Ransomcloud: Ransomware's Latest Manifestation Targets the Cloud


Within the mob of malware, ransomware is leading the pack. While other malicious software ransacks computer systems, ransomware goes further by making demands. It’s the age-old tactic of extortion but re-enacted in the digital world. As we’ve become more dependent on the internet, the playing field for this particular strain of malware has expanded immeasurably. At the same time, cybersecurity threats are growing – in 2020, malware and ransomware attacks increased by 358% and 435%, respectively – and are outpacing societies’.

Though ransomware may have started as an opportunistic operation, it has since become an established criminal enterprise. Just as a legitimate business adapts to remain competitive, ransomware gangs do the same. The mass shift to the cloud is a prime example of this.

Cloud migration is not a new phenomenon, but the pandemic has certainly expedited it. To maintain business continuity, companies have transferred their digital assets and operations to a cloud computing environment, minimizing the use of on-premise databases. Unfortunately, cybercriminals have recognized this shift and the valuable data now held within the cloud, leading to ‘ransomcloud’ attacks.

Such attacks occur through three key methods: File sync piggybacking, remote connection with stolen credentials and attacking the cloud provider. Here is how these approaches work.

File Sync Piggybacking

The first type of ransomcloud attack leverages phishing to infect the victim’s local computer. However, contrary to popular belief, the malicious email attachment or link often does not contain the ransomware payload itself. Instead, it delivers a small dropper or loader that runs in the background and fetches and installs the malware.

Once on the system, the malware presents itself as a pop-up permission request that appears to come from trusted software. If the user approves, the malware activates and can spread across the network to any connected machine. As it spreads, it looks for file sync clients that mirror local folders to a cloud service. Once one is found, the ransomware piggybacks on the sync: every file it encrypts in the synced folder is uploaded over the clean cloud copy, so the threat actors reach, infect and encrypt data in the cloud without ever authenticating to it themselves.

If the organization has measures such as air gapping in place, the ransomware may be unable to find a route to the cloud and settle for a local infection instead. This is one reason attackers increasingly distribute malicious software through Google Drive, Slack, Microsoft Teams and similar applications, which sit between the cloud and on-premises devices. Once such an application is compromised, the impact is difficult to reverse. Cloud access security broker (CASB) tools help here, as they sit between the on-premises and cloud infrastructures and vet the traffic passing between them.
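The piggybacking above leaves a recognisable trace in the synced folder before the sync client uploads it: documents that suddenly have near-random content and an extra extension. The following is an added example (not code from the article) of a scan that compares the current folder against a known-good baseline listing and flags both indicators; the folder, the four sample "documents", the `.locked` rename, the entropy threshold and the alert ratio are all constructed assumptions for the demo.

```python
"""
Detect a ransomware encryption pass inside a local folder that a file-sync
client mirrors to the cloud. Two indicators per file are checked: Shannon
entropy of the content (encrypted data sits close to 8 bits/byte, plain
documents far lower) and a renamed file that shadows a known-good baseline
name, e.g. report.docx -> report.docx.locked. All paths, thresholds and the
sample documents are constructed for this demo.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits/byte; assumption: office documents and text sit well below this
ALERT_RATIO = 0.5         # alert when at least half the baseline files look encrypted or renamed


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(sync_dir: Path) -> set:
    """Baseline listing of relative file paths, taken while the folder is known-good."""
    return {p.relative_to(sync_dir).as_posix() for p in sync_dir.rglob("*") if p.is_file()}


def scan_sync_dir(sync_dir: Path, baseline: set) -> dict:
    """Return {'files': {relpath: [reasons]}, 'alert': bool} for the current folder state."""
    findings = {}
    for p in sync_dir.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(sync_dir).as_posix()
        reasons = []
        ent = shannon_entropy(p.read_bytes())
        if ent > ENTROPY_THRESHOLD:
            reasons.append(f"high entropy {ent:.2f} bits/byte")
        # A new file whose name is a baseline name plus an extra suffix is the classic rename.
        if rel not in baseline and any(rel.startswith(b + ".") for b in baseline):
            reasons.append("baseline file renamed with an extra extension")
        if reasons:
            findings[rel] = reasons
    ratio = len(findings) / len(baseline) if baseline else 0.0
    return {"files": findings, "alert": ratio >= ALERT_RATIO}


def build_demo_folder() -> Path:
    """Constructed sample: four low-entropy 'documents' in a temporary sync folder."""
    sync_dir = Path(tempfile.mkdtemp(prefix="sync-demo-"))
    for i in range(4):
        (sync_dir / f"report{i}.docx").write_bytes(
            b"".join(f"Q3 revenue summary, line {n}\n".encode() for n in range(200)))
    return sync_dir


def simulate_ransomware(sync_dir: Path, count: int = 3) -> None:
    """Stand-in for the encryption pass: overwrite with pseudo-random bytes and append .locked."""
    rng = random.Random(2021)  # seeded so the demo is repeatable
    for p in sorted(sync_dir.glob("*.docx"))[:count]:
        p.write_bytes(bytes(rng.getrandbits(8) for _ in range(4096)))
        p.rename(p.with_name(p.name + ".locked"))


def run_demo() -> tuple:
    """Scan before and after the simulated attack; the sync client would upload the 'after' state."""
    sync_dir = build_demo_folder()
    baseline = snapshot(sync_dir)
    before = scan_sync_dir(sync_dir, baseline)
    simulate_ransomware(sync_dir)
    after = scan_sync_dir(sync_dir, baseline)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before attack:", before)
    print("after attack:", after)
```

In practice the scan would run on a schedule or from a filesystem watcher against the real sync root, and the alert would pause the sync client so the encrypted copies are not pushed over the clean cloud versions.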

Remote Connection With Stolen Credentials

The second tactic sees threat actors monitor network connections for authentication attempts and capture the user’s cloud credentials, usually by presenting a fake login portal that masquerades as the real cloud platform or by logging keystrokes on the infected local computer. The captured login details are forwarded to a remote computer and automatically entered into the real cloud platform.

Because the keystrokes, including any one-time code the user types, are forwarded in real time, the criminals can log in at the same moment as the victim. This can defeat two-factor authentication based on one-time codes, since the relayed code is still inside its validity window. (Phishing-resistant methods such as FIDO2/WebAuthn security keys are not defeated this way, because the response is bound to the genuine site rather than being a code that can be retyped elsewhere.) The attackers now have a connection to the cloud with the same access as the cloned user.
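The relay described above produces a pattern the cloud platform's own sign-in log can reveal: the same account succeeding from two different source addresses within seconds. The following is an added example (not from the article) of that detection over a handful of constructed log lines; the log format (ISO timestamp, user, result, source IP, second factor), the addresses and the 60-second window are all assumptions for the demo.

```python
"""
Spot the login pattern a keystroke-relay attack produces: the same account
authenticating successfully from two different source IPs within a short
window, as the attacker replays the victim's freshly typed password and
one-time code from another machine. The log format (ISO timestamp, user,
result, source IP, second factor) and the lines themselves are constructed
for this demo, not taken from any real cloud platform.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumption: a relayed OTP is used within about one validity step

SAMPLE_LOG = """\
2021-09-14T08:01:02Z alice SUCCESS 198.51.100.10 otp
2021-09-14T08:01:17Z alice SUCCESS 203.0.113.77 otp
2021-09-14T08:02:00Z carol FAILURE 203.0.113.9 otp
2021-09-14T08:02:30Z carol SUCCESS 198.51.100.40 otp
2021-09-14T08:05:00Z bob SUCCESS 198.51.100.22 otp
2021-09-14T09:30:00Z bob SUCCESS 203.0.113.5 otp
2021-09-14T09:31:00Z dave SUCCESS 198.51.100.60 otp
2021-09-14T09:31:05Z dave SUCCESS 198.51.100.60 otp
"""


def parse_log(text: str) -> list:
    """Parse whitespace-separated records into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, result, src_ip, factor = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "src_ip": src_ip, "factor": factor,
        })
    return records


def concurrent_logins(records: list, window: timedelta = WINDOW) -> list:
    """
    Return (user, first_ip, second_ip, seconds_apart) for each pair of consecutive
    successful logins by one user from different source IPs within `window`.
    Failures are ignored: a relay only matters once the attacker's attempt succeeds.
    """
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "SUCCESS":
            by_user[r["user"]].append(r)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda r: r["ts"])
        for prev, cur in zip(logins, logins[1:]):
            gap = cur["ts"] - prev["ts"]
            if prev["src_ip"] != cur["src_ip"] and gap <= window:
                alerts.append((user, prev["src_ip"], cur["src_ip"], int(gap.total_seconds())))
    return alerts


def run_demo() -> list:
    """Only alice trips the rule: carol has one success, bob's logins are 85 minutes apart, dave reuses one IP."""
    return concurrent_logins(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for user, ip1, ip2, secs in run_demo():
        print(f"ALERT {user}: login from {ip1} then {ip2} only {secs}s apart")
```

The window is deliberately short so that ordinary roaming between office and mobile networks does not page anyone; the rule is a trigger for forcing a re-authentication and revoking the newer session, not proof of compromise on its own.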

Attacking the Cloud Provider

Lastly, a ransomcloud attack could arise by targeting the cloud provider directly. This is the most damaging and lucrative method for the attacker because if they are successful, it would mean they have compromised the entire cloud platform. In short, they could demand ransoms from all customers of the compromised service.

Consider the vulnerability disclosed in Microsoft Azure in August 2021, which enabled attackers to escalate privileges and move laterally across the Microsoft cloud. Although it was quickly fixed and no attacks were reported, the incident highlights the risk.

Responsibility for Cloud Security

Having now investigated how the cloud could be compromised, we might then ask who bears the responsibility for maintaining its security. The answer is that it is a shared responsibility. Cloud vendors, businesses or their managed service providers and even individual employees all play a role. The division of responsibility should be established early in the cloud migration process.

Nevertheless, it is important to remember that a business is always responsible for its data, regardless of where it is hosted. It needs to be attentive to overly permissive policies, insider threats, phishing campaigns and leaked credentials. The best way to combat some of these challenges is to adopt best practice measures such as the principle of least privilege, which limits the damaging actions available to an attacker if a cloud account is compromised. It also means investing in security awareness training to curb successful phishing attempts. Businesses must also ensure they have clear visibility of their cloud environments so that issues are detected and remediated sooner rather than later.
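Least privilege is easy to state and easy to drift away from; what a compromised account can do is decided by the policy attached to it. The following is an added example (not from the article) of a small linter that flags the settings a ransomware operator needs: wildcard actions, wildcard resources and destructive operations allowed without an explicit deny. The two policies use the AWS IAM JSON shape purely for illustration (the article does not name a provider); the bucket name, the action list and the choice of "destructive" hints are assumptions for the demo.

```python
"""
Least-privilege check for a cloud IAM policy document: flag Allow statements
that would let an attacker who hijacks the identity encrypt, delete or
unversion data at will. The AWS IAM JSON shape is used for illustration only;
the bucket, actions and DESTRUCTIVE_HINTS are constructed for this demo.
"""

# Weak: one statement, every action on every resource.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
}

# Hardened: read/write on one prefix, and an explicit deny on the operations
# an encrypt-and-extort attacker needs (deleting objects/versions, turning off versioning).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::finance-reports/*"},
        {"Effect": "Deny",
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutBucketVersioning"],
         "Resource": "arn:aws:s3:::finance-reports/*"},
    ],
}

# Assumption: substrings that mark an action as destructive from a ransomware point of view.
DESTRUCTIVE_HINTS = ("Delete", "PutBucketVersioning", "PutLifecycleConfiguration")


def _as_list(value) -> list:
    """IAM allows a string or a list in Action/Resource/Statement; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return human-readable findings for Allow statements; an empty list means the checks pass."""
    statements = _as_list(policy.get("Statement", []))
    # An explicit Deny in the same document overrides an Allow of the same action.
    denied = {a for s in statements if s.get("Effect") == "Deny"
              for a in _as_list(s.get("Action", []))}
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action '{a}' grants every API call in scope")
            elif any(h in a for h in DESTRUCTIVE_HINTS) and a not in denied:
                findings.append(f"statement {i}: destructive action '{a}' allowed without an explicit Deny")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' reaches every resource in the account")
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(policy) or "OK")
```

Running this in a pipeline that gates policy changes is one concrete form of the visibility the section calls for: a wildcard that would let a hijacked account wipe version history is caught before it reaches production rather than during an incident.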
