RansomCloud: Ransomware Operations in Microsoft 365

On-prem ransomware is a crowded business: lots of competition, and when defenders do things right, backups are hard to kill. That pushes attackers to look for easier wins — and Microsoft 365 is an appealing target. Many organizations still rely mainly on “on-prem era” security technologies like AV/EDR, NGFW, sandboxes, or network-based IPS. Those tools can be great for endpoints and networks, but they don’t cover cloud services — which creates a blind spot. And it’s not a small one: Microsoft 365 isn’t a marginal service anymore, it’s a core part of the infrastructure for a majority of organizations.

I believe cloud-focused ransomware is coming, and it’s worth understanding how it could work in practice. In this talk I’ll share the current state of the art and how attackers could evolve it.

Ransomware has to adapt to work in a cloud environment. The key difference is that Microsoft 365 is mostly SaaS: attackers can’t just land on a hypervisor, stop VMs, and run one executable to encrypt everything. The cloud introduces real constraints (limited APIs, throttling, and platform guardrails), but it also gives attackers advantages: fewer traditional defensive controls in the way, high bandwidth for exfiltration, and options to disrupt response by cutting defenders off from admin access.

I’ll walk through a practical end-to-end “RansomCloud” playbook: where the data lives, what’s realistically destructible in Exchange/OneDrive/SharePoint and Azure, how cloud backups become a prime target, why endpoint caches can still matter, and how admin lockouts can create chaos and buy time.

The focus is the attacker’s perspective and operational constraints — what’s fast, what’s noisy, what tends to fail in practice, and which built-in safeguards actually slow an attacker down (or don’t). I’ll support it with demos of individual steps.