Cloud ransomware threats rise, targeting S3 & Azure
A new report by SentinelLabs outlines the top threats and trends impacting cloud security, with a focus on ransomware threats.
The State of Cloud Ransomware in 2024 report provides insights into how ransomware attacks are increasingly targeting cloud-based storage services such as Amazon's Simple Storage Service (S3) and Azure Blob Storage. The report highlights the typical mechanics of such attacks, which involve finding an accessible storage service, copying the file contents to a destination controlled by the attacker, and then encrypting or deleting the files from the victim's instance.
Despite rigorous security measures implemented by Cloud Service Providers (CSPs), researchers are still discovering ways to bypass these controls. AWS' Key Management Service (KMS), for example, provides users with a 7-day window between a key delete request and its permanent deletion, which allows time to detect and mitigate a cryptographic ransom attack. However, attackers continue to exploit any vulnerabilities they find.
Ransomware actors are also leveraging cloud services for data exfiltration. Recent reports include findings from modePUSH in September 2024, which indicated that BianLian and Rhysida ransomware groups have utilised Azure Storage Explorer to exfiltrate data from affected environments. Similarly, Trend Micro reported in October 2024 that a ransomware actor imitating the Lockbit group used Amazon's S3 storage for data exfiltration from Windows or macOS systems.
SentinelLabs has identified a Spanish-language Python script called RansomES, which enables actors to exfiltrate files to S3 or FTP before encrypting the local versions on Windows systems.
Web application attacks are another facet of cloud-based threats that the report addresses. Web applications, often hosted via cloud services due to their minimal configuration requirements compared to full operating systems, are vulnerable to extortion attacks. SentinelLabs describes several ransom scripts targeting PHP applications, including a Python script named Pandora. This script is reportedly multi-functional and targets various web services but is not associated with the Pandora ransomware group that targets Windows systems.
Another PHP ransom script identified by SentinelLabs is linked to the IndoSec group, an Indonesia-based threat actor. This script acts as a PHP backdoor, enabling attackers to manage and delete files and to perform ransom attacks.
The report stresses that cloud ransom attacks are an evolving threat, but organisations are now better equipped to counteract these attacks due to improvements in CSP security measures and a broad array of cloud security products that aim to mitigate risks.
SentinelLabs advises organisations to use Cloud Security Posture Management (CSPM) solutions to discover and assess cloud environments. CSPMs help detect issues such as misconfigurations and overly permissive storage buckets, which are primary enablers of the aforementioned cloud ransom attack techniques. In addition, organisations are encouraged to enforce sound identity management practices, such as requiring multi-factor authentication (MFA) on all administrative accounts and deploying runtime protection for all cloud workloads and resources.
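Two of the signals the report's advice points at can be checked in audit logs: a KMS key being scheduled for deletion (the pending window described earlier is the defender's reaction time) and a storage bucket's ACL being opened to everyone (the "accessible storage service" the attack chain begins with). The following is an added example, not code from SentinelLabs or the report; the CloudTrail-style records are constructed, and the field layout they use is an assumption about CloudTrail's JSON shape.

```python
"""Flag two cloud-ransomware precursors in CloudTrail-style records:
a KMS key scheduled for deletion and an S3 bucket ACL granted to AllUsers.
Added example; the sample records below are constructed, not real log data."""
from datetime import datetime, timedelta

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed records (assumed CloudTrail layout): one benign call, two precursors.
SAMPLE_EVENTS = [
    {"eventTime": "2024-11-15T09:58:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "DescribeKey", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {"keyId": "alias/backups"}},
    {"eventTime": "2024-11-15T10:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ScheduleKeyDeletion", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab", "pendingWindowInDays": 7}},
    {"eventTime": "2024-11-15T10:03:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketAcl", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {"bucketName": "corp-backups", "AccessControlPolicy": {"AccessControlList": {
         "Grant": [{"Grantee": {"URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}]}}}},
]

def _principal(ev):
    ident = ev.get("userIdentity") or {}
    return ident.get("arn") or ident.get("userName") or "unknown"

def analyze_events(events):
    """Return one finding per suspicious record, in input order."""
    findings = []
    for ev in events:
        name, params = ev.get("eventName"), ev.get("requestParameters") or {}
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if ev.get("eventSource") == "kms.amazonaws.com" and name == "ScheduleKeyDeletion":
            days = int(params.get("pendingWindowInDays", 30))  # KMS default when omitted is 30 days
            findings.append({"rule": "kms-key-scheduled-for-deletion", "principal": _principal(ev),
                             "resource": params.get("keyId"),
                             "deadline": (when + timedelta(days=days)).strftime("%Y-%m-%d")})
        elif ev.get("eventSource") == "s3.amazonaws.com" and name == "PutBucketAcl":
            grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant") or []
            if isinstance(grants, dict):  # a single grant may be serialised as an object
                grants = [grants]
            if any((g.get("Grantee") or {}).get("URI") in PUBLIC_GRANTEES for g in grants):
                findings.append({"rule": "s3-bucket-acl-public", "principal": _principal(ev),
                                 "resource": params.get("bucketName"), "deadline": None})
    return findings

if __name__ == "__main__":
    for finding in analyze_events(SAMPLE_EVENTS):
        print(finding)
```

The deadline field is the last day on which `CancelKeyDeletion` can still rescue the key, so it is the value an alert should carry.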