Are my data in the cloud protected from ransomware?
Some analyses estimate that by 2027 more than 70% of companies will use industrial clouds in their business processes, making the most of the advantages they offer in terms of scalability, cost-benefit ratio and, crucially, data storage. The downside to this trend is that cybercrime is also adapting its strategies to keep finding ways to cause serious damage to organizations.
The cloud has become a critical resource for companies. Around 40% now have 50% or more of their workloads in the cloud. This scenario poses a new challenge for cybersecurity. Given the possibilities offered by cloud environments, traditional network perimeter defense strategies are evolving towards the adoption of new access controls that, along with other elements, provide security measures adapted to the current circumstances.
At the same time, cybercrime is adapting its attack resources to cloud-based environments. Ransomware, a type of malicious action based on encrypting data and demanding a ransom for it, is one of the mechanisms threatening the security of data stored in the cloud. Traditionally, these attacks have targeted servers located on an organization’s own premises, acting on local data. Variations on this model have now been identified:
- On the one hand, an attacker can manage to compromise the local device and then spread the ransomware to the cloud as soon as the victim’s data is synchronized with a cloud storage service. Most cloud storage solutions use file synchronization to keep information in multiple locations simultaneously, which opens the way for ransomware infection.
- It is also possible for cybercriminals to gain direct access to an organization’s cloud systems through phishing.
- Another possibility is to target the attack directly at a cloud service provider to gain access to its clients’ data. In this way, by infecting the provider’s infrastructure, large amounts of its customers’ data can be encrypted through a single action. In 2021, for example, a study announced that 90% of S3 buckets on the Amazon Web Services platform were vulnerable to ransomware. In December 2022, Rackspace Technology, one of the largest cloud hosting providers in the United States, was the target of a ransomware-type attack.
- Cloud environments currently show a high degree of homogenization in terms of structure and conditions, which allows cyberattackers to standardize their actions and thus target a larger number of organizations more quickly.
Traditional Ransomware vs Cloud Ransomware
One of the differences between ransomware against the cloud and ransomware against an organization’s local servers is that the focus is now on data exfiltration rather than data encryption.
Generally, ransomware attacks are based on file encryption that blocks the legitimate owners' access to their files. With their data unavailable, the owners are extorted into giving in to the cybercriminals' demands in order to regain access to the cryptographically hijacked data.
In the case of ransomware designed to attack a cloud environment, the aim is to exfiltrate data that has not been properly secured. Once this has been achieved, the original files are deleted and a ransom is demanded in exchange for their restitution. Thus, if the entity lacks backup copies, giving in to blackmail may be the only way to recover the information. But even if there are backup copies, the attacker can keep up the pressure by threatening to publish the stolen data.
In short, when we talk about ransomware applied to the cloud, we are not referring to data encryption techniques on a victim’s endpoints, but to the theft of data extracted from a cloud infrastructure which, transferred to a different medium, is held hostage until the victim pays for its release.
How to protect data in the cloud from Ransomware
The progressive increase in ransomware attacks against the cloud makes security a vital concern.
In line with the guidelines set by regulatory compliance, knowing what data is stored in the cloud and classifying it according to its nature and the degree of protection it requires is fundamental to establishing a good security strategy.
Also, the implemented configurations must be properly reviewed so that improper system administration does not give the attacker access. Carrying out periodic reviews, accompanied by technical audits, is an excellent practice to minimize this risk.
Despite what has been said about the strategy followed by cybercriminals when faced with the existence of backups, it is necessary to perform them in a systematic and planned manner. It is true that they will not prevent the threat of data exfiltration mentioned above, but they will always be useful in restoring the compromised data in order to speed up the recovery of the affected organization.
Of course, ransomware infections in the cloud are also most often caused by human error. It must be ensured that an organization’s staff is adequately aware and trained to identify and respond to such an attack.
Developing an incident response and disaster recovery plan is essential to minimize the impact of a ransomware attack.
In order to minimize the scope of a cloud ransomware attack, it is advisable to apply the principle of least privilege to the people operating within the system. Allowing only limited access to what is specifically necessary avoids exposing critical data to unnecessary levels of risk, which minimizes the havoc that an incident such as the one discussed here can wreak on a cloud-based document architecture.
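As an added illustration of a least-privilege review (example code, not part of the original article), the Python sketch below audits an AWS IAM policy document for Allow statements that grant object read, overwrite, delete or recovery-disabling S3 actions across more than one named bucket. The sample policy, its bucket name and Sids are constructed, and the check covers only `Action` and `Resource`, not `NotAction`, conditions or bucket policies.

```python
import fnmatch

# Real S3 IAM action names; grouping them as ransom-relevant is this example's choice.
RISKY_ACTIONS = {
    "s3:GetObject": "read (exfiltrate) objects",
    "s3:PutObject": "overwrite objects",
    "s3:DeleteObject": "delete objects",
    "s3:DeleteObjectVersion": "destroy versioned copies",
    "s3:PutBucketVersioning": "suspend versioning",
    "s3:PutLifecycleConfiguration": "expire data through lifecycle rules",
}

def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _spans_buckets(resource):
    """True when the resource is '*' or its bucket-name part has a wildcard."""
    if resource == "*":
        return True
    bucket = resource.rpartition(":::")[2].split("/", 1)[0]
    return "*" in bucket or "?" in bucket

def audit_policy(policy):
    """Return (sid, action, impact) for Allow statements that grant a risky
    S3 action on resources spanning more than one named bucket."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):      # a lone statement may be a dict
        statements = [statements]
    findings = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_spans_buckets(r) for r in _as_list(stmt.get("Resource"))):
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        for action, impact in RISKY_ACTIONS.items():
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                findings.append((sid, action, impact))
    return findings

# Constructed sample policy: the first statement is scoped, the second is not.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppReadsReports", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
    {"Sid": "LegacyAdmin", "Effect": "Allow", "Action": ["s3:Delete*", "s3:PutBucketVersioning"], "Resource": "*"},
]}
```

Running `audit_policy(SAMPLE_POLICY)` reports only the `LegacyAdmin` statement, whose wildcard resource lets one compromised identity delete objects and their versions in every bucket.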
Furthermore, implementing .EXE file filtering tools in e-mails is highly advisable. This measure reduces the risk of executing files that compromise the security of the system.
Similarly, awareness of hidden file extensions will help to identify files that, while appearing innocuous, can seriously affect the work environment, including the cloud infrastructure.
On the other hand, it is important to know exactly where the cloud service provider's responsibility ends and the customer's responsibility begins with regard to the security of the stored data. It is important to have a clear understanding of the conditions and scope of the contract, so that you know how to act accordingly in the event of a ransomware attack in the cloud.
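The e-mail attachment filtering and hidden-extension advice in this section can be expressed as a filename check; the Python sketch below is an added example, not code from the original article, and its extension lists and reason labels are assumptions chosen for illustration. It flags executable extensions, a harmless-looking extension placed before the real one (which is what the user sees when known extensions are hidden), space padding, and Unicode direction-control characters that change how the name is displayed.

```python
import unicodedata

# Extensions that run code when opened on Windows (illustrative, not exhaustive).
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1", "msi", "lnk"}
# Extensions users read as harmless; used here to spot a visible decoy.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Unicode controls that change text direction and so the displayed name.
BIDI_CONTROLS = {"\u202a", "\u202b", "\u202d", "\u202e", "\u2066", "\u2067", "\u2068"}

def inspect_attachment(filename):
    """Return the reasons to quarantine an attachment; an empty list means pass."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in filename):
        reasons.append("bidi-control")
    # Drop invisible format characters, then the trailing dots and spaces
    # that Windows ignores, so the real final extension is what gets tested.
    cleaned = "".join(ch for ch in filename if unicodedata.category(ch) != "Cf")
    cleaned = cleaned.rstrip(". ").lower()
    parts = cleaned.split(".")
    ext = parts[-1].strip() if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append("executable-extension")
        # "invoice.pdf.exe" shows as "invoice.pdf" when known extensions are hidden.
        if len(parts) > 2 and parts[-2].strip() in DECOY_EXTS:
            reasons.append("double-extension")
        # A run of spaces pushes the real extension out of the visible column.
        if "   " in parts[-2]:
            reasons.append("padded-extension")
    return reasons

# Constructed sample filenames.
SAMPLES = [
    "report.pdf",
    "Invoice.PDF.exe",
    "scan.jpg          .scr",
    "invoice\u202efdp.exe",
    "setup.exe. ",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(repr(name), inspect_attachment(name))
```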
Adopting appropriate measures to mitigate risks in the cloud
In general, when it comes to storing and managing large amounts of data, more and more companies are migrating to the cloud. This technology offers significant advantages, including advanced security measures. However, the dangerous threat of a ransomware attack is still very much present in such an environment.
Cloud storage is vulnerable to this type of malware largely due to the synchronization of files from local drives, a traditional entry vector for this type of criminal resource. At the same time, the cloud is not a ransomware-free space, as there are attacks specifically designed for this ecosystem where, instead of targeting the organizations that contract these services, the criminal actions focus on the vulnerabilities detected in the providers themselves.
However, it is important to note that, although the cloud is susceptible to ransomware attacks, the technology also offers significant advantages for data storage. By adopting the appropriate measures (some of the main ones are outlined in this article), the risks of a ransomware attack can be mitigated.
JakinCode helps you strengthen the security of your company. Our experts are at your disposal. Shall we schedule a meeting?