Home»Google Workspace Ransomware Protection»Is Cloud Storage Safe From Ransomware?

Is Cloud Storage Safe From Ransomware?

Is Cloud Storage Safe From Ransomware? Let’s find out.

Help! My screen shows a large red skull and says all of my files are locked! These are words that no system administrator or business leader wants to hear from anyone using a computer on their network.

However, this year in 2021, many IT professionals and business leaders alike have had to deal with a ransomware attack’s real and alarming scenario.

As many businesses move their data to the cloud, the idea among many is once their data lands in the cloud, it is safe from ransomware. Is the cloud secure from threats, though? Is cloud storage safe from ransomware? In this article, we will try to prove the opposite. 

Is Cloud Storage Safe From Ransomware: Cloud Trends and Figures

You only have to look at the statistics of businesses moving their data to the cloud to understand why hackers would target cloud environments with ransomware variants.  According to HostingTribunal.com Cloud Adoption Statistics for 2019, the following figures show the tremendous growth and cloud adoption trend.

  • The public cloud service market is expected to reach $206.2 billion in 2019 worldwide.
  • 83% of enterprise workloads will be in the cloud by 2020
  • 94% of enterprises already use a cloud service
  • 30% of all IT budgets are allocated to cloud computing
  • 66% of enterprises already have a central cloud team or a cloud center of excellence
  • Organizations leverage almost 5 different cloud platforms on average
  • 50% of enterprises spend more than $1.2 million on cloud services annually

The cloud is undoubtedly where most business-critical data will be stored in years to come.  It makes sense then that the bad guys are taking notice of the trends in enterprise data storage and developing malware, including ransomware, that will target your cloud environments.

Read more about What is Ransomware and How Do You Get Ransomware.

Why Cloud Storage is Not Safe from Ransomware

When you ask a question, “how secure is the cloud” you can answer by analyzing how cloud storage typically works and how most businesses use it. Ransomware can easily affect files stored in cloud environments due to file synchronization processes that most cloud storages utilize to keep files in sync.  

When files change locally, these are synchronized to cloud storage.  Changes in the files trigger a synchronization action. When ransomware that has infected a local copy of the file starts encrypting the files locally, this action is viewed as a change in the files and triggers a synchronization.  

In this way, a single end-user that is infected with ransomware can inadvertently synchronize encrypted files to cloud storage that may be shared with everyone in the company.  As a result, files are encrypted for everyone.  

One company found this out the hard way when all of its 4000+ files stored in OneDrive were infected after an employee opened an email infected with ransomware.  The chain of events unfolded when the employee’s local copy of files was encrypted and then synchronized back up to the cloud.

Microsoft has since introduced better OneDrive protection for files stored in OneDrive for Business and home users.  However, even with new safety features in place, the only sure way to recover from a ransomware infection that goes beyond protections the additional features have added is to back up your data effectively.  

Ransomware Variants that Target and Use the Cloud

Ransomware is one of the biggest cloud security threats. With the accelerating movement of businesses storing business-critical data in the cloud, there is no doubt the cloud will only increase as a target for hackers.  Are there already ransomware variants targeting cloud environments?

Yes. Let’s take a look at current ransomware variants that have shown they can attack your data in the cloud and utilize cloud-based technologies.

Jigsaw ransomware

A particular variant of ransomware that has come onto the scene that encrypts local drives, network drives, and cloud storage is the Jigsaw ransomware variant.  Jigsaw ransomware specifically looks for OneDrive storage and encrypts files that are locally synced with OneDrive storage. 

It capitalizes on the way cloud storage works by encrypting the local OneDrive storage location, so the encrypted files are synchronized to the cloud.  Then, the encrypted files that have been synced to the cloud are then synchronized back down to all nodes connected to the shared OneDrive location.

This is perhaps one of the most dangerous aspects of how cloud storage works is its “Achilles heel.”  Although synchronizing files to the cloud from on-premises is a good thing to protect your locally stored data, it provides an easy means to quickly get ransomware from one computer throughout your entire organization via a shared cloud storage location.

Petya ransomware 

The Petya ransomware made use of cloud infrastructure by means of Dropbox to actually propagate the ransomware.  Petya ransomware uses Dropbox as a cloud injection tool. Starting out as a phishing email that masquerades as an applicant seeking a job, the email has a link to a Dropbox location that is supposed to contain the resume.  However, instead of a resume, it is linked to a self-extracting executable that loads the ransomware onto the unsuspecting end user’s system.


Another variant of ransomware, known as RANSOM_CERBER.cad, preys upon Office 365 users.  This strain of malware has several means to bypass Microsoft’s security measures that protect Office 365 applications.  It does this by attaching malicious Office documents via SPAM emails.

When the macro is enabled by the end-user, the VBS-coded Trojan will download the actual ransomware payload RANSOM_CERBER.CAD from a random malicious URL.    


How safe is the cloud from ransomware? Until recently, it was relatively sage. But things have changed. Now, attackers are not just going after your files stored in the cloud with ransomware, but also your cloud-based email.  A new type of cloud-specific ransomware coined by famous “black hat” hacker turned “white hat” hacker Kevin Mitnick is something he coined as “Ransomcloud”.

In the Ransomcloud attack, hackers are able to encrypt online email accounts stored in the likes of Office 365 and Google Workspace (G Suite) in real-time.  It appears that again, phishing emails are the means that hackers are using to trick end users into clicking infected attachments and links which in turn, start encrypting the cloud inbox of the end-user.  

Why Traditional Detection is Not Effective

Your cloud data security is based, among other things, on early threat detection. There are various ways that different solutions use to detect ransomware.  These generally fall into one of the following three categories:

  1. Signature Detection
  2. Abnormal Traffic Detection
  3. Abnormal File Behavior Detection

Let’s see briefly how each of these detection mechanisms work.  

Signature Detection

One of the oldest ways of detecting malicious files is by using signatures.  Traditional antivirus solutions typically leverage this type of detection mechanism. 

In simple terms, signature-based detection makes use of a signature for known ransomware and other malware and then is able to recognize and stop ransomware that matches that signature.  You can think of it as a fingerprint of sorts. Once a positive identification is made based on that signature, the malware is verified and blocked.  

The problem and limitation with a signature-based approach are attackers can change the “signature” of the ransomware by changing the malicious file in such a way that it does not match the “known” signature that would be blocked.  This allows hackers to circumvent the signature-based approach to bypass the security measures in place. At this point, using signatures is a traditional and antiquated approach to protecting your data against ransomware.

Abnormal Traffic Detection

Another widely used approach in detecting and blocking ransomware is abnormal traffic detectionAbnormal traffic detection attempts to detect malicious traffic by examining traffic patterns and detecting those patterns that look like ransomware.  The weak point of abnormal traffic detection is that it can result in high rates of false positives.

A false positive happens when your cloud storage security solution detects traffic patterns that may appear to be ransomware traffic but are actually legitimate. However, this is not an exact science and can result in legitimate network traffic being blocked that is not truly malware or, specifically, ransomware.  

Abnormal File Behavior Detection

Solutions today that can effectively detect and stop advanced ransomware need to use more advanced techniques than the traditional signature and traffic detection.  Abnormal file behavior detection looks at the file behavior for different types of anomalies to match that behavior with a particular type of malware.  

Solutions leveraging machine learning engines that can intelligently differentiate between benign behavior and malicious behavior provide powerful capabilities to businesses looking at stopping ransomware before it destroys significant amounts of business-critical data.    

SpinOne End-to-End Cloud Ransomware Protection

SpinOne provides a unique approach that combines the best of both cybersecurity and data protection in a single solution if you are looking for protection from cloud ransomware.  It offers robust ransomware cloud backup capabilities, ensuring that your critical data is regularly backed up and protected from ransomware attacks. SpinOne leverages machine learning to protect your environment from the bad guys and the tools they use like ransomware.  

Using machine learning, SpinOne looks at abnormal file behavior to detect ransomware activity in your cloud environment.  Once malicious ransomware activity is determined, SpinOne finds the source of the attack and then revokes access to the attack’s origin.  

SpinOne still allows the user account access to the environment. In other words, an employee whose user account has been victimized will still have access to their Google Workspace or Office 365 account.  Using the machine learning approach that powers the ability to detect abnormal file behavior, SpinOne can detect and effectively remediate ransomware attacks from even new or zero-day ransomware that begins attacking your environment.

Cloud Ransomware – Restore Files Automatically

With SpinOne’s solution, you not only get a cybersecurity solution that effectively stops a ransomware attack and blocks the source of the attack, but it also restores any data that has been affected.  Compared to other solutions that, at best, detect and alert to an attack, SpinOne takes the following steps to protect and remediate any files that have been encrypted proactively.  

With SpinOne’s Ransomware Protection, ransomware attacks trigger SpinOne’s automated ransomware file restoration, where only files that have been affected by ransomware are restored.  This provides a granular, automated approach that proactively protects your environment. SpinOne’s unique end-to-end solution stands out when compared to other solutions aiming to defend your Software-as-a-Service (SaaS) environments like Google Workspace and Microsoft Office 365. 

SpinOne Protection Statistics

What is the detection rate of SpinOne when it comes to detecting possible ransomware activity in your cloud environments?

  • The detection rate of 99%

File Loss Rate?

  • File Loss Rate of effectively 0 files lost due to leveraging automatic, versioned backups of your cloud environments

SpinOne Ransomware Protection architecture

Ransomware detection by SpinOne

SpinOne provides the following additional benefits to securing and protecting your cloud environments:

  • Automatic, versioned backups
  • Third-party apps control
  • Intrusion Detection
  • Easy Cloud Data migration
  • User Behavior Analysis
  • Data download analysis and protection

Cloud Storage Security: Wrapping Up

Ransomware continues to be at the top of the list of security concerns for organizations around the world.  Protecting your data assets requires that you protect your environments from ransomware at all costs. As shown, ransomware affects not only on-premises environments but also your cloud data storage as well.

SpinOne is a solution that provides end-to-end protection against ransomware in the cloud by both proactively protecting your cloud environments and automatically remediating any damage as a result of a ransomware process. 

Sign up for a fully-featured trial of SpinOne and check out SpinOne’s next-generation ransomware protection for the cloud.


Davit Davit Asatryan Director of Product
About Author

Davit Asatryan is the Director of Product at Spin.AI

He is responsible for executing product strategy by overseeing the entire product lifecycle, with a focus on developing cutting-edge solutions to address the evolving landscape of cybersecurity threats.

He has been with the company for over 5 years and specializes in SaaS Security, helping organizations battle Shadow IT, ransomware, and data leak issues.

Prior to joining Spin.AI, Davit gained experience by working in fintech startups and also received his Bachelor’s degree from UC Berkeley. In his spare time, Davit enjoys traveling, playing soccer and tennis with his friends, and watching sports of any kind.

Featured Work: