Ransomware's new playbook: how attackers weaponize cloud backups

CybersecurityHQ News


Evolution of Cloud-Targeting Ransomware Techniques

Ransomware attacks have changed a great deal in the last few years. Their focus has shifted away from personal computers toward large cloud services. If you or your organization uses any kind of cloud service, you could well be the next ransomware victim. After all, studies show that about 30% of all computers use some form of cloud service. And, let's be honest: ransomware is one of the most effective and reliable ways for cybercriminals to make money.

Primary Attack Vectors

Cloud-targeting ransomware has evolved and now relies on four main attack methods. Each has its own characteristics and poses its own problems for defenders.

The most common method, accounting for 40% of all attacks, is data deletion (Palo Alto Networks). Many attackers simply want to cause damage rather than steal data, perhaps to impress other criminals or to show that they can get into large companies' cloud storage without consequences. Cloud storage services such as Amazon S3 and Microsoft Azure Blob Storage are ideal targets because they are easy to reach (TechTarget), hold a great deal of important data, and require hardly any computing power to attack.

About 25% of attacks use the bypass method, in which the attacker swaps the original files for encrypted versions, leaving the real data unusable without the decryption key. This method works well because it can dodge some backup systems and makes recovery very hard. "We make a copy of your stuff, then we take your files offline," says one expert. "If you don't pay, you won't get your stuff back."

Re-encryption attacks are common in the cloud, accounting for 20% of attacks, or even 40% according to some sources. In these cases the attackers cannot see the data directly and cannot easily tell what the service provider is sending and receiving. That is a disadvantage for them, because they need plaintext (the data as it was before encryption) to gain real control over the system and make the cloud service unusable for its legitimate customers.

Attacks using the disable-key technique, which account for 15% of cloud security breaches, aim to disrupt the key management systems that control who can access cloud services and data. Attackers typically target the basic security tools and mechanisms that protect the cloud. By disrupting these access control and security systems, they can often render entire cloud storage services unusable. If they then find and download the keys to the data, they can reach data that was assumed to be safe and secure.

Impact on Organizations

The impact of ransomware attacks aimed at the cloud is hitting organizations hard and costing them a great deal of money. For example, the 2021 Kaseya VSA attack, part of the REvil/Sodinokibi ransomware scheme, is expected to cost affected companies between $50 million and $70 million in lost revenue, recovery expenses, and reputational damage. The cost of a successful attack on cloud assets shows why some experts question whether the cloud is the safest place.

It is not just the data loss or the ransomware holding the encryption key. The whole business can be threatened. When cloud backup systems are attacked, recovery is harder. Typical downtime is getting worse: it has gone from an average of three to five days to seven to ten days or more, and the average costs have almost doubled.

Of course, these attacks hurt people more than anything. They cause real harm to our friends and neighbors and drive businesses under. But like a lot of tragedies, it has become a sort of spectacle, and that makes it something people can't ignore.

It is not only the money paid to attackers that hurts when companies are hit by ransomware. The damage to the reputation of cloud services is taking a toll that is felt across the cybersecurity industry. How large is that toll? At least $7.5 billion, and that is just the beginning. That is the estimate from the firm Redmond Analytics, which specializes in quantifying the damage caused by business disruptions. In its report, Redmond Analytics first looked at the average cost of 10 large cloud service companies losing their services for a day (around $5.6 billion, possibly an underestimate). It then added the costs over the next four quarters that these companies will have to bear to keep operating without being sued for bad business practices.

On top of everything else, the recent attacks on cloud backup systems have made businesses rethink their disaster recovery plans. Those plans have stayed much the same for a long time: most companies keep backup copies off-site and test their disaster recovery processes to make sure they can keep going after a major incident. Now, using cloud backups safely adds more steps and more complicated procedures to plans that were already hard to manage.

Cloud Backup Security Vulnerabilities

Infrastructure Vulnerabilities

The changing world of cloud backup services has exposed serious weaknesses in our systems, and attackers are exploiting them more and more. Cloud storage providers have become the main targets of the latest major cyberattacks, especially the most advanced ransomware campaigns, in which the attackers most often go after the backup system itself. Why attack backups? Because even the best IT disaster recovery plans don't always guarantee that systems and data will be restored quickly and fully after a major failure. But there is a more serious risk.

Cloud backup systems often have a weak point because storage buckets aren't configured correctly, and this is a common problem. Even though backup services come with strong security controls, many organizations don't use them properly or at all, leaving their backup data open to unauthorized access or even tampering.

The problem isn't limited to a few misconfigured systems. Disaster recovery relies on many different applications and services that need to work together, and well-designed APIs are the natural way to make that happen. But if the APIs aren't secure, they become weak links that attackers can use to reach the systems behind them. Backup systems, sometimes the last place where data security is enforced, can quickly turn from a source of strong protection into an easy target for thieves.

Version control for backups helps keep them safe, but it becomes a problem if it isn't secured. Keeping multiple versions of data helps restore things to how they were, but one has to ask whether letting old copies linger is a good idea. Saving versions means saving the data itself, which requires proper management so that only the right people can reach it. Is that even possible?

Ransomware attacks can exploit a major flaw in how some companies design their networks. When networks aren't segmented properly, it's easier for attackers to move around and find the most important data to hold hostage. This shows up in two ways. First, organizations often don't keep their backup networks far enough from their main networks, so an attacker who gets into the main network can reach the backup network too easily. Second, many companies put their backups right next to the systems that most ransomware attacks target.

Access Control Weaknesses

Access control in Backup as a Service (BaaS) matters a great deal because so many companies rely on cloud backups to protect their data. The private cloud UI is a weak spot because it lets admins bypass most of the BaaS program's restrictions. Likewise, when using RDP to reach the private cloud, an operator can do just about anything in the BaaS program.

In cloud backup setups, privilege escalation remains a major problem. Over-permissioned accounts are the most tempting bait for attackers, who can use stolen high-level accounts to delete all backups silently or alter backup schedules so they become useless. Once in, they have full control. The system is weak, and setups like this are everywhere, adopted by too many companies without enough thought. Attackers don't go around this weakness; they aim straight for it.

Keeping MFA effective is a big problem. Many organizations have deployed MFA, but only on their main systems. The backup infrastructure is often still protected by single-factor authentication, which is like the Wild West for attacks: attackers can obtain user credentials through phishing or malware and then log into critical backup systems. MFA is a best practice, but to be effective it must be applied consistently at every level, including the backup infrastructure.

Another major access-control problem is poor session management. If session timeouts are too long or session tokens are not handled securely, a logged-in user can be 'displaced': an attacker takes over the session and uses it to run commands at a high privilege level. The danger grows when the session token isn't well protected, for example a cookie stored insecurely, and grows further if the system doesn't log actions properly and can't monitor the commands being run.

When organizations use role-based access control (RBAC), they often get it wrong, and that has caused security issues. Those in charge of backups don't maintain separation of duties and hand out too many privileges. Some problems arise because technical staff misuse backup tools to reach production data, and other kinds of access misuse have caused trouble as well. Sometimes attackers have used access they should never have had.

Integrating cloud backup systems with existing identity and access management (IAM) setups brings extra problems (CISA). Cloud access rules can differ from those on physical sites, and if this inconsistency isn't addressed it can weaken security. So you have to deal with the problems of a hybrid environment and manage authentication well, making sure access issues don't undermine cloud backup security.

Defense Strategies and Best Practices

In today's evolving threat landscape, protecting cloud backup systems from ransomware attacks requires a sophisticated, multi-layered approach that combines advanced monitoring with robust recovery strategies (CISA). As threat actors increasingly target backup infrastructure, organizations must implement comprehensive security measures to safeguard their critical data assets (eSecurity Planet).

Monitoring and Detection

A good backup plan needs strong monitoring and detection in the cloud environment. Organizations should deploy the best intrusion detection systems (IDS) and endpoint detection and response (EDR) solutions available; these are the tools that spot potential problems before attacks can damage the backup systems. A lot can fail during a backup, which is where continuous security monitoring comes in, watching network traffic patterns, system logs, and user behavior around the clock. This monitoring succeeds when it focuses on changes in behavior, which are the clues that something unusual, and usually an attack, is under way.

Collecting and analyzing logs is essential for finding threats early. Security teams need to log everything relevant to backups, including firewall settings, who tried to log in and when, and any changes to the system. Using EDR tools is also important: they are the best way I know to stop threats from tampering with memory allocation, which is a primary way ransomware establishes itself.

Managing Remote Desktop Protocol (RDP) is critical because ransomware attackers often use it to get in. Organizations should keep RDP access to a minimum, so rare that it is effectively never used, and control who can access it. If someone really needs RDP, it must be used safely. Almost everything we said about RDP in the first half of this paper also applies to RDP in virtual machines.

Controlling command-line and scripting activity is critical because it is tied to user accounts. Anyone who can run commands or scripts effectively has access to every part of the system. That is why only a few key people are allowed to use the command line safely. But what if those people are told to leave and their access isn't cut off quickly? That is a weak point threat actors may try to exploit.

Finding the latest cyber threats takes more than conventional detection methods; it takes advanced ones. What makes them advanced? They use systems that can learn on their own. These systems, built by experts on the latest research, are called machine learning algorithms. They help us see many different threat patterns, both what is happening now and what is likely to happen next.

Security teams should establish a baseline of normal backup system behavior and set up automatic alerts for deviations. They need to watch for anomalies such as backups growing larger, running more often, or shifting in timing; these can be signs of attackers tampering with the systems or ransomware trying to encrypt them.
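One way to build the baseline-and-alert check described above, as an added example that is not part of the original article: the 'timestamp job size_bytes' log format, the job name and the sample runs are all constructed for illustration.

```python
# Added example: learn a baseline from the first runs of each backup job,
# then flag later runs whose size, start hour or interval deviates from it.
from datetime import datetime
from statistics import mean, median

# Constructed sample log (not real data): eight nightly ~41 GB runs form the
# baseline, then a normal run, a midday run three times the usual size that
# also arrives only ten hours after the previous one, then a normal run.
SAMPLE_LOG = """\
2024-05-01T02:01:10 db-full 41200000000
2024-05-02T02:00:52 db-full 41800000000
2024-05-03T02:02:05 db-full 40900000000
2024-05-04T02:01:33 db-full 42100000000
2024-05-05T02:00:47 db-full 41500000000
2024-05-06T02:01:58 db-full 41300000000
2024-05-07T02:02:21 db-full 42000000000
2024-05-08T02:01:04 db-full 41700000000
2024-05-09T02:00:40 db-full 41500000000
2024-05-09T12:00:00 db-full 124000000000
2024-05-10T02:01:00 db-full 41000000000
"""

def parse_log(text):
    """Parse non-empty lines into (datetime, job, size_bytes) tuples."""
    runs = []
    for line in filter(None, text.splitlines()):
        ts, job, size = line.split()
        runs.append((datetime.fromisoformat(ts), job, int(size)))
    return runs

def detect_anomalies(text, baseline_runs=8, size_ratio=1.5,
                     hour_tolerance=2, interval_ratio=0.5):
    """Return [(timestamp, job, reasons)] for runs after the baseline window."""
    by_job = {}
    for ts, job, size in parse_log(text):
        by_job.setdefault(job, []).append((ts, size))
    findings = []
    for job, runs in by_job.items():
        runs.sort()
        base = runs[:baseline_runs]
        if len(base) < 2:
            continue  # too little history to learn a baseline
        base_size = mean(s for _, s in base)            # typical size
        base_hour = median(ts.hour for ts, _ in base)   # typical start hour
        base_gap = median((b[0] - a[0]).total_seconds()  # typical interval
                          for a, b in zip(base, base[1:]))
        for prev, (ts, size) in zip(runs[baseline_runs - 1:], runs[baseline_runs:]):
            reasons = []
            if size > base_size * size_ratio or size < base_size / size_ratio:
                reasons.append("size")
            if abs(ts.hour - base_hour) > hour_tolerance:
                reasons.append("time")
            if (ts - prev[0]).total_seconds() < base_gap * interval_ratio:
                reasons.append("frequency")
            if reasons:
                findings.append((ts.isoformat(), job, reasons))
    return findings
```

Calling detect_anomalies(SAMPLE_LOG) flags only the midday run, for all three reasons; in practice the baseline window would be refreshed on a schedule so normal growth does not become a permanent alert.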

Recovery Planning

Keeping the business running during and after a ransomware attack requires a strong recovery plan. Your organization should hold multiple backup copies in different, distant locations. Some of these backups may be "air-gapped", completely cut off from the network (eSecurity Planet), because none of these critical copies must be allowed to get infected. Every part of the plan must use safe and reliable methods, so ransomware can't easily get into the backups and the organization can verify the backups before using them for recovery.

These days, backup systems that can't be changed are essential to effective recovery plans. They help avoid the "backup hypocrisy" that makes some people question whether backup plans are sound: in many cases, the backup files people need are easy to find, unlike the regular files they are supposed to keep. Immutable backup targets include systems that may have been attacked but still hold data untouched by ransomware variants.
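An added example, not the article's or any vendor's code, that ties the bucket misconfiguration point from Infrastructure Vulnerabilities to the immutability point above: it audits a bucket policy for settings that let a stolen credential destroy backups, and shows a hardened policy beside the weak one. The policies, account ID and bucket name are constructed AWS S3 examples.

```python
# Added example: audit constructed S3 bucket policies for destructive
# permissions and for the absence of a Deny that protects object versions.
DESTRUCTIVE = {"s3:*", "s3:DeleteObject", "s3:DeleteObjectVersion",
               "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration"}
GUARDS = {"s3:DeleteObjectVersion", "s3:PutBucketVersioning"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anyone(principal):
    """True for a wildcard principal ('*' or {'AWS': '*'})."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket_policy(policy):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings, denied_for_all = [], set()
    for st in policy.get("Statement", []):
        sid, actions = st.get("Sid", "?"), set(_as_list(st.get("Action", [])))
        if st.get("Effect") == "Deny" and _is_anyone(st.get("Principal")):
            denied_for_all |= actions  # guards that apply to every caller
        if st.get("Effect") != "Allow":
            continue
        if _is_anyone(st.get("Principal")):
            findings.append(f"{sid}: grants access to any principal")
        if actions & DESTRUCTIVE:
            findings.append(f"{sid}: allows destructive actions {sorted(actions & DESTRUCTIVE)}")
    if not GUARDS <= denied_for_all:
        findings.append("no Deny statement protects object versions and versioning")
    return findings

# Weak policy (constructed): the backup agent's role may do anything, so a
# stolen agent credential can delete every version of every object.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AgentFull", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-agent"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-backups/*"}]}

# Hardened policy (constructed): the agent may only write and read, and an
# explicit Deny for every principal blocks deleting versions or disabling versioning.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AgentWriteOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-agent"},
     "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]},
    {"Sid": "NoDestroy", "Effect": "Deny", "Principal": "*",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutBucketVersioning"],
     "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"]}]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_bucket_policy(pol) or ["ok"])
```

A bucket-policy Deny can be removed by any principal allowed to edit the policy, so it complements provider immutability features such as S3 Object Lock rather than replacing them.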

Organizations should adopt a 3-2-1 backup plan: three copies of your data, on two different kinds of storage, with one copy in a different location. This approach reduces the chance of a single point of failure and makes successful recovery after an attack more likely.

To confirm that recovery plans actually work, organizations need to test them regularly, with plenty of practice runs and simulated recovery exercises, so they can find problems and make sure everyone knows what to do when a real attack happens. In this article, we'll focus on the most important simulated recovery exercise; we think running one can really help organizations get ready to handle cyberattacks.

Managing encryption keys is vital for recovery planning. Organizations should have strong key management policies that cover securely storing encryption keys, rotating keys regularly, and controlling who can access them. They also need to train staff to avoid mistakes. Done wrong, recovery plans can fail, and organizations could pay the price.

Finally, it's essential to set up protocols for how to communicate during a ransomware incident. The first part is making sure the right people inside the organization can talk to each other securely and privately; this is the part of the plan that covers "what we say and how we say it" when leading the organization's official response to an attack. The other part is communicating with the outside world, including stakeholders, customers, and even government officials who may care about how the organization is doing. This part answers the question, "What should the outside world be told about this ransomware attack, and when should they be told?"

When organizations put these strategies and practices into action, they become far stronger against ransomware aimed at the cloud. The next section covers some of the most important replication strategies, essential defensive best practices, and helpful tips for a secure cloud environment, especially for public sector agencies using clouds that private companies own and run.

References

[1] DeBeck, C. (n.d.). Ransomcloud. TechMonitor. https://www.techmonitor.ai/technology/cybersecurity/ransomcloud

[2] SentinelOne. (n.d.). The state of cloud ransomware in 2024. https://www.sentinelone.com/blog/the-state-of-cloud-ransomware-in-2024/

[3] Palo Alto Networks. (n.d.). Ransomware data protection in the cloud. https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/

[4] TechTarget. (n.d.). Offline backups are a key part of a ransomware protection plan. https://www.techtarget.com/searchDataBackup/tip/Offline-backups-are-a-key-part-of-a-ransomware-protection-plan

[5] TechTarget. (n.d.). How to develop a cloud backup ransomware protection strategy. https://www.techtarget.com/searchcloudcomputing/tip/How-to-develop-a-cloud-backup-ransomware-protection-strategy

[6] Ransomware.org. (n.d.). Ransomware backup strategy. https://ransomware.org/how-to-prevent-ransomware/passive-defense/ransomware-backup-strategy/

[7] eSecurity Planet. (n.d.). Cloud security best practices. https://www.esecurityplanet.com/cloud/cloud-security-best-practices/

[8] Cybersecurity and Infrastructure Security Agency (CISA). (n.d.). Cybersecurity Advisory (CSA): #StopRansomware. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060a

Stay Safe, Stay Secure.

The CybersecurityHQ Team
