Ransomware attacks are becoming an everyday occurrence, and operators are increasingly targeting the cloud. In what’s known as cloud ransomware, or RansomCloud, adversaries are seeking ways to attack cloud applications and stored data, as well as cloud-based companies.
US-based cloud hosting service Cloudstar, for instance, was hit in July by a sophisticated ransomware assault that brought it to a standstill for days. Although such attacks are more prominent, cloud-based services have been targets for years, with South Korean web hosting company Nayana, for example, paying a $1 million ransom in 2017 after data on customer servers was encrypted.
Meanwhile, as COVID-19-fuelled digital transformation continues, most organisations have migrated at least some of their business to the cloud. This move comes with improved efficiency, but experts warn it can also increase the risk of being hit by RansomCloud attacks.
Cyber criminals can target the cloud with ransomware in multiple ways. One is by encrypting data organisations store on their own systems backed up to the cloud, explains David Emm, principal researcher at Kaspersky, while another is obtaining access directly to cloud-based data. “Adversaries are using social engineering to trick staff into disclosing the credentials needed to access cloud systems,” Emm tells IT Pro, adding that if any system is protected using weak credentials, attackers can use brute force methods to gain access.
Hackers can also target the cloud by compromising a cloud provider itself. This is less common, but it does happen: in 2019, for instance, the infamous REvil gang compromised PerCSoft, a provider of backup and cloud storage facilities to US dental practices.
Cloud ransomware: How cyber gangs gain access to the cloud
As most organisations move to the cloud, ransomware operators have started to target cloud infrastructure, says Ian Farquhar, field CTO in the security architecture team at analyst firm Gigamon. This is being fuelled by the fact cloud infrastructure security is a challenge for many organisations. “Hiring infosec specialists is difficult; hiring infosec specialists with cloud experience is even harder.”
There are multiple ways cyber criminals obtain access to cloud-based resources and data, says Gavin Knapp, cyber defence technical lead at Bridewell Consulting. They can target vulnerabilities in cloud services to gain a foothold, or web applications to deploy web shells and malware. “Other techniques include stealing valid credentials to obtain privileged access to cloud consoles, as well as OAuth app consent phishing and other identity attacks which can result in shared file storage or services being encrypted by malicious apps.”
RansomCloud attacks often compromise weak access control on internet-facing services before propagating ransomware to an internal infrastructure as a service (IaaS) environment, says Knapp. He cites the example of the zero-day vulnerability found in Apache Log4j. “It took little time for bad actors to exploit payloads to include ransomware,” he says. “The threat was exacerbated by the widespread public sharing of the exploit code, Log4Shell.”
Cloud attackers can often gain access through poorly configured cloud API services and accidentally shared credentials. “Attackers can go through services such as GitHub and search for cloud access keys that have been incorrectly posted to public repositories,” says Rob Demain, CEO of security firm e2e-assure. “Hackers simply pull out the authentication keys written in the code.”
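The exposure Demain describes, access keys committed to a public repository, is one that defenders can check for before code leaves the organisation. The scanner below is an added example (not code from the article or from any vendor quoted in it) that runs two rules over file contents: a pattern for the AWS access key ID format (AKIA followed by 16 uppercase alphanumerics) and a keyword-plus-entropy rule for secret values sitting next to names such as secret, token or password. The sample config is constructed; the two credential values in it are AWS's own published placeholder examples, not real keys, and the rule names and finding format are this example's choices.

```python
import math
import re
from collections import Counter

# Constructed sample of a config file a developer might commit by mistake.
# The key values are AWS's documented example credentials, not live ones.
SAMPLE_SOURCE = """\
# deploy.cfg (constructed example, not a real file)
region = eu-west-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
session_token = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
log_level = debug
"""

# Rule 1: AWS access key IDs have a fixed, recognisable shape.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

# Rule 2: a secret-looking assignment; the value is then entropy-checked so that
# obvious placeholders (repeated characters, CHANGE_ME strings) are not reported.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)(secret|token|password|api[_-]?key)[A-Za-z0-9_-]*\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9/+=_-]{20,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off for this example


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character; 0.0 for a single repeated symbol."""
    if not value:
        return 0.0
    counts = Counter(value)
    length = len(value)
    return -sum((n / length) * math.log2(n / length) for n in counts.values())


def redact(value: str) -> str:
    """Keep only the ends of a matched value so findings are safe to log."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str) -> list:
    """Return one finding per leaked-credential indicator, with the line number."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in AWS_KEY_ID.finditer(line):
            findings.append({"line": line_no, "rule": "aws_access_key_id",
                             "value": redact(match.group(0))})
        for match in SECRET_ASSIGNMENT.finditer(line):
            candidate = match.group(2)
            # Low-entropy values are almost always placeholders, not secrets.
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append({"line": line_no, "rule": "high_entropy_secret",
                                 "value": redact(candidate)})
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_SOURCE):
        print(f"line {finding['line']}: {finding['rule']} ({finding['value']})")
```

Wired into a pre-commit hook or a CI step, a check like this blocks the commit when `scan_text` returns anything; the entropy gate is what keeps it from complaining about every `token = AAAA...` placeholder in test fixtures.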
Malware authors and criminal groups operate like any modern business and are transforming their own tactics and techniques to include cloud, warns Knapp. “The automation of cloud attacks is also growing and the time between vulnerability releases and weaponisation of malware including ransomware is getting shorter.”
The ransomware business model is becoming increasingly ‘professionalised’, with cyber criminals hiring dedicated malware developers as an efficient and cost-effective way of carrying out operations, says Deloitte cyber risk partner, Nick O’Kelly. “These developers typically advertise through cyber criminal marketplaces, and their services can range from initial ‘dropper’ malware that exploits specific vulnerabilities, to bespoke ransomware designed to the clients’ needs and victim specification – such as cloud infrastructure.”
This is already starting to happen, at least in theory. Security firm KnowBe4 posted a blog in January about a white hat hacker who developed a working RansomCloud strain that encrypts cloud email accounts, including Microsoft Office 365 accounts, in real time.
Any business using the cloud is at risk, but those lacking maturity in architecting secure cloud services are “particularly vulnerable”, as well as businesses lacking security controls to prevent users granting permissions to applications, warns Knapp. Organisations that fail to understand the so-called shared security responsibility model – which means the business and cloud provider are jointly responsible for security – are also at risk.
Cloud ransomware: How your business can defend against threats
As the volume of ransomware attacks increases, there are no guarantees you won’t be hit by strains targeting the cloud, but your business can take steps to avoid it. Backups are important and testing your defences is key. Regular assessments and checks should be made on your organisation’s resilience to ransomware attacks, says Phil Robinson, principal consultant and founder of cyber security consultancy Prism Infosec.
This should include looking at the data held in cloud services and establishing whether it can be effectively recovered if it’s deleted or encrypted. Robinson, in particular, urges businesses to examine whether data is being versioned, snapshotted or backed up to another platform, how frequently this is happening, and when a simulated loss and restore was last tested.
Don’t assume that because your organisation is using a cloud-based service provided by a key player such as Microsoft, Amazon or Google, it means data is safe, says Robinson. “In particular, the use of IaaS will more than likely mean it’s your own responsibility to ensure you’re resilient against these types of attacks.”
Even platform as a service (PaaS) or software as a service (SaaS) don’t provide automatic protection, Robinson warns. “Microsoft OneDrive and SharePoint have a level of ransomware protection via the Versioning feature. This, however, might not be enabled by your organisation, or an attacker who has gained administrative privileges may be able to disable it.”
Education, in addition, is the key to mitigating the RansomCloud threat, says Knapp. “IT, security and end-users must be made aware of how cloud-focused attacks are performed, what can be done to protect against them, and how to report an incident when needed.”
As well as good security hygiene such as multifactor authentication (MFA) and regular patching, technical solutions also help. Businesses should implement strong endpoint, email and cloud app detection and response capabilities. This will help to avoid developers and cloud engineers being tricked by social engineering attacks, says Knapp. All alerts should be sent to either a security information and event management (SIEM) or security orchestration, automation, and response (SOAR) system where they can be monitored 24/7, he continues, with threat intelligence services also useful in providing early warning of an attack.
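Two of the points above can be turned into concrete alerts for the SIEM Knapp describes: Robinson's warning that an attacker with administrative privileges may switch versioning off, and the bulk deletion or overwriting of objects that ransomware produces once it runs. The detector below is an added example, not code from the article or from any vendor quoted in it. It consumes constructed audit events laid out in the shape of AWS CloudTrail records (eventTime, eventName, userIdentity.arn, requestParameters); the exact field layout, the account ID, the principal ARNs, the five-deletes-in-sixty-seconds threshold and the rule names are all assumptions of this example, and a real deployment would tune them to its own logging.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds: five object deletions by one principal inside a minute
# is treated as a bulk-deletion signal for this example.
DELETE_THRESHOLD = 5
WINDOW = timedelta(seconds=60)

# Constructed principals (the account ID is AWS's documented placeholder).
ADMIN = "arn:aws:iam::123456789012:user/admin"
CI = "arn:aws:iam::123456789012:role/ci-deploy"


def _ev(time, arn, name, **params):
    """Build one constructed CloudTrail-like event record."""
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}


# Constructed sample log: a routine enable by CI, then an admin principal
# suspending versioning and deleting six objects in quick succession.
SAMPLE_EVENTS = [
    _ev("2021-11-10T09:00:00Z", CI, "PutBucketVersioning",
        bucketName="finance-docs", VersioningConfiguration={"Status": "Enabled"}),
    _ev("2021-11-10T10:00:00Z", ADMIN, "PutBucketVersioning",
        bucketName="finance-docs", VersioningConfiguration={"Status": "Suspended"}),
] + [
    _ev(f"2021-11-10T10:00:{5 + 3 * i:02d}Z", ADMIN, "DeleteObject",
        bucketName="finance-docs", key=f"ledger-{i}.xlsx")
    for i in range(6)
] + [
    _ev(f"2021-11-10T11:00:{i:02d}Z", CI, "DeleteObject",
        bucketName="build-cache", key=f"tmp-{i}")
    for i in range(2)
]


def parse_time(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def detect(events: list) -> list:
    """Return SIEM-ready alerts for versioning being suspended and bulk deletes."""
    alerts = []
    recent_deletes = defaultdict(deque)  # principal -> timestamps inside WINDOW
    tripped = set()                      # principals already alerted on

    for ev in sorted(events, key=lambda e: e["eventTime"]):
        ts = parse_time(ev["eventTime"])
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        params = ev.get("requestParameters", {})

        if ev.get("eventName") == "PutBucketVersioning":
            status = params.get("VersioningConfiguration", {}).get("Status")
            if status == "Suspended":
                alerts.append({"rule": "versioning_suspended", "principal": who,
                               "bucket": params.get("bucketName"),
                               "time": ev["eventTime"]})

        elif ev.get("eventName") == "DeleteObject":
            window = recent_deletes[who]
            window.append(ts)
            while window and ts - window[0] > WINDOW:
                window.popleft()
            if len(window) >= DELETE_THRESHOLD and who not in tripped:
                tripped.add(who)
                alerts.append({"rule": "bulk_delete", "principal": who,
                               "bucket": params.get("bucketName"),
                               "count": len(window), "time": ev["eventTime"]})
    return alerts


def to_siem_lines(alerts: list) -> str:
    """Serialise alerts as JSON lines, the form most SIEM collectors ingest."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


if __name__ == "__main__":
    print(to_siem_lines(detect(SAMPLE_EVENTS)))
```

The versioning rule fires on a single event because turning protection off is rare enough to be worth a human look every time; the deletion rule is rate-based and fires once per principal, so a genuine clean-up job produces one alert to triage rather than hundreds.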