Threat Research

The Landscape of Cloud Ransomware in 2024

Securonix

Summary:

Cloud ransom attacks are increasingly targeting cloud services, exploiting misconfigurations and vulnerabilities in storage solutions like Amazon S3 and Azure Blob Storage. Attackers utilize various techniques, including the creation of new KMS keys and the use of scripts for data exfiltration and encryption. Organizations are encouraged to adopt robust security measures and Cloud Security Posture Management (CSPM) solutions to mitigate these threats.

Keypoints:

  • Cloud ransom attacks exploit the minimal attack surface of cloud services compared to traditional systems.
  • Attackers often target cloud-based storage services like Amazon S3 and Azure Blob Storage.
  • Misconfigurations in storage permissions can lead to unauthorized access and data encryption.
  • Cloud service providers have implemented security measures, such as AWS’s 7-day key deletion window, to mitigate risks.
  • Ransomware actors are increasingly using cloud services for data exfiltration.
  • Scripts like RansomES and Pandora are designed to facilitate ransomware attacks on cloud environments.
  • Organizations are advised to implement Cloud Security Posture Management (CSPM) solutions and enforce strong identity management practices.

    • MITRE Techniques

  • Data Encrypted for Impact (T1486): Attackers encrypt files in cloud storage to extort victims.
  • Exfiltration Over Command and Control Channel (T1041): Using cloud services to exfiltrate data before encryption.
  • Misconfigured Cloud Storage (T1530): Exploiting overly permissive access to cloud storage services.
  • Credential Dumping (T1003): Gaining access to cloud services through compromised credentials.
  • Remote File Copy (T1105): Transferring malicious scripts to cloud environments for execution.

    • IoC:

  • [file hash] 7bcffb6828915ae194e04739ebd12f57723a703b (RansomES)
  • [file hash] 2139d0e1e618b61b017d62cb8806929560ded9a7 (Pandora)
  • [file hash] 371ffe7849f9354e62919c203ed8f2e80b741622 (Pandora)
  • [file hash] 57566050459d210263f3184d72c48a6b298c187b (Pandora)
  • [file hash] 785beb4b83c906dba3d336c4cbd0f442b0cbaf90 (Pandora)
  • [file hash] bb37e7565afae3f90258ec2664f4da49f5eec213 (Pandora)
  • [url] hxxp://encrypt[.]indsc[.]me/api[.]php?type=encrypt (IndoSec)
  • [file hash] 9065e945947c939f55fbdf102a834f4ac5d87457 (IndoSec)

    • Full Research: https://www.sentinelone.com/blog/the-state-of-cloud-ransomware-in-2024/

    Tags: IMPACT, full, CLOUD, CREDENTIAL, EXPLOIT, EXFILTRATION