Ransomware Mitigation Strategies for Major Public Clouds

The pandemic year 2020 was a launching pad for ransomware attacks. U.S. Acting Deputy Attorney General John Carlin recently told the Wall Street Journal, “By any measure, 2020 was the worst year ever when it comes to ransomware and related extortion events.” During the height of the COVID-19 pandemic, for example, ransomware operators targeted hospitals and healthcare organizations with unrelenting attacks. Ransomware accounted for 54.95% of healthcare data breaches and cost the industry $20.8 billion in downtime in 2020 alone. Blockchain analysis shows that the total amount paid by ransomware victims increased by 311% this year to reach nearly $350 million worth of cryptocurrency. The 2020 increase was driven by a number of new strains taking in large sums from victims, as well as a few pre-existing strains drastically increasing their earnings. For a detailed report, refer to the Chainalysis 2021 Crypto Crime Report.

Ransomware is a formidable cyber threat today. It evolved from an opportunistic model to a human-operated model during Q1 of 2020. Detecting, preventing and protecting the digital estate in major public clouds is becoming increasingly important for all types of organizations. In this article, we’ll take a look at different public cloud providers (AWS, Microsoft Azure, Google Cloud and Oracle Cloud) and their respective services that can help protect and recover cloud resources from ransomware.

Powerful yet proven protection against ransomware and many other threats (the 3 T’s: Tactics, Techniques & operaTing procedures, i.e. adversary TTPs) requires multiple layers of defense.

Let’s generalize the terminology and look at the top pillars of protecting against ransomware attacks.

Assess

  • Discover and analyze all your digital assets in one place for tasks like IT ops, security analytics, auditing and governance
  • Create a digital asset inventory with a matrix of the systems or processes that are most likely to be vulnerable to a ransomware attack
  • Revisit your backup, restore and recovery objectives (RTO/RPO) for critical assets. Make sure you have a resilient backup & recovery strategy so that business operations are minimally disrupted
  • Revisit the BC/DR (business continuity/disaster recovery) plan and ensure that Mean Time to Recover (MTTR) meets your BC/DR goal. Do mock drills & simulations to ensure speedy recovery in the event of an attack

Protect

  • Follow a strong protection mechanism for backups against deliberate erasure and encryption. Encourage the use of MFA, PINs, immutable storage, etc.
  • Ensure point-in-time and zero-trust access to critical/qualified business applications and resources, thereby limiting the blast radius of unauthorized access
  • Implement a security framework like the National Institute of Standards and Technology (NIST) CSF (see NIST SP 1800-25) to establish a foundational level of security
  • Design built-in security & security-first cloud architecture models for data and applications
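The Assess and Protect pillars above (RTO/RPO review, immutable and MFA-protected backups) can be turned into a repeatable posture check. This is an added example, not code from the original post: it runs over a constructed, provider-neutral inventory whose field names are an assumption standing in for what a CSPM tool would pull from AWS Backup / S3 Object Lock, Azure Backup vaults or their GCP/OCI equivalents.

```python
"""Backup-posture check for the Assess and Protect pillars (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupVault:
    # Assumed, provider-neutral summary of a backup vault's settings.
    name: str
    provider: str
    immutable: bool          # WORM / Object Lock / vault lock enabled
    mfa_delete: bool         # deletion requires MFA or a PIN
    retention_days: int
    rpo_hours: float         # recovery point objective agreed with the business
    last_backup: datetime    # timestamp of the last successful recovery point


MIN_RETENTION_DAYS = 14  # assumption: house rule for critical assets


def assess_vault(v: BackupVault, now: datetime) -> list:
    """Return the list of findings for one vault (empty list means compliant)."""
    findings = []
    if not v.immutable:
        findings.append("backups are not immutable: an attacker with storage access can encrypt or delete them")
    if not v.mfa_delete:
        findings.append("deletion does not require MFA/PIN")
    if v.retention_days < MIN_RETENTION_DAYS:
        findings.append(f"retention {v.retention_days}d is below the {MIN_RETENTION_DAYS}d minimum")
    age = now - v.last_backup
    if age > timedelta(hours=v.rpo_hours):
        findings.append(f"last recovery point is {age.total_seconds() / 3600:.0f}h old, exceeding the {v.rpo_hours:.0f}h RPO")
    return findings


def assess_inventory(vaults, now=None) -> dict:
    """Map each vault name to its findings; RPO drift is judged against `now`."""
    now = now or datetime.now(timezone.utc)
    return {v.name: assess_vault(v, now) for v in vaults}


# Constructed sample inventory (not real accounts or vaults).
NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_VAULTS = [
    BackupVault("erp-db-vault", "aws", True, True, 35, 24, NOW - timedelta(hours=6)),
    BackupVault("fileshare-vault", "azure", False, False, 7, 24, NOW - timedelta(hours=40)),
]

if __name__ == "__main__":
    for name, findings in assess_inventory(SAMPLE_VAULTS, NOW).items():
        print(name, "OK" if not findings else "\n  - " + "\n  - ".join(findings))
```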

Detect & Respond

  • Proactively spot and stop malicious activity associated with ransomware to prevent disruption of key business operations
  • For hybrid or multi-cloud architectures, consider implementing a CSPM (Cloud Security Posture Management)/CCM (Cloud Compliance Monitoring) solution that automatically and continuously checks for misconfigurations that can lead to data breaches and leaks
  • Based on organizational need, solutions/tools like SOAR (Security Orchestration, Automation and Response), XDR (Extended Detection and Response) & EDR (Endpoint Detection and Response) are worth evaluating and prioritizing based on risk vs. complexity of implementation

Recover

  • Limit the blast radius by isolating the compromised resources while ensuring the non-compromised critical assets are backed up and protected against erasure/encryption by the ransomware attack
  • Analyze, investigate and identify the root cause of the threat by engaging your own IT team or third-party forensic incident response experts
  • Limit the exposure of ransomware across the environment by performing advanced threat hunting and determining whether any threat actors remain persistent
  • Document the lessons learnt and improve security hygiene by preparing a comprehensive approach for managing future cyber risks

Now, let’s take a look at the services from the major public cloud providers (AWS, Azure, GCP & Oracle Cloud) that deliver cyber resiliency for customers.

Service Alignment of Major Public Cloud to Mitigate Ransomware Attacks

Identify

  • AWS: AWS Systems Manager, AWS Trusted Advisor, AWS Audit Manager, AWS Application Discovery Service, Amazon Macie, Amazon CloudWatch
  • Azure: Azure Security Center, Azure Advisor
  • GCP: Cloud Asset Inventory, Access Transparency, Security Command Center, Cloud Data Loss Prevention, Cloud IDS
  • Oracle: Cloud Advisor, Oracle CASB

Protect

  • AWS: AWS Systems Manager Patch Manager, AWS Shield, AWS Web Application Firewall (WAF), AWS Network Firewall, AWS Key Management Service (KMS), AWS Secrets Manager, AWS CloudHSM, Amazon Macie
  • Azure: Defender, Azure Active Directory (AD), Azure Front Door, Azure DDoS Protection, Azure Firewall, Azure Policy, Web Application Firewall, Azure Storage Service Encryption, StorSimple Encrypted Hybrid Storage, Azure Client-Side Encryption, Azure Storage Account Keys, Azure Storage Shared Access Signatures, Azure Key Vault, Azure Dedicated HSM, Azure Information Protection, Azure confidential computing
  • GCP: Cloud Key Management, Confidential Computing, Firewalls, Secret Manager, Google Cloud Armor, Security Command Center, Shielded VMs, VPC Service Controls, BeyondCorp Enterprise, Policy Intelligence, Resource Manager, Titan Security Key, reCAPTCHA Enterprise
  • Oracle: Web Application Firewall, OCI Vault, Security Zones, Data Safe

Detect

  • AWS: AWS Security Hub, Amazon GuardDuty, Amazon Inspector, AWS Config, AWS CloudTrail, AWS IoT Device Defender, Amazon CloudWatch, AWS Systems Manager
  • Azure: Azure Storage Analytics, Azure Sentinel, Microsoft 365 Defender, Azure AD Identity Protection, Azure Firewall, Azure Network Watcher, Microsoft Defender for Cloud Apps, Azure Monitor logs and metrics, Azure Defender for IoT, Azure AD reports and monitoring
  • GCP: Chronicle, Cloud Logging, Security Command Center, Web Risk
  • Oracle: Oracle Cloud Guard, Threat Intelligence Services, Oracle CASB, Logging Analytics, Oracle Application Performance Monitoring, Vulnerability Scanning Service

Respond

  • AWS: Amazon Detective
  • Azure: Azure Monitor logs and metrics, Azure Security Center, Azure Sentinel, DART Team
  • GCP: Security Command Center
  • Oracle: (none listed)

Recover

  • AWS: AWS Backup, AWS DataSync, AWS Elastic Disaster Recovery
  • Azure: Azure Backup, Azure Site Recovery, StorSimple
  • GCP: Actifio GO
  • Oracle: (none listed)

So in a nutshell, all public clouds have good measures to protect against ransomware attacks. Again, “Security & Compliance” is a shared responsibility, and customers are responsible for “Security in the Cloud”.
