Sign up for our newsletter
Technology / Cybersecurity

Ransomcloud: How and why ransomware is targeting the cloud

Drawn to the wealth of data stored in the cloud, criminals are developing 'ransomcloud' malware that targets cloud services.

Ransomware attacks have terrorised businesses and governments in the past 18 months. As organisations move more of their data into the cloud, criminals are turning their attention to so-called ‘ransomcloud’ attacks, which seek to compromise data stored in cloud services. These attacks come in a few different forms, each of which demands different precautions. And as long as the ongoing ransomware spree continues, experts warn, the sophistication of ransomware attacks targeting the cloud will continue to evolve.

ransomcloud
Businesses are increasingly using the cloud to store sensitive, making it an attractive target for ransomware attacks (Image: sestovic / iStock)

What is ransomcloud?

‘Ransomcloud’ refers to a certain type of ransomware attack that targets data in the cloud. “As data moves to the cloud, ransomware follows,” says Sergio Loureiro, cloud security product director at Swedish security company Outpost24. “Potentially attackers can find much more data, therefore getting to the cloud data is the holy grail for attackers.”

That data is increasingly valuable. In its State of the Cloud 2021 survey of 750 cloud decision makers, IT management software vendor Flexera found that at least 50% of cloud-using organisations plan to store sensitive data, including consumer and financial data, at least partly on public cloud services in future.

White papers from our partners

Given the prize on offer, cybercriminals are increasingly developing malware to target cloud computing services. “Based on our research, malware continues to evolve to target cloud environments more effectively, indicating continued investment in cloud targeting by threat actors," says Charles DeBeck, an analyst at IBM's threat intelligence division X-Force.

Unsurprisingly, given the opportunity to steal or encrypt data, cloud-based storage services are by far the most common target for hackers, researchers at NetSkope Threat Labs.

And ransomware, in particular, is increasingly being used to target the cloud. Along with crypto-mining software, ransomware accounted for over 50% of detected system compromises affecting cloud environments in the past year, says X-Force's DeBeck.

How does ransomcloud work?

A 2019 article by IT provider ProSource identified three forms of ransomware attack on the cloud. In the first and most common kind, the ransomware initially compromises a victim's local device, then spreads to the cloud when their data syncs with a cloud storage service.

“If an organisation uses cloud services for data storage or back-ups and... if the data is synced to the cloud storage, the files are just as susceptible to encryption as if they did not use the cloud at all,” explains Erich Kron, security awareness advocate at Knowb4.

To protect against this kind of attack, ProSource recommends end-point security best practices such as anti-virus and regular patching.

In the second form of ransomcloud attack, criminals get direct access to an organisation's cloud systems through phishing, then encrypt or extract their contents. Defence against this kind of attack requires effective phishing defences, including employee training, says ProSource.

Attackers are putting a target on cloud providers because they know that if they can infect the provider's infrastructure, they can then encrypt huge amounts of customer data.
Erich Kron, Knowb4

The third kind of attack directly targets a particular cloud provider, to get access to its customers' data. “Attackers are putting a target on cloud providers because they know that if they can infect the provider's infrastructure, they can then encrypt huge amounts of customer data through a single infection," says Knowb4's Kron.

In 2019, DDS Safe, a US cloud-based back-up and storage provider for dentistry practices, was infected with the REvil ransomware strain. According to CNN, an estimated 400 dentistry offices were unable to access patient records or financial ledgers following the attack.

Here, ProSource advises that companies ensure their cloud providers have ransomware protections in place, and create business continuity plans in case cloud-based data is unavailable.

Who is responsible for protecting data in the cloud from ransomware?

One factor that complicates protecting against ransomcloud attacks is that responsibility for the data stored in cloud service is often shared between the cloud provider and the customer. While a cloud provider is responsible for ensuring that data cannot be accessed without legitimate credentials, they may not take responsibility for what happens if those credentials are stolen from a customer.

“You've got that shared responsibility with the cloud providers and actually [customers] are responsible for a lot of it, depending on the kind of services you are taking," explains Bharat Mistry, technical director for UK & Ireland at IT security vendor Trend Micro Europe.

As a result, businesses might assume that a cloud provider is responsible for security measures, when these are in fact their own responsibility. Cloud users should therefore check carefully which security precautions are included in their providers' offerings. “You need to understand what they're providing you and then what you need to build on top of that,” stresses Mistry.

Most cloud security breaches result from weak policies or practices on the part of cloud buyers, says X-Force's DeBeck. "The most common ways attackers are infiltrating businesses is by taking advantage of a 'misstep' on the business's side, such as an improperly configured asset, exploiting weak passwords or policy controls," he explains.

But businesses' ability to apply cloud security best practices is not helped by the complexity of their cloud environments, he adds. "Complex infrastructures and lack of cloud security expertise are contributing to old tactics by cybercriminals succeeding even today."

This is borne out in Flexera's finding that security persists as challenge even as an organisation's cloud maturity grows. Buyers should modernise their cloud infrastructure to be "more interoperable and open, enabling security teams better visibility and speedier responses," DeBeck argues.

Despite the efforts of US president Joe Biden and international law enforcement, the ransomware threat is far from over. Until it is, ransomcloud threats are likely to grow in sophistication as criminals develop their techniques, warns DeBeck. “As long as business cloud environments remain complex and fragmented, adversaries will rely on these to move laterally through networks and deploy ransomware," he says. “[And] as long as ransomware continues to be profitable for threat actors, I expect this threat to remain relatively constant."

Claudia Glover

Reporter

Claudia Glover is a staff reporter on Tech Monitor.