The truth becomes evident, to restore operations, the ransom must be paid. Imagine that over the last 3 hours, the IT and Security teams at your organization discovered that all network storage has become locked after a piece of malware, known as ransomware, found its way onto the network. The ransomware spread across the network, encrypting files, and removing access to devices as it went. Now everything that was on the network, including the data backups, is encrypted. There is no way to obtain the data and configurations needed to restore functionality from the encrypted backups. To get the organization back online, the ransom must be paid.
The growing threat of ransomware
Over recent years this has become an all too common scenario as there has been a spike in ransomware attacks, with attacks increasing more than 130% in 2022, and according to the 2023 Global Digital Trust Insights Survey, 45% of executives expect a continued rise in attacks.
As ransomware attacks increase, there is a need to find a way to prevent or mitigate the attacks. Businesses facing the threat of ransomware need to find ways to ensure that networks and applications are architected securely, critical data is backed up in appropriate intervals, and they will be able to recover from an attack with the least possible damage to applications, reputation, user data, and budgets.
Identifying vulnerabilities
During the post-incident analysis, the teams found multiple factors that made it easy for the ransomware to spread and difficult to effectively protect against the attack. The expensive data backups were created and stored on the network resulting in the backups themselves getting infected by the ransomware. The Intrusion Detection System was able to produce an alert, yet due to the cost, it only monitors the edge of the network for indicators of compromise and breached machines, allowing the ransomware to spread undetected within the network.
The initial source of the ransomware was traced to a sophisticated phishing campaign that created the opportunity for attackers to gain a foothold in the network. The ransomware then spread across all company devices on the company network. Network segmentation had been unmaintainable due to the cost and complexity of maintenance.
Cloud solutions as a defense
With seemingly everything stacked in favor of attackers, how can teams begin to reduce the impact of ransomware? The prevalence of public cloud offerings can be part of a solution. Leveraging a cloud solution can reduce the barrier of entry to implementing many of the controls that will reduce the impact and risk of ransomware. When implemented correctly, these controls act as a solid line of defense against ransomware.
The benefits of cloud providers
Running applications in the cloud often has the additional benefit of the cloud provider being responsible for the Infrastructure of the Cloud (See AWS’s Shared Responsibility Model). Cloud providers are large corporations that have the budget and experience necessary to secure the infrastructure, likely better than companies can secure an on-premises data center or network. What companies are unable to afford on their own cloud providers can use the pooled resources to provide at a reduced cost to the customer. This applies not only to infrastructure security but useful features like logging and auditing of activities within an account or organization as well. The cost of entry, lack of knowledge, and lack of experience that were only just recently limiting factors can now be shared with a cloud provider allowing all organizations to implement necessary defenses.
Leveraging cloud for backup and recovery
The benefits of public cloud offerings can be realized quickly and with minimal impact on your existing processes. Off-site and access-controlled backups provide a recovery point to restore from after a company suffers from a ransomware attack. The cloud provides the ability to get this off-site backup in a cost-effective manner. Replicating all data to object storage in the cloud can be set up and can restrict what can be written. Additionally, cloud storage can version any changes preventing encrypted copies from destroying the backups.
Get your Ransomware Protection Checklist
The full migration advantage
A full migration to the cloud provides the most benefits provided by the controls available. Public cloud solutions offer a large variety of services, which are useful in protecting from Ransomware and other malware. To mitigate the downsides of maintaining data backup in an on-premises environment (cost, may be vulnerable to the same attack), cloud providers offer backup services that are fully managed and scalable based on the needs of the organization.
These services are centrally managed and allow for admins to easily define what should be backed up and how often. The backups are then protected through redundancy and fine-grained access control models. Platform logs that record all modifications and events in the account easily monitor these backups and other activities in the cloud account. Other services can be configured to monitor the generated logs and automatically take remediating actions when pre-defined activities are detected.
Cloud services are designed with scalability and automation in mind, with auto-scaling groups and threat detection and remediation services that can take action to quarantine compromised services.
Simplified network segmentation and access control
In an on-premises environment, proper network segmentation requires hardware components and people to maintain the rules that enforce the segmentation, including any necessary cross-communication for applications to function correctly. These hurdles limit the ability to properly segment networks and applications. Cloud providers reduce these barriers by supplying Isolated Virtual Networking Environments. These environments provide the ability to deploy one or more services in a segmented network with control over the subnets, route tables, and network gateways. This means applications can be isolated from each other and even from the internet, if needed, at ease.
Cloud providers also facilitate Identity and Access Management services. Every service or action that can be performed in a cloud account can be allowed or denied for a role. These roles are then assigned both to services and users. Proper use of these roles prevents any user or application from performing actions that are not needed to function as designed.
Cloud-based applications and advanced security
The advantages of cloud-based applications are not limited to easier implementation of controls against ransomware. Cloud providers are continually making it easier to understand your cloud environment, detect and prevent incidents, and investigate advanced attacks. Public cloud offerings provide automated security assessment services to assess applications for vulnerabilities or deviation from best practices. Protection from denial-of-service attacks is simplified by taking advantage of public cloud services.
Cloud applications may be easier to protect, but moving to the cloud is not a catch-all solution or silver bullet to the issues presented by ransomware and malware. Whether you are on-prem or one of the 57% who started their cloud journey, it is still important that applications are written securely, proper data handling policies are followed, and everything is properly configured.
With all the controls of the cloud, your disaster recovery plan looks drastically different and begins with the IT team getting an alert that files are starting to be encrypted by a user. The team quickly disables the user’s ability to write data and isolates the infected machines for analysis. Any encrypted data is restored from backups that were isolated, and everything is back up and running before the first customer even notices.
