Cybercriminals are targeting the cloud as organizations move more data into the cloud.

According to Gartner, more than half of enterprise IT spending in key market segments will shift to the cloud by 2025. In 2022, more than $1.3 trillion in enterprise IT spending is at stake from the shift to cloud, growing to almost $1.8 trillion in 2025 according to the analyst firm.

Coupled with the ongoing ransomware spree, the sophistication of ransomware attacks targeting the cloud continues to evolve. IBM Security’s X-Force Threat Intelligence Index found that Asia saw more cyber-attacks than any other region in 2021, at around a quarter of the total attacks globally.

As organizations move more of their data into the cloud, criminals are turning their attention to so-called ‘ransomcloud’ attacks. It can cause massive disruption to business operations as hackers encrypt critical files from cloud-based platforms and lock users out. How can organizations in Asia protect themselves from this lethal cloud security threat?

CybersecAsia looked for some answers and insights from Jeffrey Kok, Vice President of Solution Engineer, Asia Pacific and Japan, CyberArk.

What is ‘ransomcloud’, and how do ransomcloud attacks work?

Kok: Ransomcloud is a type of ransomware attack that targets the data stored in the cloud by customers of cloud service providers; such as Microsoft Office 365, G-Suite, etc. Attackers typically start by stealing credentials on an endpoint device. Once that is achieved, attackers employ lateral movement and privilege escalation in search of valid credentials to access the cloud. After obtaining that, attackers use ransomware to encrypt and steal information that’s stored in the cloud

In some cases, threat actors have also encrypted data locally before the infected endpoint device is synced to the cloud so that the data housed there gets encrypted as well.

Since data extraction from the cloud is less likely to trigger any data loss prevention (DLP) controls in place, attackers may find double extortion easier to pull off.

How prevalent is ransomcloud in Asia Pacific?

Kok: With enterprise IT cloud spending expected to hit USD1.8 trillion globally in 2025, and the sophistication of ransomware attacks evolving, threat actors are turning their attention to the so-called ‘ransomcloud’ attacks. It has the potential to cause massive disruption to business operations as hackers encrypt critical data and lock users out.

Companies in the region are increasingly vulnerable as cloud adoption continues to grow unabated in Asia Pacific. According to a recent survey by IDC, 44% of companies in Asia Pacific expressed the willingness to pay ransom to retrieve compromised files.

Massive payouts from these ransomware attacks lure and encourage threat actors to target organizations in the region, underscoring the urgent need to counteract known and unknown identity-based vulnerabilities by blocking credential theft at the endpoint.

Jeffrey Kok, Vice President of Solution Engineer, Asia Pacific and Japan, CyberArk

How are cyber gangs increasingly developing and deploying tools/malware strains to target the cloud?

Kok: Ransomware groups are increasingly targeting the cloud, because they know that they can leverage cloud users’ lack of knowledge and misconfigurations in cloud infrastructure and application.

Furthermore, attackers are also seeking to exploit live migration, which is provided by most cloud computing services and enables virtual machines or applications to move between different physical devices without disconnection from the application or the client. Although practical, attackers can take advantage by effectively invading an automated live migration and compromising its cloud management system.

There is also the troubling trend of attackers migrating en masse towards malware-as-a-service. As a result, threat actors now no longer really need to be able to write malicious code, but can still attack enterprises simply through having the means to procure these tools.

Who is responsible for protecting data in the cloud from ransomware?

Kok: Efforts to protect against ransomcloud attacks are complicated by the fact that responsibility for the data stored in cloud service is often shared between the cloud provider and the customer. While a cloud provider is responsible for ensuring that data can only be accessed via legitimate credentials, they may not take responsibility for what happens if those credentials are stolen from a customer.

Therefore, organizations must ensure two things. First, they must be fully aware of the security features and limitations in the offerings from their cloud providers. They also cannot rely solely on a cloud vendor’s built-in security, as this potentially exposes organizations to unnecessary risk.

This can be achieved by taking an enterprise-wide, privilege-centric approach to access management, such as storing credentials in a secure digital vault, as well as rotating and controlling application credentials according to policy.

Steps like these help organizations execute their responsibilities, ensuring compliance and cloud application security.

How can businesses in the region address the ransomcloud threat? What measures should they take?

Kok: It is imperative that organizations anticipate ransomware attacks by planning and implementing effective security strategies. As elevated privileges on administrator accounts present the most attractive target for ransomware attackers, deploying Endpoint Detection and Response (EDR) solutions will prevent organizations from suffering the worst of ransomware attacks.

Foundational best practices such as implementing multi-factor authentication (MFA), managing profiles using the principle of least privilege and removing local administrative rights from endpoints also add an extra layer of protection.

Cybersecurity awareness among employees is also vital to improving an organization’s cybersecurity posture. Research has found that Asia leads other regions in the use of unauthorized cloud services and downloading content from unauthorized file-sharing networks. It is crucial for organizations to train staff and communicate the risks involved with using unauthorized cloud and file-sharing services.

There is also an urgent need to assess different aspects of organizations’ security culture and whether certain attitudes are normalizing unsafe practices. This includes the use of strong passwords and enabling MFA, as well as teaching employees to spot signs of phishing to help boost organizations’ cybersecurity stance.

Finally, while they are important to business continuity, data backups can actually make it easier for attackers to find and steal sensitive data. Since it often exists in two separate places, attackers can demand a ransom for the encrypted data and use the threat of leaking the stolen data to compel the victim to pay the ransom. While ransomware used to just be about attacking the availability of data, it has now evolved to attacking data confidentiality.

First emerging in late-2019, double extortion remains popular today and some attackers have even added a third extortion layer, by demanding payment from the victim organization’s customers or partners. This is why it is essential for organizations to layer protection and detection mechanisms, enabling an identity-centric, defense-in-depth approach that can mitigate such attacks without interrupting business operations.