Ransomware attacks are growing at an alarming pace: recent research found an 84% increase over 2022, close to a doubling in a single year. As these attacks become more frequent and sophisticated, no organization seems immune, and cloud services are squarely in scope, as the recent attack on CloudNordic showed. The trend suggests the coming years will bring even more intense pressure.
This blog will explore the recent attack against CloudNordic, investigate what went wrong, and provide actionable defense tactics to defend your cloud from ransomware.
Overview Of the Attack
In August 2023, CloudNordic, a provider of cloud hosting services, was devastated by a ransomware attack. The damage was extensive: email, website hosting, and other core IT services went down, and most customers suffered catastrophic data loss.
What sets this attack apart is that it targeted the cloud provider rather than the individual customers it hosted. Under the shared responsibility model, customers assume the provider will hold up its side of the bargain and keep the underlying infrastructure secure. Here the ransomware took out that back end, and customers who had no copy of their data outside the provider were left with nothing to recover from.
Attack Details and Timeline
The ransomware attack on CloudNordic was not a sudden, isolated event but the culmination of a long-developing problem. On August 18, during a critical phase of a server migration, the company's weaknesses were exposed. Malware already present on the servers being moved was activated, leading to widespread encryption of both the primary systems and the backup data. Since the backups were encrypted along with production, they were evidently reachable from the same compromised environment, so recovery was crippled at the same time as the infrastructure itself.
In response, CloudNordic took a firm stance against the attackers' demands and refused to pay the ransom. This decision is one of the hardest any organization faces. Principled as it is, denying the attackers their payday left the company with the daunting task of rebuilding its entire system from the ground up, made harder still because there were not enough intact backups to restore every customer; most had to start from scratch.
What Could Have Stopped it
Most ransomware attacks, including this one, are preventable with reasonable security measures. Following defense-in-depth principles, organizations can build a layered defense against ransomware. It starts with monitoring for misuse in user activity and for hidden threats in storage. From there it extends to a data-centric defense: encryption, access controls, and backups that let the business recover even if ransomware strikes. Together these controls overlap, so if any single one is breached, the others cover for it.
Ransomware and similar attacks usually produce activity that deviates from how legitimate users behave. Detecting these anomalies early, such as unusual volumes of operations, access from unexpected locations, and abnormal endpoint behavior, is critical to catching an attack before encryption starts. Machine learning can establish a baseline of normal behavior per user or service account so that deviations stand out quickly. With automation, a detection can temporarily restrict the account's access until a human reviews it, cutting the attacker off early in the attack cycle. The restriction must be reversible and reviewed promptly, because a false positive that locks out a legitimate operator is an outage of its own making.
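The detection logic described above, as an added example that is not Sotero's product code and not taken from the original post. It learns a per-principal baseline (source countries, operations used, active hours, peak operations per hour) from a learning period and then scores a detection window on four independent signals; the log layout and every log line are constructed for illustration, and the three-times-peak rate rule and the two-signal hold threshold are assumptions a real deployment would tune.

```python
"""Behavioral baseline and anomaly scoring over cloud access logs.

Added example, not Sotero's product code. The log layout
(timestamp principal source-country operation object) is an assumption,
and all log lines are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Baseline:
    countries: set = field(default_factory=set)
    operations: set = field(default_factory=set)
    hours: set = field(default_factory=set)      # UTC hours with any activity
    max_ops_per_hour: int = 0


# Constructed learning period: ordinary working-hours activity.
BASELINE_LOG = """\
2023-08-14T09:05:00Z alice DK GET customer-db/orders.csv
2023-08-14T09:40:00Z alice DK PUT customer-db/orders.csv
2023-08-14T14:10:00Z alice DK GET customer-db/invoices.csv
2023-08-15T10:15:00Z alice DK GET customer-db/orders.csv
2023-08-15T15:30:00Z alice DK PUT customer-db/invoices.csv
2023-08-16T11:00:00Z alice DK GET customer-db/orders.csv
2023-08-14T10:00:00Z bob DK GET web-assets/index.html
2023-08-15T10:05:00Z bob DK GET web-assets/index.html
"""

# Constructed detection window: the night of the incident.
WINDOW_LOG = """\
2023-08-18T02:01:00Z alice RU DELETE customer-db/orders.csv
2023-08-18T02:02:00Z alice RU DELETE customer-db/invoices.csv
2023-08-18T02:03:00Z alice RU DELETE customer-db/customers.csv
2023-08-18T02:04:00Z alice RU DELETE customer-db/payments.csv
2023-08-18T02:05:00Z alice RU DELETE customer-db/ledger.csv
2023-08-18T02:06:00Z alice RU DELETE customer-db/archive.csv
2023-08-18T02:07:00Z alice RU DELETE customer-db/audit.csv
2023-08-18T02:30:00Z carol RU DELETE backups/2023-08-17.tar
2023-08-18T10:00:00Z bob DK GET web-assets/index.html
"""


def parse(line):
    ts, principal, country, op, obj = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), principal, country, op, obj


def build_baselines(lines):
    """Learn what 'normal' looks like for every principal seen in the learning period."""
    baselines = defaultdict(Baseline)
    per_hour = defaultdict(lambda: defaultdict(int))   # principal -> (date, hour) -> ops
    for line in lines:
        ts, principal, country, op, _ = parse(line)
        b = baselines[principal]
        b.countries.add(country)
        b.operations.add(op)
        b.hours.add(ts.hour)
        per_hour[principal][(ts.date(), ts.hour)] += 1
    for principal, buckets in per_hour.items():
        baselines[principal].max_ops_per_hour = max(buckets.values())
    return baselines


def score_window(lines, baselines, rate_factor=3):
    """Return {principal: [reasons]} for every principal whose activity deviates."""
    reasons = defaultdict(set)
    ops_per_hour = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, principal, country, op, _ = parse(line)
        b = baselines.get(principal)
        if b is None:
            reasons[principal].add("no baseline for principal")
            continue
        if country not in b.countries:
            reasons[principal].add(f"new source country {country}")
        if op not in b.operations:
            reasons[principal].add(f"never-before-seen operation {op}")
        if ts.hour not in b.hours:
            reasons[principal].add(f"activity at unusual hour {ts.hour:02d}Z")
        ops_per_hour[principal][(ts.date(), ts.hour)] += 1
    for principal, buckets in ops_per_hour.items():
        peak = max(buckets.values())
        limit = rate_factor * baselines[principal].max_ops_per_hour
        if peak > limit:
            reasons[principal].add(f"{peak} ops in one hour exceeds {limit} ({rate_factor}x baseline peak)")
    return {p: sorted(r) for p, r in reasons.items()}


def decide(findings, threshold=2):
    """Principals with at least `threshold` independent signals get a temporary, reviewable hold."""
    return {p for p, r in findings.items() if len(r) >= threshold}


if __name__ == "__main__":
    found = score_window(WINDOW_LOG.splitlines(), build_baselines(BASELINE_LOG.splitlines()))
    for principal, why in found.items():
        print(principal, "->", "; ".join(why))
    print("hold:", decide(found))
```

Requiring two independent signals before an automatic hold is what keeps the false-positive rate tolerable: a single new login location is an alert for a human, while a new location plus a never-used DELETE at 02:00 at several times the normal rate is the pattern worth cutting off first and reviewing after.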
Analyzing Cloud Stores
To build on this strategy, organizations also need to scan storage for malware that has been ingested, since malware often sits dormant in cloud data stores, blending in with ordinary data until the moment it is activated. Attackers deliberately pick evenings, weekends, or holidays to launch, counting on reduced vigilance and slower detection. Regular, thorough analysis of cloud storage is therefore essential for uncovering these hidden threats and removing malware before it becomes active.
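One way to carry out that storage analysis, as an added example that is not Sotero's scanner and not code from the original post. It walks an object store and flags three things a dormant payload tends to reveal: a hash on a block list, executable content (checked by magic bytes, with a higher severity when it hides under a data extension such as .jpg), and near-uniform byte entropy under a text extension, which is what packed or encrypted blobs look like. The in-memory store, every object's bytes, and the "known-bad" hash set (derived from one constructed blob, not a real indicator) are all constructed; the thresholds and severity levels are assumptions.

```python
"""Scan a cloud object store for dormant executables and masquerading files.

Added example, not Sotero's scanner. The object store is simulated with an
in-memory dict, every object's bytes are constructed, and KNOWN_BAD_SHA256 is
a placeholder derived from one constructed blob, not a real indicator.
"""
import hashlib
import math
from collections import Counter
from pathlib import PurePosixPath

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}
EXECUTABLE_MAGIC = {b"MZ": "Windows PE", b"\x7fELF": "ELF", b"#!": "shebang script"}
DATA_EXTENSIONS = {".jpg", ".png", ".pdf", ".csv", ".txt", ".json", ".log"}
TEXT_EXTENSIONS = {".csv", ".txt", ".json", ".log"}
ENTROPY_LIMIT = 7.5   # bits/byte; plain text sits around 4-5, packed or encrypted data near 8

_STAGE2 = b"\x7fELF\x02\x01\x01" + b"constructed-stage2-payload" * 8
KNOWN_BAD_SHA256 = {hashlib.sha256(_STAGE2).hexdigest()}   # constructed placeholder block list

STORE = {
    "invoices/2023-07.csv": b"id,amount\n1,42.00\n2,17.50\n",
    "images/logo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 64,      # genuine JPEG header
    "images/banner.jpg": b"MZ\x90\x00" + b"\x00" * 64,         # PE header under a .jpg name
    "tools/agent.exe": b"MZ\x90\x00" + b"\x00" * 64,
    "notes/readme.txt": bytes(range(256)) * 16,                # uniform bytes: entropy 8.0
    "payloads/stage2.bin": _STAGE2,
}


def shannon_entropy(data):
    """Bits of entropy per byte, 0.0 for empty input and 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def executable_type(data):
    for magic, name in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def scan_object(name, data):
    """Return (severity, reason) hits for one object; empty list means clean."""
    hits = []
    ext = PurePosixPath(name).suffix.lower()
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        hits.append(("critical", "SHA-256 matches known-bad hash"))
    exe = executable_type(data)
    if exe and ext in DATA_EXTENSIONS:
        hits.append(("high", f"{exe} content masquerading as {ext}"))
    elif exe:
        hits.append(("medium", f"executable content ({exe})"))
    if ext in TEXT_EXTENSIONS and shannon_entropy(data) > ENTROPY_LIMIT:
        hits.append(("medium", f"high-entropy content under text extension {ext}"))
    return hits


def scan(store):
    """Scan every object; report the worst severity and all reasons per flagged object."""
    findings = {}
    for name, data in store.items():
        hits = scan_object(name, data)
        if hits:
            worst = max((s for s, _ in hits), key=SEVERITY_RANK.__getitem__)
            findings[name] = {"severity": worst, "reasons": [r for _, r in hits]}
    return findings


def quarantine(store, findings, minimum="high"):
    """Move objects at or above `minimum` under a quarantine/ prefix.

    The prefix is assumed to be denied to ordinary roles by the store's
    access policy; this function only performs the move."""
    moved = dict(store)
    for name, f in findings.items():
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[minimum]:
            moved["quarantine/" + name] = moved.pop(name)
    return moved


if __name__ == "__main__":
    for name, f in scan(STORE).items():
        print(f"{f['severity']:8} {name}: {'; '.join(f['reasons'])}")
```

Only the masquerading file and the block-list hit are quarantined automatically; a plain executable in a tools bucket and a high-entropy text file are reported for review, because both have legitimate explanations and automatic removal of a customer's data is itself a form of the outage this control exists to prevent.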
Defending the Data
The other way to limit the impact of ransomware is to focus security on the data itself. It starts with encryption, which keeps sensitive information unreadable to unauthorized parties. One caveat: encryption at rest protects against theft and extortion over exfiltrated data, but it does not by itself stop an attacker holding valid credentials from encrypting or deleting the data again, which is why access control matters just as much. Strong access controls such as Role-Based Access Control (RBAC) restrict data access to those who need it for their job, limiting the blast radius of any one compromised account. Configured properly, every account is limited, including platform administrators, who in traditional setups are routinely given standing access to all data and thereby become a single point of failure.
On top of all this come backup and recovery strategies for when the worst case happens. Robust, frequent backups that are kept offline or immutable and isolated from production credentials cannot be encrypted or deleted by ransomware and provide a way back in these scenarios. Restoration still takes time, but it assures stakeholders that an incident such as ransomware will not permanently shut down operations. A backup that the same compromised environment can reach is the kind that ended up encrypted at CloudNordic, and is not a recovery plan.
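The two controls above, least-privilege roles and backups that ransomware cannot destroy, in one added example that is not any vendor's API and not code from the original post. It models a versioned, write-once backup target: every write appends a locked version, no role (administrators included) is granted delete, retention expiry is the only removal path, and a restore operator can ask for the newest version written before the incident. The roles, the 30-day retention, and the incident timeline are assumptions, and the "encrypted" blob is constructed.

```python
"""Versioned, write-once backup target with deny-by-default roles.

Added example that models the behaviour wanted from an immutable (object
lock / WORM) backup store; it is not any vendor's API, and the roles,
retention period and incident timeline are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role -> allowed actions. No role is granted "delete": retention expiry,
# not an identity, is the only thing that removes a version, so a stolen
# credential (even an admin's) cannot destroy recovery points.
ROLE_ACTIONS = {
    "backup-writer": {"put"},
    "restore-operator": {"get", "list"},
    "platform-admin": {"list"},   # inventory only: no standing read of customer data
}


class Forbidden(Exception):
    """Raised for any action the role has not been explicitly granted."""


@dataclass
class Version:
    data: bytes
    written_at: datetime
    locked_until: datetime


@dataclass
class BackupStore:
    retention: timedelta
    objects: dict = field(default_factory=dict)   # key -> [Version, ...], oldest first

    def _authorize(self, role, action):
        if action not in ROLE_ACTIONS.get(role, set()):
            raise Forbidden(f"role {role!r} may not {action}")

    def put(self, role, key, data, now):
        """Writes never overwrite: each put appends a new locked version."""
        self._authorize(role, "put")
        self.objects.setdefault(key, []).append(Version(data, now, now + self.retention))

    def get(self, role, key, as_of=None):
        """Return the newest version written at or before `as_of` (default: latest)."""
        self._authorize(role, "get")
        versions = self.objects[key]
        if as_of is not None:
            versions = [v for v in versions if v.written_at <= as_of]
        if not versions:
            raise KeyError(f"no version of {key} at or before {as_of}")
        return versions[-1].data

    def list_keys(self, role):
        self._authorize(role, "list")
        return sorted(self.objects)

    def delete(self, role, key):
        self._authorize(role, "delete")   # raises for every role in ROLE_ACTIONS
        del self.objects[key]             # only reachable if a role is ever granted "delete"

    def expire(self, now):
        """Retention expiry is the only removal path; the newest version is always kept."""
        for key in list(self.objects):
            versions = self.objects[key]
            self.objects[key] = [v for v in versions[:-1] if v.locked_until > now] + versions[-1:]


def simulate_incident():
    """Ransomware holding the backup-writer's credential can append junk but
    cannot remove clean versions; the restore operator recovers the last
    version written before the incident."""
    day = timedelta(days=1)
    t0 = datetime(2023, 8, 15, 23, 0, tzinfo=timezone.utc)
    store = BackupStore(retention=timedelta(days=30))
    key = "customer-db.sql"
    store.put("backup-writer", key, b"-- day 0 dump\n", t0)
    store.put("backup-writer", key, b"-- day 1 dump\n", t0 + day)

    incident = t0 + 2 * day + timedelta(hours=3)   # 2023-08-18 02:00Z, constructed timeline
    store.put("backup-writer", key, b"\x9f\x11ENCRYPTED", incident)

    blocked = []
    for role in ROLE_ACTIONS:
        try:
            store.delete(role, key)
        except Forbidden:
            blocked.append(role)

    try:
        store.get("platform-admin", key)
        admin_can_read = True
    except Forbidden:
        admin_can_read = False

    latest = store.get("restore-operator", key)
    restored = store.get("restore-operator", key, as_of=incident - timedelta(minutes=1))

    # Long after the retention window, expiry trims old versions but never the last one.
    store.expire(incident + timedelta(days=60))
    return {"delete_blocked_for": blocked, "admin_can_read": admin_can_read,
            "latest": latest, "restored": restored,
            "versions_after_expiry": len(store.objects[key])}


if __name__ == "__main__":
    for name, value in simulate_incident().items():
        print(f"{name}: {value!r}")
```

The point of the simulation is the worst case the CloudNordic incident illustrates: the credential that writes backups is the one most likely to be on the compromised host. Append-only versioning plus a retention lock means that credential can pollute the store but not empty it, and recovery is a question of picking the right point in time rather than hoping a copy survived.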
Sotero Stops Ransomware In the Cloud
Sotero offers a cloud-specific solution for ransomware protection, focusing on safeguarding cloud resources and preventing spread to connected internal resources. It uses behavior-based anomaly detection instead of traditional signature-based methods. Employing machine learning, Sotero establishes usage and access baselines within cloud infrastructure, enabling it to monitor for and identify suspicious activity. This allows early detection of and response to malware threats, including access termination, logging, and alert generation, reducing the risk of data exfiltration and the fines a breach can bring.
Learn more about how Sotero can prevent ransomware in your cloud environment.