Newsletter
In a recent study, Dig Security took a look into the persistent effectiveness of ransomware attacks, particularly those occurring in the cloud. Despite ongoing investments and emphasis on defensive cybersecurity measures, large organizations continue to succumb to ransomware attacks in the cloud. The research reveals a surprising disparity between current data security practices and the evolving tactics employed by ransomware groups. The study identifies four primary techniques in cloud-based ransomware attacks: data deletion, override, re-encryption, and disable key.
Data deletion involves threat actors deleting data after its exfiltration, thus granting them exclusive access. Its efficacy diminishes significantly with version control and a robust object lifecycle policy in place. An effective object lifecycle policy enhances the security of data stored in a cloud environment, making it more challenging for attackers to delete data discreetly.
The Object Override technique entails attackers systematically replacing each object in a cloud bucket with a blank file, rendering the data unusable. This method involves creating an empty file locally, which allows attackers to overwrite legitimate objects with the empty file. The attacker is effectively deleting the object without deletion permissions. This approach significantly disrupts data access and can be executed without elevating certain permissions.
Object Encryption/Re-encryption can be done to all objects within a targeted cloud storage bucket. This method involves reading each file in the bucket and subsequently re-uploading it using a localized encryption key. The crux lies in the file decryption process contingent on an attacker-held encryption key. Possessing the encryption key gives the attacker full control until receiving a ransom. This common technique can stretch organizational recovery timelines to weeks or months.
The adoption of Multi-Factor Authentication (MFA) and versioning in cloud environments is paramount in mitigating ransomware threats
Attackers exploit the Disable Key method, designed to protect data by scheduling the deletion of actively used encryption keys, thereby rendering encrypted data inaccessible. Notably, this process mandates a minimum seven-day advance notice. One might initially view this as an easily detectable and improbable attack vector. However, the reality is that in a production environment with a multitude of keys, the risk becomes significantly plausible.
Recent data security assessments by Dig’s statistics reveal concerning vulnerabilities. Only 10% of encrypted buckets utilize Customer Master Keys (CMK) for heightened security, and a striking 72% of remotely managed CMK buckets lack active monitoring. Data protection measures also showcase disparities, with 31% having versioning enabled, 67% implementing logging, but a mere 1% adopting object lock for crucial data tampering prevention.
Dig highlights the effectiveness of Data Security Posture Management in helping companies assess risks in the cloud. As organizations continue to battle with ransomware, it is crucial to implement new tools and practices that safeguard customer data.