These attacks, which are usually delivered through spear-phishing emails, block users from accessing systems and data until a ransom is paid. The victims targeted by the hackers are rich multinationals that have the means to pay the ransom demanded.
Cloud service providers such as Amazon are now facing a serious threat on their platforms. Amazon’s CloudFront was compromised and used to host the Command & Control (C&C) infrastructure. This platform has been used successfully for ransomware on at least two multinationals in the food and services sectors, according to Symantec.
In CloudFront's case, the content delivery network (CDN), meant to give businesses and application developers a simple, cost-effective way to share content with low latency and high speed, was hijacked and used to spread the ransomware payloads. The CloudFront CDN allowed the hackers to register S3 buckets for static content and then use API calls to distribute malicious content through the Amazon CloudFront service. These attacks take advantage of configuration vulnerabilities and weak services to deploy destructive ransomware payloads.
As with any other large-scale and easily accessible online service, bad actors take advantage of these useful services to carry out their malicious campaigns. Malware is delivered through otherwise legitimate tools and remote access platforms that, if used well, could be beneficial to businesses and individuals. While ransomware is the main action taken, human operators also deliver other malicious payloads through the cloud hosting platforms to steal crucial information such as credentials and access, or to exfiltrate data from the compromised networks.
News about ransomware attacks often revolves around the effects they cause, such as payment of the ransom, and the details of the attack. It leaves out other damage, such as the downtime they cause and the domain compromise that results from successful attacks. Because of their stealthy nature, these successful, long-running campaigns lead to long-term compromise of organizations' networks.
Fighting and preventing malware attacks, as is evident from the shift of attacks from organizations to service providers, will require a change in mindset in the future. Future prevention campaigns should concentrate on comprehensive deterrence that slows down and stops attackers before they gain access to systems. These attacks will continue taking advantage of security weaknesses in cloud systems to deploy harmful payloads until those responsible for defense apply security best practices in their cloud systems.
Cloud service providers should ensure that they have robust backups going forward. They must take data backup and protection seriously to ensure that they have a source of recovery in case of a successful ransomware attack. The backup should consist of three copies of the data, with two of them stored on separate media and one stored in an offsite location. By using an offsite data backup solution, businesses will have an easy time restoring data if bad actors lock them out with the intention of demanding a ransom.
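The three-copies, two-media, one-offsite rule described above can be checked mechanically against a backup inventory. The following is an added example, not code from the article or from any vendor; the inventory records and their fields are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a data set, as recorded in a backup inventory (constructed schema)."""
    label: str
    medium: str      # storage medium, e.g. "disk", "tape", "object-storage"
    site: str        # where the copy physically lives
    offsite: bool    # True if the copy is held outside the primary site


def check_three_two_one(copies: List[BackupCopy]) -> Dict[str, bool]:
    """Evaluate an inventory against the rule from the article: at least three
    copies, on at least two distinct media, with at least one copy offsite.
    Returns one boolean per requirement so a report can name what is missing."""
    media = {c.medium for c in copies}
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "one_offsite": any(c.offsite for c in copies),
    }


def compliant(copies: List[BackupCopy]) -> bool:
    return all(check_three_two_one(copies).values())


def missing_requirements(copies: List[BackupCopy]) -> List[str]:
    """Names of the requirements an inventory fails, sorted for stable output."""
    return sorted(k for k, ok in check_three_two_one(copies).items() if not ok)


# Constructed sample inventories (not from the article).
GOOD = [
    BackupCopy("primary", "disk", "hq-datacenter", offsite=False),
    BackupCopy("nas-replica", "nas", "hq-datacenter", offsite=False),
    BackupCopy("tape-vault", "tape", "offsite-vault", offsite=True),
]
# Three copies, but all on the same medium at the same site: a ransomware
# event that reaches the site can take every copy at once.
WEAK = [
    BackupCopy("primary", "disk", "hq-datacenter", offsite=False),
    BackupCopy("snapshot-1", "disk", "hq-datacenter", offsite=False),
    BackupCopy("snapshot-2", "disk", "hq-datacenter", offsite=False),
]

if __name__ == "__main__":
    for name, inv in (("GOOD", GOOD), ("WEAK", WEAK)):
        status = "compliant" if compliant(inv) else "missing: " + ", ".join(missing_requirements(inv))
        print(f"{name}: {status}")
```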