
What is cloud ransomware and how can you avoid attacks?

With ransomware increasingly targeting cloud applications and data, as well as cloud-based companies, we explain how you can protect your business

Ransomware attacks are becoming an everyday occurrence, and operators are increasingly targeting the cloud. In what’s known as cloud ransomware, or RansomCloud, adversaries are seeking ways to attack cloud applications and stored data, as well as cloud-based companies. 

US-based cloud hosting service Cloudstar, for instance, was hit in July by a sophisticated ransomware assault that brought it to a standstill for days. Although such attacks are more prominent, cloud-based services have been targets for years, with South Korean web hosting company Nayana, for example, paying a $1 million ransom in 2017 after data on customer servers was encrypted.

Meanwhile, as COVID-19 fuels digital transformation, most organisations have migrated at least some of their business to the cloud. This move brings improved efficiency, but experts warn it can also increase the risk of being hit by RansomCloud attacks.

Cyber criminals can target the cloud with ransomware in multiple ways. One is by encrypting data that organisations store on their own systems and back up to the cloud, explains David Emm, principal researcher at Kaspersky, while another is obtaining access directly to cloud-based data. “Adversaries are using social engineering to trick staff into disclosing the credentials needed to access cloud systems,” Emm tells IT Pro, adding that if any system is protected using weak credentials, attackers can use brute force methods to gain access.

Hackers can also target the cloud by compromising a cloud provider itself. This is less common, but it does happen, with the infamous REvil gang, for instance, in 2019 compromising PerCSoft, a provider of backup and cloud storage facilities to US dental practices. 

Cloud ransomware: How cyber gangs gain access to the cloud 

As most organisations move to the cloud, ransomware operators have started to target cloud infrastructure, says Ian Farquhar, field CTO in the security architecture team at analyst firm Gigamon. This is being fuelled by the fact cloud infrastructure security is a challenge for many organisations. “Hiring infosec specialists is difficult; hiring infosec specialists with cloud experience is even harder.”

There are multiple ways cyber criminals obtain access to cloud-based resources and data, says Gavin Knapp, cyber defence technical lead at Bridewell Consulting. They can target vulnerabilities in cloud services to gain a foothold, or web applications to deploy web shells and malware. “Other techniques include stealing valid credentials to obtain privileged access to cloud consoles, as well as OAuth app consent phishing and other identity attacks which can result in shared file storage or services being encrypted by malicious apps.”

RansomCloud attacks often compromise weak access control on internet-facing services before propagating ransomware to an internal infrastructure as a service (IaaS) environment, says Knapp. He cites the example of the zero-day vulnerability found in Apache Log4j. “It took little time for bad actors to exploit payloads to include ransomware,” he says. “The threat was exacerbated by the widespread public sharing of the exploit code, Log4Shell.”

Cloud attackers can often gain access through poorly configured cloud API services and accidentally shared credentials. “Attackers can go through services such as GitHub and search for cloud access keys that have been incorrectly posted to public repositories,” says Rob Demain, CEO of security firm e2e-assure. “Hackers simply pull out the authentication keys written in the code.”
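The defensive counterpart to the problem Demain describes is to catch keys before they are pushed. The following is an added example, not code from the article or from any of the firms quoted: a small pre-commit style scanner that checks source files for the documented AWS access key ID format (`AKIA` plus 16 upper-case alphanumerics), private key blocks, and high-entropy values assigned to secret-looking variable names. The heuristic patterns, the entropy threshold and the sample files are assumptions constructed for the demonstration.

```python
"""Pre-commit scan for cloud credentials accidentally committed to source.

Added example, not from the article: a checker a team can wire into a
pre-commit hook so that access keys never reach a public repository.
The heuristics and the sample files are constructed for the demonstration.
"""
import math
import re
from collections import Counter

# Detection patterns. The AWS access key ID format (fixed 'AKIA' prefix plus
# 16 upper-case alphanumerics) is publicly documented; the other two are
# generic heuristics that a real scanner would extend.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # key = value style assignments, e.g. aws_secret_access_key = "..."
    "secret_assignment": re.compile(
        r"(?i)(secret|password|passwd|token|api_key)\w*\s*[:=]\s*['\"]?([^\s'\"]{16,})"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random secrets score high, prose and
    repeated characters score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str, min_entropy: float = 3.5) -> list:
    """Return one finding per suspicious line in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if name == "secret_assignment":
                value = match.group(2)
                # Ignore templated placeholders and low-entropy dummy values
                if value.startswith("${") or shannon_entropy(value) < min_entropy:
                    continue
            findings.append({"path": path, "line": lineno, "type": name})
    return findings


def scan_files(files: dict) -> list:
    """Scan a mapping of path -> file contents, as a hook would over staged files."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample repository contents; none of these values are real credentials.
SAMPLE_FILES = {
    "config/settings.py": "\n".join([
        'AWS_ACCESS_KEY_ID = "AKIAEXAMPLE012345678"',                   # should fire
        'AWS_SECRET_ACCESS_KEY = "Qx7vL2pN9rT4wZ8kH3mJ6bC1dF5gY0sA"',  # should fire
        'DB_PASSWORD = "${DATABASE_PASSWORD}"',                          # placeholder, no finding
        'API_KEY = "aaaaaaaaaaaaaaaaaaaa"',                              # low entropy, no finding
    ]),
    "deploy/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\n(constructed, no key material)\n",
    "README.md": "Token rotation is handled by the identity provider.\n",
}


def main() -> int:
    """Exit non-zero when anything is found, so the hook blocks the commit."""
    findings = scan_files(SAMPLE_FILES)
    for f in findings:
        print(f"{f['path']}:{f['line']}: possible {f['type']}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a hook, a non-zero exit blocks the commit; the same function can be pointed at the output of `git diff --cached` in a real deployment. Entropy filtering keeps the generic assignment rule from flagging templated placeholders and dummy values, which is what makes a rule like this tolerable for developers.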


Malware authors and criminal groups operate like any modern business and are transforming their own tactics and techniques to include cloud, warns Knapp. “The automation of cloud attacks is also growing and the time between vulnerability releases and weaponisation of malware including ransomware is getting shorter.” 

The ransomware business model is becoming increasingly ‘professionalised’, with cyber criminals hiring dedicated malware developers as an efficient and cost-effective way of carrying out operations, says Deloitte cyber risk partner, Nick O’Kelly. “These developers typically advertise through cyber criminal marketplaces, and their services can range from initial ’dropper’ malware that exploits specific vulnerabilities, to bespoke ransomware designed to the clients’ needs and victim specification – such as cloud infrastructure.”

This is already starting to happen, at least in theory. Security firm KnowBe4 posted a blog in January about a white hat hacker who developed a working RansomCloud strain that encrypts cloud email accounts, including Microsoft Office 365 accounts, in real-time.

Any business using the cloud is at risk, but those lacking maturity in architecting secure cloud services are “particularly vulnerable”, as well as businesses lacking security controls to prevent users granting permissions to applications, warns Knapp. Organisations that fail to understand the so-called shared security responsibility model – which means the business and cloud provider are jointly responsible for security – are also at risk. 

Cloud ransomware: How your business can defend against threats

As the volume of ransomware attacks increases, there are no guarantees you won’t be hit by strains targeting the cloud, but your business can take steps to reduce the risk. Backups are important and testing your defences is key. Regular assessments and checks should be made on your organisation’s resilience to ransomware attacks, says Phil Robinson, principal consultant and founder of cyber security consultancy Prism Infosec.

This should include looking at the data held in cloud services and establishing whether it can be effectively recovered if it’s deleted or encrypted. Robinson, in particular, urges businesses to examine whether data is being versioned, snapshotted or backed up to another platform, how frequently this is happening, and when a simulated loss and restore was last tested.

Don’t assume that because your organisation is using a cloud-based service provided by a key player such as Microsoft, Amazon or Google, it means data is safe, says Robinson. “In particular, the use of IaaS will more than likely mean it’s your own responsibility to ensure you’re resilient against these types of attacks.”

Even platform as a service (PaaS) or software as a service (SaaS) don’t provide automatic protection, Robinson warns. “Microsoft OneDrive and SharePoint have a level of ransomware protection via the Versioning feature. This, however, might not be enabled by your organisation, or an attacker who has gained administrative privileges may be able to disable it.”

Education, in addition, is the key to mitigating the RansomCloud threat, says Knapp. “IT, security and end-users must be made aware of how cloud-focused attacks are performed, what can be done to protect against them, and how to report an incident when needed.”

As well as good security hygiene such as multifactor authentication (MFA) and regular patching, technical solutions also help. Businesses should implement strong endpoint, email and cloud app detection and response capabilities. This will help to avoid developers and cloud engineers being tricked by social engineering attacks, says Knapp. All alerts should be sent to either a security information and event management (SIEM) or security orchestration, automation, and response (SOAR) system where they can be monitored 24/7, he continues, with threat intelligence services also useful in providing early warning of an attack.
