Why Ransomware Attackers Really, Really Like Cloud Computing

Written by Charles Cooper 1
October 26, 2016

Ransomware attacks haven’t crippled victims - yet. But it’s only a matter of time before a major attack takes place. Before the big one hits, MSPs should push their clients to take proper defensive measures.

Earlier this year, a ransomware attack shut down the Lincolnshire County Council’s computer systems. For a week, members were reduced to using pens and pencils after the council refused to pay the $500 ransom demanded by the attackers.

It was a vivid example of the disruption that ransomware can cause security executives, who are girding to contend with targeted ransomware attacks against current and planned cloud deployments.

No surprise there as malicious hackers, clearly creatures of habit, seek out the most promising targets. While the cloud has proven its security critics wrong up until now – it’s actually a lot more secure than many thought a few years ago – targeted ransomware attacks against the cloud are on the increase.

And the bad guys continue to demonstrate how easily it is to outwit their targets by using social engineering ruses. Despite repeated entreaties from IT departments to treat emailed links with caution, employees continue to ignore warnings and click on emails containing infected links. When the links include ransomware, the results can be especially dire.

As ransomware spreads through a network, it locks up data and applications, encrypting the information until organizations pay off the attackers. The resulting down time and the damage to reputation are even more expensive than the ransom they get forced to pay.

Cloudy landscape

The threat is expected to increase with the spread of plug-and-play tools and services, further complicating an already complex cloud security landscape.

For example, security company Trend Micro tracked the recent progress of a malware variant called Cerber that specifically targets users of Microsoft 365. The danger it poses is compounded by its ubiquity; indeed, Cerber is a white-label malware strain that can be marketed to other enterprising malicious hackers. Similarly, another crimeware-as-a-service product called Ransom32 also allows cybercriminals to launch their own ransomware campaigns.

Phishing threats are not the only challenge for IT security. Researchers have also spotted attackers who spread malware through IT-approved cloud-based applications such as Dropbox by uploading infected files to the cloud service, which then get shared by other users.

Cloud security provider Netskope took a look recently at the distribution of cloud malware attacks and offered the following statistical snapshot.

Enterprises used an average of 977 cloud apps compared to 935 last quarter.
56% of malware-infected files discovered in sanctioned cloud apps get shared with internal or external users, or shared publicly.
44% of cloud malware types make up the most common delivery vehicles for ransomware. These include Javascript exploits and droppers, Microsoft Office macros, and PDF exploits.

Apres moi, le deluge?

Managed service providers can help clarify the rules of the road for clients who might be new to the cloud. Security still poses the No 1 threat to cloud adoption and successful migrations depends on taking the right steps to either block or slow attacks.

At a minimum, MSPs should insist that IT establish a traditional firewall with a full complement of defensive measures, such as a VPN equipped with anti-virus and data loss prevention tools in order to block ransomware infections and prevent against data being accidentally exfiltrated. Organizations should also make good sets of data backups so they have a robust recovery capability in the event of an attack. That would give IT the option of refusing to pay the extortion because they’ve backed up their information.

So far, attackers have not pulled off a spectacular ransomware attack against a company cloud. Don’t read too much into that. The security threat to the Internet of Things was largely theoretical until the recent Distributed Denial of Service against DNS provider Dyn proved otherwise.

This content is underwritten by VMware — and is editorially independent. It is produced in accordance with conventional standards of business journalism.

Charles Cooper is an award-winning freelance author who writes about business and technology. During his 30-plus year career, he has worked as an executive editor at several leading tech publications including CNET, ZDNet, PC Week and Computer Shopper.