What is ransomcloud and how do attacks work?
Ransomcloud is the term for attacks that target or take advantage of weaknesses or legitimate functionality in cloud resources to deploy malware, encrypt data, and extort money from businesses.
There are multiple ways cyber criminals obtain access to cloud based resources and data. This could be through exploiting vulnerabilities in cloud services to gain a foothold, or web applications to deploy web shells and malware. Other techniques include stealing valid credentials to obtain privileged access to cloud consoles, as well as OAuth app consent phishing and other identity attacks which can result in shared file storage or services being encrypted by malicious apps.
Who is most at risk from ransomware targeting cloud and what are the consequences?
Any business using the cloud is at risk. Businesses that lack maturity in architecting secure cloud services are particularly vulnerable, as are businesses with no security controls to prevent users granting permissions to applications.
As with all ransomware attacks, ransomcloud can cause massive disruption to business operations: failure to recover attacked files is very common and can result in thousands of pounds in lost revenue.
How are cyber gangs increasingly developing and deploying tools/malware strains to target cloud?
Malware authors and criminal groups operate very much like any modern business and are transforming their own tactics and techniques to include cloud. The automation of cloud attacks is also growing and the time between vulnerability releases and weaponisation or malware including ransomware is getting shorter.
Can you provide specific examples, and technical details?
Recently, a zero-day vulnerability was found in Apache Log4j. It took very little time for bad actors to exploit payloads to include ransomware. The threat was exacerbated by the widespread public sharing of the exploit code, dubbed Log4Shell.
Other attacks on cloud hosting providers have made the news, including Cloudstar in the US and the South Korean web hosting company Nayana. These attacks often compromise weak access control on internet facing services before propagating ransomware to an internal IaaS environment.
How can businesses avoid the cloud ransomware threat, including measures they can take?
Education is the key to mitigating the cloud ransomware threat. IT, security, and end users must be made aware of how cloud focused attacks are performed, what can be done to protect against them, and how to report an incident when needed.
Businesses must also implement strong endpoint, email and cloud app detection and response capabilities to avoid developers and cloud engineers falling foul of social engineering attacks, along with robust identity, cloud workload protection, and detection controls.
Any alerts should be sent to a central SIEM/SOAR platform where they can be monitored 24/7 and automated response implemented where sensible. Threat intelligence services are also useful in providing early warning of an attack.
Cloud services should also be regularly assessed, ideally via of a blend of vulnerability assessment, pen testing, purple team testing or breach and attack simulation (BAS). A robust movers and leavers processes should be implemented to revoke access to cloud environments and resources when people move or leave the organisation.
Should the worst happen, businesses should have an incident response plan in place and accompanying playbook that covers ransomware in the cloud. This should be tested regularly and supported by segmentation of backups and also pins that can prevent backups being automatically overwritten by corrupt or encrypted data.
Whitepaper: Human Operated Ransomware
In his paper Human Operated Ransomware (HOR), Bridewell Cyber Defence Technical Lead, Gavin Knapp looks in detail at the ransomware threat as we head into 2022, covering:
- The types of ransomware attack currently prevalent
- The major ransomware players
- An in-depth look at human operated ransomware and its complexity
- How to protect against an attack
- How to detect, respond to, and recover from an attack
Author
Gavin Knapp
Cyber Defence Technical Lead