Home»Google Workspace Ransomware Protection»Ransomware 2.0 Attacks in the Cloud: Deep Dive

Ransomware 2.0 Attacks in the Cloud: Deep Dive

Today’s threats are coming from many different sources. Businesses have long been worried about the threat of ransomware. However, a new breed of ransomware poses a threat to the next infrastructure landscape of your business – the cloud.

“Ransomware 2.0” will pose new and alarming threats to your cloud infrastructure. These new variants of ransomware that have evolved from simple on-premises threats will use malicious cloud applications and browser plugins to compromise cloud environments and hold your data hostage. 

What is ransomware 2.0? How do hackers target cloud services? Why is ransomware so successful? How is it mitigated? How can SpinOne protect your cloud environment from ransomware 2.0?

What is Ransomware 2.0?

Ransomware 2.0 is a variant of ransomware that infects cloud environments using methods of attack that are associated with cloud Software-as-a-Service environments. These include malicious cloud applications and browser plugins. Traditional ransomware has morphed into a new variant of ransomware that is following the trend of businesses moving to cloud environments like G Suite and Office 365. 

According to current statistics, 94% of enterprises already use a cloud service and 83% of enterprise workloads are already in the cloud. Businesses are attracted to the operational expense model of cloud SaaS rather than large capital expenditures associated with on-premises infrastructure.  It also allows for greater flexibility, improved high-availability and disaster recovery, and much greater scalability.   

As businesses continue to migrate to cloud SaaS, attackers are quickly following suit by developing ransomware that can infect cloud environments. Ransomware enabled with cloud-native infection capabilities is what we are calling ransomware 2.0.

A great example of ransomware 2.0 is a new type of ransomware that was demonstrated as a proof-of-concept for infecting cloud email systems. At the beginning of 2018, security expert Kevin Mitnick brought to light the very dangerous and concerning ransomware that was shown to be able to encrypt cloud SaaS email services found in the likes of Office 365.  He dubbed the new variant of ransomware, “Ransomcloud”.  

How ransomware encrypts emails

In the initial demonstration of the attack, it was shown how with a simple social engineering email received by an unsuspecting user, a hacker could take control of a cloud email account and encrypt all the emails in their account.  

How Does Ransomware 2.0 Get Into Your System?

Ransomware 2.0 operates a bit differently to infect cloud-native resources as opposed to traditional ransomware that has its roots in on-premises environments. Instead of using a more traditional file download that infects an end user system, ransomware 2.0 is specifically designed for infecting cloud environments by using:

  1. Cloud SaaS applications
  2. Malicious browser extensions

Cloud SaaS Applications

As demonstrated by Mitnick with the “ransomcloud” attack, the infection begins with an email received by an end user recommending the user to install an “upgrade” to their cloud email environment. The “upgrade” of course is not an upgrade at all but rather a malicious attack on your cloud environment. The email may look very much like an official email from Microsoft or another legitimate vendor. The user is coaxed into clicking the “upgrade” link.  

After clicking the email link, a permissions request is prompted.  Once the user grants permissions, the malicious ransomware 2.0 application starts encrypting all the emails found in the user’s inbox in real-time. Again, the end user did not have to download a file, run the file, leading to emails being encrypted. Rather, the malicious cloud application simply needs permissions that are easily gained by coaxing an end user to accept a very familiar set of permission prompts to allow the application access to their account.  

Related: Does Ransomware Affect Cloud Storage?

Malicious Browser Extensions

Malicious browser extensions work on the same principle.  The delivery mechanism is only slightly different from malicious cloud SaaS applications.  Instead of installing a cloud SaaS app from the Google marketplace or Office 365 Business Apps, installing a malicious browser extension can easily do the same thing as the malicious SaaS application.  Capitalizing on the same types of permission requests, the malicious browser app is granted access to a user’s account and can start encrypting or leaking data.  

Why is it so easy for the ransomware 2.0 variant to obtain the permissions it needs?

OAuth Tokens

When the user accepts the permissions request, they give the attacker what is called an OAuth token. OAuth is an open standard for delegating access without giving someone your password. OAuth tokens are commonly used in cloud environments or web applications to allow third-party services to make API requests on behalf of a user.  These tokens allow authorization specific to an application being able to access specific user data that is granted, based on the OAuth token.  

The possession of this token is the means that allows a third-party application to access resources under the identity of the user.  When an end user accepts permission requests in a cloud environment, they are handing over the OAuth token or access.

Ransomcloud through the access permissions
Example of an OAuth token request

Using OAuth tokens by means of OAuth 2.0 is the standard that has been adopted by major cloud companies like Microsoft, Google, and Amazon.  OAuth Abuse is a common form of attack by attackers in cloud environments as shown in the ransomware 2.0 attack.

Malicious applications are created by attackers that use the OAuth tokens to retrieve details about an end user account. By design, once in possession of access tokens, attackers do not have to have knowledge of passwords and can effectively bypass two-factor protection on the account.

The simple permissions request is the only barrier keeping attackers from having this level of access to your account. Untrained or naïve users can easily be convinced to allow the permissions requested by a malicious application.  

Last year, PhishLabs reported on an attack that surfaced where attackers were not stealing user credentials along with a  password, but rather, they were targeting Microsoft Office 365 OAuth apps that allowed access to sensitive information by the use of this compromised OAuth token.
Do attackers have access to sensitive areas of your account with the OAuth token?  If users accept OAuth-type requests from malicious cloud-native apps, attackers can potentially have access to the following permissions among others:

  • Access to refresh tokens – the malicious applications have the ability to actually refresh the tokens needed to maintain access to critical areas of your account.
  • Read contacts – Access to read the contacts saved in your account.
  • Read profile – Access to read various information related to your account profile, including company information.
  • Read OneNote notebooks – OneNote notebooks are exposed to malicious applications along with the content therein.
  • Read and write to your email inbox – Malicious apps can read, update, create, and delete mailbox settings.  Ransomcloud maliciously takes advantage of these types of permissions granted to your cloud email.
  • Full access to files – Read, create, update, and delete files the user has access to.

Attacks based on these types of cloud-based attacks make use of OAuth tokens harvested by very targeted phishing campaigns.  Based on the ease of compromise and the way cloud authentication easily allows these types of permissions requests/consent, these new types of attacks are going to be the vehicle to deliver ransomware to your cloud environment in the future.

Read about The Biggest Ransomware Attacks in 2019

Valuable cloud data is what drives ransomware 2.0 attacks

Who are the targets of a ransomware 2.0 attack?  In the last couple of years, hackers are targeting their efforts on specific industries, businesses, and high-value targets in particular. While home users can also be victims of the attack, ransomware 2.0 is more commonly used to attack high-value business targets with many users who depend heavily on cloud applications.  

Dangers of third-party applications

Modern ransomware attacks are increasingly going to come from malicious cloud applications that integrate with cloud SaaS environments.  

Hackers have a built-in attack vector with a well-known offering in both the G Suite and Office 365 environments. The G Suite Marketplace and Office 365 Business Apps both provide a third-party application repository that allows integrating applications and other functionality into your cloud SaaS environment.  

Third-party apps can expose your cloud environment to an entirely new means of malicious attacks. Ransomware 2.0 infections count on users installing third-party applications in the cloud and blindly granting the requested permissions. The permissions requests allow the ransomware 2.0 infection to have the access it needs in the environment for encrypting, damaging, and even potentially stealing your data.  

Apps in your business SaaS environment can even be installed without the knowledge of IT departments. “Shadow IT” as it is called, refers to the installation and use of unsanctioned applications. These can present a tremendous danger to your organization in terms of both security and compliance. These unsanctioned applications can also prove to be the gateway for ransomware 2.0 infection in your environment.

Malicious software exposes your environment to data breach concerns.  In the IBM 2019 Cost of a Data Breach Report, it noted that malicious or criminal attack was the largest root cause of data breach.  

Data breach root causes:

  • Malicious or criminal attack – 51%
  • System glitch – 25%
  • Human error – 24%

Recent examples of ransomware attacks on cloud environments

Within the past few months, there have been attacks on multiple cloud service providers and vendors.  

A few examples of cloud environments that have been hit in recent months include:

  • iNSYNQ – July 19, 2019, this cloud provider of virtual desktops was hit by a ransomware attack that affected half of its customer base. Data was encrypted in customer environments.
  • SmarterASP.NET – November 2019, a hosting provider for ASP.NET environments had more than 440,000 customers affected by the ransomware attack that encrypted both provider and customer databases.
  • CyrusOne – December 2019, this cloud-managed service provider (MSP) had many customers that were affected by a ransomware attack that left data encrypted.

How to protect your business from ransomware 2.0

Mitigation of ransomcloud infection will be a multilayered approach involving several aspects of security.  This should include:

  • End-user training – Employees need to be trained as to the dangers of opening suspicious emails, what these look like, and how to spot them.  Also, scrutinizing any requests for permissions is key to helping prevent a ransomcloud infection.  
  • Advanced email security – Email is a very popular medium to deliver ransomware.  Protecting email infrastructure is an effective means to help reduce the chances of getting hit with ransomware and specifically ransomware 2.0. Filtering suspicious attachments, using advanced scanning solutions, and sandboxing emails (opening them in a secure virtual environment to see their intended actions) can all serve to protect your cloud environment.
  • File attachment restrictions – There are many known risky file types such as executables, VBS scripts, batch files, and macros. Restricting dangerous file types in attachments can reduce the risk of attacks.
  • Strict control over third-party applications – Ransomware 2.0 capitalizes on people’s tendencies to install applications and grant permissions without questioning the permissions requested.  Organizations must control and manage the specific applications that are allowed and verified as safe for installation.
  • Email backups – Backups are a critical part of the overall security posture of your business.  No security solution is 100% effective.  So, there is always a chance that data can be compromised by a ransomware 2.0 attack.  Email backups ensure that data contained in the inbox will be safely stored and versioned outside of the production email environment.  This allows restoring a previous version of email data if it has been encrypted by ransomware.
  • Client Access Security Broker (CASB) – Making use of an API-driven CASB solution can allow securing and protecting cloud environments from the likes of ransomware 2.0.  SpinOne from Spin Technology is an example of a CASB that allows protecting cloud environments from ransomware 2.0 and other threats by providing backups, ransomware monitoring and protection, cloud protection from malware, third-party apps protection, and AI/ML enriched intelligence for finding and mitigating threats.

How SpinOne Helps You Prevent and Recover From Ransomware 2.0

Your business needs to be ready for a ransomware attack in the cloud, including ransomware 2.0. SpinOne by Spin Technology helps your organization to protect business-critical data in your G Suite and Office 365 cloud environments from the threat of ransomware. It does this with a multi-faceted approach that includes both strong cybersecurity features and backups of your data.

When it comes to cybersecurity, SpinOne provides a proactive approach to securing your cloud environment and effectively does this using artificial intelligence (AI) and machine learning (ML). What cybersecurity prevention and recovery features are included in SpinOne?

    • Ransomware Protection – Using powerful AI, SpinOne analyzes your cloud environment for any anomalies that may indicate a ransomware attack.  SpinOne also examines file behavior. This is one of the most powerful and effective ways to quickly detect a ransomware attack. Once a ransomware attack including ransomcloud is detected, SpinOne blocks the source of the attack and begins automatically restoring the files that were affected in the environment.  It does this without any human intervention.  
    • Third-party Apps Protection – As described, ransomware 2.0 attacks your environment by means of a malicious application. It relies on the end user to grant the required permissions to begin the attack.  With SpinOne’s third-party apps assessment solution (SpinAudit), SpinOne analyzes the behavior of third-party apps to determine if they have malicious intent.  When new versions of applications are published, the application is rescanned to ensure the app has not become malicious. It allows whitelisting and blacklisting applications in line with your business policy.  It also provides visibility into where your data is shared and with who.
    • Automatic Backups – The core of the SpinOne solution that provides essential protection to your data is automatic backups.  With SpinBackup, SpinOne automatically protects the data across the services in your G Suite or Office 365 environment.  These versioned incremental backups allow automatic recovery of your data that may be affected in a ransomware or ransomware 2.0 attack.
  • Brute-force login protection – Attackers often try to compromise environments with brute-force login attempts.  Compromising accounts allows attackers to move laterally across an environment.  If an administrator account is compromised, an attacker can have total unrestrained access to your cloud environment.  SpinOne protects your environment from these brute force attempts by blocking the source of the attack and alerting administrators.  

SpinOne by Spin Technology provides an all-encompassing solution that not only protects your environment from a ransomware attack but also recovers from the attack quickly and in an automated way. Where other solutions only provide partial protection or recovery, SpinOne does this with a single seamless solution.

Depending on your organization’s needs and goals, Spin Technology provides solutions tailored to your individual business needs:

  • Spinbackup – provides automated backups and is included in all other Spin solutions
  • SpinSecurity – Provides ransomware 2.0 protection and many other cybersecurity features along with backup
  • SpinAudit – Protects against malicious third-party applications and allows applying policies organization-wide for applications that are blocked and those that are allowed to run.
  • SpinOne – Contains the capabilities of all Spin solutions

Start a fully-featured trial of SpinOne here.

Or see SpinOne in action!

Get a Demo


Davit Davit Asatryan Director of Product
About Author

Davit Asatryan is the Director of Product at Spin.AI

He is responsible for executing product strategy by overseeing the entire product lifecycle, with a focus on developing cutting-edge solutions to address the evolving landscape of cybersecurity threats.

He has been with the company for over 5 years and specializes in SaaS Security, helping organizations battle Shadow IT, ransomware, and data leak issues.

Prior to joining Spin.AI, Davit gained experience by working in fintech startups and also received his Bachelor’s degree from UC Berkeley. In his spare time, Davit enjoys traveling, playing soccer and tennis with his friends, and watching sports of any kind.

Featured Work: