Detection overview

Triggers

  • A series of file modifications typically associated with ransomware.

Possible Root Causes

  • An account is being used to access an organization’s cloud storage and encrypt and rewrite files.
  • In some cases, automated jobs or services that perform widespread file renaming may trigger this detection.

Business Impact

  • Ransomware attacks directly impact access to the organization’s data and are popular among attackers due to the possibility of a quick transition from attack to monetization.
  • After files have been encrypted, the attacker will ask the organization to pay a ransom in return for a promise to provide the encryption key which would allow the files to be decrypted.
  • Even if an organization is willing to pay the ransom, there is no guarantee that the encryption key will be provided by the attacker or that the decryption process will work.
  • Absent the encryption key, an organization must rely on restoration of files from backups.

Steps to Verify

  • Review the integrity of the affected files and determine whether they appear encrypted.
M365 Ransomware

Possible root causes

Malicious Detection

Benign Detection

M365 Ransomware

Example scenarios

M365 Ransomware

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

M365 Ransomware

Steps to investigate

M365 Ransomware

MITRE ATT&CK techniques covered

M365 Ransomware

Related detections

No items found.

FAQs