When Ransomware and Your Data Move to the Cloud, How to Strengthen Protection

Written by ShardSecure

Ransomware has been a serious threat for quite some time. But over the last two years it has captured the lion’s share of attention from enterprises, government agencies, and law enforcement as it now presents an increased globalized threat.

A February 9, 2022, alert from the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), reported 14 of the 16 U.S. critical infrastructure sectors experienced ransomware attacks in 2021. Partner agencies in Australia and the UK see similarly widespread threats, with the UK going so far as to say it is the biggest cyber threat the country is facing. Just a few weeks later, with global unrest escalating, cyberthreats are now making headlines as weapons of warfare with warnings of possible attacks against US and international satellite communication (SATCOM) networks. Dubbed the “golden era” for cybercriminals, between April 2020 and July 2021 ransomware attacks rose 150%. In the current geopolitical climate, 2022 could go platinum.

Threat actors are diversifying their targets and approaches and no organization is out of scope. Warnings highlight the emergence of “triple extortion” techniques whereby cyber criminals threaten to publicly release stolen sensitive information, disrupt the victim’s internet access, and/or inform the victim’s partners, shareholders, or suppliers about the incident if the ransom is not paid. Threat actors are also moving away from “big-game” and toward mid-sized companies to try to fly below the radar. And, as more entities have moved to the cloud over the last two years, threat actors have as well – actively targeting cloud infrastructure to compromise data backup and storage systems in the cloud.

Although threat actors continue to diversify their methods, their goal remains the same – to make money by seizing high-value data and only unlocking or returning it when payment is received. But the reality is that even when organizations pay the ransom, there is no guarantee threat actors won’t resell the data or target them again. Research shows ransomware-related data leaks increased by 82% in 2021, up from 1,424 in 2020 to 2,686 in 2021. Of organizations that pay ransoms, almost 80% suffered a second attack and nearly half (46%) of the recurring attacks were suspected to be by the same group that executed the first attack!

Changing the narrative of cloud-based ransomware attacks

Moving to the cloud is great for the innovation, agility, scalability, and efficiencies it enables. But it also increases the attack surface. With threat actors increasingly setting their sights on cloud infrastructure and data, how can organizations that have embraced the cloud protect their data more effectively?

Some organizations may mistakenly think their cloud provider is keeping them safe and they don’t have to worry. But cloud providers operate with a shared responsibility model and the lines of responsibility for protecting data in the cloud can become blurred. Even if the arrangement is crystal clear, highly resourced threat actors are unrelenting in their pursuit. Storage misconfigurations and other security lapses that frequently make headline news are also concerning.

Imagine this scenario: An administrator at your cloud provider is tricked into executing a script that encrypts all of your data. Now what?

Ransomware attackers often take a two-prong approach, first stealing the victim’s compromised data before encrypting it with the ransomware. The idea is that, if the victim doesn’t pay the ransom, the attacker will simply publicly release the data. Encrypting your data in the cloud is a great layer of defense, but key management can be a challenge. Clients tell us that users sometimes upload encryption keys to shared repositories to facilitate collaboration or copy keys and store them on laptops to have an offline copy. Threat actors can obtain access to keys due to poor cyber hygiene and the victim’s data is simply decrypted. Even if threat actors are unable to decrypt encrypted files, they can encrypt encrypted files so that you can’t access them.

To strengthen security, organizations are looking to layer, and in some cases replace, encryption with additional methods like microsharding to mitigate risk from exfiltration of data or re-encryption of their files. Microsharding is a three-step process that consists of shredding data into microshards that are too small to contain sensitive data, mixing microshards along with poisoned data to make it more unintelligible to unauthorized users, and distributing it to multiple storage repositories to ensure it is incomplete at rest. This approach leaves the threat actor with only an unintelligible fraction of the complete data set.

Microsharded data is self-healing. What that means is that multiple data integrity checks are performed during the microsharding process. If changes have been made to the data at rest, the affected data is reconstructed to its last known good state. It doesn’t matter if the data has been encrypted, modified, or even deleted. Users’ work is unaffected and security teams are alerted to initiate investigation and response. Data from the affected storage location can be moved to an unaffected location while the incident is remediated. Most importantly, threat actors are stopped in their tracks because it’s virtually impossible to reassemble the data which makes it of no value and neutralizes any data leakage threat.

No one approach will neutralize the ransomware threat. In a scenario such as the one above, a breach of a storage location, or accidental or intentional exposure of a storage location online are all areas where microsharding can help you maintain business continuity and data integrity. And it can be used in combination with encryption with little to no additional work required. A strong defense-in-depth architecture including offline backups, encryption, good cyber hygiene, and microsharding, coupled with other approaches your cloud provider may offer as part of a shared responsibility model, is still your best defense to mitigate cloud ransomware risk.