How many customers are migrating to the cloud today? Well, mostly all of them. The reasons are multifold - cost-cutting, digital transformation, online presence, backups, etc. Companies are moving their entire enterprise data in a lot of cases entirely to the cloud and in some cases, even the most sensitive data is available online. Many organizations suffer from this myth that once the data is moved to the cloud, it's safe from attacks and especially ransomware attacks. They also believe that the cloud provider will take care of all the security needs from a data protection perspective. Well, this blog post will analyze in detail and try to explain that the cloud is not a panacea to all your security needs and debunk certain myths related to cloud security.
How Big is the cloud?
A quick Google search will help you uncover some mind-blowing facts:
- Globally, the cloud computing market will surpass $1 trillion by 2028. (Precedence Research)
- The global cloud computing market grew from $24.63 billion in 2010 to $156.4 billion in 2020. That’s a 635% jump.
- More than 90% of organizations use the cloud
- Cloud-based workloads account for 75% of workloads in 1 out of 5 organizations
- Cloud adoption among enterprise organizations is over 94%
- 95% of companies are concerned about cloud security
- 46% of European companies store all their data in the cloud
- Misconfiguration is responsible for 68% of issues
The cloud is a gold mine of data and has the power to disrupt millions of customers and enterprises in a blink if impacted. Do you still feel that the cloud is not the target of cybercriminals?
A Brief Overview of Ransomware
Ransomware is a cyberattack that renders your files unusable by encrypting them. The intention of a ransomware attack is not to breach your information, but, to render it unusable. However, these tactics are beginning to see a change. The ransomware attacks in the past were mostly focused on availability. However, the double extortion trend is on the rise. This is mainly when the companies have backups of their information stored at a different location and are not interested in paying cybercriminals.
Ransomware is not new, it’s been around for decades. It’s a modern-day data kidnapping scheme that has evolved and proliferated due to insane internet speeds and the move toward digitalization.
Whatever you say, My Data is Safe!!!
Although 95% of companies are concerned about cloud security, there are a lot of myths that businesses uphold when they move to the cloud. That is mainly because how cloud has been sold as a panacea to all their problems, especially in the cybersecurity domain. The cloud is viewed as the most secure untouchable workspace where all misconfigurations and security concerns will magically disappear.
An article by Krebs on Security in 2016 stated that ransomware is a threat to cloud services too. Hence, what I’m talking about is not new. It’s just that the sophistication and the stakes are sky-high now. When we compare the cloud adoption from 2016 to 2022 there has been a jump of more than 9000% and that’s mind-boggling. The pandemic has alone contributed multifold increase in the adoption of the cloud.
Let’s try to debunk certain myths that are associated with the cloud, especially with the business teams:
- Cloud security is the responsibility of the cloud provider.
- I’m not exposing my machine to the public internet, so there is no need for security configuration.
- I’m using a cloud service provider that is certified by hundreds of third parties and holds multiple certifications.
- Multi-factor authentication is enabled. I have nothing to worry about now.
- Clouds do not allow the upload of executables or certain file types, and hence my data is always safe from ransomware.
This is just a very small list, I would encourage you to add more in the comment section below.
- Cloud is a shared responsibility model in which the cloud provider as well as the cloud customer has varying yet important responsibilities. In no case, the cloud customer is absolved of security responsibilities, even in the SAAS model. The customer is always responsible for the data, IAM practices, and security configurations and architecture.
- It does not matter if your VM is not exposed to the internet. Your endpoint is. In most incidents, cybercriminals target the endpoint machines and gain access via them. Once they are logged in using your credentials, they can easily expose all the data on the internet. We will discuss this in detail when we talk about ransomcloud.
- Cloud providers are very focused on getting certifications on multiple parameters. Indeed that is true. However, an astute security professional will agree that it’s really important to understand the scope of the audit - what all services were covered in such audits. In most cases, the scope is extremely limited and the new services are out of bounds as they are still in the public beta phase. However, in such cases, developers still use them and upload petabytes of data while using them. It takes just one vulnerability for a cybercriminal to expose your entire data.
- Multi-factor authentications are considered extra protection against attacks in the digital space. It is not a foolproof solution. MFA is indeed hackable. But yes, that should not stop us from enabling it.
- There is a feature called file synchronization feature that is enabled in a lot of cloud storage websites. When files change locally, these are synchronized to cloud storage. Changes in the files trigger a synchronization action. When ransomware that has infected a local copy of the file starts encrypting the files locally, this action is viewed as a change in the files and triggers synchronization. In this way, a single end-user that is infected with ransomware can inadvertently synchronize encrypted files to cloud storage that may be shared with everyone in the company. As a result, files are encrypted for everyone.
Let’s Try out a new Flavour !!!
While ransomware has been the flavor of the month as well as the year for cybercriminals, another sophistication is now catching up. Enter - RANSOMCLOUD ( play the big entry music pls).
What (the heck) is Ransomcloud?
Ransomcloud is a type of malicious attack deployed by malware that infects user systems through phishing scams that deliver the malware via a malicious email, attachment, or link.
Social engineering plays a big part here. A user in your enterprise will receive a phishing email and if they click on it, all files would become encrypted. Now this impacts OneDrive and Share point sites too.
Here is a step-by-step process explained by the famous Kevin Mitnick in the YouTube Video.
A few screenshots have been taken from the YouTube video and showcased here. [ All images belong to the authors. I do not claim any copyright to the following information provided here. Phishing RansomCloud Exploit Hitting Inbox - Image Courtesy]
- A phishing email is sent to the user. The link is for the AntiSpam PRO service. The email feels legitimate.
- You are asked to click on the link for installing this service.
- As an authentication measure, you have to log into your account.
- Permissions are granted
- Back to Inbox and you are done.
- Well wait, the magic happens after a few minutes
- Show me the money, honey !!!
However, this is not the only way to impact your cloud storage. There are quite many ways to do this.
File service Synchronization
We briefly touched upon the file sync utility that is offered by almost all cloud providers. Once the malware enters your system either via phishing or a malicious download ( via torrent), it asks for your permission to allow permissions. Once you approve the request, it searches for the service that interacts with the cloud storage and piggybacks onto it.
Traditional Antivirus is Long Dead, RIP
Your traditional antivirus is long dead and if you still feel, I’m talking nonsense, well, refer to the article by Brian Krebs. The signature-based end-point protection is no longer a viable strategy for your defense strategy. The ransomcloud is designed to evade most signature-based anti-viruses.
Human Errors - The Weak Link
No technology in the world can stop an attack if your employees do not follow basic cyber hygiene practices. If they share their passwords, even a 25-character passphrase is rendered useless as there is no defense against it. The vulnerabilities in the system can be easily exploited if the staff is not made aware of the security policies and guidelines.
Employees are the first line of defense against cyber threats, so the intelligent approach is to train staff to recognize the common social engineering attacks they will encounter.
Training employees on how to identify suspicious emails to mitigate cyber risk is vital. When employees are adequately trained, businesses can block potential ransomware and phishing attacks before they have a chance to do damage.
How to prevent Ransomware attacks?
While you have to follow the trends and sooner or later, you will jump onto the cloud bandwagon, there are a few steps that you can take for ensuring that the impact is less when you are attacked by ransomware.
Keep Multiple Backups
This is the best strategy to ensure that you have multiple copies of the same data with different service providers. In this case, even if your instance/servers are hit by ransomware, you can retrieve your data from the other cloud provider.
Enforce Data Classification across the organization in the strictest manner possible
While most organizations have a data/information classification policy in place, they are not followed diligently. All organizations claim that their cloud costs have ballooned over time. Their backups are increasing every day with no end in sight. One of the major reasons is not segregating the data according to classifications and ultimately backing up all the data. Do you really believe that the entire data in your laptop deserves to be backed up with multiple cloud providers?
Version Control
While this may sound a bit funny, version control is one of the best ways to ensure protection from ransomware attacks in the cloud. Not all versions get impacted, especially in case of the attack via file sync piggybacking.
Least Privileges
I often say this and would be happy to repeat it. We are so hell-bent on using the latest and shiniest tools in the market, that we often forget about basics. Need to Know / Least Privileges should be used by default as the company strategy to mitigate risks. A user having elevated privileges should be using a different account with multiple defense-in-depth strategies built around it.
Employee Awareness
Organizations need to have dedicated phishing awareness training for all employees. The senior management should be trained extensively on this subject to avoid spear phishing and whaling attacks.
Having a disaster recovery plan, especially for ransomware attacks
This will help the team to put the plan into action rather than scrambling for guidance at the last moment.
Conclusion
Public clouds are the way forward. They offer agile, reliable, and scalable storage services that on-premises data centers would find almost impossible to keep up with. As cloud adoption is getting faster and more prevalent, cybercriminals will also find new ways to go after valuable data.
Although we have not seen ransomware groups targeting cloud environments, ransomware attacks are probable and concerning, and the time to consider and prepare for the possibility of ransomware in the cloud is now.
What are your thoughts on ransomware attacks in the cloud? Share in the comments section below.
More Reading Resources:
https://unit42.paloaltonetworks.com/ransomware-in-public-clouds/
https://parablu.com/reaching-for-the-cloud-can-ransomware-infect-cloud-storage/
https://spinbackup.com/blog/is-cloud-storage-safe-from-ransomware/
Comments ()