SANS Institute Warns of Novel Cloud-Native Ransomware Attacks


Mar 17, 2025 | The Hacker News | Cloud Security / Threat Intelligence

The latest Palo Alto Networks Unit 42 Cloud Threat Report found that sensitive data is present in 66% of cloud storage buckets. This data is vulnerable to ransomware attacks. The SANS Institute recently reported that these attacks can be carried out by abusing the cloud provider’s storage security controls and default settings.

“In just the past few months, I’ve witnessed two different techniques for executing a ransomware attack using nothing but legitimate cloud security features,” warns Brandon Evans, security consultant and SANS Certified Instructor. Halcyon disclosed an attack campaign that leveraged one of Amazon S3’s native encryption mechanisms, SSE-C, to encrypt each of the target buckets. A few months prior, security consultant Chris Farris demonstrated how attackers could perform a similar attack using a different AWS security feature, KMS keys with external key material, using simple scripts generated by ChatGPT. “Clearly, this topic is top-of-mind for both threat actors and researchers alike,” notes Brandon.

To address cloud ransomware, SANS recommends that organizations:

  1. Understand the power and limitations of cloud security controls: Using the cloud doesn’t automatically make your data safe. “The first cloud services most people use are file backup solutions like OneDrive, Dropbox, iCloud, and others,” explains Brandon. “While these services usually have file recovery capabilities enabled by default, this isn’t the case for Amazon S3, Azure Storage, or Google Cloud Storage. It’s critical for security professionals to understand how these services work and not assume that the cloud will save them.”
  2. Block unsupported cloud encryption methods: AWS S3 SSE-C, AWS KMS external key material, and similar encryption methods can be abused because the attacker has full control over the keys. Organizations can use Identity and Access Management (IAM) policies to mandate the encryption method used by S3, such as SSE-KMS using key material hosted in AWS.
  3. Enable backups, object versioning, and object locking: These are some of the integrity and availability controls for cloud storage. None of them are enabled by default for any of the Big 3 cloud providers. If used properly, they can increase the chances that an organization can recover its data after a ransomware attack.
  4. Balance security and cost with data lifecycle policies: These security features cost money. “The cloud providers are not going to host your data versions or backups for free. At the same time, your organization isn’t going to give you a blank check for data protection,” says Brandon. Each of the Big 3 cloud providers allows customers to define a lifecycle policy. These policies allow organizations to automatically delete objects, versions, and backups when they’re no longer considered necessary. Remember, however, that attackers can leverage lifecycle policies as well. They were used in the previously mentioned attack campaign to pressure the target into paying the ransom quickly.
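As an added illustration of the guardrail in item 2 (this is example policy, not from the article or from SANS), the S3 bucket policy below denies uploads that use SSE-C, uploads that carry no server-side-encryption header, uploads that use anything other than SSE-KMS, and SSE-KMS uploads that do not name one approved KMS key. The bucket name, account ID, region and key ID are placeholders; the approved key is assumed to be one whose material was generated inside KMS, which is what keeps attacker-controlled keys, including KMS keys with imported external material, out of the write path.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySSEC",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
      }
    },
    {
      "Sid": "DenyMissingEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "Null": {"s3:x-amz-server-side-encryption": "true"}
      }
    },
    {
      "Sid": "DenyNonKmsEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}
      }
    },
    {
      "Sid": "DenyUnapprovedKmsKey",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption-aws-kms-key-id":
            "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"
        }
      }
    }
  ]
}
```

Bucket policies are evaluated against the request headers, so clients must send the encryption headers explicitly: a PutObject that relies only on the bucket’s default encryption carries no header and is denied by this policy. Setting the bucket’s default encryption to the same approved key keeps the configuration consistent for clients that do send the headers.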

To learn more, watch Brandon’s webcast, “The Cloud Won't Save You from Ransomware: Here's What Will”, by visiting https://www.sans.org/webcasts/cloud-wont-save-you-from-ransomware-heres-what-will/

Interested in more techniques for mitigating attacks in the Big 3 cloud providers? Check out Brandon’s course, SEC510: Cloud Security Controls and Mitigations, at SANS 2025 in Orlando or Live Online this April. This course will also be available with Brandon later in the year in Baltimore, MD in June or Washington, DC in July.

This article is a contributed piece from one of our valued partners.
