Ransomcloud: Ransomware’s Latest Manifestation Targets the Cloud

Within the mob of malware, ransomware is leading the pack. While other malicious software ransacks computer systems, ransomware goes further by making demands. It’s the age-old tactic of extortion but re-enacted in the digital world. As we’ve become more dependent on the internet, the playing field for this particular strain of malware has expanded immeasurably. At the same time, cybersecurity threats are growing – in 2020, malware and ransomware attacks increased by 358% and 435%, respectively – and are outpacing societies’.

Though ransomware may have started as an opportunistic operation, it has since become an established criminal enterprise. Just as a legitimate business adapts to remain competitive, ransomware gangs do the same. The mass shift to the cloud is a prime example.

Cloud migration is not a new phenomenon, but the pandemic has certainly expedited it. To maintain business continuity, companies have transferred their digital assets and operations to a cloud computing environment, minimizing the use of on-premise databases. Unfortunately, cybercriminals have recognized this shift and the valuable data now held within the cloud, leading to ‘ransomcloud’ attacks.

Such attacks occur through three key methods: File sync piggybacking, remote connection with stolen credentials and attacking the cloud provider. Here is how these approaches work.

File Sync Piggybacking

The first type of ransomcloud attack leverages phishing to infect the victim’s local computer. However, contrary to popular belief, the malicious email attachment or link often does not contain the malware payload. Instead, it delivers a small program that runs in the background and installs the malware.

Once in the system, the malware disguises itself as a popup permission request from trusted software. When the user approves it, the malware is activated and can spread across the entire network to any connected machine. As it spreads, threat actors look out for file sync services interacting with cloud services. Once one is identified, the ransomware piggybacks on the file sync, allowing threat actors to access, infect and encrypt data in the cloud.

If the organization has measures such as air gapping in place, ransomware may be unable to compromise a route to the cloud and settle for local infection instead. This explains the rise in the use of Google Drive, Slack, Microsoft Teams and similar applications to distribute malicious software. These applications sit between the cloud and on-premise devices. Once compromised, it becomes incredibly difficult to reverse the impact. This is where advanced cloud access security broker (CASB) tools prove useful, as they sit between the on-premise and cloud infrastructures, vetting the traffic between them.
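The CASB role described above, vetting what crosses from on-premise devices into the cloud, can be illustrated with a sync-side check. The following is an added example, not code from the original article or from any product it names: it scores a batch of file writes the way a sync client or CASB could before uploading them, and holds the upload when a burst of writes looks like ransomware output (high-entropy content under an extension the tenant never normally syncs). The event format, the extension list, the thresholds and all sample content are constructed for the example.

```python
"""Sync-side burst check for the file sync piggybacking scenario.

Added example, not code from the original article or from any product it
names. It scores a batch of file writes the way a sync client or CASB could
before uploading them to the cloud: a burst of writes whose contents look
encrypted (high Shannon entropy) and whose names carry an unfamiliar
extension is treated as a likely ransomware run, and the upload is held.
All events and thresholds below are constructed for the example.
"""
import math
import os
from collections import Counter
from dataclasses import dataclass


@dataclass
class WriteEvent:
    timestamp: float  # seconds, relative to the start of the batch (constructed)
    path: str
    content: bytes


# Extensions the hypothetical tenant normally syncs; anything else is "unfamiliar".
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".png", ".jpg"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext or compressed data, far lower for documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(event: WriteEvent, entropy_threshold: float = 7.5) -> bool:
    """High-entropy content under an extension the tenant never syncs."""
    ext = os.path.splitext(event.path)[1].lower()
    return ext not in KNOWN_EXTENSIONS and shannon_entropy(event.content) >= entropy_threshold


def should_hold_sync(events, window_seconds: float = 60.0, burst_threshold: int = 5) -> bool:
    """True if at least burst_threshold encrypted-looking writes land inside any window."""
    times = sorted(e.timestamp for e in events if looks_encrypted(e))
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window_seconds:
            start += 1
        if end - start + 1 >= burst_threshold:
            return True
    return False


# Constructed stand-ins: a uniform byte pattern has exactly 8 bits/byte of entropy,
# which is what ciphertext looks like to this check; prose has far less.
CIPHERTEXT_LIKE = bytes(range(256)) * 8
DOCUMENT_LIKE = b"Quarterly report: revenue up, costs flat, headcount unchanged. " * 40

# Normal afternoon: documents edited, one photo (high entropy but a familiar type).
BENIGN_BATCH = [
    WriteEvent(0.0, "finance/report.docx", DOCUMENT_LIKE),
    WriteEvent(5.0, "finance/budget.xlsx", DOCUMENT_LIKE),
    WriteEvent(9.0, "media/photo.jpg", CIPHERTEXT_LIKE),
    WriteEvent(20.0, "notes/todo.txt", DOCUMENT_LIKE),
]

# Ransomware run: six documents rewritten as high-entropy blobs with a new extension in 30 s.
SUSPICIOUS_BATCH = BENIGN_BATCH[:1] + [
    WriteEvent(30.0 + i * 5, f"finance/file{i}.docx.locked", CIPHERTEXT_LIKE)
    for i in range(6)
]


if __name__ == "__main__":
    for name, batch in (("benign", BENIGN_BATCH), ("suspicious", SUSPICIOUS_BATCH)):
        print(f"{name}: hold sync = {should_hold_sync(batch)}")
```

The photo in the benign batch is the edge case worth noting: high entropy alone is not evidence, since images, archives and already-encrypted documents look the same, so the check also requires an extension the tenant does not normally sync and a burst rather than a single write. In practice the thresholds would be tuned per tenant and a hold would trigger a review rather than silently dropping the upload.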

Remote Connection With Stolen Credentials

The second tactic sees threat actors monitor network connections for authentication attempts. They then capture the user’s cloud credentials, usually by presenting a fake login portal masquerading as the real cloud platform. By tracking the keystrokes on the infected local computer, connection details can be copied to a remote computer and automatically entered into the real cloud platform.

As the local malware captures and relays the keystrokes to the remote computer, cybercriminals can access the cloud via a simultaneous login, thereby potentially bypassing two-factor authentication methods. Now they have a connection to the cloud and the same access as the cloned user.
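The simultaneous login described above leaves a trace a defender can look for: one account succeeding from two different source addresses within minutes. The following is an added example, not code from the original article, that reads sign-in records and flags that overlap. The log line format, the five-minute window and the sample addresses (RFC 5737 documentation ranges) are all constructed assumptions for the example; a real cloud platform's audit log would need its own parser.

```python
"""Sign-in overlap detector for the credential-relay scenario.

Added example, not code from the original article. It reads sign-in records
(the line format here is constructed for the example) and flags an account
that authenticated successfully from two different source addresses within a
short window: the "simultaneous login" pattern where a relayed session rides
alongside the real user's. The window and sample addresses are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: ISO-8601 UTC timestamp, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)"
    r" user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed record, or None so junk lines are skipped."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "user": m["user"],
        "result": m["result"],
        "src": m["src"],
    }


def find_overlapping_logins(lines, window=timedelta(minutes=5)):
    """(user, earlier_src, later_src) for each pair of successes from distinct sources within window."""
    by_user = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["result"] == "success":
            by_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        for i, earlier in enumerate(recs):
            for later in recs[i + 1:]:
                if later["ts"] - earlier["ts"] > window:
                    break  # sorted, so nothing further is inside the window
                if later["src"] != earlier["src"]:
                    alerts.append((user, earlier["src"], later["src"]))
    return alerts


# Constructed sample. Only alice shows the pattern: bob re-authenticates from one
# address, carol's second attempt fails, dave's two successes are hours apart,
# and one line is malformed.
SAMPLE_LOG = """\
2021-03-04T10:15:02Z user=alice result=success src=203.0.113.7
2021-03-04T10:15:40Z user=bob result=success src=203.0.113.9
2021-03-04T10:16:40Z user=alice result=success src=198.51.100.23
2021-03-04T10:17:05Z user=carol result=success src=203.0.113.11
2021-03-04T10:17:30Z user=carol result=failure src=198.51.100.40
2021-03-04T10:18:00Z user=bob result=success src=203.0.113.9
2021-03-04T10:19:00Z user=dave result=success src=203.0.113.12
this line is not a sign-in record
2021-03-04T12:30:00Z user=dave result=success src=198.51.100.50
""".splitlines()


if __name__ == "__main__":
    for user, a, b in find_overlapping_logins(SAMPLE_LOG):
        print(f"ALERT {user}: success from {a} then {b} within 5 minutes")
```

Two caveats a practitioner would add: a user switching from office Wi-Fi to a mobile network or a VPN produces the same signature, so the alert should be correlated with device and geolocation signals before anyone is locked out; and the check only catches the relayed session after the credentials are already stolen, which is why it belongs alongside phishing-resistant authentication rather than in place of it.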

Attacking the Cloud Provider

Lastly, a ransomcloud attack could arise by targeting the cloud provider directly. This is the most damaging and lucrative method for the attacker because if they are successful, it would mean they have compromised the entire cloud platform. In short, they could demand ransoms from all customers of the compromised service. Read more: https://bit.ly/3uSWLjO
