The state of cloud ransomware in 2024

Ransom attacks in the cloud are a perennially popular topic of discussion in the cloud security realm.

  • Monday, 18th November 2024 Posted 1 month ago in by Phil Alsop

SentinelLabs has identified several tools designed to target web servers with ransomware or to leverage cloud services to upload files before encrypting local files on an endpoint.

Cloud ransom attack mechanics

Cloud ransom attacks typically target cloud-based storage services, such as Amazon’s Simple Storage Service (S3) or Azure Blob Storage. While each implementation varies, a ransom attack requires the attacker to find an accessible storage service, copy the file contents to a destination controlled by the attacker, and then encrypt or delete the files from the victim’s instance.

Cloud service providers (CSPs) have implemented robust security mechanisms that minimise the risk of data being lost permanently. For example, AWS’ Key Management Service (KMS) defines a 7-day window between a key delete request and its permanent deletion, providing users with ample time to detect and rectify a cryptographic ransom attack against S3 instances.

Despite increasingly thorough security measures, researchers continue to find new ways to circumvent CSP controls.

Ransomware using cloud services for data exfiltration

Aside from ransomware targeting cloud services, threat actors are increasingly using cloud services to exfiltrate the data they intend to ransom. In September 2024, modePUSH reported that the BianLian and Rhysida ransomware groups are now using Azure Storage Explorer to exfiltrate data from victim environments. In October 2024, Trend Micro reported that a ransomware actor mimicking the notorious Lockbit ransomware group used samples that leverage Amazon’s S3 storage to exfiltrate data stolen from the targeted Windows or macOS systems.

SentinelLabs has identified a Python script that researchers call RansomES due to the Spanish language comments in the code. Designed to run on a Windows system, the script provides the actor with methods to exfiltrate the files to S3 or FTP and then encrypt the local versions.

Web application ransom attacks

Web applications are often run via cloud services. Their more minimal nature makes cloud environments a natural hosting point where the applications are easier to manage and require less configuration and upkeep than running on a full operating system. However, web applications themselves are vulnerable to extortion attacks.

SentinelLabs has identified several ransom scripts that target PHP applications. Researchers have identified a Python script called Pandora, which is a multi-tool targeting a variety of web services. This tool is unrelated to the Pandora ransomware group, which leverages binaries to target Windows systems.

Another PHP ransom script SentinelLabs has identified is attributed to the IndoSec group, an Indonesia-based threat actor. This script is a PHP backdoor that the attacker can use to manage and delete files, and perform ransom attacks.

Conclusion

Cloud ransom attacks are an emerging threat that organisations are better equipped to defend against now than in previous years, given the continuous dedication to CSP security measures in addition to a wealth of cloud security products designed to minimise risk.

SentinelLabs recommends the use of a Cloud Security Posture Management (CSPM) solution to discover and assess cloud environments and alert of issues such as misconfiguration and overly permissive storage buckets, as these are the primary flaws that facilitate the cloud ransom attack techniques described in this report. Additionally, always enforce good identity management practices, such as requiring MFA on all admin accounts and deploying runtime protection against all cloud workloads and resources.

Beacon, NY, Dec 20, 2024– DocuWare unveils its AI-powered Intelligent Document Processing (DocuWare IDP), bringing about unprecedented improvements...
85% of IT decision makers surveyed reported progress in their companies’ 2024 AI strategy, with 47% saying they have already achieved positive ROI.

MSPs will invest in more AI security forecasting

Posted 4 days ago by Phil Alsop
Predictive maintenance and forecasting for security and failures will be a growing area for MSPs with an interest in security, says Nicole Reineke,...

Machine identities next big target for cyberattacks

Posted 5 days ago by Phil Alsop
Venafi has published the findings of its latest research report: The Impact of Machine Identities on the State of Cloud Native Security in 2024....
Nearly 50% of organisations have experienced a security breach in the last two years.

IT professionals recognise lack of gender diversity

Posted 5 days ago by Phil Alsop
The majority (87 percent) of IT professionals agree that there is a lack of gender diversity in the sector, yet less than half (41 percent) of...

A moving landscape for MSPs

Posted 1 week ago by Phil Alsop
2025 predictions from Ranjan Singh, chief product officer at Kaseya.

Data breach epidemic takes its toll

Posted 1 week ago by Phil Alsop
New study by Splunk shows that a significant number of UK CISOs are stressed, tired, and aren’t getting adequate time to relax.