Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

2/11/2020
02:00 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Why Ransomware Will Soon Target the Cloud

As businesses' daily operations become more dependent on cloud services, ransomware authors will follow to maximize profits. The good news: Many of the best practices for physical servers also apply to the cloud.

Ransomware is now a billion-dollar enterprise for cybercriminals, and — as in any industry — it has evolved over time to become more efficient and maximize profits. Hackers have transitioned away from launching ransomware attacks indiscriminately in bulk and are now specifically targeting high-value targets within the companies and industries most likely to pay higher ransoms for the safe return of their files. As attackers continue to refine their tactics to bring in more money, I believe the next generation of ransomware will target cloud-based assets, including file stores, Amazon S3 buckets, and virtual environments.

When ransomware first hit the scene in 2013 with CryptoLocker, attackers targeted anyone and everyone, from CEOs to senior citizens. Even if just a small percentage of victims paid the relatively small ransom, attackers were sending out such a high volume of ransomware that they'd still make money. This broad, "shotgun blast" approach fell out of fashion in 2016 and 2017 as ransomware success rates decreased due to improvements in antivirus protections. Instead, attackers began targeting industries in which businesses can't function with any downtime, most prominently healthcare, state and local government, and industrial control systems. Attackers picked their targets more carefully, devoted more time and effort to breaking in, and asked for larger ransoms. In short, they adapted their tactics to maximize profits.

Looking ahead, I believe ransomware will target the cloud for three reasons. First, the cloud has been left largely untouched by ransomware so far, so it's a new market opportunity for attackers.

Second, the data and services stored or run through the cloud are now critical to the day-to-day operations of many businesses. Five years ago, a company might have been able to function without its cloud deployment in the short term, so the pressure to pay a ransom wouldn't have been as high. Now, most businesses will be crippled if they lose access to their public or private cloud assets. That creates the same intense pressure to restore services quickly that we've seen with hospitals, city governments, and power plants over the last few years.

Third, the cloud offers an attractive aggregation point that allows attackers to access a much larger population of victims. Encrypting a single physical Amazon Web Server could lock up data for dozens of companies that have rented space on that server. As an example, several attacks in the first and second quarters of 2019 involved bad actors hijacking multiple managed service providers' management tools and using them as a strategic entry point from which to spread Sodinokibi and Gandcrab ransomware to their customer rosters. The same principle applies here — hacking a central, cloud-based property allowed attackers to hit dozens or hundreds of victims.

Cloud Security
To prevent cloud ransomware attacks, businesses need cloud security. Many smart IT people believe they don't need to worry about securing data in an infrastructure-as-a-service (IaaS) deployment because Microsoft or Amazon will handle it for them. This is only partially true.

While most public cloud providers do supply basic security controls, they may not include all of the latest security services needed to prevent more evasive threats. For example, most IaaS providers offer some form of basic anti-malware protection, but not the more sophisticated behavioral or machine learning-based anti-malware solutions available today. WatchGuard research has found that between a third and half of all malware attacks use evasion or obfuscation techniques to bypass traditional, signature-based antivirus solutions. Without more proactive anti-malware, modern ransomware could skirt right past basic cloud security controls. Fortunately, you can get a virtual or cloud version of most network security solutions on the market today, and I suggest using these to secure your cloud environments.

Finally, misconfigurations and human mistakes made while setting up cloud permissions and policies create weak spots that attackers can exploit to deliver ransomware. Every organization using a public or private cloud should harden these environments by properly securing S3 bucket configurations, closely managing file permissions, requiring multifactor authentication for access, and more. There are many "cloud hardening" guides that can help with this, and I recommend that anyone new to the cloud look into them.

As cloud services become increasingly critical to more businesses' daily operations, ransomware authors will follow to maximize profits. The good news is that the cloud can be secured with many of the same best practices that apply to physical networks. Make every effort to keep your cloud deployments safe and secure today. In the future, you might be glad you did.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "What Is a Privileged Access Workstation (PAW)?"

Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.