Enterprises, small companies and everyone in between is adopting cloud-based tools and environments for their business and personal needs. RightScale's 2016 State of the Cloud report found that 82 percent of enterprises were using a multi-cloud strategy, meaning they are using the infrastructure services of more than one cloud provider. In addition, according to projections made last year by Intuit, 78 percent of small businesses will be fully in the cloud by 2020. By saving data in virtual environments, companies are becoming more flexible and saving money on their IT infrastructure, allowing them to do better business and enhance revenues in the long run.
The cloud is an amazing technology that is helping organizations improve productivity, collaborate better, scale their IT strategies and increase cost-effectiveness within their infrastructure. But there might be something sinister afoot where it comes to cloud computing: Ransomware.
The problem with Cerber
Ransomware is the bane of companies across the board; by locking up data and applications and encrypting them so that they can't be accessed, hackers blackmail organizations into giving them money, usually in bitcoin. Ransomware can infiltrate company networks by various means, but one of the more popular ways is by convincing an unwitting employee to open an infected email attachment.
Even programs with reasonable security controls are being exploited by hackers. Using social engineering techniques, malicious actors are finding ways to infiltrate company networks and render data and applications useless. For example, Trend Micro researchers recently found that a specific strain of malware has been causing havoc for users of tools in Microsoft 365. The latest variant is called RANSOM_CERBER.CAD, and it's being used to target home and business users of Microsoft's cloud-based productivity platform.
"This variant of Cerber is able to encrypt 442 file types using a combination of AES-265 and RSA, modify the machine's Internet Explorer Zone Settings, delete shadow copies, disable Windows Startup Repair and terminate processes from Outlook, The Bat!, Thunderbird and Microsoft Word," Trend Micro researchers wrote. "After querying the affected system's country, the ransomware terminates itself if found running in countries under the Commonwealth of Independent States."
The first instance of Cerber ransomware emails was spotted by Trend Micro researchers in May 2016 and even before that, but lately the strain of malware has been even more active. Back in March, Trend Micro threat response engineer Rhena Inocencio wrote that RANSOM_CERBER.A was able to play an audio message using a computer-generated voice –a creepy announcement that a user's files have been encrypted and that a ransom must be paid in order for access to be relinquished to the rightful owner.
Another frightening thing about Cerber is that it may have been created with the purpose of being sold to other hackers as something of a white-label malware strain, which people with malicious intent could acquire and then send out with a customizable message attached.
"Peeking closer at this config file we discover that this particular ransomware is quite easily customizable –allowing the owner to change the ransom note, the targeted extensions as well as blacklist countries," Inocencio wrote. "This suggests that CERBER itself was designed to be sold to other enterprising cybercriminals, to be tailor-fit for their needs."
Cerber isn't the only ransomware on the prowl looking to use cloud environments for nefarious purposes. In addition, according to SC Magazine contributor Doug Olenick, another new strain of malware called cuteRansomware is using Google Docs as a jumping-off point for infiltrating networks. By utilizing Google Docs, malicious actors can both deliver malware and exfiltrate data via command-and-control – and these functions may go undetected due to traditional security tools' lack of visibility into SSL.
Social engineering and phishing: Ransomware's best friends
Other companies have been lucky in their dealings with cloud-based malware, but barely. According to KrebsonSecurity, for instance, a company called Children in Film recently discovered the importance of having backups of all data. The company's entire operations runs off of cloud environments, so when an unwitting employee opened an unknown email attachment, the whole organization was restricted access to its data and applications.
"Someone in my office was logged into Outlook and opened up invoice attachment and BAM!, within 30 minutes, every single file on our Q drive had 'vvv' added as file extensions," said Toni Casala, a representative for Children in Film.
Thankfully, the cloud provider had been performing daily backups of the firm's files, but it still took the company almost a week to restore all of them. Another point of note was that Children in Film had just ceased operations for the calendar year, so the disruption wasn't as massive as it could have been – not to mention there was a weakness in the malware that allowed security firms to retrieve the data without Children in Film ever paying the actual ransom.
Casala's experience isn't universal. Children in Film got lucky – the company had several fortunate things happen that wouldn't normally take place in a situation like this. In most circumstances, the ransom would have to be paid, and in the worst situations, critical downtime would take place during peak business season. It's for this reason that companies have to consider their options as far as cloud security solutions are concerned.
Cloud security solutions are necessary
Companies have traditionally been hesitant to invest in cloud-based tools due to the common idea that the cloud is less secure than on-premises infrastructure. However, this is nothing more than a misconception – cloud environments provided by a dedicated cloud partner are just as secure, it not more so, than your on-premises solutions. In fact, MarketsandMarkets found that by 2019, the cloud security market will be worth a whopping $8.71 billion – meaning companies are investing ever more in tools to make their environments more protected. Not to mention that since cloud providers are responsible solely for their main product (the cloud), they can focus more of their budgetary resources on creating as safe an environment as possible for their customers.
This doesn't mean that organizations shouldn't be careful when moving their data and applications to the cloud. As demonstrated by the Cerber attacks and the situation experienced by Children in Film, backing up data and ensuring cloud infrastructure is as secure as possible is critical in order to prevent any sort of intrusion. Keeping data safe is paramount, because targeted attacks can come in many forms.
Ransomware infections have spread beyond traditional platforms and it's important to ensure protection, especially within your cloud environments.