
Contending with ransomware and extortionware has, unfortunately, become commonplace for enterprises. But the results can be anything but common. We at Mitiga have watched as attackers continue to up the ante, creating what can be devastating impacts on organizations and the people they serve.

The Change Healthcare ransomware attack, for example, has affected millions of Americans, impeding their ability to get a prescription filled or paid for. That’s just one example of an attack with outcomes that produce mission-critical damages.

Why is it happening now?
Over a period of several years, the prevalence of unsecured and misconfigured cloud resources has led to numerous data security incidents that have caused all kinds of harm.

As organizations increasingly adopt cloud services, the threat of ransomware and extortionware in the cloud has become an increasing concern for CISOs and security teams.

One strategy that we have observed in recent investigations is deleting cloud resources instead of encrypting them. This "Living off the Cloud" type of attack requires less development overhead because it uses the cloud provider's own API requests instead of malware. In the most basic form of cloud ransomware attack, all the adversary needs to do is get access to the cloud data, copy it all to a different location, delete the original copy, and then hold the data for ransom.

The Risks of Cloud Ransomware

Cloud ransomware attacks are opportunistic, targeting public resources and compromised credentials. A recent IBM X-Force report found that cloud account credentials alone make up 90% of cloud assets for sale on the dark web, making it easy for threat actors to take over legitimate user identities to establish access into victim environments.

Assumptions about an organization's state of cloud security are another real risk when it comes to ransomware. These assumptions can come from confusion regarding both the logging available and the forensic value of those logs. It is important not only to verify that you have the correct logs enabled and configured, but also to understand how those logs can assist in the event of ransomware.

These assumptions can also plague an organization when it believes that, because a log is enabled and has forensic value, adequate alerting must be in place. Each of these steps should be carefully reviewed to determine if you are ransomware ready.

Guidance for CISOs and Teams

To contend with ransomware and extortion in cloud and SaaS environments, CISOs and teams should focus on the following areas:

Understand the Threat Landscape

Identify your organization’s attack surface and perform vulnerability assessments against it. A few examples of this could include:

- Identify where your critical assets and services are.

- Run continuous assessments to identify vulnerabilities in your environment.

- Conduct penetration tests to gain comprehensive visibility into your attack surface.

Detect Early Stages of the Attack Chain

It all starts with establishing baselines for normal user and system activity. With that in place, it's time to implement monitoring and logging solutions to detect potentially anomalous behavior. Be sure to set up alerts and notifications for suspicious activity, such as unusual login attempts or data access patterns. This could include:

- Identify baseline usage and metrics across critical and sensitive services.

- Create detections for deviations from the baseline.

- Leverage the logging available and create custom detections based on your environment. Default detections are not enough.

- Set escalation thresholds and response playbooks based on the type of alert received.
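As an added example (not code from the original post), here is the baseline-deviation detection described above applied to the copy-delete-ransom pattern from the "Living off the Cloud" paragraph: a rule over CloudTrail-shaped S3 events that flags per-principal spikes in copy and delete calls and escalates when both spike on the same bucket. The principal ARNs, baseline counts, bucket name and every event are constructed sample data, not real logs.

```python
from collections import defaultdict
from datetime import datetime
# Constructed baseline of expected hourly calls per principal (learned from history in practice).
BASELINE = {
    "arn:aws:iam::111122223333:user/app-svc": {"CopyObject": 5, "DeleteObject": 1},
    "arn:aws:iam::111122223333:user/backup-svc": {"CopyObject": 400, "DeleteObject": 50},
}
DESTRUCTIVE = {"DeleteObject", "DeleteObjects", "DeleteBucket"}
STAGING = {"CopyObject"}  # the bulk copy to another location that precedes the delete

def detect(events, baseline=BASELINE, factor=5):
    """Flag per-principal, per-hour copy/delete volume above factor x baseline (medium)
    and escalate to high when both copy and delete spike on the same bucket."""
    counts = defaultdict(lambda: defaultdict(int))   # (arn, hour) -> eventName -> n
    buckets = defaultdict(lambda: defaultdict(set))  # (arn, hour) -> eventName -> buckets
    for ev in events:
        name = ev["eventName"]
        if name not in DESTRUCTIVE | STAGING:
            continue  # reads and other calls are outside this rule
        hour = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(minute=0, second=0)
        key = (ev["userIdentity"]["arn"], hour)
        counts[key][name] += 1
        buckets[key][name].add(ev["requestParameters"].get("bucketName", "?"))
    alerts = []
    for (arn, hour), names in counts.items():
        expected = baseline.get(arn, {})  # unknown principal: any destructive call spikes
        spiking = {n for n, c in names.items() if c > factor * expected.get(n, 0)}
        for n in sorted(spiking):
            alerts.append({"severity": "medium", "principal": arn, "hour": hour, "event": n,
                           "count": names[n], "expected": expected.get(n, 0)})
        copied = set().union(*(buckets[(arn, hour)][s] for s in STAGING & spiking))
        deleted = set().union(*(buckets[(arn, hour)][d] for d in DESTRUCTIVE & spiking))
        if copied & deleted:
            alerts.append({"severity": "high", "principal": arn, "hour": hour,
                           "event": "copy-then-delete", "buckets": sorted(copied & deleted)})
    return alerts

def sample_events():
    """Constructed CloudTrail-shaped records: app-svc copies then deletes 40 objects in
    prod-data within one hour, while backup-svc does its usual light housekeeping."""
    def ev(arn, name, minute, second, bucket):
        return {"eventTime": f"2024-04-22T10:{minute:02d}:{second:02d}Z", "eventName": name,
                "userIdentity": {"arn": arn}, "requestParameters": {"bucketName": bucket}}
    app = "arn:aws:iam::111122223333:user/app-svc"
    bkp = "arn:aws:iam::111122223333:user/backup-svc"
    evs = [ev(app, "CopyObject", i, 0, "prod-data") for i in range(40)]
    evs += [ev(app, "DeleteObject", i, 30, "prod-data") for i in range(40)]
    evs += [ev(bkp, "CopyObject", i, 0, "prod-data") for i in range(3)]
    evs += [ev(bkp, "DeleteObject", 5, 0, "prod-data"), ev(app, "GetObject", 7, 0, "prod-data")]
    return evs
```

Running `detect(sample_events())` yields two medium alerts and one high alert for app-svc and nothing for backup-svc, whose small volume stays within its baseline.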

Conduct Tabletop Exercises Regularly

There really is no substitute for being prepared. One thing we've seen that really helps the incident response process is simulating ransomware incidents to test your organization's incident response plans. Use those simulations to identify gaps and areas for improvement in your incident response processes.

Ransomware incidents rarely involve just the technical team. These can become coordination and management challenges as well. It is important to exercise with other business units along with both internal and external stakeholders as they are likely to be asked questions and have significant roles in these situations. For executives, these exercises take an hour or two out of the day that is hard for busy leaders to find, but if you are able to outline the potential risks to the business clearly, through examples and data, it’s usually a meeting they’ll accept, and appreciate once it’s done. Your board will thank you too.

Combating cloud ransomware and extortionware requires a proactive and slightly different approach from CISOs and security teams compared to on-premises ransomware. Cloud ransomware can happen quickly, and if there is no detection in place, the attacker will have the upper hand. This upper hand gets worse if you do not have the proper logs configured. During on-premises ransomware analysis, host forensics provides a fallback. However, in the cloud, without properly configured logs, you have little to analyze. Responding to ransomware can be difficult, and it becomes more difficult when you cannot answer how or what happened. The steps outlined here may seem like a lot, but the extra preparation is paid back many times over in increased organizational resilience.


LAST UPDATED: April 22, 2024
