Tech decision makers surveyed by Pulse admitted last year that nearly 3 out of 4 companies (71%) experienced a ransomware incident and at least 12% of these incidents involved payments. This shows that ransomware attacks are proving to be a lucrative business for malicious cyber actors as they constantly put organizations’ cybersecurity measures to the test in a host of different sectors where different IT architectures are used.
In recent years we have seen many incidents involving the encryption of on-premises devices in companies, public administrations, schools, hospitals, and even critical infrastructures such as the Colonial Pipeline. But now cybercriminals are also targeting the data and applications that organizations store in the Cloud and these attacks are referred to as “ransomcloud.”
In ransomcloud, cybercriminals block data or the use of applications that are in the Cloud and then demand a ransom to let organizations recover access. Multiple techniques and attack vectors are deployed in this strategy:
Malware has been specifically designed to operate in the Cloud and has become highly sophisticated. Last year we explained in the blog how the Russian APT-28 group had been using the Kubernetes Cloud container platform to break into government institutions and company networks. Cyberattackers also make use of botnets, scripting attacks, and SQL code injections.
More traditional attack techniques are employed that coincide with those used for ransomware in on-premises systems, such as social engineering through phishing to obtain access credentials to Cloud services or the use of credentials that have been obtained on the dark web after being breached. Hackers also take advantage of the expansion of the attack perimeter due to the surge in remote working. Computers located outside the office are generally more vulnerable and are an easier access vector to an organization’s Cloud.
To prevent damage from such incidents, MSPs should protect their customers' data by following the same practices and procedures described by the National Institute of Standards and Technology (NIST) concerning ransomware in general, but adapted to the characteristics of the Cloud or hybrid architecture. This means that MSPs must always take into account that data is no longer hosted entirely on an organization's servers, and this affects essential measures such as file encryption using HTTPS connections and constantly updated back-ups to restore files in the event of an incident. Two copies under different types of storage are recommended, which means ideally one is offline and not in the Cloud.
But all these measures may fall short if organizations do not also have technologies that enable administrators to extend their security perimeter to the Cloud, providing visibility into all data sets and combined with advanced Endpoint Protection, Detection, and Response (EPDR) solutions, so that they can deal with all forms of malware and suspicious activity, no matter how sophisticated. This enables MSP customers to protect all the data, applications, and services they store in the Cloud from threats.