The pandemic year 2020 was a launching pad for ransomware attacks. U.S. Acting Deputy Attorney General John Carlin recently told the Wall Street Journal, “By any measure, 2020 was the worst year ever when it comes to ransomware and related extortion events.” During the height of the COVID-19 pandemic, for example, ransomware operators targeted hospitals and healthcare organizations with unrelenting attacks. Ransomware accounted for 54.95% of healthcare data breaches and cost the industry $20.8 billion in downtime in 2020 alone. Blockchain analysis shows that the total amount paid by ransomware victims increased by 311% this year to reach nearly $350 million worth of cryptocurrency. 2020’s ransomware increase was driven by a number of new strains taking in large sums from victims, as well as a few pre-existing strains drastically increasing earnings. For a detailed report, you can refer to the Chainalysis 2021 Crypto Crime Report.
Ransomware is a formidable cyber threat today. It evolved from an opportunistic model to a human-operated model during Q1 of 2020. Detecting and preventing ransomware and protecting digital estates in major public clouds are becoming increasingly important for all types of organizations. In this article, we’ll take a look at different public cloud providers like AWS, Microsoft Azure, Google Cloud & Oracle Cloud, and their respective services which could help protect and recover cloud resources from ransomware.
Powerful yet proven protection (the 3 T’s: Tactics, Technique & operaTing procedures) against ransomware and many other threats requires multiple layers of defense.
Let’s generalize the terminology and look at the top pillars of protecting against ransomware attacks.
Assess –
- Discover and analyze all your digital assets in one place for tasks like IT ops, security analytics, auditing, and governance
- Create a Digital Asset Inventory with a matrix of the systems or processes which are most likely to be vulnerable to a ransomware attack
- Revisit your backup, restore and recovery objectives (RTO/RPO) for critical assets. Make sure you have a resilient backup & recovery strategy that minimizes disruption to business operations
- Revisit your BC/DR (business continuity/disaster recovery) plan and ensure that Mean Time to Recover (MTTR) meets your BC/DR goal. Do mock drills & simulations to ensure speedy recovery in the event of an attack
Protect –
- Follow a strong protection mechanism for backups against deliberate erasure and encryption. Encourage the use of MFA, PIN, immutable storage, etc.
- Ensure point-in-time and zero trust access to the critical/qualified business applications and resources, thereby limiting the blast radius of unauthorized access
- Implement a security framework like the National Institute of Standards and Technology (NIST SP1800-25) CSF to establish a foundational level of security
- Design built-in security & security-first cloud architecture models for data and applications
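The inventory matrix from the Assess pillar and the backup safeguards from the Protect pillar can be checked together in a few lines of Python. This is an added example, not part of the original article or any provider's tooling; the field names, the gap wording and the sample assets are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Asset:
    name: str
    critical: bool
    rpo: timedelta                # maximum tolerable data loss
    rto: timedelta                # maximum tolerable downtime
    last_backup: datetime
    backup_immutable: bool        # backup copy cannot be altered or erased
    backup_delete_mfa: bool       # deleting a backup requires MFA
    drill_restore: timedelta | None  # restore time measured in last drill

def assess(asset: Asset, now: datetime) -> list[str]:
    """Return the ransomware-readiness gaps for one inventory row."""
    gaps = []
    if now - asset.last_backup > asset.rpo:
        gaps.append("backup older than RPO")
    if not asset.backup_immutable:
        gaps.append("backup not immutable")
    if not asset.backup_delete_mfa:
        gaps.append("backup deletion not MFA-protected")
    if asset.drill_restore is None:
        gaps.append("no restore drill on record")
    elif asset.drill_restore > asset.rto:
        gaps.append("drill restore time exceeds RTO")
    return gaps

def readiness_matrix(inventory: list[Asset], now: datetime) -> dict[str, list[str]]:
    """Map asset name -> gaps; critical assets with the most gaps come first."""
    rows = [(a, assess(a, now)) for a in inventory]
    rows.sort(key=lambda r: (not r[0].critical, -len(r[1]), r[0].name))
    return {a.name: gaps for a, gaps in rows if gaps}

# Constructed sample inventory (hypothetical assets and timings).
NOW = datetime(2021, 6, 1, 12, 0)
H = timedelta(hours=1)
INVENTORY = [
    Asset("billing-db", True, 4 * H, 8 * H, NOW - 2 * H, True, True, 6 * H),
    Asset("patient-records", True, 1 * H, 4 * H, NOW - 3 * H, False, True, 5 * H),
    Asset("wiki", False, 24 * H, 48 * H, NOW - 30 * H, True, False, None),
]

if __name__ == "__main__":
    for name, gaps in readiness_matrix(INVENTORY, NOW).items():
        print(f"{name}: {', '.join(gaps)}")
```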
Detect & Respond –
- Proactively spot and stop malicious activity associated with ransomware to prevent key business disruption
- For hybrid or multi-cloud architectures, consider implementing CSPM (Cloud Security Posture Management)/CCM (Cloud Compliance Monitoring) solutions that automatically and continuously check for misconfigurations that can lead to data breaches and leaks.
- Based on organizational need, solutions/tools like SOAR (Security Orchestration, Automation and Response), XDR (Extended Detection and Response) & EDR (Endpoint Detection and Response) are worth evaluating and prioritizing based on the risk vs. complexity of implementation
Recover –
- Limit the blast radius by isolating the compromised resources while ensuring the non-compromised critical assets are backed up and protected against erasure/encryption by a ransomware attack
- Analyze, investigate and identify the root cause of the threat by engaging your own IT team or third-party forensic incident response experts
- Limit the exposure to ransomware across the environment by performing advanced threat hunting and determining the possibility of any persistent threat actors
- Document the lessons learnt and improve security hygiene by preparing a comprehensive approach for managing future cyber risks
Now, let’s take a look at the services from major public cloud providers like AWS, Azure, GCP & Oracle Cloud to deliver cyber resiliency for customers.
So in a nutshell, all public clouds have good measures to protect against ransomware attacks. Again, “Security & Compliance” is a shared responsibility, and customers are responsible for “Security in the Cloud”.