As it stands, the statistics relating to the effect ransomware is having on cloud services are sparse, to say the least. However, fortunately, most organizations are aware of the threat that ransomware poses, and are keen to find reliable ways to prevent, remove and recover from an infection. The problem is that there isn’t a fool-proof way of preventing such attacks from occurring. Instead, we have to rely on a variety of tools, practices, and training methods to ensure that we stand a chance of keeping our systems and data secure.
As we all know, over the past couple of years the COVID-19 restrictions forced a large number of employees to work from home. This shift encouraged many organizations to start using cloud-based services, mainly due to their easy-to-access storage and collaboration features. However, as you would expect, cyber-criminals took note of this shift and began developing sophisticated strains of ransomware that specifically target cloud services. As an example, attackers started using techniques that trick the victim into installing malicious OAuth apps and Chrome extensions that request access to their cloud account, whether it is a Google Workspace or Microsoft 365 account. Once the attacker has access to their account, they can install the ransomware application and start encrypting their cloud data. To make matters worse, many recent strains of ransomware use the double-extortion technique, which is where the attackers first steal sensitive data before encrypting the files and then threaten to expose the data if the victim refuses to pay the ransom.
Cloud Ransomware Attack Types
While there are many different strains of ransomware floating around, there are three main techniques that attackers use to execute ransomware in a cloud environment: ransomware-infected file-sharing services, RansomCloud attacks, and ransomware targeting cloud vendors.
Ransomware-Infected File-Sharing Services
This is where the ransomware program infects a file-sharing service that is synced to a cloud platform. The program will first encrypt the files stored on the victim’s local machine. The infection then spreads to their cloud repository and continues to encrypt the data.
RansomCloud Attacks
A RansomCloud attack is a relatively new type of ransomware that targets cloud-based email services, such as Office 365. Adversaries use phishing techniques to gain access to email accounts, encrypt the emails and then demand a ransom. Attackers will also try to use their access to impersonate the account owner in order to trick the victim’s contacts into installing and spreading the ransomware application.
Ransomware Targeting Cloud Vendors
As opposed to targeting the organizations that use cloud service providers, threat actors will often try to target the cloud service providers themselves. From their perspective, this makes a lot of sense, as a successful breach of an account belonging to one of their employees could potentially enable them to encrypt data across the entire cloud infrastructure, thus causing widespread disruption. In that scenario, it’s reasonable to assume that at least one of the organizations using the service will be tempted to pay the ransom.
How To Protect Yourself Against Cloud Ransomware Attacks
There are a number of cloud security best practices that should be adhered to in order to minimize the likelihood of a cloud ransomware attack, which are as follows:
Educate employees: Conduct security awareness training (at least annually) to ensure that all employees are able to identify suspicious emails, attachments, links, third-party applications, and extensions. Employees should also be conditioned to disconnect their device from the network as soon as they realize (or even suspect) that they have fallen victim to a ransomware attack.
Back up data securely: Ensure that you take regular backups of your data, and store your backups in a separate and secure location. Perhaps consider using a cloud-to-cloud backup provider, and even consider backing up the data locally.
Use anti-phishing tools: Deploy a cloud-based anti-phishing solution that uses predictive AI to defend against sophisticated phishing attacks.
Adopt a real-time auditing solution: Continually monitor your cloud environment, using either the tools that are native to your chosen cloud platform or a dedicated third-party real-time auditing solution. A third-party solution will use machine learning techniques to detect and respond to suspicious file and folder activity in real-time. A technique known as “threshold alerting” can be used to detect and respond to events that match a pre-defined threshold condition, such as when multiple files have been encrypted within a given time frame. In this scenario, a script can be automatically executed which may disable a user account, stop a specific process, or, depending on how much control you have over your infrastructure, shut down or disable the affected server.
Block malicious websites and apps: It is important to keep track of any third-party applications that are installed by your employees, including any mobile apps and browser extensions. Use web filtering and application blacklisting/whitelisting where possible to ensure that your employees are not visiting malicious websites or installing any apps that are known to contain a malicious payload.
Install updates/patches: Ensure that all software on your network (including personal devices) has the latest updates/patches installed. Even though most ransomware attacks arrive via phishing attempts, attackers will still try to exploit known software vulnerabilities in order to execute the attack and propagate to other systems.
Use multiple cloud providers: Consider using more than one cloud service provider. That way, if disaster strikes, you can continue with some (or all) business operations while you address the issue. It’s important to remember that visibility is key. If you are going to adopt a multi-cloud infrastructure, make sure that your auditing solution is able to aggregate event data from multiple platforms and display a summary of events via a single console.
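The threshold alerting described under "Adopt a real-time auditing solution" can be sketched as a sliding-window count of distinct files changed per user. This is an added example, not code from any auditing product; the log format, the action names, the 60-second window and the five-file threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed time frame
THRESHOLD = 5                    # assumed number of distinct files
WATCHED = {"modify", "rename"}   # assumed action names in the audit feed

# Constructed sample events: "ISO-timestamp user action path"
SAMPLE_LOG = (
    # alice: six renames in ten seconds (mass-encryption pattern)
    [f"2024-01-01T09:00:{i:02d} alice rename /finance/q{i}.xlsx" for i in range(0, 12, 2)]
    # bob: five edits spread over forty minutes (normal work)
    + [f"2024-01-01T09:{i:02d}:00 bob modify /docs/report{i}.docx" for i in range(0, 50, 10)]
    # carol: ten reads in ten seconds (not a watched action)
    + [f"2024-01-01T09:00:{i:02d} carol read /hr/file{i}.pdf" for i in range(10)]
)

def parse(line):
    """Split one audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path

def threshold_alerts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (user, time, file_count) the first time each user meets the threshold."""
    recent = defaultdict(deque)   # user -> (timestamp, path) events inside the window
    alerted = set()               # users already reported, to avoid repeat alerts
    alerts = []
    for ts, user, action, path in sorted(map(parse, lines)):
        if action not in WATCHED or user in alerted:
            continue
        events = recent[user]
        events.append((ts, path))
        while ts - events[0][0] > window:   # drop events older than the window
            events.popleft()
        distinct = {p for _, p in events}   # repeated writes to one file count once
        if len(distinct) >= threshold:
            alerted.add(user)
            alerts.append((user, ts, len(distinct)))   # response script would run here
    return alerts

if __name__ == "__main__":
    for user, ts, count in threshold_alerts(SAMPLE_LOG):
        print(f"ALERT {user}: {count} files changed within {WINDOW} ending {ts}")
```

Counting distinct paths rather than raw events keeps an application that saves one file repeatedly from tripping the alert.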