a new SaaS ransomware had been seen “in the wild” for the first time. The attack, which affected Microsoft SharePoint software, did not come from a compromised endpoint. This fact has alarmed SaaS security experts. Nor is it good news for security managers. However, there are ways to defend against such threats.  

The Attack  

Until now, ransomware attacks on SaaS applications have followed a pattern wherein the attacker first compromises an endpoint such as a laptop or server. After encrypting the data on the endpoint, the encrypted data synchronizes across all the storage/backup services, rendering it unusable, and the attacker demands a ransom for it to be decrypted. However, that is not what happened in this case. 

In this attack, a hacker compromised a Microsoft global admin service account’s credentials. The attacker was able to compromise the credentials because the service account did not have MFA/2FA enabled. Therefore, the account could be accessed over the public internet simply with a password. Specifically, the attacker accessed the service account from a virtual private server (VPS) host. Even though the VPS had an anomalous IP-geolocation, vis a vis “normal” access patterns, the attacker was still able to access the account. 

From there, the attacker set up a new Active Directory (AD) user called “Omega” using the compromised service account. The attacker then used the compromised service account to grant, and then elevate, the Omega account’s permissions—to roles that included Global Administrator, SharePoint Administrator, Exchange Administrator, and Teams Administrator. (Wow!) The compromised service account also granted Omega site collection administrator capabilities for multiple SharePoint sites and collections.  

The attacker proceeded to remove the other 200 admins from the system within two hours. The stage was set for a massive data breach, and at that point, the attacker was able to exfiltrate files. 

Implications for SaaS security 

The SharePoint ransomware attack “in the wild” presents a new twist on an old(ish) attack. What stands out is the fact that the attack did not involve compromising an endpoint like a server. With hackers no longer needing to gain access to an endpoint, they can focus instead on SaaS services. In this case, they used an admin account to lock out other users and breach the target’s data. They could have also encrypted the data and demanded a ransom to decrypt it. While most SaaS vendors are able to help victims restore their access and possibly recover lost data, the process tends to take a long time to complete, and it will not necessarily be able to restore all the affected data. 

The attack makes it clear that SaaS applications are now targets for ransomware attacks. It also shows the importance of defining and enforcing clear and effective policies regarding administrative accounts. The SharePoint attack would not have worked if MFA/2FA, along with better geo anomaly detection and response, had been operational. 

Mitigating This New Type of SaaS Risk 

This attack is a sign of what the future holds. It may have been the first known SaaS ransomware “in the wild,” but it will not be the last. The method of the attack underscores the importance of setting up, maintaining, and monitoring SaaS security controls. Though this idea is simple enough, its execution can be quite challenging. 

For most organizations, which on average employ more than 100 SaaS apps, each with their own unique configurations and settings, the task of defending against ransomware in the wild is going to be a daunting prospect. There are simply too many opportunities for security measures to fall apart. Individual users may be able to change their security settings without anyone knowing. Admin accounts may not be configured securely, e.g., without MFA/2FA. Third-party plugins might grant access to unauthorized users, and so forth. 

A SaaS security posture management (SSPM) platform, such as Suridata, offers a way to mitigate these new risks. Suridata comprises a single, unified solution for SSPM. With this SSPM platform, it becomes possible to achieve secure configurations of all SaaS apps in an organization—and then monitor those configurations for changes that reflect a change in security posture. The SSPM platform can also tightly control access by users and plugins, while monitoring for abnormal behavior. As it works, it is able to prioritize the security problems it detects, and in some cases, automatically remediate them. 


A new era is dawning in SaaS security. Ransomware attacks are lurking in the wild. It’s time to be prepared to defend against them. An SSPM platform is arguably the best technology available to mitigate threats that exploit weaknesses in access control, configuration, and anomaly detection.  

To learn about the Suridata SSPM platform, contact us now. 

Lee Kappon

Co-Founder & CEO

Back to list

Watch also