Contending with ransomware and extortionware has, unfortunately, become commonplace for enterprises. But the results can be anything but common. We at Mitiga have watched attackers continue to up the ante, creating devastating impacts on organizations and the people they serve.

The Change Healthcare ransomware attack, for example, has affected millions of Americans, impeding their ability to get a prescription filled or paid for. That’s just one example of an attack with outcomes that produce mission-critical damages.

Why is it happening now?
Over a period of years, the prevalence of unsecured and misconfigured cloud resources has led to numerous data security incidents and a wide range of resulting harm.

As organizations increasingly adopt cloud services, the threat of ransomware and extortionware in the cloud has become an increasing concern for CISOs and security teams.

One strategy that we have observed in recent investigations is deleting cloud resources instead of encrypting them. This “Living off the Cloud” type of attack requires little development overhead because it uses the cloud provider's own API calls rather than custom malware, and those calls look like ordinary administration unless you know what to compare them against. In the most basic form of cloud ransomware attack, all the adversary needs to do is get access to the cloud data, copy it all to a location they control, delete the original copy, and then hold the data for ransom.

The Risks of Cloud Ransomware

Cloud ransomware attacks are opportunistic, targeting publicly exposed resources and compromised credentials. A recent IBM X-Force report found that cloud account credentials alone make up 90% of cloud assets for sale on the dark web, making it easy for threat actors to take over legitimate user identities and establish access into victim environments.

Assumptions about an organization's state of cloud security are another real risk when it comes to ransomware. These assumptions often stem from confusion about both which logs are available and what forensic value those logs actually carry. It is important not only to verify that the correct logs are enabled and configured, but also to understand how each log can answer the questions you will face during a ransomware incident: who acted, from where, against which data, and when.

A related assumption is that because a log is enabled and has forensic value, adequate alerting must also be in place. Log availability, forensic value, and alerting are three separate steps, and each should be carefully reviewed to determine whether you are ransomware ready.

Guidance for CISOs and Teams

To contend with ransomware and extortion in cloud and SaaS environments, CISOs and teams should focus on the following areas:

Understand the Threat Landscape

Identify your organization’s attack surface and perform vulnerability assessments against it. A few examples of this could include:

       -   Identify where your critical assets and services are.

       -   Run continuous assessments to identify vulnerabilities in your environment.

       -   Conduct penetration tests to gain comprehensive visibility into your attack surface.

Detect Early Stages of the Attack Chain

It starts with establishing baselines for normal user and system activity. With that in place, implement monitoring and logging that detects deviations from those baselines. Be sure to set up alerts and notifications for suspicious activity, such as unusual login attempts or data access patterns. This could include:

       -   Identify baseline usage and metrics across critical and sensitive services.

       -   Create detections for deviations from the baseline.

       -   Leverage the logging available and create custom detections based on your environment. Default detections are not enough.

       -   Set escalation thresholds and response playbooks based on the type of alert received.
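The copy-then-delete pattern described earlier and the baseline-driven detection steps above can be put into one concrete rule. The following is an added example written for this post, not Mitiga's tooling or any vendor's detection content. It assumes audit records in an AWS CloudTrail-like shape (eventTime, eventName, userIdentity.arn, requestParameters.bucketName); the sample events, account IDs, bucket names and per-principal baselines are constructed for illustration. The rule flags a principal whose deletions in a short window exceed both an absolute floor and a multiple of that principal's observed baseline, then enriches the alert with the read/copy activity that preceded the burst, which is the staging step of the attack.

```python
"""Copy-then-delete detection over cloud audit events.

Example written for this post, not Mitiga's tooling. It assumes records in an
AWS CloudTrail-like shape (eventTime, eventName, userIdentity.arn,
requestParameters.bucketName); the sample events and the per-principal
baselines below are constructed, not captured from a real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

READ_OR_COPY = {"GetObject", "CopyObject", "ListObjectsV2"}
DESTRUCTIVE = {"DeleteObject", "DeleteObjects", "DeleteBucket"}

ALICE = "arn:aws:iam::111111111111:user/dev-alice"     # constructed principal
BACKUP = "arn:aws:iam::111111111111:user/backup-svc"   # constructed principal


def _ev(time, name, arn, bucket, **extra):
    """Build one constructed CloudTrail-like record."""
    return {"eventTime": time, "eventName": name, "eventSource": "s3.amazonaws.com",
            "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": bucket, **extra}}


SAMPLE_EVENTS = (
    # normal activity from the same user a day earlier: must not alert
    [_ev("2025-02-28T14:00:00Z", "GetObject", ALICE, "customer-records")]
    # enumerate, copy to a bucket the attacker controls, then delete the originals
    + [_ev("2025-03-01T01:58:00Z", "ListObjectsV2", ALICE, "customer-records")]
    + [_ev(f"2025-03-01T02:00:{10 + 5 * i:02d}Z", "CopyObject", ALICE, "attacker-staging",
           **{"x-amz-copy-source": f"customer-records/part-{i}.csv"}) for i in range(3)]
    + [_ev(f"2025-03-01T02:03:{5 * i:02d}Z", "DeleteObject", ALICE, "customer-records")
       for i in range(6)]
    # a service account whose job routinely deletes; it stays under its baseline
    + [_ev(f"2025-03-01T03:00:{5 * i:02d}Z", "DeleteObject", BACKUP, "nightly-backups")
       for i in range(3)]
)

# deletes per 15-minute window observed for each principal during baselining (constructed)
BASELINE_DELETES = {BACKUP: 50}


def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect_copy_then_delete(events, baseline, window=timedelta(minutes=15),
                            lookback=timedelta(minutes=60), min_deletes=5, factor=3):
    """Return one finding per principal whose deletions inside any `window` reach
    both `min_deletes` and `factor` times its baseline, annotated with the
    read/copy activity of the preceding `lookback` so an analyst sees staging."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[e["userIdentity"]["arn"]].append(e)

    findings = []
    for principal, evs in by_principal.items():
        evs.sort(key=_ts)
        deletes = [e for e in evs if e["eventName"] in DESTRUCTIVE]
        threshold = max(min_deletes, factor * baseline.get(principal, 0))
        start = 0
        for end in range(len(deletes)):
            # slide `start` forward until deletes[start:end+1] fits in the window
            while _ts(deletes[end]) - _ts(deletes[start]) > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # threshold reached: report every delete in the window opening at `start`
            burst = [d for d in deletes[start:] if _ts(d) - _ts(deletes[start]) <= window]
            first_delete = _ts(burst[0])
            prior = [e for e in evs if e["eventName"] in READ_OR_COPY
                     and first_delete - lookback <= _ts(e) < first_delete]
            deleted = {e["requestParameters"]["bucketName"] for e in burst}
            staging = {e["requestParameters"]["bucketName"]
                       for e in prior if e["eventName"] == "CopyObject"} - deleted
            findings.append({
                "principal": principal,
                "first_delete": burst[0]["eventTime"],
                "deletes": len(burst),
                "deleted_buckets": sorted(deleted),
                "prior_read_or_copy": len(prior),
                "staging_buckets": sorted(staging),
                # copies landing outside the deleted bucket right before a delete
                # burst is the copy-then-delete pattern itself
                "severity": "high" if staging else "medium",
            })
            break  # one finding per principal keeps the alert actionable
    return findings


if __name__ == "__main__":
    for finding in detect_copy_then_delete(SAMPLE_EVENTS, BASELINE_DELETES):
        print(finding)
```

The baseline is what keeps this rule quiet: the backup service account deletes objects every night, so its threshold is far above the absolute floor, while a developer identity that has never deleted anything trips the rule on a handful of deletes. Run against a real environment, the baseline would be measured from the logs you have verified are enabled; if object-level data events are not being recorded, none of the CopyObject or DeleteObject records above exist and the rule has nothing to evaluate, which is exactly the logging gap discussed above.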

Conduct Tabletop Exercises Regularly

There really is no substitute for being prepared. Something we've seen that really helps the incident response process is simulating ransomware incidents to test your organization's incident response plans. Use those simulations to identify gaps and areas for improvement in your incident response processes.

Ransomware incidents rarely involve just the technical team. They become coordination and management challenges as well. It is important to exercise with other business units and with both internal and external stakeholders, since they are likely to be asked questions and to have significant roles in these situations. For executives, these exercises take an hour or two that busy leaders find hard to spare, but if you can outline the potential risks to the business clearly, through examples and data, it’s usually a meeting they’ll accept, and appreciate once it’s done. Your board will thank you too.

Combatting cloud ransomware and extortionware requires a proactive and slightly different approach from CISOs and security teams compared to on-premises ransomware. Cloud ransomware can happen quickly, and if there is no detection in place, the attacker has the upper hand. That advantage grows if you do not have the proper logs configured. During on-premises ransomware analysis, host forensics provides a fallback. In the cloud, without properly configured logs, you have little to analyze: there is no disk to image, so the audit log is often the only record of what the attacker did. Responding to ransomware is difficult, and it becomes more difficult when you cannot answer how or what happened. The steps outlined here may seem like a lot, but the extra preparation is paid back many times over in increased organizational resilience.


Need more advice to get ransomware ready? Our eBook will help you prepare.

LAST UPDATED:

March 3, 2025
