The latest Palo Alto Networks Unit 42 Cloud Threat Report found that sensitive data is present in 66% of cloud storage buckets. That data is exposed to ransomware attacks. The SANS Institute recently reported that these attacks can be carried out by abusing the cloud provider's own storage security controls and default settings.
“In just the past few months, I've witnessed two different methods for executing a ransomware attack using nothing but legitimate cloud security features,” warns Brandon Evans, security consultant and SANS Certified Instructor. Halcyon disclosed an attack campaign that leveraged one of Amazon S3's native encryption mechanisms, SSE-C, to encrypt each of the target buckets. Several months prior, security consultant Chris Farris demonstrated how attackers could perform a similar attack using a different AWS security feature, KMS keys with external key material, using simple scripts generated by ChatGPT. “Clearly, this topic is top-of-mind for both threat actors and researchers alike,” notes Brandon.
To address cloud ransomware, SANS recommends that organizations:
- Understand the power and limitations of cloud security controls: Using the cloud doesn't automatically make your data safe. “The first cloud services most people use are file backup solutions like OneDrive, Dropbox, iCloud, and others,” explains Brandon. “While these services usually have file recovery capabilities enabled by default, this isn't the case for Amazon S3, Azure Storage, or Google Cloud Storage. It's critical for security professionals to understand how these services work and not assume that the cloud will save them.”
- Block unsupported cloud encryption methods: AWS S3 SSE-C, AWS KMS external key material, and similar encryption techniques can be abused because the attacker, not AWS, holds the key material: with SSE-C the key is supplied on every request and never stored by S3, and with external key material the imported key can be deleted or withheld, so the victim has nothing to recover the data with. Organizations can use Identity and Access Management (IAM) policies to mandate the encryption method used by S3, such as SSE-KMS using key material hosted in AWS.
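As an added example (not code from SANS or the research cited above), the bucket policy below denies writes that use SSE-C, that use anything other than SSE-KMS, or that name a KMS key other than the organization's own key. The S3 condition keys are the real ones; the bucket name and key ARN are placeholders. The small evaluator under the policy is a simplified model of how IAM treats these operators, included only so the effect on different PutObject requests can be checked offline; it is not the IAM engine.

```python
"""Bucket policy that denies writes unless they use SSE-KMS with the organization's
own key, plus a small model of how IAM evaluates the Deny conditions so the
effect on different PutObject requests can be checked offline."""

# Placeholder identifiers (assumptions for this example).
BUCKET_ARN = "arn:aws:s3:::example-bucket"
ORG_KMS_KEY_ARN = ("arn:aws:kms:us-east-1:111122223333:key/"
                   "1234abcd-12ab-34cd-56ef-1234567890ab")

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # SSE-C requests carry a customer-algorithm header; deny whenever it is present.
            "Sid": "DenySSEC",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"Null": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        },
        {   # Anything other than SSE-KMS (SSE-S3 'AES256', or no header at all) is denied.
            "Sid": "DenyNonKMS",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # Pin the KMS key, so a key the attacker created (for example with
            # imported external material) cannot be substituted for the org's key.
            "Sid": "DenyForeignKMSKey",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption-aws-kms-key-id": ORG_KMS_KEY_ARN}},
        },
    ],
}


def _condition_holds(operator, key, expected, context):
    """Simplified IAM semantics for the operators used above.
    Negated operators (StringNotEquals) and Null:true match when the key is
    absent from the request context, which is what makes 'no header' a denial."""
    actual = context.get(key)
    expected = expected if isinstance(expected, list) else [expected]
    if operator == "StringEquals":
        return actual is not None and actual in expected
    if operator == "StringNotEquals":
        return actual is None or actual not in expected
    if operator == "Null":
        return (actual is None) == (str(expected[0]).lower() == "true")
    raise ValueError(f"operator {operator} not modelled")


def denying_statements(policy, action, context):
    """Sids of Deny statements whose conditions all hold for this request.
    An empty list means this policy does not block the request (an Allow
    elsewhere is still needed for it to succeed)."""
    hits = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Deny" or action not in actions:
            continue
        conds = stmt.get("Condition", {})
        if all(_condition_holds(op, k, v, context)
               for op, pairs in conds.items() for k, v in pairs.items()):
            hits.append(stmt["Sid"])
    return hits


def evaluate_put(headers):
    """Map PutObject request headers to S3 condition keys and evaluate the policy."""
    context = {f"s3:{name.lower()}": value for name, value in headers.items()}
    return denying_statements(BUCKET_POLICY, "s3:PutObject", context)


if __name__ == "__main__":
    cases = {
        "SSE-C (attacker-held key)": {"x-amz-server-side-encryption-customer-algorithm": "AES256"},
        "SSE-S3": {"x-amz-server-side-encryption": "AES256"},
        "no encryption header": {},
        "SSE-KMS, attacker's key": {"x-amz-server-side-encryption": "aws:kms",
                                    "x-amz-server-side-encryption-aws-kms-key-id":
                                        "arn:aws:kms:us-east-1:111122223333:key/attacker"},
        "SSE-KMS, org key": {"x-amz-server-side-encryption": "aws:kms",
                             "x-amz-server-side-encryption-aws-kms-key-id": ORG_KMS_KEY_ARN},
    }
    for label, hdrs in cases.items():
        denied = evaluate_put(hdrs)
        print(f"{label:<26} -> {'DENIED by ' + ', '.join(denied) if denied else 'not denied'}")
```

Three caveats when deploying something like this. First, the conditions are evaluated on the request headers, not on the bucket's default-encryption setting, so a client that sends no encryption header at all is denied by DenyNonKMS, and a client that sends aws:kms without naming the key is denied by DenyForeignKMSKey; either make clients send both headers or drop those statements and rely on default encryption plus DenySSEC. Second, a bucket policy can be rewritten by any principal with s3:PutBucketPolicy, so the same Deny statements belong in a service control policy as well. Third, this blocks the re-encryption trick only; an attacker with write access can still overwrite or delete objects, which is what the versioning and object lock controls below are for.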
- Enable backups, object versioning, and object locking: These are some of the integrity and availability controls for cloud storage. None of them are enabled by default for any of the Big 3 cloud providers. If used properly, they improve the chances that an organization can recover its data after a ransomware attack. Note that versioning alone is not enough against an attacker who holds delete permissions, since old versions can be deleted too; object locking is what prevents a version from being removed before its retention period ends.
- Balance security and cost with data lifecycle policies: These security features cost money. “The cloud providers are not going to host your data versions or backups for free. At the same time, your organization isn't going to give you a blank check for data protection,” says Brandon. Each of the Big 3 cloud providers allows customers to define a lifecycle policy. These policies allow organizations to automatically delete objects, versions, and backups when they are no longer considered necessary. Keep in mind, however, that attackers can leverage lifecycle policies as well. They were used in the previously mentioned attack campaign to pressure the target into paying the ransom quickly.
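The recommendations above are preventive. As an added example (not from SANS or the cited researchers), the script below shows the detection side: it scans CloudTrail-style events for the indicators the two campaigns leave behind, namely SSE-C writes, KMS keys created with external key material, a short lifecycle expiration on a bucket, and versioning being suspended. The events are constructed for illustration and follow CloudTrail's record format as I understand it (`SSEApplied` in `additionalEventData` for S3 data events, `requestParameters` for the bucket and KMS control-plane calls); the 30-day threshold is an assumption to tune.

```python
"""Flag CloudTrail events associated with the cloud-native ransomware techniques
described above (SSE-C writes, KMS keys with external key material, short
lifecycle expirations, versioning suspended). Sample events are constructed
for illustration; field names follow CloudTrail's record format."""

SHORT_EXPIRATION_DAYS = 30  # assumption: anything at or below this gets a look

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-14T02:11:08Z", "eventSource": "s3.amazonaws.com",
     "eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "example-bucket", "key": "finance/q1.xlsx"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-14T02:11:09Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
     "requestParameters": {"bucketName": "example-bucket", "key": "uploads/a.png"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-01-14T02:12:40Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "example-bucket",
                           "LifecycleConfiguration": {"Rule": {
                               "ID": "expire", "Status": "Enabled",
                               "Filter": {"Prefix": ""}, "Expiration": {"Days": 7}}}}},
    {"eventTime": "2025-01-14T02:13:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketVersioning",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "example-bucket",
                           "VersioningConfiguration": {"Status": "Suspended"}}},
    {"eventTime": "2025-01-14T02:15:30Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CreateKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"origin": "EXTERNAL", "keyUsage": "ENCRYPT_DECRYPT"}},
    {"eventTime": "2025-01-10T09:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLifecycle",   # benign housekeeping rule, no Expiration
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/storage-admin"},
     "requestParameters": {"bucketName": "example-bucket",
                           "LifecycleConfiguration": {"Rule": [
                               {"ID": "old-versions", "Status": "Enabled",
                                "Filter": {"Prefix": ""},
                                "NoncurrentVersionExpiration": {"NoncurrentDays": 90}}]}}},
]


def _lifecycle_rules(params):
    """A single rule is recorded as a dict and several as a list; normalise to a list."""
    rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
    return rules if isinstance(rules, list) else [rules]


def classify(event):
    """Return (rule_name, detail) if the event matches an indicator, else None."""
    src, name = event.get("eventSource"), event.get("eventName")
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    if src == "s3.amazonaws.com":
        if name in ("PutObject", "CopyObject") and extra.get("SSEApplied") == "SSE_C":
            return "sse-c-write", f"{params.get('bucketName')}/{params.get('key')}"
        if name == "PutBucketLifecycle":
            for rule in _lifecycle_rules(params):
                days = rule.get("Expiration", {}).get("Days")
                if rule.get("Status") == "Enabled" and days is not None \
                        and days <= SHORT_EXPIRATION_DAYS:
                    return "short-lifecycle-expiration", \
                        f"{params.get('bucketName')} objects expire in {days} days"
        if name == "PutBucketVersioning" and \
                params.get("VersioningConfiguration", {}).get("Status") == "Suspended":
            return "versioning-suspended", params.get("bucketName")
    if src == "kms.amazonaws.com":
        if name == "CreateKey" and str(params.get("origin", "")).upper() == "EXTERNAL":
            return "kms-external-key-material", "CreateKey with Origin=EXTERNAL"
        if name == "ImportKeyMaterial":
            return "kms-external-key-material", "ImportKeyMaterial"
    return None


def scan(events):
    """Run every event through classify() and collect the findings in order."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({"time": ev["eventTime"], "actor": ev["userIdentity"]["arn"],
                             "rule": hit[0], "detail": hit[1]})
    return findings


def actors_with_multiple_indicators(findings, minimum=2):
    """Principals that tripped at least `minimum` distinct rules: the strongest signal,
    since a single indicator (one short lifecycle rule, say) is often legitimate."""
    per_actor = {}
    for f in findings:
        per_actor.setdefault(f["actor"], set()).add(f["rule"])
    return sorted(a for a, rules in per_actor.items() if len(rules) >= minimum)


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['time']} {f['rule']:<28} {f['actor']} {f['detail']}")
    print("escalate:", actors_with_multiple_indicators(results))
```

On the constructed input, the single principal that encrypts with SSE-C, sets a 7-day expiration, suspends versioning and creates an external-material KMS key is the one escalated, while the storage admin's 90-day noncurrent-version cleanup is not flagged. In practice, feed this the S3 data events and management events from your trail; the SSE-C indicator in particular is only visible if data events are logged for the buckets in question.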
To learn more, watch Brandon's webcast, “The Cloud Won't Save You from Ransomware: Here's What Will”, by visiting https://www.sans.org/webcasts/cloud-wont-save-you-from-ransomware-heres-what-will/
Interested in additional tactics for mitigating attacks in the Big 3 cloud providers? Check out Brandon's course, SEC510: Cloud Security Controls and Mitigations, at SANS 2025 in Orlando or Live Online this April. This course is also available with Brandon later in the year in Baltimore, MD in June or Washington, DC in July.