It has been described as the biggest threat to your IT security. It can strike without any warning signs. It can destroy your data. It can ruin your business reputation. What could possibly have such dire consequences? Ransomware.
Ransomware is a threat that your organization needs to prepare for, both on-premises and if you are using a cloud service provider for Software-as-a-Service offerings such as cloud storage and email. Ransomware has evolved over the years into an extremely sophisticated threat to your environment.
How have ransomware attacks evolved? How can you protect your cloud environment from new generations of ransomware? Let’s take a look at how next-generation ransomware can affect your cloud environment, and how you can protect your organization.
How have ransomware attacks evolved?
In the early days, traditional ransomware attacked anyone and everyone, locking files and demanding a ransom payment. This was effective: attackers made large sums of money in cryptocurrency through the sheer number of infections proliferated across the Internet. The focus of attackers has now changed.
A new breed of ransomware and ransomware infection tactics has made its way onto the scene. Attackers have shifted their focus to much more lucrative targets: businesses. This is a paradigm shift from how attackers used ransomware a few years ago.
Also, traditional ransomware was typically an on-premises problem that organizations had to deal with. As public cloud environments have exploded, attackers are retooling ransomware to take advantage of this change.
Let’s take a closer look at how ransomware attacks have evolved in the following three key areas:
- Targeted attacks
- Cloud-capable variants
- Threat of data leak
Targeted attacks
Attackers have shifted to a much more targeted approach, setting their sights on specific industries, sectors, or businesses. One example of this type of targeted attack was carried out in 2019, when attackers infected 23 Texas local government organizations.
In addition, attackers have carried out targeted attacks on various city government offices, hospitals, and other organizations that are at high risk of attack. Many organizations in these sectors may have limited cybersecurity budgets, run antiquated security software, or lack the in-house expertise to keep the environment maintained in a secure manner.
This is an alarming trend, with attacks on businesses taking center stage. This list of ransomware attack examples covers the largest ransomware attacks in 2019. The noticeable trend is that major ransomware attacks are now planned, coordinated attacks on businesses. Specific targets are handpicked to increase the likelihood of ransom payment.
Cloud-capable variants
Not only have the tactics that attackers use evolved, the ransomware itself has become more capable, allowing it to target cloud environments as effectively as on-premises ones. Attackers know that organizations are migrating more of their data and services to the cloud. With cloud becoming the new normal for most businesses, ransomware is following suit, and attackers are developing ransomware that targets cloud environments more effectively.
How are attacks in cloud environments carried out? Next-generation ransomware capitalizes on the way cloud environments grant applications access to end users' resources. Today’s cloud environments do this through a delegated authorization framework called OAuth, specifically OAuth 2.0. What is OAuth 2.0?
OAuth 2.0 allows your organization’s users to share data with third-party applications without disclosing their usernames, passwords, and other account information. Most of us have experienced an OAuth 2.0 consent prompt when installing an application on a mobile device.
The third-party application requests the permissions it needs during installation on your phone, tablet, or other device. While OAuth 2.0 provides a seamless way to grant the permissions an application needs, it also opens the door to an end user installing a malicious third-party application that can compromise your business-critical data.
Attackers designing next-generation ransomware for the cloud take advantage of how the OAuth 2.0 model works. The weakest link in the model is the end user. All an end user has to do for a malicious third-party app to have unrestricted access to emails, files, and other data is grant the requested permissions during the install. This, in turn, issues an OAuth token to the malicious application.
Once a user has granted an application an OAuth token, that token requires no knowledge of the user’s password and bypasses security mechanisms like two-factor authentication. The access persists until the OAuth token is explicitly revoked.
If an OAuth token is granted to a ransomware application in the cloud, that application now has all the permissions it needs to encrypt the user’s files, emails, and other data and hold them hostage throughout the cloud.
Kevin Mitnick demonstrated exactly this in what he coined “Ransomcloud”. Using a malicious application that requests permissions to the user’s email account while masquerading as a legitimate application, Mitnick showed how easily a user’s email inbox can be encrypted by the ransomware application.
When you consider an end user granting permissions to a malicious application that is thereby given access to your organization’s business-critical data, the threat becomes very real. To make matters worse, many end users blindly accept the permissions a third-party application requests without any scrutiny. In this way, a malicious application containing ransomware can easily gain access to the core of your business data in the cloud and begin encrypting it.
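To make the consent-grant risk concrete from the defender's side, here is an added example (not code from the original post or from SpinOne) that scores exported third-party app grants by the scopes they hold and by publisher verification, then lists the grants an administrator should review for revocation. The scope strings are real Google and Microsoft Graph permission names; the app names, users and grant records are constructed.

```python
from collections import namedtuple

# One consent record: who granted which scopes to which third-party app.
Grant = namedtuple("Grant", "user app publisher_verified scopes")

# Scopes that let an app modify or delete mail/files (Google and Microsoft forms);
# a consent-grant ransomware app needs one of these to encrypt data in place.
WRITE_SCOPES = {
    "https://mail.google.com/",                      # full Gmail access
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/drive",         # full Drive access
    "Mail.ReadWrite", "Files.ReadWrite.All",
}
# Read-only scopes still allow bulk exfiltration for leak-based extortion.
READ_SCOPES = {"https://www.googleapis.com/auth/gmail.readonly",
               "https://www.googleapis.com/auth/drive.readonly",
               "Mail.Read", "Files.Read.All"}

def assess_grant(g):
    """Return (risk, reasons); risk is 'critical', 'high', 'medium' or 'low'."""
    reasons = []
    writes = sorted(set(g.scopes) & WRITE_SCOPES)
    reads = sorted(set(g.scopes) & READ_SCOPES)
    if writes:
        reasons.append("can rewrite mail/files: " + ", ".join(writes))
    if reads:
        reasons.append("can read mail/files: " + ", ".join(reads))
    if not g.publisher_verified:
        reasons.append("publisher not verified")
    if writes and not g.publisher_verified:
        return "critical", reasons
    if writes:
        return "high", reasons
    return ("medium" if reads else "low"), reasons

def revocation_candidates(grants):
    """Grants an admin should review for revocation, worst first."""
    order = {"critical": 0, "high": 1}
    ranked = [(assess_grant(g)[0], g) for g in grants]
    ranked = sorted(((r, g) for r, g in ranked if r in order), key=lambda rg: order[rg[0]])
    return [(r, g.user, g.app) for r, g in ranked]

# Constructed sample grants (not real apps, users or tenants).
SAMPLE_GRANTS = [
    Grant("alice@example.com", "Mail Booster", False, ("https://mail.google.com/", "openid")),
    Grant("bob@example.com", "Calendar Sync", True, ("https://www.googleapis.com/auth/calendar",)),
    Grant("carol@example.com", "DocViewer", True, ("Files.ReadWrite.All",)),
    Grant("dave@example.com", "Inbox Reader", False, ("Mail.Read",)),
]
```

The medium-risk read-only grants are not revocation candidates here, but they are exactly the grants worth watching given the data-leak tactic discussed below.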
The threat of data leak
New ransomware variants are now combining the risk of having your data encrypted with the threat of intentionally leaking your data on the Internet. This helps to put even more pressure on your organization to pay the ransom in order to prevent the release of sensitive information on the Internet.
There are several variants of ransomware that have adopted this tactic. These include:
- AKO
- Clop
- Doppelpaymer
- Maze
- Mespinoza
- Nefilim
Does the threat of a data leak work? It certainly can. A data leak can be extremely costly for an organization, as outlined in IBM’s 2019 Cost of a Data Breach report. Below are key findings from the 2019 report:
- $3.92 million – the global average cost of a data breach
- $150 per record
- 279 days to identify and contain a breach
- Highest country average cost – U.S., $8.19 million
- Highest industry average – Healthcare, $6.45 million
The threat of next-generation ransomware leaking your data is a very real danger with significant fiscal impacts. How can you protect your cloud environment effectively from new ransomware variants?
Next-generation ransomware requires next-generation protection
To protect your cloud environment from advanced ransomware threatening your data, your organization must take a proactive approach and use the right tools to secure your environment. This requires that you have visibility, control, and enterprise-grade backups of your data.
SpinOne provides industry-leading ransomware protection for both Google G Suite and Microsoft 365. It uses next-generation technology, including artificial intelligence (AI), to detect ransomware so that it is stopped quickly. What’s more, SpinOne uses an automated response process to not only stop the attack but also automatically restore the affected data.
In this way, not only is your cloud data protected from a cloud ransomware infection, but the environment is also remediated without any administrator intervention. How does this work?
SpinOne remediates ransomware with the following process:
- Machine learning detects the ransomware attack via anomalous file behavior in the environment
- The source of the ransomware attack is blocked in real time
- SpinOne quickly identifies any files that may have been affected by the attack
- Using enterprise-grade backups, SpinOne restores the identified files from the last good backup
Figure: Process flow of SpinOne’s cloud ransomware protection
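As an added illustration of the detect, identify and restore steps above (example code, not SpinOne’s own implementation): a small Python model that flags an actor whose burst of renames changes file extensions, collects the files that actor touched from that moment on, and maps each to the newest backup snapshot taken before the burst. The thresholds, the event schema, and the sample events and backups are constructed assumptions.

```python
import os
from collections import defaultdict, namedtuple

# One file-activity audit event; ts is seconds since an arbitrary epoch.
Event = namedtuple("Event", "ts actor action file old_name new_name")

WINDOW_SECS = 60        # burst window: many files changed by one actor at once
BURST_THRESHOLD = 5     # distinct files in the window (kept low for the demo)
EXT_CHANGE_RATIO = 0.8  # share of renames that change the file extension

def detect_burst(events):
    """Return {actor: burst_start_ts} for actors whose writes look like encryption."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.action in ("modify", "rename"):
            by_actor[e.actor].append(e)
    flagged = {}
    for actor, evs in by_actor.items():
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e.ts - start.ts <= WINDOW_SECS]
            renames = [e for e in window if e.action == "rename"]
            ext_changed = sum(os.path.splitext(e.old_name)[1] != os.path.splitext(e.new_name)[1]
                              for e in renames)
            if (len({e.file for e in window}) >= BURST_THRESHOLD and renames
                    and ext_changed / len(renames) >= EXT_CHANGE_RATIO):
                flagged[actor] = start.ts
                break
    return flagged

def affected_files(events, actor, since_ts):
    """Every file the flagged actor modified or renamed from the burst start onward."""
    return sorted({e.file for e in events
                   if e.actor == actor and e.ts >= since_ts and e.action in ("modify", "rename")})

def restore_plan(events, backups):
    """Map each affected file to the newest backup version taken before the burst."""
    plan = {}
    for actor, since in detect_burst(events).items():
        for f in affected_files(events, actor, since):
            clean = [ver for snap_ts, ver in backups.get(f, []) if snap_ts < since]
            plan[f] = clean[-1] if clean else None   # None: no clean backup to restore
    return plan

# Constructed sample data: a consented third-party app rewriting files in bulk, plus
# one ordinary user rename (same extension, single file) that must not be flagged.
SAMPLE_EVENTS = [Event(1000 + i * 4, "oauth-app:FileSyncPro", "rename", f"f{i}",
                       f"doc{i}.docx", f"doc{i}.docx.locked") for i in range(6)]
SAMPLE_EVENTS += [Event(1010, "oauth-app:FileSyncPro", "modify", "f0", "doc0.docx.locked", "doc0.docx.locked"),
                  Event(1005, "alice@example.com", "rename", "f9", "report.docx", "report_v2.docx")]
SAMPLE_BACKUPS = {f"f{i}": [(900, f"f{i}@900"), (1012, f"f{i}@1012")] for i in range(6)}
```

Note that the snapshot taken at 1012, during the burst, is deliberately skipped: restoring it would bring back already-encrypted content.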
In addition to providing world-class ransomware protection and enterprise backups of your cloud SaaS environment, SpinOne provides additional tools that help to keep your cloud environment safe from malicious ransomware applications.
This includes SpinAudit, which allows auditing the third-party applications that have access to your cloud environment and whitelisting or blacklisting the applications that may or may not be used in your environment. This further protects your cloud data from malicious applications like ransomware.
For a fully-featured trial version of SpinOne for your G Suite or Microsoft 365 environment, click here.