The number of ransomware attacks, especially those involving Amazon S3 buckets, Azure Storage accounts and other cloud assets, has increased in recent years. Still, most organizations don't act to reduce these attacks or lower their impact. Our research shows, for example, that only 31% of S3 buckets have versioning enabled, an essential for data recovery, while just two-thirds of sensitive buckets have logging enabled, a prerequisite for detection.
In the battle against ransomware, understanding your enemy is half the victory. By diving into the minds of attackers and evaluating the pros and cons of their techniques, we can anticipate their next moves and fortify our defenses.
In this blog post, we cut through the theory and delve into the practical aspects of ransomware attacks involving cloud environments. To fortify our defense strategies, we draw from real-world data and simulations to explore attack vectors and evaluate both their prevalence and their potential impact.
By examining the modus operandi of ransomware attackers, we aim to understand them, gaining the ability to predict when a technique might occur, as well as the measures to effectively nip it in the bud.
Ransomware attacks in the cloud are carried out via four main techniques — data deletion, override, re-encryption and disable key, as seen in Figure 1.
First, let’s dive into each technique and look at the relevant CLI and required permissions, as well as its advantages and limitations from the attacker’s perspective.
During a ransomware attack, the attacker may decide to delete data to gain exclusive control over it. By understanding the mechanisms behind this attack, we can develop more effective counter-strategies.
CLI Command
Required Permission
Advantages
Limitation
Alternatively, an attacker can manipulate bucket lifecycle rules by setting them to delete objects automatically after a certain period and by bypassing the need for direct deletion permissions.
CLI Command
Required Permission
Advantages
Limitation
In this technique, attackers create a blank file and systematically replace every object in the bucket to, in effect, make the data unusable.
CLI Command
Required Permissions
Advantage
Limitation
Re-encryption of all objects in the victim’s bucket also involves multiple techniques, including reading every file in the bucket and reuploading it — this time with a local encryption key. In this way, the encryption key is the only way the victim can decrypt the files.
CLI Command
Once a customer key encrypts the object, the victim will receive the following error when trying to access the encrypted files.
Required Permissions
Advantages
Limitation
Another option is to re-encrypt all the files with a KMS stored in a remote account, which, in this case, is in the attacker's remote account.
CLI Command
Required Permissions
Advantages
Limitation
Data encrypted with KMS can be decrypted only with that KMS. Without the key, the data is inaccessible. Attackers can choose to schedule key deletion for the KMS to make the data inaccessible. It isn’t possible to delete the key immediately, but it must be scheduled at least seven days in advance.
In a prod environment with dozens of keys, it’s possible for such a case to go undetected for 7 days, which will lead to key deletion and data loss.
CLI Command
Required Permission
Advantages
Limitation
A more sophisticated ransomware tactic involves disabling the key material in S3 buckets encrypted with external keys. Unlike AWS-managed keys that have a mandatory delay before deletion, external key material can be deleted immediately, leaving the encrypted data inaccessible.
The attacker’s strategy is to remove access to the encryption key rather than manipulate the data directly.
CLI Command
Required Permission
Advantages
Limitation
If versioning is enabled on the asset, the attacker needs to make all noncurrent versions unavailable for the victim to complete the attack on the victim’s bucket. The techniques outlined above don't handle the remaining versions.
CLI Command (to delete remaining backups)
Required Permissions
Advantage
Limitation
After exploring the individual ransomware attack scenarios, comparing them across similar conditions helps us understand their relative levels of danger and efficacy.
Before doing that, though, let’s point out two key parameters that help us make a proper comparison.
The time dimension is important in ransomware attacks because it defines the window of opportunity to detect and respond to the attack. By measuring the speed of the ransomware techniques in handling varied quantities of data, we can rank their relative strength.
The strength of the direct deletion, override, and re-encryption techniques drops as the quantity of data increases. In contrast, techniques that are considered less efficient for small quantities of data, such as schedule for deletion and indirect deletion using life cycle policy, get relatively stronger as the quantity of data increases.
Timing is critical in cloud ransomware scenarios. The time required to delete, write or encrypt data can span hours, even days, in the cloud. This window is more than an operational concern. It’s a critical factor regarding the efficacy of attacks and the potential defenses against them. That’s why, when conducting our evaluation, we examined the execution speed of ransomware techniques via CLI and Python scripts on S3 buckets, with and without versioning.
The timing for the various actions are illustrated in the following table.
Our findings again highlight the need for security teams to reduce the mean time to detect (MTTD) and mean time to respond (MTTR) for attacks on their cloud infrastructure.
The table below summarizes our findings based on a comparison of the speed, impact and reversibility of each method. It not only highlights the most risky techniques, but also underscores the importance of timely detection and response strategies in mitigating potential damage.
While ransomware can devastate, you can take actions to neutralize the techniques and reduce the attack’s effectiveness.
Enforce separation of duties. Our 2023 State of Data Security Research shows that all principals with admin permissions also have consumer privileges. Use the divide-and-conquer approach to separate the permissions required to carry out a full attack by one principal.
Encryption
Data Protection Measures
These figures reveal significant gaps in current data security practices, highlighting areas where immediate improvements are necessary to bolster defenses against ransomware attacks.
Knowing how much time it takes to perform a ransomware attack on your data is the first step to choosing a prevention and detection strategy. But you’ll also need to enable logging of data events on your S3 buckets.
In a bucket whose versioning and MFA deletion aren’t turned on, the first sign of a ransomware attack will be multiple attempts to read / write files from the bucket. The detection requires critical mass before it’s deemed as an attack, and by nature, detection will raise an alert only after the attack has begun and the data has been exfiltrated or deleted.
If the bucket is protected with versioning and MFA delete, preliminary signs of an attack could include either removing the configuration of MFA deletion, versioning or changing bucket encryption configuration. These signs help us become aware of the attack before it impacts the data. And as long as it’s advancing, we’ll receive additional signs that something is happening that requires our attention.
As previously shown, the presence of noncurrent versions in a versioned S3 bucket adds complexity to a ransomware attack. This means that attackers have to navigate through additional steps to compromise the data, which in turn provides you with a longer time frame to detect and counteract the attack before any significant data loss occurs.
For insights into cloud security and a better understanding of how your data is exposed in the cloud, read our comprehensive State of Cloud Data Security 2023 report. This research sheds light on crucial aspects of cloud data security and provides actionable steps to defend your valuable data effectively.
If you haven’t tried Prisma Cloud and would like to test drive best-in-class Code to CloudTM security, we’d love for you to experience a free 30-day trial.
By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.