Ransomware is the number one cybersecurity threat facing organizations today. According to the annual Sophos "State of Ransomeware" report the average total cost of recovery from a ransomware attack more than doubled in 2021 to $1.85 million, up from $761,106 in 2020. I covered some of the basics of ransomware in a previous article, but what if your organization has moved, fully or partially, to the cloud? Are you safe from ransomware?
The short answer is no. Just because you've transitioned to the cloud, doesn't mean you can relax on your cybersecurity efforts. All of the major cloud service providers operate on a "shared responsibility" security model. This means that they will handle the security of the infrastructure they provide, but you are responsible for ensuring the security of your apps and data.
That said, there are plenty of benefits to hosting your data and apps in the cloud. As mentioned, your cloud provider takes on the responsibility for securing the infrastructure that hosts your apps and data. No matter what level of security your organization requires, you have the comfort of knowing that the infrastructure you're using is architected to the specifications of the cloud provider's most security-sensitive clients. In addition, cloud providers generally offer a number of tools and services that can make security easier from your side. Services like identity and access management, monitoring, logging, auditing, data encryption, and key management can be easily integrated into your solutions. While these tools can greatly simplify your cybersecurity initiatives, ensuring that they're used and configured properly is up to you.
Servers hosted in the cloud are not inherently any safer from ransomware than they would be if they were running on premises. And the same precautions should be taken for either. However, there are some specific threats to your cloud services that you should be aware of.
Many organizations treat cloud document storage services as a form of data backup. This kind of makes sense, right? If you upload a document from your computer to the cloud, then if anything happens to the local version, you can just download the cloud version and you're back up and running. Many of these services include syncing your documents as a feature. Anytime you make a change locally, it's automatically uploaded to the cloud, and you don't need to worry about keeping it up to date. The problem is, if your local machine becomes infected with ransomware, when those synced files are encrypted, the encrypted versions will be automatically synced to the cloud. Now your backups are corrupted as well. No matter which document storage solution you use (Dropbox, OneDrive, Google Drive, etc.), if your files are automatically synced, your vulnerable to this type of attack. Additionally, if the user whose machine is compromised has access to other shared documents in the cloud, those files could also be encrypted by the attacker.
Using versioning is one way to help prevent data loss from this type of attack, and most storage providers have some form of versioning available. The number of previous versions and how long they are maintained will vary from one vendor to another, and you may need to configure this option in your settings. While versioning can help, it's also best to make regular backups of your cloud files and store them in a separate location, such as an AWS S3 bucket. This way, if your files do become encrypted, you still have a way to restore them.
RansomCloud is a new strain of ransomware that targets cloud email services. The attacker tricks a user into clicking on a link in an email and allowing access to their cloud account. Once the user accepts, the attacker has full access to their account. To see a RansomCloud attack in real-time, check out this demonstration by Kevin Mitnick, where he shows just how easy it is to fall victim to this type of attack.
In order to mitigate the risk of a RansomCloud attack, organizations should regularly backup all cloud email data to a secure location, allowing for speedy recovery. Additionally, advanced antimalware and spam detection should be used to scan for and filter out potentially dangerous emails. Finally, ensure that all employees are trained on the dangers of ransomware, and how to spot and report phishing emails.
With the rapid shift to remote work fueled by the COVID-19 pandemic, IT departments have been forced to find solutions to keep their workers connected and productive. This has caused organizations to drastically increase their reliance on third-party apps and services. While most apps don't cause any security concerns, there are a growing number of malicious apps and browser extensions being spread thorough the app stores. During installation, these apps will often ask the user to grant permissions to manage data or to access a user's account. Once granted, the attacker has the access they need to begin encrypting files.
While limiting what apps can be installed on organization hardware via admin controls can help limit the exposure to malicious apps, the rise in the use of cloud services that can be accessed from multiple devices dramatically increases the risks of account takeovers due to users installing malicious apps from the Android or iOS app stores. This is why it's essential that organizations educate employees about the dangers of malicious software, and how to avoid these types of attacks.
These are just a few of the attack vectors currently targeting cloud services, and new ones are discovered all the time. So, how do you protect your organization's cloud environment?
All of the major cloud providers (AWS, Google Cloud, and Azure), have recently released guidance to help organizations follow best practices in securing their cloud environments. Some of the key takeaways from these documents are:
- Identify your sensitive data and evaluate the primary cybersecurity risks your organization faces.
- Implement a robust disaster recovery plan, utilizing your providers backup and recovery solutions.
- Encrypt all sensitive data, both in transit and at rest.
- Limit attacker access by implementing strict user access policies.
- Keep all applications and operating systems up-to-date, and employ automated tools to regularly apply patches and keep dependencies updated.
- Follow a defined security standard, either a regulatory or compliance standard, such as PCI DSS, or a standard provided by your cloud provider, such as the AWS Well-Architected Framework.
- Make use of monitoring and automated alerting tools.
While ransomware attacks will continue to evolve, implementing cybersecurity best practices in your cloud environment will go a long way in protecting your organization from becoming a victim of ransomware. For additional information on how to protect your organization see the recent NIST special publication focused on protecting against ransomware attacks.