Why Cloud Storage Isn't Immune to Ransomware

Cloud security is a shared responsibility, which sometimes leads to security gaps and complexity in risk management.

Shai Morag, CEO, Ermetic

December 15, 2021


Ransomware is the flavor of the month for cybercriminals. The FBI reports that ransomware attacks rose 20% and losses almost tripled in 2020. And our increased use of the cloud may have played a part in that spike. A survey of CISOs conducted by IDC earlier this year found that 98% of their companies had suffered at least one cloud data breach in the previous 18 months, up from 79% the year before, and the figures got worse the greater a company's exposure to the cloud.

Organizations now use hundreds of cloud-based apps, which adds thousands of new identities, human and machine, logging in to their systems. This opens almost unlimited possibilities for attackers. Even though cloud vendors have their own identity and access management (IAM) controls, vulnerabilities will emerge. In fact, recent research into cloud security found that over 70% of organizations had machines exposed to the public that were linked to identities whose permissions could, under the right conditions, be exploited to launch ransomware attacks.

A number of reasons could explain why security falls through the cracks of many cloud systems, and leaves them more vulnerable to ransomware attacks.

First, cloud security is a shared responsibility. User organizations and cloud service providers share security efforts, but this sometimes leads to security gaps and complexity in the management of risk. Misconfigurations also occur, with sensitive assets left exposed to external access, or controls weakened unintentionally. And there's the issue of excessive entitlements, where some identities have privileges far beyond what the user needs.

In addition, security pros are up against poor access key management: just as users need to change their passwords, long-lived access keys need to be rotated, and unused ones disabled, to limit what a leaked key is worth to an attacker. And many organizations aren't using cloud provider controls effectively. Each cloud vendor has its own IAM system governing access to its resources, but not all organizations use those controls fully or make sure they integrate with their own identity systems.

How to Mitigate Ransomware Risks in the Cloud
The following best practices reduce the risk of ransomware compromising cloud resources.

  • Adopt a least-privilege access strategy: This is probably the best way to keep attackers off your systems and to limit the damage if they do get in. Keep permissions to the bare minimum users and workloads need to do their jobs. Make your storage buckets private and trim their entitlements. To pull off a ransomware attack on cloud storage, an attacker needs two things: access to the data in a bucket (to encrypt, overwrite or delete it) and the ability to change the bucket's configuration (to strip out the versioning, lifecycle, encryption or retention settings that would otherwise let you recover). Grant those two capabilities to different identities, so that no single compromised credential provides both. Also, clean out inactive users, roles and functions that could be hijacked; this cleanup can be automated easily.

  • Remove risk factors: This is the low-hanging fruit of security. A scan of your infrastructure can score some easy wins by taking measures such as rotating access keys, enabling multifactor authentication (MFA) for users, and disabling unused credentials. But don't make this a one-shot: This is a continuing effort.

  • Perform logging and monitoring: Some destructive actions take time to bite. Scheduling a KMS key for deletion starts a waiting period of at least seven days before the key is actually gone, and an S3 lifecycle rule that expires objects only acts on its next daily run. By logging and monitoring sensitive actions like these, the organization can stop a ransomware attack in progress. Using tools such as CloudTrail and CloudWatch (both from Amazon Web Services), you can spot those events and head off the attack with a timely response. Note that CloudTrail records bucket-level management calls (lifecycle, versioning and policy changes) by default, but object-level operations such as DeleteObject are data events that must be switched on explicitly for the bucket. Monitoring is less effective for events that run faster, such as a burst of object deletions, but the sooner you spot the attack, the better the mitigation.

  • Prevent delete operations: Use the native delete-prevention mechanisms that come out of the box with cloud services, such as S3 MFA Delete or S3 Object Lock, to block malicious deletions. Object Lock lets you set a default retention period for objects in a bucket (it requires versioning) and prevents an object version from being deleted or overwritten until the period ends; choose compliance mode if the lock must hold even against the account's own administrators, since governance mode can be bypassed by identities granted the s3:BypassGovernanceRetention permission. Enabling MFA Delete on a versioned bucket means that permanently deleting an object version, or changing the bucket's versioning state, requires the bucket owner's root user credentials together with its MFA token.

  • Replicate buckets: Configuring sensitive buckets to copy their contents automatically into a dedicated location can improve security on an ongoing basis. This copy is an easy way to blunt ransomware's ability to lock or delete data, and it serves as a backup if the data is corrupted, as well. Put the replica in a separate account with its own access controls, so that credentials stolen in the source account cannot reach it, and remember that replication propagates changes: with S3 replication, copying delete markers to the replica is optional and should normally stay off for a backup copy, while deletions of specific object versions are never replicated. Duplicating data will add some cost, though, and adds more attack surface, so it must be balanced against your other controls.
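One way to check the separation called for in the least-privilege bullet above, as an added example that is not code from the article or from Ermetic: the script evaluates each identity's IAM policies against a bucket and flags any identity that can both destroy object data and weaken the bucket's protective configuration. It uses a deliberately simplified model of IAM evaluation (Allow/Deny statements with wildcard Action and Resource matching, explicit Deny wins; Condition, NotAction and NotResource are not handled), and the identity names, policies and bucket ARN are constructed for the example.

```python
"""Flag identities whose permissions combine data destruction with the ability
to weaken a bucket's protections. Added example; not the article's or Ermetic's
code. Simplified IAM model: Allow/Deny with wildcard Action and Resource
matching, explicit Deny wins; Condition, NotAction and NotResource are not
handled. Identities, policies and the bucket ARN below are constructed."""
from fnmatch import fnmatchcase

# What ransomware needs on the data plane: overwrite or remove objects/versions.
DATA_DESTRUCTIVE = {"s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion"}
# What it needs on the control plane: strip the protections that allow recovery.
CONFIG_CHANGE = {
    "s3:PutLifecycleConfiguration",        # expire objects after N days
    "s3:PutBucketVersioning",              # suspend versioning
    "s3:PutBucketObjectLockConfiguration",
    "s3:PutEncryptionConfiguration",       # swap the default KMS key
    "s3:PutBucketPolicy",                  # grant the attacker more access
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policies, action, resource):
    """Evaluate one action on one resource: any matching Deny wins, else an Allow is needed."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
            resources = _as_list(stmt.get("Resource", []))
            if not any(fnmatchcase(action.lower(), a) for a in actions):
                continue
            if not any(fnmatchcase(resource, r) for r in resources):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def toxic_combinations(identities, bucket_arn):
    """Return {identity: {"destroy": [...], "weaken": [...]}} for identities that hold
    at least one destructive data action and at least one config-changing action."""
    object_arn = bucket_arn + "/*"
    findings = {}
    for name, policies in identities.items():
        destroy = sorted(a for a in DATA_DESTRUCTIVE if is_allowed(policies, a, object_arn))
        weaken = sorted(a for a in CONFIG_CHANGE if is_allowed(policies, a, bucket_arn))
        if destroy and weaken:
            findings[name] = {"destroy": destroy, "weaken": weaken}
    return findings


BUCKET = "arn:aws:s3:::finance-archive"  # constructed
FULL_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]}]}
# A fence that keeps an over-broad grant away from bucket configuration (constructed).
NO_CONFIG_CHANGES = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": ["s3:Put*Configuration", "s3:PutBucket*", "s3:DeleteBucket*"],
     "Resource": "*"}]}
STORAGE_ADMIN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutLifecycleConfiguration", "s3:PutBucketVersioning", "s3:GetBucket*"],
     "Resource": BUCKET}]}

IDENTITIES = {
    "app-role": [FULL_ACCESS],                            # the common "s3:* on my bucket" grant
    "app-role-fenced": [FULL_ACCESS, NO_CONFIG_CHANGES],  # same grant, config changes denied
    "storage-admin": [STORAGE_ADMIN],                     # configures the bucket, never touches data
}

if __name__ == "__main__":
    for name, held in toxic_combinations(IDENTITIES, BUCKET).items():
        print(f"{name}: can destroy via {held['destroy']} and weaken via {held['weaken']}")
```

Only app-role is flagged: storage-admin holds no data-plane actions, and app-role-fenced keeps its broad data access but the explicit Deny removes every configuration change. Against a real account you would feed the same check from the output of `aws iam get-account-authorization-details`, or lean on `aws iam simulate-principal-policy`, which also evaluates Condition blocks that this simplified model ignores.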
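For the "remove risk factors" scan, an added example that is not the article's or Ermetic's code: it parses an IAM credential report, the CSV that `aws iam get-credential-report` returns, and lists users without MFA, access keys older than 90 days, credentials unused for 90 days, and any access key on the root account. The report below is constructed and trimmed to the columns the check reads; the column names and the `N/A` and `not_supported` placeholders follow the real report's format, and the 90-day thresholds are an assumed policy.

```python
"""Scan an IAM credential report for the quick wins the article lists.
Added example; not the article's or Ermetic's code. SAMPLE_REPORT is constructed
and trimmed to the columns used here (column names follow the real report)."""
import csv
import io
from datetime import datetime, timezone

MAX_KEY_AGE_DAYS = 90   # rotation threshold (assumed policy)
MAX_IDLE_DAYS = 90      # "unused" threshold (assumed policy)

SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2021-11-30T08:00:00+00:00,true,true,2019-01-10T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2021-12-10T09:12:00+00:00,false,true,2021-11-01T00:00:00+00:00,2021-12-14T07:00:00+00:00,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,not_supported,false,true,2020-05-20T00:00:00+00:00,2021-12-14T06:30:00+00:00,true,2021-09-01T00:00:00+00:00,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2021-06-01T12:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
"""
NOW = datetime(2021, 12, 15, tzinfo=timezone.utc)  # fixed "today" so the sample is deterministic


def _ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def _older_than(ts, days, now):
    """A missing timestamp counts as stale: the credential has never been used/rotated."""
    return ts is None or (now - ts).days > days


def scan_credential_report(report_csv, now):
    """Return (user, finding) pairs; each finding names the action to take."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        password_on = row["password_enabled"] == "true"
        if (password_on or is_root) and row["mfa_active"] != "true":
            findings.append((user, "no MFA on console login; enable it"))
        if password_on and _older_than(_ts(row["password_last_used"]), MAX_IDLE_DAYS, now):
            findings.append((user, "console password unused; disable it"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"access key {n} on the root account; delete it"))
            if _older_than(_ts(row[f"access_key_{n}_last_rotated"]), MAX_KEY_AGE_DAYS, now):
                findings.append((user, f"access key {n} older than {MAX_KEY_AGE_DAYS} days; rotate it"))
            if _older_than(_ts(row[f"access_key_{n}_last_used_date"]), MAX_IDLE_DAYS, now):
                findings.append((user, f"access key {n} unused for {MAX_IDLE_DAYS} days; disable it"))
    return findings


if __name__ == "__main__":
    for user, finding in scan_credential_report(SAMPLE_REPORT, NOW):
        print(f"{user}: {finding}")
```

Run on the sample, the scan surfaces the root account's stale access key, alice's missing MFA, two overdue key rotations and an unused key on the ci-deploy service user, and bob's console password that nobody has used in months. Scheduling this against a fresh report is what turns the one-shot cleanup into the continuing effort the article asks for.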
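As an added example of the logging-and-monitoring rule, not the article's or Ermetic's code, the script below runs simple detection logic over CloudTrail records: it alerts on any management call that removes or weakens a bucket's or a KMS key's protections, on versioning being suspended, and on a burst of object deletions by one principal inside a five-minute window. The records are constructed for the example and reduced to the CloudTrail fields the rules read (eventTime, eventSource, eventName, userIdentity, requestParameters); the burst threshold and window are assumptions to tune for your own environment.

```python
"""Detection rules for ransomware precursors in CloudTrail. Added example; not
the article's or Ermetic's code. SAMPLE_EVENTS is constructed and reduced to
the fields the rules read; thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Management events that remove or weaken protections outright. Bucket-level S3
# calls and KMS calls are management events, which CloudTrail records by default.
CRITICAL = {
    ("s3.amazonaws.com", "DeleteBucket"),
    ("s3.amazonaws.com", "PutBucketLifecycle"),
    ("s3.amazonaws.com", "DeleteBucketLifecycle"),
    ("s3.amazonaws.com", "PutBucketPolicy"),
    ("s3.amazonaws.com", "DeleteBucketPolicy"),
    ("s3.amazonaws.com", "PutBucketEncryption"),
    ("kms.amazonaws.com", "ScheduleKeyDeletion"),
    ("kms.amazonaws.com", "DisableKey"),
    ("kms.amazonaws.com", "PutKeyPolicy"),
}
DELETE_BURST = 50                    # object deletions by one principal ...
BURST_WINDOW = timedelta(minutes=5)  # ... inside this window (assumed thresholds)


def _when(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def _principal(event):
    ident = event.get("userIdentity") or {}
    return ident.get("arn") or ident.get("type", "unknown")


def detect(events):
    """Return (eventTime, principal, eventName, reason) alerts, in time order."""
    alerts = []
    recent_deletes = defaultdict(deque)  # principal -> delete timestamps inside the window
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        src, name, who = ev["eventSource"], ev["eventName"], _principal(ev)
        params = ev.get("requestParameters") or {}
        if (src, name) in CRITICAL:
            alerts.append((ev["eventTime"], who, name, "protection removed or weakened"))
        elif name == "PutBucketVersioning" and \
                (params.get("VersioningConfiguration") or {}).get("Status") == "Suspended":
            alerts.append((ev["eventTime"], who, name, "versioning suspended"))
        elif src == "s3.amazonaws.com" and name in ("DeleteObject", "DeleteObjects"):
            # Object-level deletes are CloudTrail data events: they only show up here
            # if data event logging is enabled for the bucket.
            window = recent_deletes[who]
            window.append(_when(ev))
            while window and window[-1] - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) == DELETE_BURST:  # fire once, when the threshold is first crossed
                alerts.append((ev["eventTime"], who, name,
                               f"{DELETE_BURST} object deletions within {BURST_WINDOW}"))
    return alerts


def _event(time, source, name, user, **params):
    """Minimal CloudTrail-shaped record (constructed for the example)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": params}


_start = datetime(2021, 12, 14, 3, 0, 0)
SAMPLE_EVENTS = [
    _event("2021-12-14T02:58:10Z", "s3.amazonaws.com", "GetObject", "alice",
           bucketName="finance-archive", key="q3/ledger.xlsx"),
    _event("2021-12-14T02:59:00Z", "s3.amazonaws.com", "PutBucketVersioning", "ci-deploy",
           bucketName="finance-archive", VersioningConfiguration={"Status": "Suspended"}),
    _event("2021-12-14T02:59:30Z", "s3.amazonaws.com", "PutBucketLifecycle", "ci-deploy",
           bucketName="finance-archive",
           LifecycleConfiguration={"Rule": {"Status": "Enabled", "Expiration": {"Days": 1}}}),
    # 60 deletes three seconds apart, so the 50th lands well inside one window.
    *[_event((_start + timedelta(seconds=3 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
             "s3.amazonaws.com", "DeleteObject", "ci-deploy",
             bucketName="finance-archive", key=f"reports/{i:04d}.pdf") for i in range(60)],
    _event("2021-12-14T03:05:00Z", "kms.amazonaws.com", "ScheduleKeyDeletion", "ci-deploy",
           keyId="1234abcd-12ab-34cd-56ef-1234567890ab", pendingWindowInDays=7),
    _event("2021-12-14T03:06:00Z", "s3.amazonaws.com", "PutObject", "alice",
           bucketName="finance-archive", key="q3/ledger.xlsx"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(*alert, sep="  ")
```

On the sample the rules raise four alerts, all against the ci-deploy user: versioning suspended, a one-day expiration lifecycle rule, the deletion burst, and a KMS key scheduled for deletion. The first two and the last are the slow-burning events the article describes; they arrive minutes before any data is lost, and the KMS deletion can still be cancelled during its waiting period. In production the same conditions map naturally onto CloudWatch Logs metric filters or EventBridge rules fed by the CloudTrail trail, with the deletion burst being the one that needs data event logging turned on for the bucket.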

Ransomware is not going away. Developing a strong security posture in the cloud should be an ongoing effort, but the tools are available to make the task easier. Tasks can be automated, access and privileges tightened and identities managed more effectively. The first step is to understand that vulnerabilities are a fact of digital life.

About the Author(s)

Shai Morag

CEO, Ermetic

Shai Morag is CEO of cloud identity and access security provider Ermetic. Previously, he was co-founder and CEO of Secdo, an incident response platform vendor acquired by Palo Alto Networks, and CEO of Integrity-Project, a software outsourcing company acquired by Mellanox. Shai also served for 10 years as an officer in senior product development and management roles with the Intelligence Unit of the Israel Defense Forces.

