IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

What is cloud ransomware and how can you avoid attacks?

With ransomware increasingly targeting cloud applications and data, as well as cloud-based companies, we explain how you can protect your business

Harnessing the power of cloud computing is something that no longer seems as daunting as it used to and organisations running at least part of their operations on public clouds is increasing every year. With this uptake in usage, however, and the value that the technology can offer, ransomware attacks in the cloud are naturally on the horizon and will always evolve to target areas of significant value.

That said, serious incidents are still rare because traditionally coded ransomware payloads don’t operate well on cloud infrastructure - they’re built to exploit PCs and other computers. Security firms like Unit42 say it’s time to get ahead of the curve and start securing cloud environments before attackers can change their tactics and techniques so their ransomware programs cause damage in the cloud.

There are no known ransomware threat actors that are solely focused on targeting cloud infrastructure, the security company says, but that doesn’t mean the threat is non-existent. There is a precedent of cloud providers themselves being targeted by ransomware - Cloudstar’s incident in July 2022 is an example of that - and malware gangs like TeamTNT have been observed targeting Kubernetes in the past.

This means that now is the time to start familiarising yourself with the weak points that could be used to target your cloud environment and all the high-value data that resides in it. Customer information, business-critical data, and key processes are all attractive targets for cyber criminals, so spending time to get ahead of the attackers could be hugely significant for business continuity and reputation in the long term.

Cloud ransomware: How cyber gangs gain access to the cloud 

As most organisations move to the cloud, ransomware operators have started to target cloud infrastructure, says Ian Farquhar, field CTO in the security architecture team at analyst firm Gigamon. This is being fuelled by the fact cloud infrastructure security is a challenge for many organisations. “Hiring infosec specialists is difficult; hiring infosec specialists with cloud experience is even harder.”

There are multiple ways cyber criminals obtain access to cloud-based resources and data, says Gavin Knapp, cyber defence technical lead at Bridewell Consulting. They can target vulnerabilities in cloud services to gain a foothold, or web applications to deploy web shells and malware. “Other techniques include stealing valid credentials to obtain privileged access to cloud consoles, as well as OAuth app consent phishing and other identity attacks which can result in shared file storage or services being encrypted by malicious apps.”

RansomCloud attacks often compromise weak access control on internet-facing services before propagating ransomware to an internal infrastructure as a service (IaaS) environment, says Knapp. He cites the example of the zero-day vulnerability found in Apache Log4j. “It took little time for bad actors to exploit payloads to include ransomware,” he says. “The threat was exacerbated by the widespread public sharing of the exploit code, Log4Shell.”

Cloud attackers can often gain access through poorly configured cloud API services and accidentally shared credentials. “Attackers can go through services such as GitHub and search for cloud access keys that have been incorrectly posted to public repositories,” says Rob Demain, CEO of security firm e2e-assure. “Hackers simply pull out the authentication keys written in the code.”

Related Resource

Edge to cloud security: A new WAN and security edge

A practical guide to adopting a secure access service edge (SASE) architecture

Orange whitepaper cover with image of someone at a laptop on a video conference call with other people smiling backFree Download

Malware authors and criminal groups operate like any modern business and are transforming their own tactics and techniques to include cloud, warns Knapp. “The automation of cloud attacks is also growing and the time between vulnerability releases and weaponisation of malware including ransomware is getting shorter.” 

The ransomware business model is becoming increasingly ‘professionalised’, with cyber criminals hiring dedicated malware developers as an efficient and cost-effective way of carrying out operations, says Deloitte cyber risk partner, Nick O’Kelly. “These developers typically advertise through cyber criminal marketplaces, and their services can range from initial ’dropper’ malware that exploits specific vulnerabilities, to bespoke ransomware designed to the clients’ needs and victim specification – such as cloud infrastructure.”

This is already starting to happen, at least in theory. Security firm KnowBe4 posted a blog in January about a white hat hacker who developed a working RansomCloud strain that encrypts cloud email accounts, including Microsoft Office 365 accounts, in real-time.

Any business using the cloud is at risk, but those lacking maturity in architecting secure cloud services are “particularly vulnerable”, as well as businesses lacking security controls to prevent users from granting permissions to applications, warns Knapp. Organisations that fail to understand the so-called shared security responsibility model – which means the business and cloud provider are jointly responsible for security – are also at risk. 

Cloud ransomware: How your business can defend against threats

As the volume of ransomware attacks increases, there are no guarantees you won’t be hit by strains targeting the cloud, but your business can take steps to avoid it. Backups are important and testing your defences is key. Regular assessments and checks should be made on your organisation’s resilience to ransomware attacks, says Phil Robinson, principal consultant and founder of cyber security consultancy Prism Infosec.

This should include looking at the data held in cloud services and establishing whether it can be effectively recovered if it’s deleted or encrypted. Robinson, in particular, urges businesses to examine whether data is being versioned, snapshotted or backed up to another platform, how frequently this is happening, and when the last time a simulated loss and restore was tested.

Don’t assume that because your organisation is using a cloud-based service provided by a key player such as Microsoft, Amazon or Google, it means data is safe, says Robinson. “In particular, the use of IaaS will more than likely mean it’s your own responsibility to ensure you’re resilient against these types of attacks.”

Even platform as a service (PaaS) or software as a service (SaaS) doesn’t provide automatic protection, Robinson warns. “Microsoft Onedrive and Sharepoint have a level of ransomware protection via the Versioning feature. This, however, might not be enabled by your organisation, or an attacker who has gained administrative privileges may be able to disable it.”

Education, in addition, is the key to mitigating the RansomCloud threat, says Knapp. “IT, security and end-users must be made aware of how cloud-focused attacks are performed, what can be done to protect against them, and how to report an incident when needed.”

As well as good security hygiene such as multifactor authentication (MFA) and regular patching, technical solutions also help. Businesses should implement strong endpoint, email and cloud app detection and response capabilities. This will help to avoid developers and cloud engineers being tricked by social engineering attacks, says Knapp. All alerts should be sent to either a security information and event management (SIEM) or security orchestration, automation, and response (SOAR) system where they can be monitored 24/7, he continues, with threat intelligence services also useful in providing early warning of an attack.

Featured Resources

AI for customer service

IBM Watson Assistant solves customer problems the first time

View now

Solve cyber resilience challenges with storage solutions

Fundamental capabilities of cyber-resilient IT infrastructure

Free Download

IBM FlashSystem 5000 and 5200 for mid-market enterprises

Manage rapid data growth within limited IT budgets

Free download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download


Inside Singapore’s mission to infuse itself with technology
digital transformation

Inside Singapore’s mission to infuse itself with technology

23 Nov 2022
Google Cloud Platform now automatically detects highly common ransomware dropper

Google Cloud Platform now automatically detects highly common ransomware dropper

21 Nov 2022
Digital transformation: Managing a hybrid IT estate of old and new
digital transformation

Digital transformation: Managing a hybrid IT estate of old and new

18 Nov 2022
Appian Europe: 'Our data fabric system offers features unavailable anywhere else'

Appian Europe: 'Our data fabric system offers features unavailable anywhere else'

16 Nov 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
The top 12 password-cracking techniques used by hackers

The top 12 password-cracking techniques used by hackers

14 Nov 2022
Google rolls out patch for high-severity Chrome browser zero day
zero-day exploit

Google rolls out patch for high-severity Chrome browser zero day

25 Nov 2022