[BreachExchange] Why Ransomware Will Soon Target the Cloud

[Destry Winant]

https://www.darkreading.com/cloud/why-ransomware-will-soon-target-the-cloud-/a/d-id/1336957

As businesses' daily operations become more dependent on cloud
services, ransomware authors will follow to maximize profits. The good
news: Many of the best practices for physical servers also apply to
the cloud.

Ransomware is now a billion-dollar enterprise for cybercriminals, and
— as in any industry — it has evolved over time to become more
efficient and maximize profits. Hackers have transitioned away from
launching ransomware attacks indiscriminately in bulk and are now
specifically targeting high-value targets within the companies and
industries most likely to pay higher ransoms for the safe return of
their files. As attackers continue to refine their tactics to bring in
more money, I believe the next generation of ransomware will target
cloud-based assets, including file stores, Amazon S3 buckets, and
virtual environments.

When ransomware first hit the scene in 2013 with CryptoLocker,
attackers targeted anyone and everyone, from CEOs to senior citizens.
Even if just a small percentage of victims paid the relatively small
ransom, attackers were sending out such a high volume of ransomware
that they'd still make money. This broad, "shotgun blast" approach
fell out of fashion in 2016 and 2017 as ransomware success rates
decreased due to improvements in antivirus protections. Instead,
attackers began targeting industries in which businesses can't
function with any downtime, most prominently healthcare, state and
local government, and industrial control systems. Attackers picked
their targets more carefully, devoted more time and effort to breaking
in, and asked for larger ransoms. In short, they adapted their tactics
to maximize profits.

Looking ahead, I believe ransomware will target the cloud for three
reasons. First, the cloud has been left largely untouched by
ransomware so far, so it's a new market opportunity for attackers.

Second, the data and services stored or run through the cloud are now
critical to the day-to-day operations of many businesses. Five years
ago, a company might have been able to function without its cloud
deployment in the short term, so the pressure to pay a ransom wouldn't
have been as high. Now, most businesses will be crippled if they lose
access to their public or private cloud assets. That creates the same
intense pressure to restore services quickly that we've seen with
hospitals, city governments, and power plants over the last few years.

Third, the cloud offers an attractive aggregation point that allows
attackers to access a much larger population of victims. Encrypting a
single physical Amazon Web Server could lock up data for dozens of
companies that have rented space on that server. As an example,
several attacks in the first and second quarters of 2019 involved bad
actors hijacking multiple managed service providers' management tools
and using them as a strategic entry point from which to spread
Sodinokibi and Gandcrab ransomware to their customer rosters. The same
principle applies here — hacking a central, cloud-based property
allowed attackers to hit dozens or hundreds of victims.

Cloud Security
To prevent cloud ransomware attacks, businesses need cloud security.
Many smart IT people believe they don't need to worry about securing
data in an infrastructure-as-a-service (IaaS) deployment because
Microsoft or Amazon will handle it for them. This is only partially
true.

While most public cloud providers do supply basic security controls,
they may not include all of the latest security services needed to
prevent more evasive threats. For example, most IaaS providers offer
some form of basic anti-malware protection, but not the more
sophisticated behavioral or machine learning-based anti-malware
solutions available today. WatchGuard research has found that between
a third and half of all malware attacks use evasion or obfuscation
techniques to bypass traditional, signature-based antivirus solutions.
Without more proactive anti-malware, modern ransomware could skirt
right past basic cloud security controls. Fortunately, you can get a
virtual or cloud version of most network security solutions on the
market today, and I suggest using these to secure your cloud
environments.

Finally, misconfigurations and human mistakes made while setting up
cloud permissions and policies create weak spots that attackers can
exploit to deliver ransomware. Every organization using a public or
private cloud should harden these environments by properly securing S3
bucket configurations, closely managing file permissions, requiring
multifactor authentication for access, and more. There are many "cloud
hardening" guides that can help with this, and I recommend that anyone
new to the cloud look into them.


As cloud services become increasingly critical to more businesses'
daily operations, ransomware authors will follow to maximize profits.
The good news is that the cloud can be secured with many of the same
best practices that apply to physical networks. Make every effort to
keep your cloud deployments safe and secure today. In the future, you
might be glad you did.