There is certainly no shortage of cloud security concerns for businesses today. New headlines, blog posts, statistics, and other reports constantly point to the fact that security breaches, malware, ransomware, data leak events, phishing and other security concerns are not going away. In fact, they are escalating as attackers become more proficient with delivery mechanisms and find new ways of infiltrating networks and end user systems. The stakes today are higher than ever before. Data is driving business for most organizations that rely on technology to carry out normal business operations. Unlike only a decade or so ago, businesses that don’t use technology for some type of business-critical operation are few and far between.
Ransomware is arguably the most alarming trend in malicious software being used by attackers today. It has wreaked havoc on businesses and their data over the past few years and continues to be a growing trend and the tool of choice among attackers for holding data hostage. Throughout 2018, ransomware remained an ever-growing threat. Let’s take a look at the top ransomware attacks of the past year to review those cases and what was learned from them. Additionally, since organizations are moving more data into the cloud, is cloud ransomware a real threat for businesses?
Top Ransomware Attacks in 2018 – What was Learned?
Attackers and threat actors in general have a wide range of tools at their disposal. However, ransomware has emerged as one of the tools of choice among attackers. It is simple in nature and can spread easily through various means. Ransomware is as destructive as it is simple. Data is irreversibly encrypted and cannot be retrieved without either paying the ransom or restoring backups of the data taken prior to the ransomware encryption. Aside from getting data back, organizations have to deal with the inevitable downtime that results from not being able to access data, either while the data is restored or while the ransom is paid. Let’s look at the following ransomware attacks that happened in 2018 to analyze the ransomware used and the results of the attacks.
- Hancock Health Hospital attack – January 11, 2018
- City of Atlanta ransomware attack – March 22, 2018
- Port of Barcelona Spain and Port of San Diego – September 20 & 26, 2018
- North Carolina Water Utility – October 4, 2018
- San Diego Tribune and LA Times Newspapers – December 29, 2018
Screen seen by victims encrypted by ransomware (image courtesy of ZDNet)
Many if not all of the attacks listed were carried out by Russian government cyber actors. On March 16, 2018, the Department of Homeland Security warned that Russian hackers were targeting U.S. government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.
In this same report, DHS and the FBI characterized the activity as a multi-stage intrusion campaign by the Russian government. The campaign included staged malware, spear phishing, and remote access gained into energy sector networks.
After the attacks that hit early in 2018, there was no doubt that ransomware was again going to be a threat to businesses and their data. Let’s take a look at a few of the highly visible attacks that were perpetrated across various sectors.
Hancock Health Hospital attack – January 11, 2018
It did not take long for 2018 to produce one of the first news headlines featuring a high-profile ransomware attack. On January 11, 2018, Hancock Health, which is located in Greenfield, Indiana, reported suffering a ransomware attack by a variant of the SamSam ransomware. SamSam ransomware is a custom infection that can be deployed using a number of different attack vectors, including brute force attacks on weak accounts. In 2018, SamSam was known for exploiting known vulnerabilities in RDP, Java-based web servers, and FTP servers. Its calling card is the renaming of the victim’s files to “I’m sorry.”
This was the case at Hancock Health: a third-party vendor’s administrative account for the hospital’s remote-access portal was compromised. The hospital is an example of why ransomware is effective. The ransomware hit during an extremely busy flu season, and the cost of recovery outweighed the 4.0 bitcoins being demanded, which amounted to $55,000. Even though the data could have been recovered, the hospital chose to pay the attackers’ ransom demand to get business operations back up and running.
City of Atlanta Ransomware Attack – March 22, 2018
One of the first major headlines of 2018, occurring shortly after the warning released by DHS and the FBI, was the ransomware attack on the city of Atlanta, Georgia. The city was affected by a massive ransomware attack starting on March 22, 2018. It was hit by the same ransomware used in the Hancock Health hospital attack, SamSam.
The city of Atlanta was running archaic infrastructure for IT services, and audits had revealed tremendous vulnerabilities in existing systems. SamSam ransomware is known for targeting exactly these types of legacy systems with known, unpatched vulnerabilities. In the SamSam attack on the city of Atlanta, many systems were affected. These included government computers and systems, legal documents, police dashcam videos and investigation files. The Wi-Fi at Atlanta International Airport was also affected; it was turned off in the hope of containing the spread of the ransomware infection across systems.
The city of Atlanta opted not to pay the ransom and has since paid untold sums to contractors and other private firms to help recover the data. This is perhaps one of the largest successful breaches of IT infrastructure by ransomware, resulting in millions of dollars in damages.
Port of Barcelona Spain and Port of San Diego – September 20 & 26, 2018
In September of last year the targets were large seaports, including the Port of Barcelona, Spain and the Port of San Diego. On Thursday morning, September 20, 2018, the Port of Barcelona announced via Twitter that several of its servers had been hit with ransomware. However, the Port of Barcelona evidently had contingency plans in place to handle the situation, as operations were able to continue without any disruption to normal activities. No details were disclosed as to the variant of ransomware used in the attack.
On September 26, 2018, a similar attack was carried out on the Port of San Diego, which was evidently targeted and hit with ransomware. Attackers demanded a bitcoin payment of an undisclosed amount. In the case of the Port of San Diego, various services were disrupted by the attack, causing considerable inconvenience to the public by affecting access to permits, records, and other data.
North Carolina Water Utility – October 4, 2018
The Onslow Water and Sewer Authority, or ONWASA, in North Carolina was hit with ransomware on October 4, 2018. It is believed that the EMOTET trojan attacked their systems on October 4th and that nine days later the Ryuk ransomware started encrypting files on various systems. Ryuk is a form of ransomware used exclusively for targeted attacks on specific systems. It intentionally targets only crucial assets and system resources and is generally controlled manually by the attackers.
In the case of the North Carolina utility, the attackers sent an email to the organization demanding a ransom. However, the utility decided it would not pay the ransom, but would instead rebuild its operations and databases.
San Diego Tribune and LA Times Newspapers – December 29, 2018
Late in the year, two more high-profile ransomware attacks affected operations at both the San Diego Tribune and the LA Times. Again, the Ryuk ransomware strain was used in carrying out the attacks on both newspapers. The attack delayed distribution of the Saturday editions of the LA Times and the San Diego Tribune. Sources inside Tribune Publishing confirmed the incident was caused by malware.
Top Ransomware Attacks in the Cloud in 2018
The above high-profile headlines are fair warning to organizations and businesses today that ransomware is indeed a very formidable threat to business continuity and to the data used day-to-day. More and more businesses are using the public cloud for storing business-critical data and hosting business-critical services such as email. With this fact widely known, certainly among attackers, these and other cloud environments are going to increasingly become targets for ransomware variants. In fact, a report by the Massachusetts Institute of Technology (MIT) early in 2018 predicted that cloud computing businesses would be a big target for attackers. Let’s take a look at a couple of basic ways that ransomware can happen in the cloud. These include:
- File synchronization
- Cloud-based email
Many organizations with a cloud presence use some type of file synchronization to synchronize files from on-premises storage to public cloud storage. Two of the largest Software-as-a-Service vendors, Google and Microsoft, both have utilities to perform this synchronization of file resources: Google Backup and Sync and OneDrive, which synchronize files from local storage up to the cloud. If files stored on-premises are infected locally, the encryption is synchronized up to the cloud as a “change” to each file: every file encrypted by ransomware on-premises is pushed to the public cloud environment by the synchronization utility. This means the cloud copy ends up encrypted exactly like the local copy stored on-premises.
Another way ransomware disrupts public cloud services for today’s businesses is through cloud-based email services whose mailboxes can be encrypted. A new variant of ransomware called RansomCloud is used to encrypt cloud email. This type of attack generally begins with a phishing email that can appear to be an official email from Microsoft, for example. Office 365 users may be misled by the official-looking email and click a link embedded in it stating “Microsoft is working to improve their cloud security”. The user is told that all they have to do is click the link to enable the new anti-spam software. Once they do, the ransomware can lock them out of their cloud email, OneDrive files, and SharePoint sites.
Kevin Mitnick, formerly one of the most wanted “black hat” hackers, is today a cybersecurity expert helping organizations with security. Kevin Mitnick defines ransomware as the “number one threat to your organization today”. Using “spear phishing” in particular as the tool, attackers want to get the end user to click on links under the assumption that they are clicking a legitimate link when in reality it is malicious. As he lays out, ransomware is evolving into the cloud, and he has demonstrated in several sessions how the “RansomCloud” attack can be carried out. You can see a video demonstration of this attack here.
How Organizations Can Protect Against Ransomware in the Cloud
As mentioned earlier, ransomware is extremely dangerous, and organizations can only recover their data by either paying the ransom or restoring files and data from backups. An extremely concerning aspect of today’s public cloud environments, such as Google’s G Suite and Microsoft Office 365, is that they have no native enterprise backup mechanism built into the solution.
Both G Suite and Office 365 have only weak semblances of what you might consider a backup, and only for certain services. With G Suite, users can currently restore “deleted” files for only a few days. Office 365 recently added the ability to roll back file “versions” for up to 30 days. However, both of these features fall well short of the true “backup and recovery” protection organizations need to maintain business continuity in the event of data loss.
G Suite does not even offer the ability to restore “versions”, only “deleted” items. Office 365 offers rollback for OneDrive for up to 30 days, but nothing after that. No other services are included in this rollback feature, including email, which, as demonstrated by Kevin Mitnick, is easily infected and encrypted by RansomCloud. Organizations today must take matters into their own hands and protect the data that lives in the cloud with true enterprise backups that offer the features and functionality needed.
Spinbackup provides the features and functionality organizations need to effectively restore data housed in the cloud in the event of a ransomware attack such as RansomCloud. What features does Spinbackup provide that can help protect organizations from ransomware?
- Automatic daily backups – 1x or 3x daily
- Unlimited versions of data
- Multi-cloud backup storage
- Good Data Encryption (your backup data is encrypted both in-flight and at-rest)
- Ransomware Protection
- Risky Third-party Apps Protection
Why are the above important when it comes to ransomware?
Automatic daily backups – 1x or 3x daily
This cannot be emphasized enough. Backups are essential. This applies to both on-premises and cloud environments. Spinbackup provides industry-leading backup capabilities for both G Suite and Office 365, allowing organizations to effectively recover data across the various G Suite and Office 365 services. This provides peace of mind when considering the need to recover data in the event of a ransomware infection.
Unlimited Versions of Data
As opposed to the extremely weak or non-existent ability to roll back files in either G Suite or Office 365, Spinbackup gives organizations unlimited restore points for files in the cloud. This allows retrieving the most recent copy of the data or a copy that is months old or older.
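The two mechanisms described above, sync propagation and version-based recovery, fit in one small simulation. The following is an added illustration, not Spinbackup’s code or any vendor’s sync client: a toy sync agent mirrors every local change to a cloud store that keeps every version, a constructed burst overwrites all local files with unreadable junk (random bytes, not a real cipher), the sync agent dutifully pushes the damage, and a point-in-time restore rolls each cloud file back to the last version written before the burst. All paths, contents and timestamps are constructed.

```python
"""Added illustration, not Spinbackup's code: a toy sync client that mirrors
every local change to a cloud store which keeps unlimited versions, followed by
a point-in-time restore to the last version written before a ransomware-style
burst. Paths, contents and timestamps are all constructed for the demo."""
import os
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Version:
    ts: int        # constructed timestamp: seconds since an arbitrary epoch
    data: bytes


class VersionedCloudStore:
    """Cloud side: appends a new version on every write, never overwrites."""

    def __init__(self) -> None:
        self.history: Dict[str, List[Version]] = {}

    def put(self, path: str, data: bytes, ts: int) -> None:
        self.history.setdefault(path, []).append(Version(ts, data))

    def current(self, path: str) -> bytes:
        return self.history[path][-1].data

    def restore_before(self, cutoff: int, now: int) -> List[str]:
        """Roll back every path changed at or after `cutoff` to its newest
        version written strictly before `cutoff`. The rollback is recorded as
        a fresh version, so the history itself is never destroyed."""
        restored = []
        for path, versions in self.history.items():
            if versions[-1].ts < cutoff:
                continue                 # not touched during the burst
            good = [v for v in versions if v.ts < cutoff]
            if not good:
                continue                 # file first appeared during the burst
            self.put(path, good[-1].data, now)
            restored.append(path)
        return restored


class SyncClient:
    """Local side: pushes whatever changed, with no notion of whether the
    change was a legitimate edit or an encryption pass."""

    def __init__(self, cloud: VersionedCloudStore) -> None:
        self.cloud = cloud
        self.local: Dict[str, bytes] = {}
        self.last_pushed: Dict[str, bytes] = {}

    def write(self, path: str, data: bytes) -> None:
        self.local[path] = data

    def sync(self, ts: int) -> List[str]:
        pushed = []
        for path, data in self.local.items():
            if self.last_pushed.get(path) != data:
                self.cloud.put(path, data, ts)
                self.last_pushed[path] = data
                pushed.append(path)
        return pushed


def run_scenario() -> dict:
    cloud = VersionedCloudStore()
    client = SyncClient(cloud)
    seed = {"finance/q1.xlsx": b"revenue,12000\n", "hr/roster.csv": b"alice,eng\n"}
    for path, data in seed.items():
        client.write(path, data)
    client.sync(ts=100)
    client.write("finance/q1.xlsx", b"revenue,12500\n")   # a legitimate edit
    client.sync(ts=200)
    last_good = dict(client.local)

    # Constructed stand-in for the ransomware burst: every local file is
    # overwritten with unreadable junk (random bytes, not a real cipher).
    for path in list(client.local):
        client.write(path, os.urandom(64))
    pushed = client.sync(ts=300)       # the sync agent propagates the damage

    damaged = all(cloud.current(p) != last_good[p] for p in seed)
    restored = cloud.restore_before(cutoff=300, now=400)
    recovered = all(cloud.current(p) == last_good[p] for p in seed)
    return {
        "pushed_during_burst": sorted(pushed),
        "cloud_copy_damaged": damaged,
        "restored": sorted(restored),
        "recovered": recovered,
        "versions_kept": {p: len(cloud.history[p]) for p in seed},
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of `restore_before` is that recovery needs a version older than the burst: a store that only keeps the latest copy, or only a short deletion window, has nothing to roll back to once the sync agent has pushed the encrypted content.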
Multi-cloud backup storage
Spinbackup is in a field of its own when it comes to the cloud storage that can be used to hold backups taken from either G Suite or Office 365. Backups from either of these clouds can be stored in either Google Compute Cloud Storage or Amazon AWS S3 storage. Organizations choose their preferred storage for cloud backups when creating their Spinbackup account. This allows businesses to align their backup storage with the public clouds they already use for business reasons. Additionally, it allows considerable diversity in where data is stored for disaster recovery purposes, since you generally do not want to store your backup data in the same environment or infrastructure as the source of the data.
Backup Data Encryption
When it comes to encryption in the context of ransomware, it is a bad thing. However, when it comes to the security of your data, encryption is purposeful and useful. Just as encryption can keep you from accessing your own files when they have been encrypted by ransomware, it can also keep the bad guys from accessing your files. This is extremely beneficial from a security perspective. Backups of production data contain the same data that exists in production systems. You don’t want someone to be able to read your backups easily, as this is essentially as dangerous as having access to production. Spinbackup encrypts data both in-flight and at-rest to ensure it is secured at all times, both across the network and when it is in storage.
Ransomware Protection
Spinbackup provides the exclusive ability to have automatic ransomware protection in the cloud. Spinbackup’s powerful machine-learning enabled protection is able to quickly identify ransomware processes affecting cloud files, block the process, and automatically start restoring files and services in the cloud that have been encrypted with ransomware. This means organizations have a powerful, proactive security mechanism watching their cloud environment at all times.
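To make the idea of spotting ransomware activity in a cloud file feed concrete, here is an added example that is not Spinbackup’s detector and does not use machine learning: a plain heuristic that watches a feed of file-change events and flags a user account whose recent changes arrive in a burst and are mostly unreadable, high-entropy content. The feed, the user names, the paths and the thresholds (60-second window, 8 files, 80% unreadable) are all constructed or assumed for the demo. It also shows the caveat a practitioner would check first: a benign bulk rename of readable files must not trip the alarm.

```python
"""Added illustration, not Spinbackup's detector: a heuristic that watches a
feed of cloud file-change events and flags a user whose recent changes are
mostly unreadable (high-entropy) content arriving in a burst. Users, paths,
timestamps and contents are constructed; the thresholds are assumptions."""
import math
import os
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ChangeEvent:
    ts: int          # constructed timestamp, seconds
    user: str        # account whose session wrote the change
    path: str        # path before the change
    new_path: str    # path after the change (differs when renamed)
    data: bytes      # content written by the change


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or random data, 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_unreadable(ev: ChangeEvent, threshold: float = 7.0) -> bool:
    return shannon_entropy(ev.data) > threshold


def detect_bursts(events: List[ChangeEvent], window: int = 60,
                  min_files: int = 8, min_ratio: float = 0.8) -> List[Dict]:
    """Sliding window per user: alert when at least `min_files` changes land
    within `window` seconds and at least `min_ratio` of them are unreadable.
    Renames are reported as supporting evidence but never trigger on their
    own, so a benign bulk rename of readable files is not flagged."""
    by_user: Dict[str, List[ChangeEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_user[ev.user].append(ev)
    alerts = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_files:
                continue
            unreadable = sum(is_unreadable(e) for e in win)
            if unreadable / len(win) >= min_ratio:
                alerts.append({
                    "user": user,
                    "first_ts": win[0].ts,
                    "files": len(win),
                    "renamed": sum(e.path != e.new_path for e in win),
                })
                break        # one alert per user is enough to block the session
    return alerts


def build_sample_feed() -> List[ChangeEvent]:
    """Constructed feed: alice edits normally, carol bulk-renames readable
    files, bob overwrites a dozen files with junk and renames them."""
    feed = []
    for i, ts in enumerate((100, 400, 700)):
        feed.append(ChangeEvent(ts, "alice", f"docs/memo{i}.txt",
                                f"docs/memo{i}.txt", b"Quarterly notes, draft %d\n" % i))
    for i in range(10):
        feed.append(ChangeEvent(900 + i, "carol", f"img/pic{i}.jpeg",
                                f"img/pic{i}.jpg", b"plain readable placeholder\n" * 4))
    for i in range(12):
        feed.append(ChangeEvent(2000 + 2 * i, "bob", f"finance/f{i}.xlsx",
                                f"finance/f{i}.xlsx.locked", os.urandom(4096)))
    return feed


def run_demo() -> List[Dict]:
    return detect_bursts(build_sample_feed())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The alert fires on the eighth of bob’s writes, before the remaining four land, which is the window in which a blocking action and an automatic restore from the last clean version can limit the damage. The content signal, not the rename, is what separates bob from carol; a detector keyed only on extensions would have flagged the harmless `.jpeg` to `.jpg` cleanup.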
Risky Third-Party Apps Protection
One of the benefits of cloud environments for organizations is access to powerful third-party applications that can be integrated into the cloud environment. This makes it easy to extend cloud functionality. However, third-party apps are certainly a security risk that organizations must take seriously. While there are reputable applications available in G Suite and Office 365, there are also apps that pose a danger of data leakage and potentially ransomware. Spinbackup allows organizations to protect their cloud environments from risky applications and also to determine whether an application’s behavior patterns have changed with malicious intent.
Ransomware is extremely dangerous. It is perhaps the most concerning security threat for organizations looking to protect their data today. The recent high-profile ransomware infections of 2018 are evidence that ransomware is only trending upward. As the examples from last year show, organizations only have two choices: pay the ransom, or restore from backup. Backups are essential for any business today to recover from a disaster such as that inflicted by ransomware. And ransomware is not simply a threat to on-premises environments.
As shown in the “RansomCloud” attack demonstrated by Kevin Mitnick, businesses using SaaS environments to host services such as file storage and cloud email need to beware. With a simple click of a link in a spear phishing email, an entire inbox can be quickly encrypted. Spinbackup provides true enterprise data protection for G Suite and Office 365 environments. Not only is Spinbackup a data protection solution, it combines powerful security features with data protection to give organizations an all-in-one solution for backups and security that simply cannot be found elsewhere.