SANS Institute Warns of Novel Cloud-Native Ransomware Attacks


Mar 17, 2025 | The Hacker News | Cloud Security / Threat Intelligence


The latest Palo Alto Networks Unit 42 Cloud Threat Report found that sensitive data is present in 66% of cloud storage buckets. This data is vulnerable to ransomware attacks. The SANS Institute recently reported that these attacks can be carried out by abusing the cloud provider’s storage security controls and default settings.

“In just the past few months, I’ve witnessed two different methods for executing a ransomware attack using nothing but legitimate cloud security features,” warns Brandon Evans, security consultant and SANS Certified Instructor. Halcyon disclosed an attack campaign that leveraged one of Amazon S3’s native encryption mechanisms, SSE-C, to encrypt each of the target buckets. A few months prior, security consultant Chris Farris demonstrated how attackers could perform a similar attack using a different AWS security feature, KMS keys with external key material, using simple scripts generated by ChatGPT. “Clearly, this topic is top-of-mind for both threat actors and researchers alike,” notes Brandon.

To address cloud ransomware, SANS recommends that organizations:

  1. Understand the power and limitations of cloud security controls: Using the cloud doesn’t automatically make your data safe. “The first cloud services most people use are file backup solutions like OneDrive, Dropbox, iCloud, and others,” explains Brandon. “While these services usually have file recovery capabilities enabled by default, this isn’t the case for Amazon S3, Azure Storage, or Google Cloud Storage. It’s important for security professionals to understand how these services work and not assume that the cloud will save them.”
  2. Block unsupported cloud encryption methods: AWS S3 SSE-C, AWS KMS external key material, and similar encryption techniques can be abused because the attacker has full control over the keys. Organizations can use Identity and Access Management (IAM) policies to mandate the encryption method used by S3, such as SSE-KMS using key material hosted in AWS.
  3. Enable backups, object versioning, and object locking: These are some of the integrity and availability controls for cloud storage. None of them are enabled by default for any of the Big 3 cloud providers. If used properly, they can increase the chances that an organization can recover its data after a ransomware attack.
  4. Balance security and cost with data lifecycle policies: These security features cost money. “The cloud providers aren’t going to host your data versions or backups for free. At the same time, your organization isn’t going to give you a blank check for data security,” says Brandon. Each of the Big 3 cloud providers allows customers to define a lifecycle policy. These policies allow organizations to automatically delete objects, versions, and backups when they’re no longer considered necessary. Bear in mind, however, that attackers can leverage lifecycle policies as well. They were used in the previously mentioned attack campaign to induce the target to pay the ransom quickly.
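
One way to apply recommendation 2, shown as an added example that is not from the article or from SANS: an S3 bucket policy (a resource-based policy) that denies uploads using SSE-C and mandates SSE-KMS, plus a simplified evaluator that shows which constructed sample requests each statement rejects. The bucket name, the statement Sids and the `denied_by` helper are assumptions for illustration.

```python
import json

BUCKET = "example-bucket"  # assumed placeholder name, not from the article
RESOURCE = f"arn:aws:s3:::{BUCKET}/*"

def deny(sid, operator, key, value):
    """Build one Deny statement for s3:PutObject with a single condition."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": RESOURCE,
            "Condition": {operator: {key: value}}}

SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"
SSE_KEY = "s3:x-amz-server-side-encryption"

POLICY = {"Version": "2012-10-17", "Statement": [
    # Null/"false" matches when the SSE-C header IS present in the request.
    deny("DenySSEC", "Null", SSE_C_KEY, "false"),
    # Matches any upload that does not explicitly request SSE-KMS.
    deny("RequireSSEKMS", "StringNotEquals", SSE_KEY, "aws:kms"),
]}

def denied_by(policy, request_keys):
    """Return the Sids of Deny statements that match a PutObject request.

    Simplified model covering only the two operators used above;
    request_keys maps condition keys to the values sent by the client.
    """
    hits = []
    for stmt in policy["Statement"]:
        matched = True
        for operator, conditions in stmt["Condition"].items():
            for key, wanted in conditions.items():
                actual = request_keys.get(key)
                if operator == "Null":
                    matched &= (actual is None) == (wanted == "true")
                elif operator == "StringNotEquals":
                    # A missing key satisfies a negated operator in IAM.
                    matched &= actual != wanted
        if matched:
            hits.append(stmt["Sid"])
    return hits

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))  # paste-ready bucket policy JSON
    # Constructed sample requests (condition keys derived from headers).
    for name, keys in [("SSE-C", {SSE_C_KEY: "AES256"}),
                       ("SSE-KMS", {SSE_KEY: "aws:kms"}),
                       ("no header", {})]:
        print(name, "->", denied_by(POLICY, keys) or "not denied")
```

The `RequireSSEKMS` statement also rejects clients that send no encryption header and rely on the bucket's default encryption, so roll it out only after uploaders set the header explicitly.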

To learn more, watch Brandon’s webcast, “The Cloud Won’t Save You from Ransomware: Here’s What Will”, by visiting https://www.sans.org/webcasts/cloud-wont-save-you-from-ransomware-heres-what-will/

Interested in additional tactics for mitigating attacks in the Big 3 cloud providers? Check out Brandon’s course, SEC510: Cloud Security Controls and Mitigations at SANS 2025 in Orlando or Live Online this April. This course is also available with Brandon later in the year in Baltimore, MD in June or Washington, DC in July.

This article is a contributed piece from one of our valued partners.


