According to a release from the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC): “In recent years, ransomware attacks have become more focused, sophisticated, costly, and numerous. According to the Federal Bureau of Investigation’s 2018 and 2019 Internet Crime Reports, there was a 37 percent annual increase in reported ransomware cases and a 147 percent annual increase in associated losses from 2018 to 2019.” Ransomware attacks were prevalent in 2020 as well.
Attackers do not discriminate, although their focus appears to have shifted over the years from individuals to organizations, which can pay larger ransoms and often do so to avoid downtime and the expense of rebuilding. In short, bad actors favor the opportunities that maximize their profit.
Who's Being Targeted
While ransomware attacks have been carried out against companies of all sizes, across all industries, throughout the world, The State of Ransomware 2020 (an independent survey commissioned by endpoint and network security provider Sophos) suggests organizations in the media, leisure and entertainment sector were hit hardest, with the IT, technology and telecom sector and the energy, oil/gas and utilities sector close behind.
This is on top of a barrage of news headlines highlighting attacks carried out on the healthcare sector as well as state and local government. According to Comparitech research, there were 172 ransomware attacks against U.S. healthcare organizations over a four-year period starting in 2016, costing the industry more than $157 million.
Interestingly, of all The State of Ransomware 2020 survey respondents who fell victim to a ransomware attack and had their data encrypted, 35% said data in the public cloud was affected, while 24% said data in the public cloud, the private cloud and on-premises was all affected. Nearly six in 10 successful ransomware attacks (59%) therefore involved data in the public cloud.*
As more organizations move more critical operations to the cloud, it’s reasonable to assume that the next generation of ransomware attacks will increasingly focus on data in the cloud. The more reliant an organization is on a system, the more appealing it becomes from an attack perspective, and hackers are looking for mistakes and misconfigurations to exploit. Moreover, the public cloud could provide access to many more victims than otherwise may be possible via an on-premises data center breach.
Examples of Major Attacks
Specific database products are targeted because attackers know that human error routinely leaves instances exposed. In one attack in the summer of 2020, close to 23,000 MongoDB databases were the focus of a ransomware campaign. The attackers used an automated script to find databases left open without a password, wiped them clean of any data, and demanded 0.015 bitcoin (equivalent to $565 USD in January 2021) to return the information. If payment wasn't made within 48 hours, they threatened to publish the data and notify GDPR enforcement authorities.
Misconfigured databases are a constant source of data breaches and are ripe for ransomware attacks. In the summer of 2019, hotel franchisor Choice Hotels found a ransom note demanding 0.4 bitcoin after it was discovered that close to three-quarters of a million guest records had been taken from a publicly accessible MongoDB database.
In mid-2020, Garmin fell victim to a ransomware attack via Evil Corp’s WastedLocker, which locked down its systems. This caused an outage for Garmin’s GPS services that left everyone from individual consumers to governments and enterprises with little or no navigation capability for multiple days. WastedLocker campaigns are customized for each target but often begin with the abuse of stolen login credentials, some of which carry administrator privileges. Unable to recover from backups and left with no other option, Garmin reportedly paid its attackers $10 million to recover its systems.
How To Prevent / Mitigate Ransomware Attacks In The Public Cloud
Under the shared responsibility model, cloud providers alleviate some of the operational burden placed on organizations. For example, AWS “operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the services operate.” This means organizations are responsible for protecting the data and workloads they store in the cloud. Per AWS, “Customers are responsible for managing their data (including encryption options), classifying their assets, and using AWS Identity Access Management (IAM) to apply the appropriate permissions.”
There are a number of steps an organization should take to build a layered defense that guards against ransomware attacks and limits the fallout should an attack succeed. Some best practices specific to protecting data in public cloud databases include:
- Mandating configuration checks
- Regularly running vulnerability assessments
- Segmenting data
- Managing and tracking access
- Monitoring activity
- Maximizing backup retention and minimizing recovery point objective
- Ongoing security training
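The first item, mandating configuration checks, is the one that would have stopped the open-MongoDB campaign described above: every victim was running a listener reachable from the internet with authorization switched off. The following is an added example written for this article, not code from the white paper or from MongoDB. It audits a mongod.conf for exactly those two mistakes plus a missing TLS requirement. The option names (security.authorization, net.bindIp, net.bindIpAll, net.tls.mode) are real mongod.conf settings; the two sample configuration files are constructed for the example, and parse_simple_yaml is a deliberately minimal parser for the indented key/value subset mongod.conf uses (in production, parse the file with a full YAML library instead).

```python
# Added example: audit a mongod.conf for the misconfigurations behind the
# 2020 "open MongoDB" ransom campaign (no authentication, listener bound to
# every interface) plus missing transport encryption. Illustrative code for
# this article; option names are real mongod.conf keys, everything else is
# constructed here.
from typing import Any, Dict, List, Tuple

# Constructed sample: what the 2020 victims' configs typically looked like.
# The 'security' section is absent entirely; mongod's default is no authorization.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # reachable from the whole internet
"""

# Constructed sample: the same server after hardening.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.1.25   # loopback plus one private interface
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
security:
  authorization: enabled
"""


def parse_simple_yaml(text: str) -> Dict[str, Any]:
    """Parse the indented 'key: value' subset that mongod.conf uses.

    Minimal helper written for this example: nested mappings and scalars only
    (no lists, anchors, quoted '#' or multi-line strings).
    """
    root: Dict[str, Any] = {}
    # Stack of (indent, mapping) so that dedenting returns to the right parent.
    stack: List[Tuple[int, Dict[str, Any]]] = [(-1, root)]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:           # root sits at indent -1, so never empties
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value == "":                         # start of a nested mapping
            child: Dict[str, Any] = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def lookup(conf: Dict[str, Any], dotted: str, default: str) -> str:
    """Fetch a 'net.tls.mode'-style key, falling back to mongod's own default."""
    node: Any = conf
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return str(node)


def audit_mongod_conf(text: str) -> List[Tuple[str, str]]:
    """Return (option, finding) pairs; an empty list means every check passed."""
    conf = parse_simple_yaml(text)
    findings: List[Tuple[str, str]] = []

    # 1. Authentication: a missing section means 'disabled', exactly the state
    #    the automated wiper scripts were scanning for.
    if lookup(conf, "security.authorization", "disabled").lower() != "enabled":
        findings.append(("security.authorization",
                         "not 'enabled': any client that reaches the port has full access"))

    # 2. Exposure: mongod 3.6+ binds to localhost unless told otherwise;
    #    0.0.0.0, '::' or bindIpAll puts the listener on every interface.
    bind_all = lookup(conf, "net.bindIpAll", "false").lower() == "true"
    addrs = [a.strip() for a in lookup(conf, "net.bindIp", "127.0.0.1").split(",")]
    if bind_all or "0.0.0.0" in addrs or "::" in addrs:
        findings.append(("net.bindIp",
                         "listener bound to all interfaces; bind to loopback/private addresses"))

    # 3. Transport: anything short of requireTLS lets credentials and data cross
    #    the network in the clear.
    if lookup(conf, "net.tls.mode", "disabled").lower() != "requiretls":
        findings.append(("net.tls.mode",
                         "not 'requireTLS': traffic and credentials are sent unencrypted"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or "OK")
```

Run against the weak sample the audit reports all three options; against the hardened sample it reports nothing. Wiring a check like this into the pipeline that deploys database hosts (and failing the deployment on any finding) is what "mandating configuration checks" means in practice: the default-open state is caught before the instance is reachable, rather than after a scanner finds it.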
*It’s possible some respondents equated cloud-based services (e.g., Google Drive) and cloud backup (e.g., Veeam) with “public cloud”, rather than focusing solely on cloud providers such as AWS and Azure.
This is an excerpt taken from our white paper titled Ransomware and The Cloud. Interested in learning more? Download your copy today.
David LeBlanc, security expert and author of the most recently published 24 Deadly Sins of Software Security and the widely read Writing Secure Code, takes a look at the complexities of, and best practices for, mitigating cloud-specific ransomware threats in a webinar also titled Ransomware and The Cloud.