Indo Guard Online
San

By Admin | March 17, 2025 | 3 Mins Read
Cloud-Native Ransomware Attacks


March 17, 2025Hacker NewsCloud security / intelligence threats

Ransomware attacks in the cloud

The latest Palo Alto Networks Unit 42 report found sensitive data in 66% of cloud storage buckets. This data is vulnerable to ransomware attacks. The SANS Institute recently reported that these attacks can be carried out by abusing cloud providers' security controls and default settings.

“In just the last few months, I have witnessed two different methods for a ransomware attack using nothing but legitimate cloud security features,” warns Brandon Evans, security consultant and SANS Certified Instructor. Halcyon disclosed an attack campaign that used one of Amazon S3's encryption mechanisms, SSE-C, to encrypt each of the target buckets. A few months earlier, security consultant Chris Farris demonstrated how attackers can carry out a similar attack using another AWS security feature, KMS keys with external key material, using simple scripts generated by ChatGPT. “It is clear that this topic is intended for both threat actors and researchers,” Brandon notes.

To counter cloud ransomware, SANS recommends that organizations:

  1. Understand the power and limitations of cloud security controls: Using the cloud does not automatically make your data secure. “The first cloud services that most people use are file backup services such as OneDrive, Dropbox, iCloud and others,” Brandon explains. “Although these services usually have recovery capabilities enabled by default, this is not the case for Amazon S3, Azure Storage or Google Cloud Storage. It is important for security professionals to understand how these services work and not assume that the cloud will save them.”
  2. Block unsupported encryption methods: AWS S3 SSE-C, AWS KMS external key material and similar encryption methods can be abused because the attacker has complete control over the keys. Organizations can use Identity and Access Management (IAM) policies to mandate the encryption method used by S3, such as SSE-KMS using key material hosted in AWS.
  3. Enable backups, object versioning and object locking: These are some of the integrity and availability controls for cloud storage. None of them is enabled by default for any of the Big 3 cloud providers. When used properly, they can increase the chances that an organization can restore its data after a ransomware attack.
  4. Balance security and cost with lifecycle policies: These security features cost money. “Cloud vendors are not going to host your data versions or backups for free. At the same time, your organization is not going to give you a check for data security,” Brandon says. Each of the Big 3 cloud providers allows customers to define lifecycle policies. These policies allow organizations to automatically delete objects, versions and backups when they are no longer considered necessary. Remember, however, that attackers can also use lifecycle policies. They were used in the previously mentioned attack campaign to pressure targets into paying the ransom quickly.
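
As an added example (not from the SANS material or the original article), the following Python sketch turns recommendations 2 through 4 into an offline check: it builds one bucket-policy statement that rejects SSE-C uploads and audits bucket settings for the gaps listed above. The function names, the 30-day lifecycle threshold and both sample configurations are assumptions made for illustration; the dictionaries mirror the shapes returned by the S3 API.

```python
SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

def deny_ssec_statement(bucket):
    """Bucket-policy statement rejecting any PutObject that carries an SSE-C header."""
    return {
        "Sid": "DenySSEC", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        # Null == false means the SSE-C algorithm header is present in the request
        "Condition": {"Null": {SSEC_KEY: "false"}},
    }

def blocks_ssec(policy):
    """True if the policy has a Deny on s3:PutObject conditioned on the SSE-C header."""
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        cond = st.get("Condition", {}).get("Null", {})
        if (st.get("Effect") == "Deny"
                and str(cond.get(SSEC_KEY)).lower() == "false"
                and any(a in ("s3:PutObject", "s3:*", "*") for a in actions)):
            return True
    return False

def audit_bucket(cfg, min_expiry_days=30):
    """Return findings for one bucket; min_expiry_days is an assumed threshold."""
    findings = []
    if not blocks_ssec(cfg.get("policy", {})):
        findings.append("SSE-C uploads not denied by bucket policy")
    if cfg.get("versioning", {}).get("Status") != "Enabled":
        findings.append("object versioning not enabled")
    lock = cfg.get("object_lock", {}).get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock not enabled")
    for rule in cfg.get("lifecycle", {}).get("Rules", []):
        days = rule.get("Expiration", {}).get("Days")
        if rule.get("Status") == "Enabled" and days is not None and days < min_expiry_days:
            findings.append(f"lifecycle rule {rule.get('ID')!r} deletes objects after {days} day(s)")
    return findings

# Constructed sample configurations (not real buckets).
DEFAULT_BUCKET = {"lifecycle": {"Rules": [
    {"ID": "purge", "Status": "Enabled", "Expiration": {"Days": 7}}]}}
HARDENED_BUCKET = {
    "policy": {"Version": "2012-10-17", "Statement": [deny_ssec_statement("example-bucket")]},
    "versioning": {"Status": "Enabled"},
    "object_lock": {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
}

if __name__ == "__main__":
    print(audit_bucket(DEFAULT_BUCKET), audit_bucket(HARDENED_BUCKET))
```

A short-expiry lifecycle rule is reported because the article notes that lifecycle policies can be turned against the data owner; whether a given rule is legitimate still needs review against the bucket's change history.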

To find out more, watch Brandon's webcast, “The Cloud Won't Save You from Ransomware: Here's What Will”, by visiting https://www.sans.org/webcasts/Cloud-wont-save

Interested in additional tactics for mitigating attacks across the Big 3 cloud providers? Check out Brandon's course, SEC510: Cloud Security Controls and Mitigations, at SANS 2025 in Orlando or Live Online this April. This course is also available with Brandon later in the year in Baltimore, MD in June or Washington, DC in July.

Found this article interesting? This article is a contributed piece from one of our esteemed partners.




