Updated: Millions of Microsoft Office 365 users were potentially exposed to a massive zero-day Cerber ransomware attack last week that not only included a ransom note, but an audio warning informing victims that their files were encrypted.
Steven Toole, a researcher for the cloud-security firm Avanan, blogged that his company saw the first attack roll in at 6:44 a.m. on June 22 and that at least 57 percent of all Office 365 customers on Avanan’s platform received at least one phishing attempt that contained the infected attachment and Avanan extrapolated that the same number of all Office 365 users were involved. While Avanan did not supply a specific number of those possibly hit, Microsoft reported in its first quarter 2016 earnings report that there are 18.2 million Office 365 subscribers.
Toole said it took Microsoft more than 24 hours to detect the attack and start blocking the attachment.
A Microsoft spokesperson, in an email to SCMagazine.com, offered up a slightly different timeline on how quickly the issued was spotted and addressed.
“Office 365 malware protection identified the attack and was updated to block it within hours of its origination on June 22. Our investigations have found that this attack is not specific to Office 365 and only a small percentage of Office 365 customers were targeted, all of which have been protected,” the spokesperson said.
In a unique twist, the ransom note was accompanied by an audio file explaining the attack and how to regain access to the files. The attacker asked for a ransom totaling 1.4 bitcoin, or about $500, for the decryption key.
“This attack seems to be a variation of a virus originally detected on network mail servers back in early March of this year,” Toole wrote. “As it respawned into a second life, this time Cerber was widely distributed after its originator was apparently able to easily confirm that the virus was able to bypass the Office 365 built-in security tools through a private Office 365 mail account.”