Cloud Ransomware

Ionut Vasile
6 min read · Jul 11, 2023


Source: darkreading.com

The term “ransomware” often causes confusion when it is discussed in a cloud context. The word was coined as a contraction of “ransom software,” but once you look at the tactics, techniques, and procedures (TTPs) used in actual ransomware attacks, executable software is not always the primary tool. Traditional ransomware attacks involve malicious software encrypting files at scale across a victim’s systems. That is not what cloud “ransomware activity” usually looks like. In the cloud it more closely resembles an extortion scheme, which is in line with how ransomware has been evolving generally.

In the early days of ransomware campaigns, threat actors encrypted files in a victim’s environment and demanded a ransom for the decryption key. As victims started restoring from backups, or recovering files by exploiting flaws in the malware’s encryption, threat actors moved to “double extortion”: the data is exfiltrated before it is encrypted, so even a victim who restores every file can still be threatened with public release of private data, which gives the attacker the upper hand in negotiations. A notable step in this direction was the ransomware group BianLian abandoning encryption and focusing solely on extortion.

When we talk about cloud ransomware, we are mainly referring to this latest behavior. Cloud storage is reached through the provider’s APIs rather than by running code on the host that holds the data, so an attacker rarely gets the opportunity to execute software that encrypts the data in place. What they can do, with credentials that carry enough permissions, is download improperly secured data, delete the originals, and demand a ransom for their return. If the victim organization has no backups, and the storage has no versioning or retention protection, paying may be the only way to get the data back: the objects no longer exist in the environment, not even in encrypted form. Even with backups, the attacker can still threaten to publish the stolen data, which leaves the victim in a precarious position. In short, “cloud ransomware” involves no TTPs for encrypting data on victim endpoints; it is data theft, deletion, and a ransom demand.

A related topic worth noting is the role of initial access brokers (IABs) in cloud ransomware. IABs are threat actors who compromise an environment and sell that access on the dark web to other threat actors, rather than acting on objectives themselves. Ransomware actors have been observed buying access from IABs to get into environments quickly and deploy their payloads. It would not be surprising if IABs start working the cloud landscape as well, identifying weakly secured environments, gaining access, and selling it on. That trend could significantly shape future cloud ransomware campaigns.

As stated above, a cloud ransomware attack differs significantly from a traditional ransomware attack in an on-premises environment. The primary objective shifts from encrypting data to exfiltrating it, and executing malicious software in the environment becomes largely irrelevant.

A blog post by Invictus Incident Response walks through a real-world “cloud ransomware” attack and the attacker’s approach: https://for528.com/cloud-ransom. That attack took place in an AWS environment, but the same tactics translate to other cloud providers. Its key elements give a preview of the TTPs we can expect in future cloud extortion campaigns.

First, the attacker must gain access to the environment. In the case documented by Invictus Incident Response, this was achieved through exposed credentials. Compromised credentials, whether long-lived API keys, service accounts, or regular user accounts, are likely to remain the primary access method. However they are exposed, the attacker needs credentials with enough permissions to exfiltrate data, or must use privilege escalation techniques to obtain those permissions.

Once the attacker has the necessary permissions, they conduct reconnaissance in the environment to identify the data they will exfiltrate and hold for ransom. Every major cloud provider offers object storage (AWS S3 buckets, Azure Storage accounts, Google Cloud Storage buckets, and so on), and these are the primary targets. Given the right permissions, the attacker can reach that storage directly through the console, a few CLI commands, or API calls. The attack then typically follows these high-level steps:

1. Enumerate storage contents to identify target data.
2. Download identified data from the environment.
3. Delete the downloaded data from the cloud environment (without versioning or retention protection on the storage, the deletion is unrecoverable unless a backup exists).
4. Create a ransom note within the targeted storage, informing the victim of the attack and providing contact information for ransom negotiation.
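The four steps above leave a recognizable trail in S3 data events: one principal lists a bucket, reads many objects, deletes them, then writes a small note-like object. The following detector is an added example written for this article, not code from the original post or from Invictus Incident Response. It runs over constructed, simplified CloudTrail-style records (the bucket, principals, keys and timestamps are made up) and flags a principal and bucket pair only when the stages occur in that order inside a time window:

```python
# Added example (not from the original post): flag the enumerate ->
# download -> delete -> ransom-note sequence in CloudTrail S3 data events.
# The records below are constructed, simplified CloudTrail-like dicts;
# real events carry many more fields. Bucket and principal names are made up.
import re
from collections import defaultdict
from datetime import datetime, timedelta

ATTACKER_ARN = "arn:aws:iam::123456789012:user/ci-export-key"  # a leaked long-lived key
BACKUP_ARN = "arn:aws:sts::123456789012:assumed-role/backup-job/i-0abc"
BUCKET = "acme-customer-exports"

# Object keys that look like a ransom note dropped into the bucket.
NOTE_KEY = re.compile(r"(ransom|read[_ -]?me|recover|restore|decrypt)", re.I)


def _ev(time, arn, name, bucket, key=None, keys=None):
    """Build one constructed CloudTrail-style record."""
    params = {"bucketName": bucket}
    if key is not None:
        params["key"] = key
    if keys is not None:  # bulk DeleteObjects lists its keys under delete.objects
        params["delete"] = {"objects": [{"key": k} for k in keys]}
    return {"eventTime": time, "eventSource": "s3.amazonaws.com",
            "eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": params}


SAMPLE_EVENTS = [
    # benign nightly backup: lists and reads, never deletes
    _ev("2023-07-10T01:00:00Z", BACKUP_ARN, "ListObjectsV2", BUCKET),
    _ev("2023-07-10T01:00:05Z", BACKUP_ARN, "GetObject", BUCKET, key="exports/2023-06.csv"),
    _ev("2023-07-10T01:00:06Z", BACKUP_ARN, "GetObject", BUCKET, key="exports/2023-05.csv"),
    _ev("2023-07-10T01:00:07Z", BACKUP_ARN, "GetObject", BUCKET, key="exports/2023-04.csv"),
    # attacker with the leaked key: enumerate, download, bulk delete, drop a note
    _ev("2023-07-10T02:00:00Z", ATTACKER_ARN, "ListObjectsV2", BUCKET),
    _ev("2023-07-10T02:01:10Z", ATTACKER_ARN, "GetObject", BUCKET, key="exports/2023-06.csv"),
    _ev("2023-07-10T02:01:12Z", ATTACKER_ARN, "GetObject", BUCKET, key="exports/2023-05.csv"),
    _ev("2023-07-10T02:01:15Z", ATTACKER_ARN, "GetObject", BUCKET, key="exports/2023-04.csv"),
    _ev("2023-07-10T02:09:00Z", ATTACKER_ARN, "DeleteObjects", BUCKET,
        keys=["exports/2023-06.csv", "exports/2023-05.csv", "exports/2023-04.csv"]),
    _ev("2023-07-10T02:09:30Z", ATTACKER_ARN, "PutObject", BUCKET, key="README_TO_RECOVER_FILES.txt"),
]


def _parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _deleted_keys(event):
    """DeleteObject names one key; DeleteObjects (multi-object delete) names a list."""
    params = event.get("requestParameters", {})
    if event["eventName"] == "DeleteObjects":
        return [o["key"] for o in params.get("delete", {}).get("objects", [])]
    if event["eventName"] == "DeleteObject":
        return [params["key"]]
    return []


def find_extortion_sequences(events, window=timedelta(hours=2), min_gets=3, min_deletes=3):
    """Return one finding per (principal, bucket) whose events, in order, show a
    listing, >= min_gets downloads, >= min_deletes deletions and then a note-like
    PutObject, all inside `window` of the first listing."""
    groups = defaultdict(list)
    for ev in events:
        bucket = ev.get("requestParameters", {}).get("bucketName")
        if ev.get("eventSource") == "s3.amazonaws.com" and bucket:
            groups[(ev["userIdentity"]["arn"], bucket)].append(ev)

    findings = []
    for (principal, bucket), evs in groups.items():
        evs.sort(key=lambda e: _parse_time(e["eventTime"]))
        listed = first_get = first_delete = None
        gets = deletes = 0
        note_key = None
        for ev in evs:
            t, name = _parse_time(ev["eventTime"]), ev["eventName"]
            if name in ("ListObjects", "ListObjectsV2"):
                listed = listed or t
            elif name == "GetObject" and listed:          # stage 2 only counts after stage 1
                gets += 1
                first_get = first_get or t
            elif name in ("DeleteObject", "DeleteObjects") and first_get:
                n = len(_deleted_keys(ev))
                if n:
                    deletes += n
                    first_delete = first_delete or t
            elif name == "PutObject" and first_delete and note_key is None:
                key = ev["requestParameters"].get("key", "")
                if NOTE_KEY.search(key):
                    note_key = key
        if (listed and gets >= min_gets and deletes >= min_deletes and note_key
                and _parse_time(evs[-1]["eventTime"]) - listed <= window):
            findings.append({"principal": principal, "bucket": bucket,
                             "downloaded": gets, "deleted": deletes,
                             "note_key": note_key, "first_seen": evs[0]["eventTime"]})
    return findings


if __name__ == "__main__":
    for f in find_extortion_sequences(SAMPLE_EVENTS):
        print(f"ALERT {f['principal']} on s3://{f['bucket']}: "
              f"{f['downloaded']} downloads, {f['deleted']} deletes, note {f['note_key']!r}")
```

Two caveats for anyone adapting this: CloudTrail only records object-level operations such as GetObject, DeleteObject and PutObject when S3 data events are enabled for the trail, so a trail with management events alone will never show stages 2 to 4; and the thresholds and window are assumptions that need tuning, since a patient attacker can spread the steps over days and a legitimate cleanup job can look like stage 3 in isolation.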

These are the basic TTPs we can expect in cloud ransomware attacks. The attacker may take additional steps to improve their odds; Invictus Incident Response, for instance, observed persistence being established through the creation of new user accounts. Which additional TTPs appear will largely depend on a) the permissions obtained during initial access or privilege escalation and b) the sophistication of the attacker. Only time and public reporting will reveal the full scope of ransomware’s evolution in the cloud.

While the threat landscape of cloud ransomware is still largely uncharted, there are numerous measures we can take to mitigate the risk of an attack and prepare for situations where our defenses might falter. From a defense standpoint, a few key actions should be prioritized.

Source: betanews.com

First, understand your identity and access management (IAM) configuration and make sure permissions follow the principle of least privilege. Treat API keys and service accounts the same way: never hard-code them into source code, and do not grant them more permissions than their job needs. Since initial access through compromised credentials is the critical first step in these attacks, securing accounts is the best place to start reducing the risk.

Second, secure and back up your data. As with IAM, restricting access to data, especially sensitive data, limits what a threat actor can do after getting into the cloud environment. Cloud providers also offer controls that specifically reduce the risk of data exfiltration, modification, or deletion. S3, for instance, offers Object Lock, which prevents object versions from being deleted or overwritten for a retention period or while a legal hold is in place (it requires versioning on the bucket, and in compliance mode the lock cannot be removed by any user until the retention period expires): https://for528.com/aws-lock. Look for the equivalent protective controls your vendor offers for storage accounts. Backups belong in a separate system, ideally a separate account, so that a compromise of the primary environment does not also reach the backup. A backup will not remove the threat of leakage once data has been stolen, but it allows deleted data to be recovered and operations to resume more quickly. All major cloud providers offer backup services.
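To make the two preceding points concrete, the following is an added example written for this article, not code from the original post or from AWS. It is a deliberately reduced model of identity-based IAM policy evaluation (Effect, Action and Resource with wildcards; an explicit Deny beats any Allow; anything not allowed is denied) and it ignores Condition keys, NotAction/NotResource, bucket policies, SCPs and session policies, so it is for reasoning about policies rather than a substitute for the IAM policy simulator. The policies, bucket name and keys are constructed. It maps the four attack steps onto the S3 actions each needs and compares an over-permissioned key, a least-privilege key for a job that only writes exports, and the over-permissioned key with a deny guardrail attached:

```python
# Added example (not from the original post): a reduced model of identity-based
# IAM policy evaluation used to compare policies against the four attack steps.
# Simplifications: no Condition, NotAction/NotResource, resource policies, SCPs
# or session policies. Policies, bucket and keys are constructed.
import fnmatch

BUCKET = "acme-customer-exports"
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"


def _match(patterns, value):
    """IAM-style matching: '*' and '?' wildcards, case-insensitive."""
    pats = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in pats)


def is_allowed(policies, action, resource):
    """Evaluate every statement of every attached policy together, as IAM does
    for multiple identity policies on one principal: explicit Deny always wins,
    otherwise an Allow is required, otherwise implicit deny."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if _match(stmt["Action"], action) and _match(stmt["Resource"], resource):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def extortion_steps(policies, bucket=BUCKET, data_key="exports/2023-06.csv",
                    note_key="README_TO_RECOVER_FILES.txt"):
    """Which of the four steps from the text can this principal perform?"""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "enumerate": is_allowed(policies, "s3:ListBucket", bucket_arn),
        "download": is_allowed(policies, "s3:GetObject", f"{bucket_arn}/{data_key}"),
        "delete": is_allowed(policies, "s3:DeleteObject", f"{bucket_arn}/{data_key}"),
        "drop_note": is_allowed(policies, "s3:PutObject", f"{bucket_arn}/{note_key}"),
    }


# What a leaked "it just needs S3" key too often carries.
OVERPERMISSIONED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Least privilege for a job whose only task is to write new export files.
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/exports/*"}]}

# Guardrail attached alongside whatever else the principal has: no deletes, and
# no tampering with the versioning and Object Lock settings that protect versions.
DENY_DESTRUCTIVE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
                "s3:PutBucketVersioning", "s3:PutBucketObjectLockConfiguration"],
     "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]}]}


if __name__ == "__main__":
    for label, pols in [("s3:* key", [OVERPERMISSIONED]),
                        ("least-privilege key", [LEAST_PRIVILEGE]),
                        ("s3:* key + deny guardrail", [OVERPERMISSIONED, DENY_DESTRUCTIVE])]:
        print(f"{label:28s} {extortion_steps(pols)}")
```

The output makes the trade-off in the text visible: the least-privilege key can list the bucket but can neither read, delete, nor drop a note at the bucket root, while the deny guardrail on the over-permissioned key blocks the deletion step but leaves downloading, and therefore the leakage threat, untouched. Note also that a Deny in an identity policy can be detached by a compromised principal that holds IAM write permissions; a guardrail that the principal cannot remove belongs in a bucket policy or an SCP, which this simplified model does not evaluate.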

These are just a few key steps to defend against a cloud ransomware attack, or at least to limit its impact; many more controls can be enabled. Most cloud vendors publish guidance on securing data. AWS recently released the AWS Blueprint for Ransomware Defense, which maps AWS services and features to the CIS Critical Security Controls safeguards selected in the Ransomware Task Force’s Blueprint for Ransomware Defense. For Azure, FOR528 course author Ryan Chapman has published tips for both defending against and responding to ransomware in Azure environments: https://for528.com/azure. Whatever your platform, look into the provider’s defensive controls that counter the TTPs discussed above.

Conclusion

In this article, we have explored the progression of ransomware into cloud environments, the tactics, techniques, and procedures (TTPs) employed by threat actors, and how we can safeguard against and prepare for such attacks. Cloud ransomware is a relatively new phenomenon, but given the rise of ransomware attacks in recent years and the ongoing shift to the cloud, threat actors are likely to keep evolving in this direction.

As we gain more understanding of these threat actors’ operations, we’ll be better equipped to defend against their attacks. However, there are already steps we can take to prepare for a possible surge in cloud ransomware incidents.
