Legend has it that Willie Sutton, the 20th-century bank robber, bluntly replied when a reporter asked why he chose to rob banks, “because that's where the money is.” While he later denied saying this, the quote remains attributed to him, whether he said it or not. His reputed unplanned answer even went on to spawn an ‘eponymous law’ sometimes taught in medicine, ‘Sutton’s Law,’ which is the principle of going straight to the most obvious diagnosis. Applying ‘Sutton’s Law’ to this century’s crime-related question of why ransomware will likely continue its evolution into the cloud, the obvious answer becomes “because that's where the data is.” And it’s not just the data, either.
Cloud Security Has Never Been More Important
Many organizations have expedited their use of and reliance on public cloud services to run their businesses in ways which would have been hard to anticipate, even a few years prior. The cloud stakes are now higher than ever. Positively speaking, for many smaller businesses that lack dedicated cyber security functions, skills or tools, many of the reasonable public cloud services could offer a level of ‘baked in’ protection which they may otherwise lack on-premise. However, basic cloud security services should not be assumed to be a cure-all, and they do not dissuade attackers. The ‘2020 Ransomware Resiliency Report’ published by Veritas identifies:
“There is no safe haven from ransomware – attacks are targeting data and applications in the cloud nearly as often as they are directed at on-premises resources.”
Cloud Specific Targeting
The writing has been on the wall for some time now with regard to the targeting and harnessing of cloud-specific resources by ransomware perpetrators. Surfacing in 2014, ‘Virlock’ was an early warning, demonstrating how it could cruelly leverage local file-syncing functionality to exponentially spread itself amongst users collaborating in a shared cloud file store. That rather odd, obscure malware strain was notable at the time for being able not only to scramble your files, but also to effectively weaponize them to infect others.
Somewhat paradoxically, the high risk of reinfection which its own powerful weaponization feature presented actually made for a lousy ransom proposition. After all, isn’t a supposedly ‘satisfied’ ransomware customer someone who has paid their hard-negotiated cryptocurrency not only to regain access to their data, but also to reclaim a perceived sense of control and normality, rather than someone who nervously risks detonating another disruptive infection simply by accessing a toxic file missed somewhere in the recovery process? Virlock’s eccentric, polymorphic nature and lack of effort to apply any serious encryption (using XOR & XOR-ROL) made it appear to be an experimental taste of things to come rather than any serious business model.
Cloud Security Threats from File Synchronization
Still, file synchronization between local data storage and the cloud remains an all too common vector for ransomware, not just for home consumers, but also for large enterprises running hybrid, multiple cloud or Infrastructure as a Service (IaaS) environments. The big cloud service providers (CSPs) offering IaaS services invest in many layers of state-of-the-art security to protect their underlying physical and virtual infrastructures, hypervisors and networks. Yet with IaaS, the customer rarely abrogates the security responsibilities for their company's virtual cloud infrastructure running within it.
The cloud customer is only as safe as the devices and on-premise networks that they allow to directly connect into their cloud environments. Often for corporations, this is via dedicated high-speed links. Where privileges are not properly controlled and data logically segregated, a single infected end-user (most commonly through a malicious email) can present an immediate threat to the wider cloud environment. Likewise, appropriate protection of the cloud management and control planes becomes even more paramount.
Most of us have likely heard by now of how ransomware campaigns such as ‘Ryuk’ initially carry out reconnaissance inside a network following their foothold infections (often delivered via Emotet and Trickbot) in order to identify their victims' most critical assets, presumably to maximize the impact of their imminent attack and increase both the amount and likelihood of remittance. Such attacks will often initially target backups and hypervisors in the on-premise world, so it doesn’t take much imagination to conceive what kind of damage they could wreak with full administrative access to your cloud management plane.
Shared Responsibility of Cloud Security
Even in the realm of Software as a Service (SaaS), where the customer has less shared security responsibility and more assumed or contractual trust in the service providers' controls, there is an ever-present, growing risk of significant compromise. In fact, the compromise of a large and prominent service provider is exactly the type of coup d’état the more serious ransomware players will invest their resources into planning and executing. Such an attack, once successful, will after all affect many businesses rather than a single entity, yielding greater potential returns.
The ransomware attack against the cloud software provider Blackbaud in May 2020, for example, impacted customers throughout the world, including charities, non-profits, foundations and universities. This vicious attack against Blackbaud resulted in multiple class action legal cases and served as a stark example of what has come to be referred to as Ransomware 2.0. This is where attackers will exfiltrate data and threaten to release it should the victim not wish to pay for decryption keys, or should the encryption process itself have failed, perhaps due to effective responses and protections being in place. Whilst the Maze and Sodinokibi groups have become notorious for this type of blackmail tactic, it is unfortunately becoming more common in a variety of attacks, and yet another unwelcome ‘new normal’ of our times.
Keeping Ahead of The Game
But let's not dwell on the sense of anxiety the current state of cybercrime can hit us with, and instead remind ourselves that practicing good security, whether in the cloud or on-premise, is more essential than ever. Essential for protection against all threats, not just ransomware.
Rather than fear the cloud, security professionals should keep ahead of the game, continually up-skill, innovate and demonstrate the same will to adapt as some of our more forward-thinking adversaries. We should automate continuous and proactive monitoring, vulnerability scanning and remediation wherever we can, adopting a ‘shift-left’ DevSecOps approach to cloud software development. We must keep up to date with the more advanced security capabilities offered by our service providers, as well as understand any protective gaps they may have and how we may compensate for them.
For those looking to apply vendor-neutral best practice and principles, (ISC)², the Cloud Security Alliance (CSA) and NIST all offer a wealth of impartial, cloud-specific security guidance and publications to tap into.
Dealing Effectively with Ransomware Threats to Cloud Security
Given that ransomware is fundamentally another form of extortion driven by black market economics, the next effective mitigations may be legislative as well as technical. As a potential precursor, in October 2020, the US Treasury put out an official warning, reminding the public that:
“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
The Treasury advisory also stated that:
“paying a ransom to cyber actors does not guarantee that the victim will regain access to its stolen data.”
The advice of many respected security experts, alongside our own ‘common sense’, would reason that paying a ransom based on a criminal's promise that they will never release your data, or that they will delete it and refrain from further blackmail in the future, holds little tangible guarantee. Nonetheless, a legitimate and highly lucrative ‘side industry’ of insurers and ransom ‘negotiators’ continues to flourish, helping to fuel the underground criminal economy. So much so that some are calling for more radical steps to be taken, such as making ransomware payments a criminal offence.
There are many practical concerns with such an approach. It would be filled with cross-jurisdictional challenges and difficult to consistently track and enforce. Unless exceptional circumstances were taken into account in such legislation, it could present victims facing actual ‘life and death’ decisions, such as hospitals, with unenviable dilemmas of conscience and consequence. Following the first tragic ransomware-related fatality in 2020, it is time; however, governments and law enforcement across the globe have only begun seriously discussing and considering such measures.
Role of Certified Cloud Security Provider (CCSP) For Professionals
CCSP certification is the most valued, vendor-neutral Cloud Security qualification. It demonstrates you have the knowledge needed to tackle the inevitable threats in the cloud environment. Certification advances your knowledge and understanding of cloud security by focusing on six different domains: cloud security operations; legal, risk & compliance; cloud concepts, architecture & design; cloud data security; cloud platform & infrastructure security; and cloud application security.
To learn more about how the CCSP credential can help you gain expertise and advance your career, download our white paper Cloud Security Skills Can Take Your Career to Infinity (And Beyond).