How Ransomware is Taking Over the Cloud
It is an invasion! The unsuspecting will no doubt suffer major losses. Lives will be changed! Are we talking about a war, a literal invasion, or some military activity? No. We are actually referring to the prolific spread of ransomware in the cloud. In fact, ransomware is taking over the cloud!
If your business has migrated data to the cloud, take note of the risk: ransomware is a serious threat to that data. What are the risks of ransomware in your cloud environment, and how can businesses protect their cloud data?
The Evolution of Ransomware
There is no doubt that ransomware is evolving and has become more powerful and aware of cloud environments. Attackers realize that organizations have been forced to transition to remote solutions and are transitioning data and services to the cloud.
Cloud environments, especially with the current remote work situation, provide many benefits to businesses. These include the ability to scale in an elastic way, access from anywhere, world-class resiliency, and access to myriads of modern services and applications.
With the future of business-critical data revolving around cloud environments, it is no surprise that attackers are focusing next-generation ransomware so it can effectively target cloud storage and other cloud services. Additionally, some organizations place much less priority on backing up cloud data.
There is a perception that data located in cloud environments is indestructible. Many assume that the cloud service provider has an “easy button” it can click to make your data available again. This is simply not true, as becomes evident when you read the “shared responsibility model” of today’s major cloud service providers: the provider keeps the service running, but the data you put into it, including recovering it after a user or an attacker deletes or encrypts it, remains your responsibility.
Cloud services, massive amounts of data, and misconceptions about cloud data protection amount to increased risk for ransomware taking over your cloud environment.
Pinpointed attacks on businesses
When you look at the majority of orchestrated ransomware attacks carried out over the past couple of years, attackers have demonstrated they are keenly focused on one target – businesses. Businesses are by far the most lucrative targets for cybercriminals. Locking up the data of a large corporation can lead to a huge payday for hackers that can be in the neighborhood of millions of dollars.
This can be seen in the July 2020 attack on Garmin. Garmin’s on-premises “private cloud” infrastructure was massively affected, and the popular “Garmin Connect” and other services were down for days. Garmin was reportedly hit with WastedLocker, a ransomware strain attributed to the Evil Corp group and a favorite tool of attackers this year. The ransom demand was reported at $10 million, and Garmin is reported to have obtained a working decryptor afterwards.
Attackers are also capitalizing on the disrupted normalcy and increased distraction of the global pandemic to compromise your business with increased phishing attacks that contain ransomware. Over the past few months, this has involved using “COVID-19-themed” phishing attacks that lure unsuspecting end users into clicking on malicious email links that infect their devices.
The FBI issued a warning at the end of July 2020 regarding a new ransomware variant called Netwalker that is targeting government organizations, educational entities, healthcare firms, and private companies. The FBI stated:
“Cyber actors using Netwalker have taken advantage of the COVID-19 pandemic to compromise an increasing number of unsuspecting victims…Starting in April, Netwalker began gaining unauthorized access to victim networks by exploiting unpatched virtual private network appliances, vulnerable user interface components in web applications or weak passwords used for Remote Desktop Protocol connections”.
What are the results of these types of targeted attacks on businesses?
- Encrypted critical files, databases, and applications
- Harvested administrator credentials
- Stolen valuable data
- Encrypted end user files
- In the case of Netwalker, hackers are posting stolen data on MEGA cloud storage
How ransomware takes over your cloud environment
You may wonder, with new-age security tools and endpoint security solutions in place, how can ransomware take over the cloud? Well, you have to remember that no security solution is 100% effective. They all have holes in them, albeit, maybe very small. One of the most dangerous security vulnerabilities is the “human element”, or end-users.
End-users generally represent the riskiest component of your security strategy. People can be fooled, tricked, duped, distracted, and also make mistakes. This generally can lead to the compromise of even the most secure environments. Let’s look at three ways that ransomware can take over your cloud environment. These include the following:
- Email attacks including phishing
- Malicious third-party apps and browser plugins
- File synchronization
Email attacks including phishing
One of the first and foremost ways that attackers are compromising cloud environments is through email attacks including phishing. Phishing is a type of email attack that presents a malicious email as a legitimate email from a known contact or a reputable vendor.
Underneath it may hide a dangerous payload in the form of a malicious attachment or web link. The attachment or link either drops malware, often a ransomware loader, or leads to a page that harvests the user’s credentials so the attacker can log in to the cloud environment directly. Again, attackers are heavily using the pandemic to get end-users to click links promising information about coronavirus cures, vaccines, treatments, and other news.
Without thinking, an end-user may curiously click an email link containing a catchy subject line or an enticing link that offers new information or breaking news regarding the pandemic or some other high-profile topic. Ransomware can be lurking just a couple of clicks away.
Kevin Mitnick demonstrated a type of ransomware that he dubbed “Ransomcloud”. The demo tricked an Office 365 user into clicking a link in Exchange Online email that presented itself as a legitimate security add-on and asked the user to approve its access to their mailbox. The resulting “cloud-aware” ransomware then encrypted the user’s Exchange Online inbox in real time, without installing anything on the user’s device.
Malicious third-party apps and browser plugins
One of the extremely powerful tools available as part of cloud SaaS environments are the thousands of third-party apps. These are available in cloud app marketplaces such as in G Suite and Microsoft 365. Third-party apps allow organizations to extend the capabilities and features that are natively provided by the cloud service provider in SaaS environments. These can allow doing things that are not otherwise possible using the native cloud functionality.
Browser plugins that integrate with cloud environments can also be really great tools to have integration with cloud services right from your browser. Again, this provides benefits. As is always the case, attackers turn something that is beneficial into a way they can compromise your cloud environment. How?
Attackers use the enticement of installing third-party apps and browser plugins to their advantage. Like phishing emails, malicious third-party applications, and browser plugins can masquerade as legitimate tools available to extend your cloud capabilities. By only accepting a few permissions requests, a malicious application or browser plugin may have everything it needs to compromise your data.
How can this type of compromise be so easy for a malicious application? Cloud environments use OAuth, an authorization framework that provides access delegation. With OAuth, the user approves a consent screen listing the permissions (“scopes”) an application wants, and the provider issues that application a token so it can act on the user’s behalf without ever knowing the user’s password. We are familiar with this pattern from mobile apps that request permission to access storage or other resources on the device. Two properties matter here: the consent screen is the only point at which the user sees what is being granted, and because the token is independent of the password, changing the password does not necessarily revoke it. The grant must be revoked explicitly in the G Suite or Microsoft 365 admin console.
A malicious marketplace app asks the user for permissions such as read and write access to their G Suite or Microsoft 365 mail and storage. Once granted, the application can encrypt your data through the provider’s own APIs, exfiltrate it, or both. Malicious browser plugins work similarly: the browser grants them permission to read and change data on the sites the user visits, including the cloud console and web apps, and they may also request OAuth tokens of their own.
The “Ransomcloud” attack mentioned earlier combines a phishing email with an OAuth consent request from an app masquerading as a legitimate security tool. Once the user delegates permissions to the malicious app, the encryption process can begin using the user’s own authority.
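The consent step is where a malicious app earns its access, so the scopes it requests are the most useful signal you have, both in the link the phishing mail carries and in the consent records the provider logs afterwards. The following Python example is added here and is not SpinOne’s code or the Ransomcloud demo. It classifies the scopes found in an OAuth authorization URL and triages a list of consent events. The scope names are real Google Workspace and Microsoft Graph scopes; the event records, app names, publisher list and client_id are constructed and simplified, not the exact schema of either provider’s audit log.

```python
"""Triage OAuth consent requests and grants for ransomware-relevant scopes.

Added example, not SpinOne's code or the Ransomcloud demo. Scope names are
real Google Workspace / Microsoft Graph scopes; the consent events, app
names, publisher list and client_id are constructed and simplified.
"""
from urllib.parse import parse_qs, urlparse

# Scopes that let an app rewrite or delete mail and files. An app holding
# one of these can encrypt content in place through the provider's API.
WRITE_SCOPES = {
    "https://www.googleapis.com/auth/drive",          # full Drive access
    "https://www.googleapis.com/auth/gmail.modify",   # read/write Gmail
    "https://mail.google.com/",                       # full Gmail access
    "Mail.ReadWrite",                                 # Graph: mailbox r/w
    "Files.ReadWrite.All",                            # Graph: all files r/w
    "Sites.ReadWrite.All",                            # Graph: SharePoint r/w
}
# Read-only scopes: exfiltration risk, but nothing can be encrypted in place.
READ_SCOPES = {
    "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/gmail.readonly",
    "Mail.Read",
    "Files.Read.All",
}
# offline_access yields a refresh token: the app keeps working after the
# user's session ends, which is what a ransomware app needs to finish.
PERSISTENCE_SCOPE = "offline_access"


def classify_scopes(scopes):
    """Return 'high', 'medium' or 'low' for a list of requested scopes."""
    requested = set(scopes)
    if requested & WRITE_SCOPES:
        return "high"
    if requested & READ_SCOPES:
        return "medium"
    return "low"


def parse_consent_url(url):
    """Pull client_id and the space-separated scope list out of an OAuth
    authorization URL, the kind of link a consent-phishing mail carries."""
    query = parse_qs(urlparse(url).query)
    scopes = query.get("scope", [""])[0].split()
    return {
        "client_id": query.get("client_id", [""])[0],
        "scopes": scopes,
        "persistent": PERSISTENCE_SCOPE in scopes,
    }


def find_risky_grants(events, verified_publishers):
    """Flag consent events where a publisher we have not vetted obtained
    write access. Returns (user, app, risk, persistent) tuples."""
    findings = []
    for event in events:
        risk = classify_scopes(event["scopes"])
        if risk == "high" and event["publisher"] not in verified_publishers:
            findings.append((event["user"], event["app"], risk,
                             PERSISTENCE_SCOPE in event["scopes"]))
    return findings


# Constructed consent events in a simplified layout (not either provider's
# real audit-log schema). Publisher "unknown" means unverified.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "app": "Mail Security Scanner",
     "publisher": "unknown",
     "scopes": ["openid", "Mail.ReadWrite", "offline_access"]},
    {"user": "bob@example.com", "app": "Calendar Sync",
     "publisher": "Contoso Ltd", "scopes": ["Calendars.Read"]},
    {"user": "carol@example.com", "app": "Drive Viewer",
     "publisher": "unknown",
     "scopes": ["https://www.googleapis.com/auth/drive.readonly"]},
    {"user": "dan@example.com", "app": "Backup Tool",
     "publisher": "Example Backup Inc",
     "scopes": ["https://www.googleapis.com/auth/drive"]},
]
VERIFIED_PUBLISHERS = {"Contoso Ltd", "Example Backup Inc"}

# Constructed consent-phishing link (client_id is a placeholder).
SAMPLE_CONSENT_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.com%2Fcb"
    "&scope=openid%20Mail.ReadWrite%20offline_access"
)


if __name__ == "__main__":
    link = parse_consent_url(SAMPLE_CONSENT_URL)
    print(link["scopes"], classify_scopes(link["scopes"]), link["persistent"])
    for finding in find_risky_grants(SAMPLE_EVENTS, VERIFIED_PUBLISHERS):
        print("REVIEW:", finding)
```

In practice, feed find_risky_grants from the Google Workspace OAuth token audit log or the Microsoft 365 “Consent to application” audit records, and treat a high-risk grant to an unverified publisher as something to revoke first and investigate second; the presence of offline_access tells you the app can keep working long after the user closes the browser.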
File synchronization
Another easy way that ransomware can take over your cloud environment is file synchronization. Both the Google Drive sync clients and OneDrive synchronize local files up to cloud storage. The danger is that a local machine becomes infected with ordinary, endpoint-targeting ransomware: as it encrypts files locally, the sync client dutifully uploads the encrypted copies to cloud storage.
As the files are synchronized, the good copies of your data are overwritten with encrypted files locked by the ransomware. Version history and the providers’ restore features can help roll files back, but retention is limited by time and by version count, so they are not a substitute for a backup. While file synchronization is more of a legacy ransomware infection technique, it can still wreak havoc on your data.
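A sync client will faithfully upload whatever the endpoint writes, so the place to catch this is before or as the files are synced. The Python example below is added here and is not the sync clients’ logic or SpinOne’s code. It scans a folder for files whose contents look encrypted, combining a Shannon-entropy check with an extension check so that legitimately compressed formats (images, archives, Office documents, which are zip containers) are not flagged, and then decides whether enough of the tree changed to pause synchronization. It builds its own sample folder in a temporary directory and simulates the ransomware step on it; the file names, contents and thresholds are constructed for illustration.

```python
"""Detect ransomware-encrypted files in a sync folder before they propagate.

Added example, not the sync clients' logic or SpinOne's code. File names,
contents and thresholds are constructed for illustration.
"""
import math
import os
import tempfile
from collections import Counter

# Formats that are compressed or encrypted by design and therefore have
# high entropy even when untouched. Office documents are zip containers.
HIGH_ENTROPY_OK = {".jpg", ".png", ".zip", ".gz", ".7z", ".pdf", ".mp4",
                   ".docx", ".xlsx", ".pptx"}
# Plaintext formats where high entropy is abnormal.
PLAINTEXT = {".txt", ".csv", ".md", ".json", ".xml", ".html"}
KNOWN_EXTS = HIGH_ENTROPY_OK | PLAINTEXT
ENTROPY_THRESHOLD = 7.5   # bits per byte; uniform random data is ~8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for empty or single-symbol input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious(path: str, data: bytes) -> bool:
    """True if the file looks like ransomware output.

    Two independent signals: an extension we do not recognise (ransomware
    commonly appends one, e.g. report.csv.locked), or a plaintext format
    whose bytes are as random as ciphertext (encrypted in place).
    """
    ext = os.path.splitext(path)[1].lower()
    if ext not in KNOWN_EXTS:
        return True
    if ext in HIGH_ENTROPY_OK:
        return False          # entropy alone proves nothing for these
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def scan_tree(root: str):
    """Return (sorted suspicious relative paths, total file count)."""
    hits, total = [], 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                data = f.read()
            total += 1
            if is_suspicious(path, data):
                hits.append(os.path.relpath(path, root))
    return sorted(hits), total


def should_pause_sync(hit_count: int, total: int, ratio: float = 0.3) -> bool:
    """Pause upload when a large share of the tree changed at once; a single
    odd file is not worth blocking a user over, a burst is."""
    return total > 0 and hit_count / total >= ratio


def build_sample_tree(root: str) -> None:
    """Constructed sample data: three plaintext files and one image."""
    text = b"Quarterly figures and meeting notes, nothing unusual here.\n" * 80
    for name in ("notes.txt", "report.csv", "readme.md"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(text)
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(os.urandom(4096))   # stands in for compressed image data


def simulate_ransomware(root: str) -> None:
    """Constructed attacker step: encrypt one file in place and rename
    another with an appended extension. Random bytes stand in for
    ciphertext, which has the same entropy profile."""
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(os.urandom(4096))
    src = os.path.join(root, "report.csv")
    with open(src, "wb") as f:
        f.write(os.urandom(4096))
    os.rename(src, src + ".locked")


def demo():
    """Scan the sample tree before and after the simulated attack."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        before, _ = scan_tree(root)
        simulate_ransomware(root)
        after, total = scan_tree(root)
        return before, after, should_pause_sync(len(after), total)


if __name__ == "__main__":
    print(demo())   # ([], ['notes.txt', 'report.csv.locked'], True)
```

The untouched photo.jpg has ciphertext-like entropy but is never flagged, which is the point of pairing the two checks: entropy alone would generate false positives on every image, archive and Office file in a real sync folder, and the extension check alone would miss a strain that encrypts in place without renaming.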
The Solution? Backups and Ransomware Protection
Cybercriminals are intent on using ransomware to take over your cloud environment. The initial-access paths above (phishing, consent-grant abuse, an infected endpoint, and the unpatched VPN appliances and weak RDP passwords the FBI called out) all deserve hardening, but no prevention is perfect. Two controls remain essential: backups and ransomware protection. Backups are the single way to be assured you hold a good copy of your data, and that copy must be held independently of the credentials and tokens the attacker has abused, or it can be destroyed along with the originals.
Without good backups of your cloud SaaS environment, you may have no alternative but to pay cybercriminals to get your data back. Detecting a ransomware attack that is underway can be extremely difficult. Generally, when most organizations know they are dealing with a ransomware attack, it is too late and their files are already encrypted.
What if you could have real-time protection against ransomware? Attacks are automatically detected and remediated. Any files that are affected are automatically recovered. This may sound too good to be true, however, there is a solution that makes this possible.
SpinOne’s SpinBackup is a solution that provides enterprise-grade backups for your cloud SaaS environment as well as the best ransomware protection on the market. It uses automated ransomware protection that is powered by artificial intelligence (AI).
How does SpinOne’s ransomware protection work?
- AI automatically detects a ransomware attack that is underway
- The source of the attack is automatically blocked
- SpinOne identifies the files that have been affected
- The affected files are automatically restored from SpinBackup
- Administrators are automatically notified
With SpinOne protecting the environment, ransomware is a non-issue instead of a business-impacting crisis. Be sure to try out the fully-featured trial version of SpinOne to see how it can be a game-changer for your cloud SaaS environment in the battle against ransomware.