Inside the Cloud: Cloud-Based Ransomware
This is the second in a series of articles about cloud-based attack vectors. Check out our last article about admin takeovers! Inside the Cloud: Attacks & Prevention – Administrative Account Compromise
Ransomware has long been associated with takeovers of endpoints. However, attackers are evolving to target cloud environments – and the effects can be devastating.
What it is
In a ransomware attack, an attacker gains control over critical resources and threatens to release the data and/or destroy access to it. In the cloud, attackers typically gain the ability to manipulate data objects through account takeover or through misconfigured resources or accounts.
Cloud-based environments are prone to the same ransomware attacks as self-hosted environments. Attackers can use phishing attacks, exploit Internet-facing vulnerabilities, or install malware to gain access. However, cloud environments offer attackers some additional avenues because of the flexibility and ease of configuration of the environment.
Here are some of the methods an attacker can use to control access to cloud-based resources:
- Copy data, then directly delete it from the target’s account
- Copy data, then schedule it for deletion by editing the data’s lifecycle policy
- Copy data, then overwrite data with empty files
- Re-encrypt a file using an encryption key they control (a local key or one stored in the attacker’s remote KMS)
- Copy, then delete the original key used to encrypt the data in the cloud
- Change a password and/or login methods on a critical account to prevent login
The data an attacker can ransom includes nearly anything stored in the cloud: administrative accounts, data buckets, virtual machines, databases, serverless code, etc.
Here are some tips to prevent and mitigate cloud ransomware attacks:
- Perform regular audits on data permissions and configuration, from both the inside and outside surfaces of the environment. Monitor the assignment and use of powerful permissions that allow a user to assign, add, edit or remove lifecycle configurations, encryption keys, users, and data buckets.
- Enable versioning so that if an object is re-encrypted, the older version can be restored.
- Enable MFA validation against administrative logins, and against potential ransomware actions like deleting resources.
- Make regular backups, ideally to a location not stored in the same cloud.
- Enable data protection mechanisms like Object Locks. Note that Object Locks can cause operational problems with processes like automated resource management, so test this change and follow your organization’s change management process.
- To prevent the ransoming of an administrative account, create a “break glass” administrative account with a strong, random, complex password. Many organizations store the password in two different locations to prevent any one employee from having access to the login.
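The audit tip above (versioning, MFA Delete, Object Lock, lifecycle configurations, and who owns the encryption key) can be turned into a repeatable check. The following is an added example, not Sedara's code: it evaluates bucket configuration snapshots offline for the ransomware techniques listed earlier (lifecycle-scheduled deletion, re-encryption under a foreign KMS key, version and lock gaps). The snapshot dictionaries are constructed, and their shape is assumed to mirror the S3 API responses for versioning, lifecycle, Object Lock and default-encryption configuration; the 7-day expiration threshold is an assumption you would tune for your environment.

```python
"""Offline audit of bucket settings for cloud-ransomware exposure (added example)."""
from typing import Dict, List, Optional

# Assumption: a lifecycle rule that expires data faster than this is worth a human look.
MAX_SAFE_EXPIRATION_DAYS = 7


def kms_key_account(key_id: str) -> Optional[str]:
    """Return the account ID from a KMS key ARN (arn:aws:kms:<region>:<account>:key/<id>)."""
    parts = key_id.split(":")
    if len(parts) >= 6 and parts[0] == "arn" and parts[2] == "kms":
        return parts[4]
    return None


def audit_bucket(owner_account: str, versioning: Dict, lifecycle: Dict,
                 object_lock: Dict, encryption: Dict) -> List[str]:
    """Return a list of findings; an empty list means the bucket passes every check."""
    findings: List[str] = []

    # Versioning lets you restore an object that was overwritten or re-encrypted;
    # MFA Delete stops a single stolen credential from purging those versions.
    if versioning.get("Status") != "Enabled":
        findings.append("versioning not enabled: overwritten or re-encrypted objects cannot be restored")
    elif versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled: object versions can be purged without a second factor")

    # Object Lock adds a retention guard against deletion.
    lock = object_lock.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock not enabled: no retention guard against deletion")

    # A short expiration rule is the 'schedule it for deletion' technique in disguise.
    for rule in lifecycle.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        checks = (
            ("Expiration", rule.get("Expiration", {}).get("Days")),
            ("NoncurrentVersionExpiration", rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")),
        )
        for label, days in checks:
            if days is not None and days <= MAX_SAFE_EXPIRATION_DAYS:
                findings.append(f"lifecycle rule {rule.get('ID', '?')!r}: {label} in {days} day(s), possible scheduled deletion")

    # Default encryption with a key from another account means someone else holds the key.
    for rule in encryption.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms":
            acct = kms_key_account(default.get("KMSMasterKeyID", ""))
            if acct and acct != owner_account:
                findings.append(f"default KMS key belongs to account {acct}, not owner {owner_account}")
    return findings


def run_demo() -> Dict[str, List[str]]:
    """Audit two CONSTRUCTED snapshots: one hardened bucket, one exposed bucket."""
    owner = "111111111111"  # constructed account ID
    hardened = audit_bucket(
        owner,
        versioning={"Status": "Enabled", "MFADelete": "Enabled"},
        lifecycle={"Rules": [{"ID": "archive", "Status": "Enabled", "Expiration": {"Days": 365}}]},
        object_lock={"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                                                  "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}},
        encryption={"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:us-east-1:111111111111:key/constructed-key"}}]}},
    )
    exposed = audit_bucket(
        owner,
        versioning={"Status": "Suspended", "MFADelete": "Disabled"},
        lifecycle={"Rules": [{"ID": "purge", "Status": "Enabled", "Expiration": {"Days": 1},
                              "NoncurrentVersionExpiration": {"NoncurrentDays": 1}}]},
        object_lock={},
        encryption={"ServerSideEncryptionConfiguration": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "arn:aws:kms:us-east-1:999999999999:key/foreign-key"}}]}},
    )
    return {"hardened": hardened, "exposed": exposed}


if __name__ == "__main__":
    for bucket, findings in run_demo().items():
        print(bucket, "->", findings or ["no findings"])
```

In practice you would feed the function the live configuration pulled by your cloud SDK and run it on a schedule, so that a lifecycle rule or key change made by a compromised account surfaces as a finding rather than as a ransom note.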
Tips for incident response
An incident response plan for the cloud benefits from any IR framework (for example, NIST or SANS). However, here are a few cloud-specific tips for ransomware incidents:
- Enable alerting and logging against data modification and deletion. Although this won’t prevent a ransomware attack, it may alert the security team early enough to respond and investigate quickly, minimizing damage. Ideally, logs are configured prior to any incidents as a preventative measure. If they aren’t, enabling them at the start of an incident can still help with incident response.
- In the event of a cloud ransomware incident, it may be helpful to enlist the cloud service provider (for example Amazon, Azure, or GCP). They may contribute services, advice, logs, or even rollbacks to improve the outcome of the incident.
- In the absence of logs or cloud provider cooperation, cloud billing can provide an unexpected source of insights into the incident; many billing statements contain usage reports that can identify the exfiltration or manipulation of data.
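The first tip above, alerting on data modification and deletion, is straightforward to prototype over audit-trail events. The following is an added example, not Sedara's code: it runs over a handful of constructed CloudTrail-style records and raises an alert for a burst of object deletions by one principal inside a short window, and immediately for the control-plane changes that precede the ransomware techniques described earlier (lifecycle, encryption, versioning, and KMS key changes). The event names are assumed to match the CloudTrail names for those API calls, and the threshold and window are assumptions to tune against your own baseline.

```python
"""Ransomware-pattern detection over constructed CloudTrail-style events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Control-plane actions worth an immediate alert (assumed CloudTrail eventName spellings).
HIGH_RISK_EVENTS = {
    "PutBucketLifecycle": "lifecycle policy changed (possible scheduled deletion)",
    "PutBucketEncryption": "default encryption changed (possible re-key under a foreign KMS key)",
    "PutBucketVersioning": "versioning changed (possible suspension before overwrite)",
    "ScheduleKeyDeletion": "KMS key scheduled for deletion",
    "DisableKey": "KMS key disabled",
    "DeleteBucket": "bucket deleted",
}
DELETE_EVENTS = {"DeleteObject", "DeleteObjects"}
DELETE_THRESHOLD = 5            # assumption: tune to your environment's normal churn
WINDOW = timedelta(minutes=5)   # assumption: sliding window for the burst check


def detect(events: List[Dict]) -> List[str]:
    """Return alert strings in time order for the given event records."""
    alerts: List[str] = []
    recent_deletes: Dict[str, Deque[datetime]] = defaultdict(deque)
    burst_reported = set()  # alert once per principal per burst, not on every delete

    for ev in sorted(events, key=lambda e: e["eventTime"]):
        who = ev["userIdentity"]["arn"]
        name = ev["eventName"]
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))

        if name in HIGH_RISK_EVENTS:
            alerts.append(f"{ev['eventTime']} {who}: {name}, {HIGH_RISK_EVENTS[name]}")
        elif name in DELETE_EVENTS:
            window = recent_deletes[who]
            window.append(ts)
            while window and ts - window[0] > WINDOW:
                window.popleft()
            if len(window) >= DELETE_THRESHOLD and who not in burst_reported:
                burst_reported.add(who)
                alerts.append(f"{ev['eventTime']} {who}: {len(window)} deletes within {WINDOW}, possible mass deletion")
    return alerts


def _event(time: str, arn: str, name: str, key: str = "") -> Dict:
    """Build a minimal constructed CloudTrail-style record."""
    return {"eventTime": time, "userIdentity": {"arn": arn}, "eventName": name,
            "requestParameters": {"bucketName": "constructed-bucket", "key": key}}


def run_demo() -> List[str]:
    """Run detection over CONSTRUCTED events: normal housekeeping plus one suspicious principal."""
    normal = "arn:aws:iam::111111111111:user/ops-user"        # constructed
    suspect = "arn:aws:iam::111111111111:user/compromised"    # constructed
    events = [
        _event("2024-01-01T09:00:00Z", normal, "DeleteObject", "tmp/a"),
        _event("2024-01-01T09:50:00Z", normal, "DeleteObject", "tmp/b"),
        _event("2024-01-01T10:00:00Z", suspect, "PutBucketLifecycle"),
    ]
    # Six deletions ten seconds apart from the suspect principal.
    events += [_event(f"2024-01-01T10:01:{i * 10:02d}Z", suspect, "DeleteObject", f"data/{i}")
               for i in range(6)]
    return detect(events)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The two normal deletions fall outside the window of each other and produce nothing, while the lifecycle change fires on its own and the sixth rapid deletion trips the burst rule once. Both conditions are the kind of signal the article recommends having in place before an incident, since they give the security team a chance to respond while the original data may still be recoverable.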
Sedara provides cloud and hybrid environment hardening as part of the work of our CDP program. Additionally, our penetration testing team can find gaps and validate the security work you’ve put into your environments. To find out more, call us today!
Next up in this series: cloud-based attack vectors.