
SANS Institute Warns of Novel Cloud-Native Ransomware Attacks

The Hacker News by The Hacker News
March 17, 2025


Mar 17, 2025The Hacker NewsCloud Security / Threat Intelligence

The latest Palo Alto Networks Unit 42 Cloud Threat Report found that 66% of cloud storage buckets contain sensitive data. This data is vulnerable to ransomware attacks. The SANS Institute recently reported that these attacks can be performed by abusing the cloud provider’s storage security controls and default settings.

“In just the past few months, I have witnessed two different methods for executing a ransomware attack using nothing but legitimate cloud security features,” warns Brandon Evans, security consultant and SANS Certified Instructor. Halcyon disclosed an attack campaign that leveraged one of Amazon S3’s native encryption mechanisms, SSE-C, to encrypt each of the target buckets. A few months prior, security consultant Chris Farris demonstrated how attackers could perform a similar attack using a different AWS security feature, KMS keys with external key material, using simple scripts generated by ChatGPT. “Clearly, this topic is top-of-mind for both threat actors and researchers alike,” notes Brandon.

To address cloud ransomware, SANS recommends that organizations:

  1. Understand the power and limitations of cloud security controls: Using the cloud does not automatically make your data safe. “The first cloud services most people use are file backup solutions like OneDrive, Dropbox, iCloud, and others,” explains Brandon. “While these services usually have file recovery capabilities enabled by default, this is not the case for Amazon S3, Azure Storage, or Google Cloud Storage. It is critical for security professionals to understand how these services work and not assume that the cloud will save them.”
  2. Block unsupported cloud encryption methods: AWS S3 SSE-C, AWS KMS external key material, and similar encryption techniques can be abused because the attacker has full control over the keys. Organizations can use Identity and Access Management (IAM) policies to mandate the encryption method used by S3, such as SSE-KMS using key material hosted in AWS.
  3. Enable backups, object versioning, and object locking: These are some of the integrity and availability controls for cloud storage. None of them are enabled by default for any of the Big 3 cloud providers. If used properly, they can increase the chances that an organization can recover its data after a ransomware attack.
  4. Balance security and cost with data lifecycle policies: These security features cost money. “The cloud providers are not going to host your data versions or backups for free. At the same time, your organization is not going to give you a blank check for data security,” says Brandon. Each of the Big 3 cloud providers allows customers to define a lifecycle policy. These policies allow organizations to automatically delete objects, versions, and backups when they are no longer considered necessary. Be aware, however, that attackers can leverage lifecycle policies as well. They were used in the previously mentioned attack campaign to urge the target to pay the ransom quickly.
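
Recommendation 2 as an added example (not from the article or the SANS material): an S3 bucket policy that denies SSE-C uploads and requires SSE-KMS, plus a simplified local model of its two condition operators to show which `PutObject` requests it rejects. The bucket ARN and the request contexts are constructed placeholders, and the evaluator is an assumption-level model, not AWS's policy engine.

```python
import json

# Placeholder bucket ARN (assumption); substitute your own.
BUCKET_ARN = "arn:aws:s3:::example-bucket"

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny any upload that carries an SSE-C (customer-provided key) header.
            "Sid": "DenySSEC", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"Null": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        },
        {   # Deny uploads that do not explicitly request SSE-KMS.
            "Sid": "RequireSSEKMS", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"{BUCKET_ARN}/*",
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption": "aws:kms"}},
        },
    ],
}

def condition_matches(condition, ctx):
    """Simplified model of the two operators used above (not AWS's engine)."""
    for op, tests in condition.items():
        for key, expected in tests.items():
            if op == "Null":
                # "false" matches when the key IS present in the request.
                ok = (key not in ctx) == (expected == "true")
            elif op == "StringNotEquals":
                # Negated operators also match when the key is absent.
                ok = ctx.get(key) != expected
            else:
                raise ValueError(f"operator not modelled: {op}")
            if not ok:
                return False
    return True

def denied_by(ctx):
    """Return the Sids of the Deny statements a PutObject request would hit."""
    return [s["Sid"] for s in BUCKET_POLICY["Statement"]
            if condition_matches(s["Condition"], ctx)]

if __name__ == "__main__":
    print(json.dumps(BUCKET_POLICY, indent=2))
```

Because `StringNotEquals` also matches when the header is absent, the second statement rejects uploads that rely on bucket default encryption, so clients must send the SSE-KMS header explicitly.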
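
Recommendations 3 and 4 as an added example (not from the article or the SANS material): an audit over per-bucket configuration that flags missing versioning, missing Object Lock, and lifecycle rules that expire data sooner than a recovery window. The bucket names, values and the 30-day threshold are constructed assumptions; the dictionaries hold the inner objects of the S3 `GetBucketVersioning`, `GetObjectLockConfiguration` and `GetBucketLifecycleConfiguration` responses.

```python
# Constructed sample data: field names follow the S3 API responses,
# bucket names and values are invented for this example.
SAMPLE_BUCKETS = {
    "example-logs": {
        "versioning": {"Status": "Enabled"},
        "object_lock": {"ObjectLockEnabled": "Enabled",
                        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}},
        "lifecycle": [{"ID": "trim-old-versions", "Status": "Enabled",
                       "NoncurrentVersionExpiration": {"NoncurrentDays": 90}}],
    },
    "example-uploads": {
        "versioning": {},       # never enabled: the API returns no Status field
        "object_lock": None,    # no Object Lock configuration on the bucket
        "lifecycle": [{"ID": "unreviewed-rule", "Status": "Enabled",
                       "Expiration": {"Days": 7}}],
    },
}

MIN_RETENTION_DAYS = 30  # assumed recovery window; set this per your own policy

def audit_bucket(cfg, min_days=MIN_RETENTION_DAYS):
    """Return findings for one bucket's recovery-related configuration."""
    findings = []
    if cfg.get("versioning", {}).get("Status") != "Enabled":
        findings.append("versioning-disabled")
    lock = cfg.get("object_lock") or {}
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("object-lock-disabled")
    elif "DefaultRetention" not in lock.get("Rule", {}):
        findings.append("object-lock-no-default-retention")
    for rule in cfg.get("lifecycle") or []:
        if rule.get("Status") != "Enabled":
            continue  # disabled rules delete nothing
        # Flag rules that delete current or noncurrent versions too quickly.
        for field, unit in (("Expiration", "Days"),
                            ("NoncurrentVersionExpiration", "NoncurrentDays")):
            days = rule.get(field, {}).get(unit)
            if days is not None and days < min_days:
                findings.append(f"lifecycle-{field}-under-{min_days}d:{rule.get('ID')}")
    return findings

def audit_all(buckets):
    """Map each bucket name to its list of findings."""
    return {name: audit_bucket(cfg) for name, cfg in buckets.items()}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_BUCKETS).items():
        print(name, findings or "ok")
```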

To learn more, watch Brandon’s webcast, “The Cloud Won’t Save You from Ransomware: Here’s What Will”, by visiting https://www.sans.org/webcasts/cloud-wont-save-you-from-ransomware-heres-what-will/

Interested in additional tactics for mitigating attacks in the Big 3 cloud providers? Check out Brandon’s course, SEC510: Cloud Security Controls and Mitigations at SANS 2025 in Orlando or Live Online this April. This course is also available with Brandon later in the year in Baltimore, MD in June or Washington, DC in July.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.




