RansomCloud: How Ransomware is Attacking the Cloud

Within the mob of malware, ransomware is leading the pack. While other malicious software – such as viruses, worms, spyware, and adware – ransack computer systems, ransomware goes further by making demands. It infiltrates computers and servers with intention, encrypting files and data along the way thus, rendering devices unusable. Once satisfied, the operators behind the attack will insist that a hefty sum is paid up in return for the decryption key.  

It’s the age-old tactic of extortion but re-enacted in the digital world. Now that our everyday lives have become highly dependent on the internet, the playing field for this particular strain of malware has expanded immeasurably. At the same time, cybersecurity threats are growing – in 2020, malware and ransomware attacks increased by 358% and 435% respectively – and are outpacing societies’ ability to respond effectively.  In fact our own ransomware readiness research found that 58% of organisations with over 2,000 employees have already suffered a ransomware attack.  

Though ransomware may have started as an operation of opportunity, it has since become an established criminal enterprise in its own right. And in the same way a legitimate business might adapt and evolve to remain competitive in the market, threat actors leveraging ransomware are doing the same. The mass shift to the cloud is a prime example of this.  

Cloud migration is not a new phenomenon, but it has certainly been expedited by the pandemic. To maintain businesses continuity, companies have transferred their digital assets and operations to a cloud computing environment; minimising or even eliminating the use of on-premise databases. In other words, software, services and databases can now be accessed via the internet.  

Among a host of other benefits, cloud computing has enabled companies to be more flexible and mobile, while improving collaboration efficiency. It has also facilitated scalability and reduced overall IT costs. Unfortunately, cybercriminals have recognised this shift and the valuable data now held within the cloud; leading to ‘Ransomcloud’ attacks to take advantage of poor cloud security.  

Such attacks occur through three key methods:  

1. File sync piggybacking 
2. Remote connection with stolen credentials 
3. Attacking the cloud provider 

So, how do these methods work? 

1 – File sync piggybacking

The first type of ransomcloud attack leverages the common attack vector of phishing to infect the victim’s local computer. Contrary to popular belief, the malicious attachment or link included in the email often does not contain the malware payload. Rather, it delivers a small program that runs stealthily in the background, and it is this program that will then install the malware.  

Once in the system, the malware will disguise itself as a popup permission request from a trusted software like an anti-virus scan request. By approving, the malware is activated and can now disseminate itself; not just in the local computer, but across the network to any machine or server it may be connected to. As it spreads, threat actors will be on the lookout for a file sync service interacting with a cloud service. When it has been identified, the ransomware piggybacks on the file sync allowing threat actors to access, infect and encrypt data in the cloud.  

Of course, should the organisation have measures such as air gapping in place, ransomware may be unable to compromise a route to the cloud and settle on local infection instead. It’s no wonder then that we are witnessing a rise in the use of Google Drive, Slack, Microsoft Teams etc. to distribute malicious software. These applications sit between the cloud and on-premise devices, syncing relevant files as appropriate. Once compromised, it becomes incredibly difficult to reverse the impact. This is where Advanced Cloud Access Security Broker (CASB) tools prove useful as they sit between the on-premise and cloud infrastructures, vetting the traffic between them. 

2 – Remote connection with stolen credentials

The second tactic sees threat actors monitor network connections for authentication attempts. They will then capture the user’s cloud credentials usually by presenting a fake login portal masquerading as the real cloud platform. By tracking the keystrokes on the infected local computer, connection details can be copied to a remote computer and automatically entered to the real cloud platform from there.  

As the local malware captures the keystrokes and passes this on to the remote computer, cybercriminals can gain entry to the cloud via simultaneous login. Therefore, potentially bypassing two-factor authentication methods that ask for a code as the user would type this in also. Now, they have a connection to the cloud from their own computer and gain as much or as little access as the cloned user, depending on their privilege level.  

3 – Attacking the cloud provider

Last but not least, a ransomcloud attack could arise by targeting the cloud provider directly. This is the most damaging of methods and most lucrative for the attacker because if they are successful, it would mean they have compromised the entire cloud platform. In short, they could demand ransoms from some or all customers of the compromised service.  

Consider Microsoft Azure cloud. In August 2021, Microsoft was notified of a vulnerability in their Azure Cosmos Database. The vulnerability, an issue identified within Jupyter Notebooks, enabled the perpetrator to escalate privileges and move laterally across the Microsoft cloud. Although it was quickly rectified and there were no reported incidents of ransomware, it does highlight the risk. 

Cloud Security Responsibility

Having now investigated the ways in which the cloud could be compromised, we might then ask who bears the responsibility of maintaining its security. The truth of the matter is the responsibility is shared. Cloud vendors, businesses or its managed service provider and even individual employees all have a role to play; though it may flex depending on how the business consumes cloud. For instance, a cloud provider will bear greater responsibility for businesses who adopt serverless computing. Conversely, the business will own a greater degree of responsibility if they utilise an Infrastructure as a Service (IaaS) model. One must simply establish who is responsible for what early in the cloud migration process.  

Nevertheless, it is important to remember that a business is always responsible for its data; regardless of where it is hosted. With that said, they need to be attentive to their permissive policies, insider threats, phishing campaigns, and leaked credentials. The best way to combat some of these challenges is to adopt best practice measures like following the principle of least privilege to limit the damaging actions that may transpire should a cloud account be hacked. It also means investing in security awareness training to curb successful phishing attempts. Businesses must also ensure they have clear visibility of their cloud environments so they can detect and remediate issues sooner rather than later.  

No matter where you are on your cloud journey, we can help you every step off the way to apply risk-based policies and controls to protect your cloud data, applications, and infrastructure from threat.  

To find out more about cloud security consulting services from Adarma and how we can help your organisation take control of your attack surface please Contact us. 

Stay up to date with the latest threat insights from Adarma by following us on Twitter and LinkedIn. 

You can also catch up on our insights on cloud security, including understanding your attack surfaces and the risk third party providers pose to your security.