Ransomware rumblings in the cloud: stormy weather predicted

Without doubt, ransomware is now the technique of choice for cyber-criminals, with a recent PhishMe report showing that 93 percent of all phishing emails it analysed contained encryption ransomware.

It's not hard to see why. Ransomware has proven so effective at extracting hard cash from its victims – faced with a £400 bill to restore access to vital data, plenty of small firms simply pay up and move on.

As a result, it's been big news too – speculation as to the origins of ransomware code has filled many a column inch. 

In my view, however, we should be thinking less about ransomware's past and a lot more about its future – and by that, I mean a future in the cloud.

Cloudy with outbreaks of extortion

There are a number of factors that make cloud services and data obvious targets for ransomware attackers – and they all relate to the scale of the opportunity and the enormous payoffs on offer.

Clearly, the potential financial upside for attackers is the most important – and the numbers here dwarf the £8 billion cost of WannaCry. A recent Lloyd's of London emerging risk report estimated that a ransomware-style attack on a cloud service provider could trigger total, worldwide losses of £92 billion.

With that kind of bounty on offer, does anyone really think hackers won't move on to the cloud at some point?

If that was not enticement enough, the cloud also represents a relatively easy target. Not because of some inherent flaw in the model, but because of the near ubiquity of cloud adoption and a widespread failure to properly mitigate the risk of 'denial of access' attacks.

A big target

To put that in context, Microsoft's latest earnings announcement reported Office 365 revenue growth of 45 percent, while revenue from its cloud unit rose by about 11 percent to £5.6 billion in the fiscal fourth quarter ended June 30. 

Indeed, according to Microsoft, Office 365 now serves over 100 million users, and is adding new users at a rate of 40 percent annually.  

Bear in mind that the vast majority of ransomware attacks are delivered via email – a service at the heart of Office 365, and the size of the target base for cyber-criminals becomes clear.

A soft target?

In addition to all that, cyber-criminals will not have to look very hard to find the cloud's Achilles' heel – it is the API-driven access model that makes the cloud tick. The same programmatic interfaces that let businesses store and access valuable data and business-critical applications in the cloud give anyone holding valid credentials exactly the same reach.

Whether it's CRM, payroll or any other critical business processes, this is the kind of data that companies rely on every day and would pay a high price to recover.

Add to that end users' flawed approaches to securing the increasingly vital services and data they entrust to cloud vendors, and the cyber-criminals that eventually find ways to target the cloud will be eyeing something of an open goal.

Access denied

I'm not suggesting this is about to become a major issue overnight. I think it will take a while yet – not least because success for hackers will require an element of credential theft as well as malware development, even if many of the tools they need are already out there.

Even so, once they have the credentials and the mechanisms necessary to gain access through a SaaS environment they will have the ability to deny access to data or threaten to damage it – and that threat is where the extortion can find its leverage.

In fact, San Francisco's Muni public transport system has already fallen victim to a denial-of-access attack of this kind. On that occasion, hackers took over more than 2,000 computers used to operate the system. Using a variant of the HDDCryptor malware to encrypt data, they demanded a ransom of 100 bitcoin (£58,514).

One basket syndrome

An issue compounding this risk is the fact that all too many businesses rely solely on protections provided by SaaS or cloud providers – some of which are simply not geared up to defend against these types of attacks.

Mimecast's third quarterly Email Security Risk Assessment (ESRA), for instance, found that prominent cloud-based email service providers, including Google G Suite and Microsoft Office 365, are coming up short by not blocking thousands of email-borne attacks.

Granted, Exchange Online comes with certain data protection capabilities, but these are designed primarily to protect against loss caused by failures in Microsoft's own software and hardware.

But what about threats like accidental deletion, data corruption, cyber-criminal attacks, and malicious users or administrators? 

Under the shared-responsibility model, Microsoft and other cloud vendors leave protection against those risks to the customer, so it's just a matter of time before an organisation relying solely on their built-in safeguards suffers data loss – including via a ransomware-style attack.

Is cloud back-up the solution?

The burgeoning array of Office 365 cloud backup solutions on the market suggests there may indeed be a simple solution, but they really only solve one problem: backup and restore.

Cloud ransomware attacks pose a rather more complex problem. As soon as an attacker hijacks a user's cloud credentials, or obtains any form of admin privilege, they can encrypt everything that account can reach through the provider's APIs – and for an admin account that can be the whole tenant. That is data capture at serious scale, and a big issue for any firm affected.
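The scale of that activity is also what makes it detectable: a hijacked account encrypting a tenant's files produces a burst of writes and renames in the provider's audit trail that no human user generates. The following Python is an added example, not Mimecast's code and not a real Office 365 or G Suite audit schema. It runs a sliding-window heuristic over a constructed, simplified list of file-activity events and flags accounts whose write rate and extension-change count both cross a threshold inside a short window. The event tuple layout, the operation names, the suspect suffixes and the thresholds are all assumptions chosen for illustration.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operation names are assumed for this example; real audit logs use their own vocabulary.
WRITE_OPS = {"FileModified", "FileRenamed", "FileUploaded"}
# Assumed ransomware-style suffixes, illustrative only.
SUSPECT_SUFFIXES = (".locked", ".crypt", ".encrypted")

# Constructed sample events: (user, ISO timestamp, operation, old_name, new_name).
SAMPLE_EVENTS = [
    # alice: ordinary editing spread over half an hour, one legitimate rename
    ("alice", "2017-09-01T09:00:00", "FileModified", "q3-forecast.xlsx", "q3-forecast.xlsx"),
    ("alice", "2017-09-01T09:05:00", "FileRenamed", "notes.txt", "notes.docx"),
    ("alice", "2017-09-01T09:12:00", "FileDownloaded", "board-pack.pdf", "board-pack.pdf"),
    ("alice", "2017-09-01T09:30:00", "FileModified", "q3-forecast.xlsx", "q3-forecast.xlsx"),
]
# bob: a hijacked account renaming 12 documents to *.locked within 33 seconds
SAMPLE_EVENTS += [
    ("bob", f"2017-09-01T10:00:{i * 3:02d}", "FileRenamed", f"doc{i}.docx", f"doc{i}.docx.locked")
    for i in range(12)
]
# carol: a legitimate bulk sync (many writes, no extension changes) that must NOT alert
SAMPLE_EVENTS += [
    ("carol", f"2017-09-01T11:00:{i * 2:02d}", "FileModified", f"sheet{i}.xlsx", f"sheet{i}.xlsx")
    for i in range(15)
]


def extension_changed(old_name, new_name):
    """True if the file extension differs, or the new name carries a suspect suffix."""
    old_ext = os.path.splitext(old_name)[1].lower()
    new_ext = os.path.splitext(new_name)[1].lower()
    return old_ext != new_ext or new_name.lower().endswith(SUSPECT_SUFFIXES)


def detect_mass_encryption(events, window_seconds=60, threshold=10):
    """Flag users with >= threshold write operations inside a sliding window
    where at least half of those writes changed the file extension.

    Returns {user: {"first_seen", "writes_in_window", "extension_changes"}}
    recorded at the moment the user first crossed the threshold.
    """
    window_len = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # user -> deque of (timestamp, ext_changed)
    alerts = {}
    for user, ts_str, op, old_name, new_name in sorted(events, key=lambda e: e[1]):
        if op not in WRITE_OPS:
            continue  # reads and downloads do not count towards the write burst
        ts = datetime.fromisoformat(ts_str)
        window = recent[user]
        window.append((ts, extension_changed(old_name, new_name)))
        while ts - window[0][0] > window_len:
            window.popleft()  # drop writes older than the window
        ext_changes = sum(1 for _, changed in window if changed)
        if user not in alerts and len(window) >= threshold and ext_changes >= threshold // 2:
            alerts[user] = {
                "first_seen": window[0][0].isoformat(),
                "writes_in_window": len(window),
                "extension_changes": ext_changes,
            }
    return alerts


if __name__ == "__main__":
    for user, detail in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {detail}")
```

The extension-change condition is what separates bob's burst from carol's bulk sync; a write-count threshold alone would fire on both. In practice the events would come from the provider's audit API rather than an inline list, and the window and thresholds would be tuned against each tenant's normal activity before the rule is used to suspend an account or trigger a restore.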

If the solution relies on backup, the burning question is how far back in time an organisation can afford to go as it restores data.  An hour? 24 hours? Longer? 

In a real-time world, backup and restore is simply not good enough.

Cyber resilience

The focus has to be on cyber resilience – that is, prevention coupled with an ability to get back up and running quickly, with a minimum of disruption and zero data loss, in the event of a successful ransomware attack.

In many cases that will mean working with a third-party cloud service capable of safeguarding data and providing rapid access when the worst happens. This is a speed of reaction that can only be delivered by pairing independent data storage with real-time sync and rapid recovery, as well as alternative access routes to key systems like email.

The truth is that cloud ransomware defence will quickly move beyond a prevention-only stance, with mitigation taking over as the default position. And those cloud-reliant businesses with the foresight to put some kind of real-time sync and recovery plan in place early will likely weather the storm better than most.

Contributed by Neil Murray, CTO, Mimecast

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.