RansomCloud is ransomware designed to infiltrate and encrypt cloud storage. Responsibility for the security of your data isn't as straightforward as you might think. We tell you what you need to know.

Ransomware and RansomCloud

Ransomware is a type of malware that infects a victim's computers and servers. It encrypts the files and data on those devices rendering the network inoperable. To reverse the process---known as decryption---requires a unique decryption key. The cybercriminals extort a ransom in exchange for the key.

Ransomware is big business. Since the start of the COVID-19 pandemic, ransomware attacks have increased by 600%. In 67% of cases phishing emails are used to ensnare the victim. Phishing attacks are emails that are crafted to closely mimic emails from trusted sources, such as online services, banks, and other payment platforms like PayPal.

The emails try to generate a sense of urgency. There's a problem that needs handling right now, or a special offer is closing soon---don't miss out! Opening a tainted attachment will infect your computer. Clicking on a malicious link will take you to a bogus website that will harvest your credentials, or download malware to your computer.

Meanwhile, the move to cloud computing continues unabated. One of the perceived attractions is improved robustness of operation and superior business continuity. The infrastructure that underpins the cloud offerings from service providers such as Microsoft, Google, Amazon is world-class. And if anyone knows security, it must be those titans of technology, right? That doesn't mean these platforms---or any other platform, for that matter---come with neatly parcelled fit-and-forget security. As you may expect, it's a bit more complicated than that.

Cybercriminals have started targeting cloud platforms and services with ransomware attacks, giving rise to the name "ransomcloud." Whether you adopt a public cloud, hybrid cloud, or multi-cloud infrastructure, the cybercriminals want to get at your data. The more data you have in one place, the more attractive a target that place becomes. If that same data storage holds the data for many businesses, its value to the cybercriminals escalates.

Types of RansomCloud attack

There are three types of attack that can infect cloud storage.

Piggy-Backing on Sync

Most ransomware is delivered by phishing attacks. The first type of ransomcloud attack infects the victim's local computer. Phishing emails rely on an action from the victim such as attempting to open a bogus attachment or clicking a link. The attachment is unlikely to carry the malware itself. More often, they run a small program called a "dropper." The dropper runs in the background and downloads and installs the actual malware. Clicking a link can initiate downloads too.

The malware may present a popup to the user that looks like a permission request from a piece of trusted software. Instead of giving permission for, say, your anti-virus to scan the user's portion of your cloud storage, you're inadvertently giving access rights to the malware. The malware can now access that cloud.

Once the victim's computer is infected the malware may distribute itself across the network from machine to machine, and server to server. Some ransomware looks for a file sync service that is communicating to a cloud service. It piggy-backs onto this and gains access to the cloud storage, infecting and encrypting the data in the cloud.

Once access to the cloud has been established, the ransomware then triggers and encrypts the on-premise computers. It waits until it has either successfully infiltrated the cloud---which it cannot do if it encrypts all the local computers straight away---or it decides that there is no route to the cloud that it can compromise, and settles on a purely local infection.

Remote Connection With Stolen Credentials

The second type of attack infects the victim's local or mobile device. It steals the user's cloud credentials by monitoring network connections and watching authentication attempts. It may direct the user to a bogus web portal masquerading as the real cloud platform. When the victim signs into the fraudulent portal it harvests their credentials.

By tracking keystrokes on the infected local computer connection details can be copied by the malware to a remote computer. The same credentials are entered automatically by the remote computer. Even if two-factor authentication is in use, the local malware catches the keystrokes on the victim's device and relays them to the cybercriminals' remote computer.

A simultaneous login from the cybercriminals' computer works because the ID and password they have eavesdropped from the victim's computer are correct, and the 2FA verification is the current, valid verification token. So the cybercriminals now have a connection to your cloud from their own computer. That could be data storage, or it might be corporate email.

Attacking The Cloud Provider

A successful attack on a cloud provider is a major coup for the cybercriminals---and a big payday too. They can compromise the entire platform and extort ransoms from some or even all of the customers of that service.

In late August 2019, Digital Dental Record and PerCSoft told their 400 customers---all dental surgeries---that their DDS Safe cloud platform for dentists had been hit by ransomware. Approximately 400 dental surgeries had their data encrypted.

On August 12, 2021 Microsoft were notified of a vulnerability in its Azure Cosmos Database, the software at the heart of its Azure cloud-offering. It was reported to them by a security researcher. Microsoft immediately mitigated the vulnerability. There is no evidence that the vulnerability was exploited.

The vulnerability was in an open-source product called Jupyter Notebook that was integrated into the Cosmos DB, and turned on by default. Microsoft responded to the notification from the security researcher with text-book play-for-play actions, controlling and mitigating the situation immediately. A close call, but no actual breach. But it does show that everyone can be vulnerable.

Who Is Responsible For Cloud Security?

The responsibility is shared, insofar as you each have responsibilities. But you're responsible for different parts of the puzzle. A cloud provider is responsible for ensuring that data cannot be accessed without legitimate credentials. It is their duty to ensure your data is not exposed to risk because of a vulnerability. And if that vulnerability is exploited by a cybercriminal, they are responsible for the breach.

However, they are not responsible for vulnerabilities or exploits that occur as a result of poorly chosen or default passwords, misconfigured software---even if it is software they have provided as part of their service to you---nor for failings on the part of your staff. If someone in your organization falls prey to a phishing attack, your cloud provider isn't responsible.

Some organizations assume that all security for the cloud falls to the cloud provider. That isn't the case at all. It's important to understand exactly where the responsibilities lie, and where the cut-off is for each party. This is key to becoming secure. You must understand what they're providing so that you can see what you need to provide on top of that. And knowing where the boundaries of responsibility lie is the only way you can ensure there are no unguarded or neglected areas in the fringes between you and your provider.

How To Defend Your Data

Ask for clarity. Reputable cloud providers will have planned for how to recover from a ransomware attack and other types of outage. They will have documented it and rehearsed it. They may not be able to share the plan---it might give away information that is for internal use only, and could feasibly weaken their security---but you can ask when it was last tested or reviewed. They may be able to share with you the results of the last walk-through of the plan.

Be clear on where their responsibilities stop, and where yours start. Read the small print.

Assume the worst can happen, and plan for it. If your cloud provider has an outage, how will you continue to operate? For example, you might leverage more than one cloud vendor and adopt a multi-cloud strategy. The same thing can be achieved with a hybrid strategy, utilizing on-premise servers. Whatever your plan is, verify it works before need it.

Always do backups, store them in multiple locations, and do test restores. Update operating systems, software, and network device firmware with security and bug-fix patches. Use a market-leading endpoint security suite, covering antivirus and anti-malware.

Because almost 70% of ransomware attacks are initiated through phishing emails, ensure your staff receives cybersecurity awareness training and that it is periodically topped up. A benign phishing attack gives you a measure of how susceptible your workforce is to this type of social engineering. There are online services you can use, and security firms that will conduct benign phishing campaigns for you.

A little education can save a lot of heartache. And possibly your business.