What is cloud ransomware and how do you prevent it?

September 6th, 2023 Posted in Information Security


Ransomware attacks continue to plague companies of all sizes. Financially motivated threat actors focus much of their efforts on locking down or exfiltrating sensitive data assets and holding victims to ransom.  

With many companies now migrating their data assets and workloads to cloud environments, tailoring ransomware tactics to target the cloud is becoming a more viable strategy for ransomware gangs.  

In this short blog, we will give the lowdown on what cloud ransomware is, how it works, and how to mitigate these attacks.  

What is cloud ransomware? 

Cloud ransomware follows a similar pattern and objective to traditional ransomware. Attackers obtain access to cloud-based resources or data and hold companies to ransom by encrypting, and increasingly also exfiltrating or deleting, those cloud-based assets. Rather than dropping malware on an endpoint, they typically gain their foothold through misconfiguration of the cloud environment or through a failure to adopt cloud security best practices, such as overly permissive identity and storage settings, leaked access keys or accounts without multi-factor authentication.

How does cloud ransomware work? 

Cloud ransomware works in a similar way to traditional ransomware attacks, although there are some slight differences tailored to the specifics of cloud environments. To help understand the threat faced by your cloud environment, we break down the common threat vectors (channels by which an attacker will try to deliver their malware payload), and the common stages of an active attack in this section. Understanding how your environment could be attacked is critical to identifying and implementing effective controls to stop an attacker in their tracks. 

Common cyber attack vectors: 

  • Phishing: Phishing remains a principal vector for cloud ransomware (sometimes called ransomcloud). Attackers send deceptive emails that trick users into running malware on a workstation; when that malware encrypts files in a folder synchronised by a service such as OneDrive or Dropbox, the sync client faithfully uploads the encrypted copies and the damage spreads into the cloud. In parallel, counterfeit login portals harvest user credentials and grant the attacker access to cloud accounts; where the fake portal proxies the real login page in real time, it can relay one-time codes and defeat weaker forms of two-factor authentication.
  • API (Application Programming Interface) Vulnerabilities: Cloud services are heavily dependent on APIs for automation and integration. Attackers who find insecure API endpoints or exposed API keys (in public code repositories, container images or client-side code, for example) can gain access to cloud resources without ever touching a login page. Read our blog on why API security is critical for your organisation.
  • Misconfigured Cloud Storage: Misconfigurations in storage services, such as AWS S3 buckets or Azure Blob Storage, allow unauthorised access to and modification of data. A bucket policy that grants write access to an anonymous principal, for example, lets anyone on the internet overwrite or encrypt the objects it holds, and a public-read bucket is an exfiltration target even where no encryption takes place.
  • Cross-Platform Exploitation: Organisations that run across several cloud platforms often apply controls unevenly. Attackers look for the weaker platform, or for trust relationships and federated identities shared between platforms, as the way in, and then pivot to the better-defended one. 
  • Serverless Function Abuse: Serverless functions run with whatever permissions their execution role carries. Attackers who can deploy or modify functions, or who control the events that trigger them, can use them to run code inside the environment, reach the data the function's role can access, or keep a foothold that survives the loss of a compromised credential. 
  • Attacking the Cloud Provider: Attackers target vulnerabilities in the cloud provider's own infrastructure or systems. If successful, they can compromise the underlying platform and affect every customer and service running on it. For the customer this is a supply chain risk, and one that the shared responsibility model (below) leaves largely in the provider's hands. You can read our Guide to Supply Chain Security here. 

A cyber-attack, including ransomware attacks, tends to involve a series of stages. Understanding these stages can help you improve your cloud security defences. The typical stages are: 

Reconnaissance

Prior to an attack, threat actors try to obtain information about their target. This can be through active scanning and enumeration of your cloud assets and boundaries (public IP ranges, storage bucket names, exposed APIs and login portals), or through passive reconnaissance of publicly available information such as employee names, roles and email addresses from LinkedIn or your own website. 

Initial Access

Attackers gain initial access to cloud environments by exploiting the weaknesses enumerated in the reconnaissance stage. Compromising credentials via social engineering, exploiting cloud misconfigurations and targeting software vulnerabilities are the most common initial access methods. The causes of cloud misconfiguration are plentiful, ranging from default credentials left in place to users and service accounts granted far more permission than they need. Cloud backups are no exception: unless they are properly configured they suffer the same flaws as traditional backup solutions, and they are reachable by the same compromised identities.  

Privilege Escalation and Lateral Movement

Attackers use tools and techniques to elevate their permissions and/or move laterally, with the end goal of reaching and encrypting your cloud-based resources. Tools such as Mimikatz can harvest credentials from a compromised Windows host (and a cloud VM is still a host), but the more efficient route to privilege escalation and lateral movement in the cloud is to abuse identity and access management (IAM) misconfigurations. For example, a particular user might hold permissions over all of your cloud storage buckets, far more than is needed for their routine work, so that a single phished password or leaked access key becomes write access to every bucket in the account.  
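As an added example (not code from the original post, and not any AWS tooling), the following Python script shows what "excessive permissions to all your cloud storage buckets" looks like in policy form and how to find it. It lints an IAM identity policy and an S3 bucket policy for wildcard grants and for the public-write storage misconfiguration listed among the attack vectors above, and it includes a simplified IAM evaluator (an explicit Deny beats any Allow; Condition blocks are assumed satisfied; NotAction, NotResource and NotPrincipal are ignored) to show how a least-privilege policy with an explicit Deny keeps a compromised user away from the backup bucket. The policy documents, bucket names and account ID are constructed for illustration.

```python
"""Lint AWS IAM identity policies and S3 bucket policies for grants that let a
single compromised identity, or anyone on the internet, overwrite or destroy
object storage.  Added example, not code from the original post; the policies,
bucket names and account ID below are constructed for illustration."""
import fnmatch
import json

# S3 actions an attacker needs to overwrite or delete data, or to remove the
# versioning/lifecycle safety net first.  A subset, chosen for this example.
DESTRUCTIVE_S3_ACTIONS = (
    "s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
    "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration", "s3:DeleteBucket",
)


def _as_list(value):
    """IAM accepts a scalar or a list for Action, Resource and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """'*' or {'AWS': '*'} grants to every AWS account and unauthenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _statement_applies(stmt, principal_arn):
    """Identity policies carry no Principal; resource policies must name the caller.
    With principal_arn=None a bucket policy is evaluated as the anonymous user."""
    if "Principal" not in stmt:
        return True
    principal = stmt["Principal"]
    if _principal_is_anonymous(principal):
        return True
    return isinstance(principal, dict) and principal_arn in _as_list(principal.get("AWS"))


def is_allowed(policy, action, resource, principal_arn=None):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any Allow grants.
    Deliberate simplifications: Condition blocks are treated as always satisfied
    (conservative when hunting over-broad grants); NotAction/NotResource/NotPrincipal
    are not handled."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_applies(stmt, principal_arn):
            continue
        # Action matching is case-insensitive; both fields support '*' and '?'.
        action_hit = any(fnmatch.fnmatchcase(action.lower(), p.lower())
                         for p in _as_list(stmt.get("Action")))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt.get("Resource")))
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def audit(policy, backup_bucket_arn, principal_arn=None):
    """Return sorted (finding, detail) pairs for ransomware-relevant grants."""
    findings = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if "*" in actions or "s3:*" in actions:
            findings.add(("WILDCARD_ACTION", sid))
        if "*" in _as_list(stmt.get("Resource")):
            findings.add(("WILDCARD_RESOURCE", sid))
    # Can this principal (or anyone, for a bucket policy) damage the backups?
    # The bucket ARN covers bucket-level calls, "<bucket>/*" a representative object.
    for action in DESTRUCTIVE_S3_ACTIONS:
        for res in (backup_bucket_arn, backup_bucket_arn + "/*"):
            if is_allowed(policy, action, res, principal_arn):
                findings.add(("DESTRUCTIVE_ON_BACKUPS", action))
    return sorted(findings)


BACKUPS = "arn:aws:s3:::corp-backups"  # constructed bucket name

# Constructed: the "excessive permissions to all your storage buckets" case.
OVER_PERMISSIVE_USER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AllS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}""")

# Constructed least-privilege replacement: read/write only the app bucket, plus an
# explicit Deny on the calls that would disable versioning or purge the backups.
LEAST_PRIVILEGE_USER_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "AppData", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
   "Resource": "arn:aws:s3:::corp-app-data/*"},
  {"Sid": "ProtectBackups", "Effect": "Deny",
   "Action": ["s3:PutBucketVersioning", "s3:DeleteObjectVersion",
              "s3:PutLifecycleConfiguration", "s3:DeleteBucket"],
   "Resource": ["arn:aws:s3:::corp-backups", "arn:aws:s3:::corp-backups/*"]}]}""")

# Constructed bucket policy with the classic storage misconfiguration: Principal "*"
# on a write action, so anyone on the internet can overwrite the objects.
PUBLIC_WRITE_BUCKET_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "Oops", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::corp-backups/*"}]}""")

if __name__ == "__main__":
    for name, pol in [("over-permissive user", OVER_PERMISSIVE_USER_POLICY),
                      ("least-privilege user", LEAST_PRIVILEGE_USER_POLICY),
                      ("public-write bucket", PUBLIC_WRITE_BUCKET_POLICY)]:
        print(name, audit(pol, BACKUPS))
```

Run stand-alone, the script reports wildcard action and resource plus every destructive action for the over-permissive policy, nothing for the least-privilege policy, and an anonymous `s3:PutObject` against the backup bucket for the public-write bucket policy. The real IAM evaluator also applies service control policies, permission boundaries and conditions, so treat a clean result here as a first pass, not a proof.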

Encryption

Traditional ransomware infects resources like applications or user workstations when an attacker with sufficient privileges drops malicious software onto multiple host systems; this software encrypts the files on the disk of each compromised system. But cloud computing resources like VM (Virtual Machine) instances or containers that your company might use to run custom apps often store little or no application data and are designed to be short-lived.  

These characteristics mean that traditional host-based ransomware is less effective in the cloud than on on-premises infrastructure, which tends to be persistent and long-lived. Typical ransomware could technically infect VM instances or containers, but an autoscaled instance that is replaced within the hour is not much of a hostage. Encryption is still central to cloud-native ransomware; it simply happens in a different place. This phase focuses on the persistent cloud data stores, such as object storage, block storage volumes and snapshots, and managed databases, using the cloud provider's own APIs and the permissions of the compromised identity rather than a binary dropped on a host. The same access is frequently used to delete or suspend backups, versioning and snapshots first, so that the encrypted data cannot simply be rolled back. 

Who is responsible for protecting cloud data? 

In the cloud landscape, security is a partnership between the cloud provider and the customer, commonly known as the Shared Responsibility Model. 

Cloud Service Providers (CSPs): They are typically responsible for the “security OF the cloud”. This includes safeguarding the infrastructure that runs cloud services, such as hardware, software, networking, and data centres. CSPs also offer tools and features to enhance security and ensure uptime. 

Customers: Customers are accountable for the “security IN the cloud”. This entails managing and securing their own data, platforms, applications, and network traffic. Decisions on encryption, access controls, threat detection, and response strategies fall on the customers’ shoulders. 

Confusion emerges mainly because the specific obligations under this model differ depending on the type of cloud service you use. Whether the service you use is IaaS (Infrastructure as a Service), PaaS (Platform as a Service), or SaaS (Software as a Service), though, the onus rests on your business to properly secure your data in the cloud.  

Even in the SaaS model, in which the cloud service provider takes on the most responsibility, the customer is generally still responsible for managing their data and user access. It is up to your business to understand and use the available security measures effectively, such as by managing user permissions and using encryption. 

Misunderstandings about the shared responsibility model often result in cloud data lacking adequate protection. One report from 2022 found that over a third of enterprises were not encrypting the sensitive data assets they store in the cloud, such as company secrets or personally identifiable information. The tendency to misunderstand the model makes having an incident response plan in place that much more important. When a security incident in the cloud occurs, a quick response is critical to containing cloud ransomware before it reaches backups and secondary data stores. To help you, we recently posted a guide on Cloud Incident Response Best Practices. 

How to mitigate cloud ransomware attacks

  • Regular Backups: Backups are essential for ransomware defence, and it is crucial to regularly test your organisation's ability to restore from them. Evaluate the data held in each cloud service to ensure it is recoverable if compromised. Relying solely on the cloud provider does not guarantee data safety, especially in Infrastructure as a Service (IaaS) scenarios, where the onus of protection lies with the user. Even Platform as a Service (PaaS) or Software as a Service (SaaS) offerings do not always provide ransomware safeguards out of the box; features such as Versioning in Microsoft OneDrive might not be activated, or can be disabled by attackers with admin access. Assume that an attacker who reaches admin will try to disable versioning and delete snapshots before encrypting anything. Where the platform offers immutable storage (S3 Object Lock in compliance mode, or immutable blob storage in Azure), use it for backup copies so that an admin-level compromise cannot delete or overwrite them, and keep at least one copy in a separate account or subscription that production identities cannot reach. 
  • Implement least-privilege access: This cornerstone principle of identity and access management gives users only the minimum level of access necessary to complete their job functions. Identify what resources you have in your cloud environment and who needs access to them. Use cloud-native identity and access management to assign permissions based on job roles or attributes of those requesting access, avoid wildcard actions and resources in policies, and review permissions that have gone unused, since every unused grant is a free gift to whoever compromises that identity.  
  • Use multi-factor authentication: Implementing MFA adds an additional layer of security so that even if a threat actor compromises the login credentials for an employee's cloud account, the attacker still cannot access the account without the second factor. Prefer phishing-resistant factors such as FIDO2 security keys or passkeys for administrative accounts, since code-based MFA can be relayed by the real-time phishing pages described above, and enforce MFA on programmatic and root or break-glass access as well as on the console. 
  • Stay on top of patching: Your company's patching strategy should include applying timely updates to any apps or services you run on virtual machine instances in public cloud environments, and rebuilding container images and machine images so that new instances do not start from a vulnerable baseline.  
  • Consider using the Zero Trust Security Model: Zero Trust is a strong mitigation strategy against cloud ransomware because it operates on a "never trust, always verify" principle. By segmenting networks, continuously authenticating and authorising each request, and granting least-privilege access, it limits lateral movement and unauthorised access, so that even if attackers get in, their capacity to cause widespread damage is constrained. 
  • Use CSPM (Cloud Security Posture Management) and CASB tools: CASB (Cloud Access Security Broker) tools provide visibility into, and enforce policy over, the SaaS and cloud services your users reach, mitigating risks such as unauthorised data exposure. CSPM tools continuously check your cloud configuration against security benchmarks (the CIS benchmarks for AWS and Azure, for example) and flag misconfigurations such as public buckets, wildcard IAM policies and disabled logging for remediation. Together they give a layered view of what is exposed and who can reach it. 
  • Invest in cyber training and awareness: Rather than treating user cyber training and awareness as a box to tick, view it as central to your security strategy. Incorporate training materials about cloud security threats, including cloud ransomware, and how to report incidents to your incident response team (if you have one). Increase awareness about social engineering and test this awareness with simulated phishing exercises.  

Given that AWS and Azure are two of the most commonly used public cloud service providers, it is worth overviewing some helpful cloud ransomware mitigation measures for both.  

Cloud ransomware mitigation for AWS

  • Use the available AWS Identity and Access Management (IAM) features to implement least-privilege access and multi-factor authentication, and apply service control policies (SCPs) across the organisation so that no identity can disable CloudTrail or weaken backup protections. 
  • Protect S3 backups with Versioning and Object Lock: Enable versioning on buckets that hold backups and use S3 Object Lock so that object versions cannot be deleted or overwritten before their retention period expires, even by an administrator, and replicate backup copies to a separate account. 
  • Use Amazon GuardDuty: This threat detection service continuously monitors for malicious or unauthorised behaviour, including anomalous S3 data access, to help protect your AWS accounts and workloads. Pair it with CloudTrail data events on your critical buckets so that bulk deletes and configuration changes are logged and can be alerted on. 
  • Enable Amazon Macie: This service helps identify and protect sensitive data such as personally identifiable information (PII) stored in Amazon S3, so that you know which buckets matter most. 
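The following Python detection logic is an added example, not code from the original post and not a GuardDuty rule. It runs two checks over CloudTrail S3 events that map to the backup-tampering behaviour described in the mitigation list above (versioning being suspended before the encryption phase) and to bulk deletion or overwriting of objects by a single identity, using a sliding time window. The records are constructed to follow CloudTrail's JSON layout (a `Records` array of events carrying `eventTime`, `eventName`, `userIdentity.arn` and `requestParameters.bucketName`) but are not real logs; the threshold, window and identity names are tuning assumptions.

```python
"""Detect S3 ransomware precursors in AWS CloudTrail: versioning being suspended
on a bucket, and one identity deleting or overwriting objects in bulk.
Added example, not code from the original post.  The records below are
constructed to follow CloudTrail's JSON layout but are not real logs."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning assumptions for this example; real thresholds depend on the workload.
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(minutes=5)
BURST_KINDS = {
    "DeleteObject": "MASS_DELETE",
    "DeleteObjectVersion": "MASS_DELETE",   # purging versions defeats rollback
    "PutObject": "MASS_OVERWRITE",          # replacing objects with ciphertext
}


def load_records(trail_json):
    """CloudTrail log files wrap events in a top-level 'Records' array."""
    return json.loads(trail_json)["Records"]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(records, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Return (alert, actor_arn, bucket) tuples; bursts fire once per actor/bucket/kind."""
    alerts = []
    recent = defaultdict(list)   # (actor, bucket, kind) -> event times still in window
    fired = set()
    for ev in sorted(records, key=_ts):
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        actor = ev["userIdentity"]["arn"]
        params = ev.get("requestParameters") or {}
        bucket = params.get("bucketName")
        name = ev["eventName"]
        # Rule 1: suspending versioning removes the recovery path before encryption.
        if name == "PutBucketVersioning":
            status = (params.get("VersioningConfiguration") or {}).get("Status")
            if status == "Suspended":
                alerts.append(("VERSIONING_SUSPENDED", actor, bucket))
            continue
        # Rule 2: sliding-window burst of destructive calls from one identity.
        kind = BURST_KINDS.get(name)
        if kind is None:
            continue
        key = (actor, bucket, kind)
        now = _ts(ev)
        recent[key] = [t for t in recent[key] if now - t <= window] + [now]
        if len(recent[key]) >= threshold and key not in fired:
            fired.add(key)
            alerts.append((kind, actor, bucket))
    return alerts


# ---- constructed sample trail (not real logs) ----------------------------
ALICE = "arn:aws:iam::123456789012:user/alice"
ATTACKER = "arn:aws:sts::123456789012:assumed-role/Admin/ransom-session"


def _record(name, actor, bucket, when, **extra):
    kind = "AssumedRole" if "assumed-role" in actor else "IAMUser"
    return {"eventVersion": "1.08", "eventTime": when,
            "eventSource": "s3.amazonaws.com", "eventName": name,
            "awsRegion": "eu-west-2", "sourceIPAddress": "203.0.113.5",
            "userIdentity": {"type": kind, "arn": actor},
            "requestParameters": {"bucketName": bucket, **extra}}


_t0 = datetime(2023, 9, 6, 10, 13, 0)
_records = [
    # Normal application traffic: a few writes spread over an hour.
    _record("PutObject", ALICE, "corp-app-data", "2023-09-06T09:00:00Z", key="reports/q3.csv"),
    _record("PutObject", ALICE, "corp-app-data", "2023-09-06T09:30:00Z", key="reports/q3.csv"),
    _record("PutObject", ALICE, "corp-app-data", "2023-09-06T10:00:00Z", key="reports/q4.csv"),
    # Attacker with admin: suspend versioning, then purge versions within seconds.
    _record("PutBucketVersioning", ATTACKER, "corp-backups", "2023-09-06T10:12:00Z",
            VersioningConfiguration={"Status": "Suspended"}),
] + [
    _record("DeleteObjectVersion", ATTACKER, "corp-backups",
            (_t0 + timedelta(seconds=10 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
            key=f"db/dump-{i}.sql")
    for i in range(6)
]
SAMPLE_TRAIL = json.dumps({"Records": _records})

if __name__ == "__main__":
    for alert in detect(load_records(SAMPLE_TRAIL)):
        print(*alert)
```

Run stand-alone, the script prints one `VERSIONING_SUSPENDED` and one `MASS_DELETE` alert for the assumed-role session and nothing for the normal user. In production the same logic would consume CloudTrail log files delivered to S3 (with S3 data events enabled for the buckets you care about) or events forwarded through EventBridge, and a versioning-suspension alert on a backup bucket deserves an immediate page rather than a ticket.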

Cloud ransomware mitigation for Azure

  • Use Microsoft Sentinel for threat intelligence and for detecting in-progress ransomware attacks in your cloud environment from the Azure activity and storage logs it ingests. 
  • Enforce multi-factor authentication using Azure Active Directory (now Microsoft Entra ID) Conditional Access to protect cloud accounts against many of the most common password attacks.
  • Azure Information Protection classifies, labels and protects data based on its sensitivity, so that your most sensitive data stores are known and prioritised. 
  • Protect Azure backups with soft delete and immutability: Enable soft delete and blob versioning on storage accounts that hold backups, and apply immutable (time-based retention) policies to backup containers so that a compromised administrator cannot purge them. 

Get an independent cloud security review

Continued breaches of cloud environments often make media headlines, and their root causes regularly come down to security lapses and misconfigurations. An independent cloud security review is a great way to identify gaps in cloud security practices, improve your cloud security posture, and defend against cloud ransomware.  

Evalian arms your businesses with a team of security experts to perform cloud security reviews at a cost-effective rate.  


Image by jordy_pp on Freepik
Image by rawpixel.com on Freepik

Written by Patrik Jakus

Patrik is a Cloud Security Assessor at Evalian, providing professional security services to clients. Having previously worked for a managed security service provider as a Security engineer specialising in cloud technologies, Patrik was involved in a variety of projects including Cloud Security Assessments, DLP (Data Loss Prevention) engineering, MDR (Managed Detection and Response) engineering and Attack Surface Management. Patrik is certified in AWS, Azure and Ethical Hacking.