We're proud to be named a 2024 Publisher's Choice winner!

We're an RSA Conference 2024 Innovation Sandbox Finalist!

Contending with ransomware and extortionware has, unfortunately, become commonplace for enterprises. But the results can be anything but common. We at Mitiga have watched as attackers continue to up the ante creating what can be devastating impacts on organizations and the people they serve.

The Change Healthcare ransomware attack, for example, has affected millions of Americans, impeding their ability to get a prescription filled or paid for. That’s just one example of an attack with outcomes that produce mission-critical damages.

Why is it happening now?
Over the period of multiple years, the prevalence of unsecured and misconfigured cloud resources has led to numerous data security incidents that have caused all kinds of harm.

As organizations increasingly adopt cloud services, the threat of ransomware and extortionware in the cloud has become an increasing concern for CISOs and security teams.

One strategy that we have observed in recent investigations is deleting cloud resources instead of encrypting them. This “Living off the Cloud” type of attack could have less overhead in development and leverage the relevant cloud API requests instead of malware. In the most basic form of cloud ransomware attack, all the adversary needs to do is get access to the cloud data, copy it all to a different location, delete the original copy, and then hold the data for ransom.

The Risks of Cloud Ransomware

Cloud ransomware attacks are opportunistic, targeting public resources and compromised credentials. A recent IBMX-Force report found that cloud account credentials alone make up 90% of cloud assets for sale on the dark web, making it easy for threat actors to take over legitimate user identities to establish access into victim environments.

Assumptions about an organization's state of cloud security is another real risk when it comes to ransomware. These assumptions can come from confusion regarding both the logging available and the forensic value of these logs. It is important to not only verify that you have the correct logs enabled and configured, but you also understand how those logs can assist in the event of ransomware.

These assumptions can also plague an organization when there is a belief that if a log is enabled and has forensic value that you have adequate alerting in place. Each of these steps should be carefully reviewed to determine if you are ransomware ready.

Guidance for CISOs and Teams

To contend with ransomware and extortion in cloud and SaaS environments, CISOs and teams should focus on the following areas:

Understand the Threat Landscape

Identify your organization’s attack surface and perform vulnerability assessments against it. A few examples of this could include:

       -   Identify where your critical assets and services are.

       -   Run continuous assessments to identify vulnerabilities in your environment.

       -   Conduct penetration tests to gain comprehensive visibility into your attack surface.

Detect Early Stages of the Attack Chain

It all starts by first establishing baselines for normal user and system activity. With that in place, it's time to implement monitoring and logging solutions to detect potentially anomalous behavior. Be sure to set up alerts and notifications for suspicious activity, such as unusual login attempts or data access patterns. This could include:

       -   Identify baseline usage and metrics across critical and sensitive services.

       -   Create detections for deviations from the baseline.

       -   Leverage the logging available and create custom detections based on your environment.

            Default detections are not enough.

       -   Set escalation thresholds and response playbooks based on the type of alert received.

Conduct Tabletop Exercises Regularly

There really is no substitute for being prepared. Something we've seen that really helps with the incident response process is to simulate ransomware incidents to test your organization's incident response plans. Use those simulations to identify gaps and areas for improvement in your incident response processes.  

Ransomware incidents rarely involve just the technical team. These can become coordination and management challenges as well. It is important to exercise with other business units along with both internal and external stakeholders as they are likely to be asked questions and have significant roles in these situations. For executives, these exercises take an hour or two out of the day that is hard for busy leaders to find, but if you are able to outline the potential risks to the business clearly, through examples and data, it’s usually a meeting they’ll accept, and appreciate once it’s done. Your board will thank you too.

Combatting cloud ransomware and extortionware requires a proactive and slightly different approach from CISOs and security teams compared to what is thought of during on-premises ransomware. Cloud ransomware can happen quick and if there is no detection in place, the attacker will have the upper hand. This upper hand gets worse if you do not have the proper logs configured. During on-premises ransomware analysis, host forensics provides a fallback. However, in the cloud, without properly configured logs, you have little to analyze. Responding to ransomware can be difficult and it becomes more difficult when you cannot answer how or what happened. The steps outlined here may seem like a lot, but the extra preparation is paid back many times over in increased organizational resilience.


Need more advice to get ransomware ready? Our eBook will help you prepare.


April 22, 2024

Don't miss these stories:

Mitiga Wins Global InfoSec Award for Cloud Threat Detection Investigation & Response (TDIR)

We’re proud to report that at the open of today’s RSAC24, Mitiga was awarded the Publisher's Choice Cloud Threat Detection Investigation & Response (TDIR) from Cyber Defense Magazine (CDM), the industry’s leading electronic information security magazine.

Here's Why Traditional Incident Response Doesn’t Work in the Cloud

Traditional incident response (IR) learned from on-premises investigations doesn’t work in the cloud. Today's threat actors are finding misconfigurations and vulnerabilities to allow them to penetrate cloud environments.

Why Did AWS Replace My Role’s ARN with a Unique ID in My Policy?

After several years of working with AWS, IAM remains one of the most frequently used services in my daily routine. Yet, despite my familiarity with it, a recent production incident taught me that there’s always more to learn.