Help! My screen shows a large red skull and says all of my files are locked! These are words that no system administrator or business leader wants to hear from anyone using a computer on their network.
However, this year in 2019, many IT professionals and business leaders alike have had to deal with the very real and alarming scenario of a ransomware attack.
As many businesses move their data to the cloud, the idea among many is once their data lands in the cloud, it is safe from ransomware. Is the cloud secure from threats, though? Is cloud storage safe from ransomware? In this article, we will try to prove the opposite.
Table of Contents
Is Cloud Storage Safe From Ransomware: Cloud Trends and Figures
You only have to look at the statistics of businesses moving their data to the cloud to understand why hackers would target cloud environments with ransomware variants. According to HostingTribunal.com Cloud Adoption Statistics for 2019 the following figures show the tremendous growth and trending of cloud adoption.
- The public cloud service market is expected to reach $206.2 billion in 2019 worldwide.
- 83% of enterprise workloads will be in the cloud by 2020
- 94% of enterprises already use a cloud service
- 30% of all IT budgets are allocated to cloud computing
- 66% of enterprises already have a central cloud team or a cloud center of excellence
- Organizations leverage almost 5 different cloud platforms on average
- 50% of enterprises spend more than $1.2 million on cloud services annually
The cloud is certainly where most business-critical data will be stored in years to come. It makes sense then that the bad guys are taking notice of the trends in enterprise data storage and developing malware, including ransomware, that will target your cloud environments.
Why Cloud Storage is Not Safe from Ransomware
When you ask a question “how secure is the cloud”, you can answer by analyzing how cloud storage typically works and the way that most businesses use it. Ransomware can easily affect files that are stored in cloud environments due to file synchronization processes that most cloud storages utilize to keep files in sync.
When files change locally, these are synchronized to cloud storage. Changes in the files trigger a synchronization action. When ransomware that has infected a local copy of the file starts encrypting the files locally, this action is simply viewed as a change in the files and triggers a synchronization.
In this way, a single end user that is infected with ransomware can inadvertently synchronize encrypted files to cloud storage that may be shared with everyone in the company. As a result, files are encrypted for everyone.
One company found this out the hard way when all of its 4000+ files stored in OneDrive were infected after an employee opened an email infected with ransomware. The chain of events unfolded when the employee’s local copy of files was encrypted and then synchronized back up to the cloud.
Microsoft has since introduced better OneDrive protection for files that are stored in OneDrive for Business as well as home users. However, even with new safety features in place, the only sure way to recover from a ransomware infection that goes beyond protections the additional features have added is to back up your data effectively.
Ransomware Variants that Target and Use the Cloud
Ransomware is one of the biggest cloud security threats. With the accelerating movement of businesses storing business-critical data in the cloud, there is no doubt the cloud will only increase as a target for hackers. Are there already ransomware variants targeting cloud environments? Yes. Let’s take a look at current ransomware variants that have shown they can attack your data in the cloud and by means of cloud-based technologies.
A particular variant of ransomware that has come onto the scene that encrypts local drives, network drives, and cloud storage is the Jigsaw ransomware variant. Jigsaw ransomware specifically looks for OneDrive storage and encrypts files that are locally synced with OneDrive storage. It capitalizes on the way cloud storage works by encrypting the local OneDrive storage location so the encrypted files are synchronized to the cloud. Then, the encrypted files that have been synced to the cloud are then synchronized back down to all nodes connected to the shared OneDrive location.
This is perhaps one of the most dangerous aspects of the way cloud storage works that is its “Achilles heel”. Although synchronizing files to the cloud from on-premises is a good thing to protect your locally stored data, it provides an easy means to quickly get ransomware from one computer throughout your entire organization via a shared cloud storage location.
The Petya ransomware made use of cloud infrastructure by means of Dropbox to actually propagate the ransomware. Petya ransomware uses Dropbox as a cloud injection tool. Starting out as a phishing email that masquerades as an applicant seeking a job, the email has a link to a Dropbox location that is supposed to contain the resume. However, instead of a resume, it is linked to a self-extracting executable that loads the ransomware onto the unsuspecting end user’s system.
Another variant of ransomware, known as RANSOM_CERBER.cad preys upon Office 365 users. This strain of malware has several means to bypass Microsoft’s security measures that protect Office 365 applications. It does this by attaching malicious Office documents via SPAM emails. When the macro is enabled by the end-user, the VBS-coded Trojan will download the actual ransomware payload RANSOM_CERBER.CAD from a random malicious URL.
How safe is the cloud from ransomware? Until recently, it was relatively sage. But things have changed. Now, attackers are not just going after your files stored in the cloud with ransomware, but also your cloud-based email. A new type of cloud-specific ransomware coined by famous “black hat” hacker turned “white hat” hacker Kevin Mitnick is something he coined as “Ransomcloud”.
In the Ransomcloud attack, hackers are able to encrypt online email accounts stored in the likes of Office 365 and G Suite in real-time. It appears that again, phishing emails are the means that hackers are using to trick end users into clicking infected attachments and links which in turn, start encrypting the cloud inbox of the end-user.
Why Traditional Detection is Not Effective
Your cloud data security is based, among other things, on the early threat detection. There are various ways that different solutions use to detect ransomware. These generally fall into one of the following three categories:
- Signature Detection
- Abnormal Traffic Detection
- Abnormal File Behavior Detection
Let’s see briefly how each of these detection mechanisms work.
One of the oldest ways of detecting malicious files is by using signatures. Traditional antivirus solutions typically leverage this type of detection mechanism. In simple terms, signature-based detection makes use of a signature for known ransomware and other malware and then is able to recognize and stop ransomware that matches that signature. You can think of it as a fingerprint of sorts. Once a positive identification is made based on that signature, the malware is verified and blocked.
The problem and limitation with a signature-based approach are attackers can change the “signature” of the ransomware by changing the malicious file in such a way that it does not match the “known” signature that would be blocked. This allows hackers to circumvent the signature-based approach to bypass the security measures in place. At this point, using signatures is a traditional and antiquated approach to protecting your data against ransomware.
Abnormal Traffic Detection
Another widely used approach in detecting and blocking ransomware is abnormal traffic detection. Abnormal traffic detection attempts to detect malicious traffic by examining traffic patterns and detecting those patterns that look like ransomware. The weak point of abnormal traffic detection is that it can result in high rates of false positives.
A false positive happens when your cloud storage security solution detects traffic patterns that may appear to be ransomware traffic, but are actually legitimate. This is not an exact science however and can result in legitimate network traffic being blocked that is not truly malware or specifically, ransomware.
Abnormal File Behavior Detection
Solutions today that can effectively detect and stop advanced ransomware need to use more advanced techniques than the traditional signature and traffic detection. Abnormal file behavior detection looks at the file behavior for different types of anomalies to match that behavior with a particular type of malware.
Solutions leveraging machine learning engines that can intelligently differentiate between benign behavior and behavior that is malicious provide powerful capabilities to businesses looking at stopping ransomware before it destroys large amounts of business-critical data.
SpinOne End-to-End Cloud Ransomware Protection
If you are looking for protection from cloud ransomware, SpinOne provides a unique approach that combines the best of both cybersecurity and data protection in a single solution. SpinOne leverages machine learning to protect your environment from the bad guys and the tools they use like ransomware.
Using machine learning, SpinOne looks at abnormal file behavior as its means of detecting ransomware activity in your cloud environment. Once malicious ransomware activity is determined, SpinOne finds the source of the attack and then revokes access to the source of the attack.
SpinOne still allows the user account access to the environment. In other words, an employee whose user account has been victimized will still have access to his or her G Suite or Office 365 account. Using the approach of machine learning that powers the ability to detect abnormal file behavior, SpinOne is able to detect and effectively remediate ransomware attacks from even new or zero-day ransomware that begins attacking your environment.
Cloud Ransomware – Restore Files Automatically
With SpinOne’s solution, you not only get a cybersecurity solution that effectively stops a ransomware attack and blocks the source of the attack, but it also restores any data that has been affected. Compared to other solutions that, at best, detect and alert to an attack, SpinOne takes the next steps to proactively protect and remediate any files that have been encrypted.
With SpinOne’s Ransomware Protection, ransomware attacks trigger SpinOne’s automated ransomware file restoration where only files that have been affected by ransomware are restored. This provides a granular, automated approach, that proactively protects your environment. SpinOne’s unique end-to-end solution stands out when compared to other solutions aiming to protect your Software-as-a-Service (SaaS) environments like G Suite and Microsoft Office 365.
SpinOne Protection Statistics
What is the detection rate of SpinOne when it comes to detecting possible ransomware activity in your cloud environments?
- The detection rate of 99%
File Loss Rate?
- File Loss Rate of effectively 0 files lost due to leveraging automatic, versioned backups of your cloud environments
SpinOne Ransomware Protection architecture
SpinOne provides the following additional benefits to securing and protecting your cloud environments:
- Automatic, versioned backups
- Third-party apps control
- Intrusion Detection
- Easy Cloud Data migration
- User Behavior Analysis
- Data download analysis and protection
Cloud Storage Security: Wrapping Up
Ransomware continues to be at the top of the list of security concerns for organizations around the world. Protecting your data assets requires that you protect your environments from ransomware at all costs. As shown, ransomware affects not only on-premises environments but also your cloud data storage as well.
SpinOne is a solution that provides end-to-end protection against ransomware in the cloud by both proactively protecting your cloud environments and automatically remediating any damage as a result of a ransomware process.
Sign up for a fully-featured trial of SpinOne and check out SpinOne’s next-generation ransomware protection for the cloud.