Ransomware has become one of the most disturbing cybersecurity threats in recent years. Attacks like NotPetya, WannaCry, and Cerber have affected hundreds of thousands of companies and individuals globally.
Writing in the MIT Technology Review, Martin Giles predicts that cloud businesses are likely to become a new target for ransomware attacks in 2018. In this article, we consider whether the cloud is more protected from ransomware attacks, how ransomware infects the cloud services and, most importantly, how you can protect your cloud-based systems from ransomware.
The danger of ransomware
Ransomware is a common term for a pretty peculiar type of attack in which an attacker encrypts or locks all data on a victim’s computer and demands payment to restore access to that data.
According to a report by the US Department of Justice, the number of ransomware attacks has quadrupled in the last three years, from 1,000 daily attacks in 2015 to over 4,000 attacks per day in 2017.
One of the biggest dangers posed by ransomware attacks is their expense for victims: the damage costs of these attacks are predicted to reach as high as $11.5 billion in 2019. These costs include not only payments demanded by hackers but also losses related to other factors, including:
- Data damage
- Restoration of hostage systems and data
- Downtime due to attacks
- Forensic investigation
- Damage to the reputations of victims
The first ransomware attacks used pretty simple encryption tools and techniques so that the encrypted data could easily be restored using reverse engineering. But lately, hackers have moved to more complicated versions of ransomware that use complex encryption algorithms and are harder to mitigate.
There are several common methods that hackers use for spreading ransomware, including malicious email attachments, compromised websites, and infected software applications. At first, attacks relied on some kind of user interaction: a victim had to open an infected email or visit a compromised website. Today, however, hackers are able to perform attacks even without user interaction, for instance by exploiting the remote desktop protocol (RDP).
To learn more about the dangers posed by this type of malware, read our article Ransomware – Mechanisms and Protection.
Why is the cloud so attractive for hackers?
Contrary to common belief, cloud environments are just as vulnerable to ransomware as regular PCs. What differs are the ways you can discover, respond to, and try to prevent these attacks in the cloud.
There are several reasons why hackers may switch their focus to cloud-based systems in the near future.
Large amounts of data – Cloud computing companies host enormous amounts of client data, thus inevitably attracting the attention of cybercriminals. Plus, some cloud service providers run photo libraries or provide email services. The more data attackers can get access to, the larger the ransom they can demand in exchange for that data.
Faster transmission – Cloud-based systems can be used as a channel for spreading a ransomware attack, just like infected emails and compromised websites. All that attackers need to do is upload an infected file to the cloud and share it with other users.
Lots of sensitive data – The sensitivity of data stored in the cloud by both enterprises and individual customers also plays a significant role in drawing attackers’ attention to cloud computing businesses. More and more people are deciding to keep their valuable information in the cloud, relying on its presumably high security. While big players in the market – such as Google, Amazon, Microsoft, and IBM – have enough resources to hire additional expert teams to boost their digital security, smaller businesses have limited resources and therefore are likely to be more vulnerable to ransomware attacks.
Now let’s take a closer look at the ways ransomware can spread across the cloud.
How ransomware infects the cloud
When hackers obtain unauthorized access to a cloud service provider, they can launch a ransomware attack that will directly affect every customer using that service. In this case, the consequences of the attack can be disastrous for a cloud service provider as all customers’ data will be encrypted.
In other cases, cloud services can be infected with ransomware by an authorized user or a penetrated attacker who compromises a legitimate user’s credentials via social engineering. These malicious insiders can then upload an infected file to the cloud and spread it by sharing it with legitimate cloud users.
This method of infecting cloud platforms is very common. For instance, in 2016, a massive attack on the Microsoft Office 365 cloud service was executed with ransomware called Cerber. An attacker uploaded a decoy document that contained malicious macro code that downloaded Cerber malware files to users’ machines after sharing the infected document.
According to a 2016 report by Netskope, about 43 percent of all malware found in the cloud is carrying ransomware. In 2017, Microsoft released their Security Intelligence Report in which they informed of a 300 percent increase in the number of attacks on their cloud-based accounts since 2016.
There are also many others cases when hackers use cloud-based systems as a channel for spreading ransomware. Cloud service providers should monitor what kind of data is uploaded to their systems in order to prevent ransomware from spreading.
Honeypots as a Method of Malware Detection
Protecting the cloud from ransomware
Since there is an increasing number of ransomware attacks in the cloud, you should stay one step ahead of cyber attackers and be ready to withstand this new type of cybersecurity threat.
But how can you protect your cloud-based systems from ransomware? Below, we list several approaches that may help you detect an attack or even prevent it from happening and defend your cloud-based system against ransomware.
Regular scanning – Scan your entire system for vulnerabilities and perform penetration tests regularly. In this way, you can ensure that all susceptible parts of your system are reconfigured or patched to address new exploits and vulnerabilities in time. You also need to know what third-party applications are integrated into your cloud environment and what data these applications have access to.
Multi-layered protection – Use traditional signature-based antivirus and heuristic analysis methods to improve malware detection in the cloud. It’s important to deploy a multi-layered protection strategy to increase the possibility of detecting novel malware strains.
Intrusion detection and prevention monitoring – Deploy intrusion detection systems and intrusion prevention tools to continuously monitor your system. These tools can help you detect possible threats and terminate them in a timely manner.
Behavior analysis – Behavior analysis tools are helpful in detecting a ransomware attack at an early stage. The main benefit of a behavior-based approach is that it detects core behavioral traits that are common to most variants of ransomware: suspicious setup procedures and data encryption. Signature behaviors of ransomware include updating an audit policy, initiating a connection to a domain or IP with a bad reputation, or sending data via a covert channel.
Sandboxing – Create sandboxes for all applications integrated into your cloud environment to record and analyze their behavior in a safe manner. Use the information gathered from these sandboxes to determine what a malicious file intended to do and how it could affect your system.
Proactive alerting – Create an alert system so you can be notified immediately of any suspicious user or application activities. Even if you won’t be able to save the already infected part of the system, you may be able to stop an attack from spreading further across the cloud.
File integrity monitoring – Increase your chances of detecting ransomware by deploying file integrity monitoring tools. These tools can help you detect massive file modifications and block the application that attempts to make these changes.
Cloud computing businesses are not immune to ransomware. Protecting your cloud-based systems and services from ransomware should be taken just as seriously as traditional on-premises defense. A multi-layered security strategy that includes regular scans, monitoring, audits, and backups is essential for ensuring the protection of your cloud services. If you’re working on your own cloud security solution, Apriorit can share our experience in cybersecurity and cloud engineering.