How to Protect Against Ransomware Attacks on Your Cloud Storage
Even with its advanced technology, the cloud isn’t impervious to ransomware attacks. Learn how to protect your data and what to do if an attack occurs.
Ransomware attacks on cloud storage are becoming increasingly common and destructive. This form of malware unexpectedly encrypts an organization’s or user’s key files and renders them unreadable. In recent years, ransomware has become more pernicious, with hackers and criminals demanding payouts in the form of cryptocurrency or other difficult-to-trace electronic payment instruments in exchange for decrypting valuable data and/or restoring essential services. Organizations in many sectors have been affected, disrupting business operations and destabilizing critical infrastructure. Companies relying on legacy systems are especially at risk, as such systems may not be maintained or up to date with patches and upgrades.
The nature of cloud storage makes it a tempting target for ransomware attacks because of its omnipresence, connections, and accessibility. Fortunately, there are multiple measures organizations can put in place to defend against ransomware attacks. For cloud storage, a ransomware prevention strategy is an essential component of an overall cybersecurity posture.
Ransomware protection for cloud storage is essential for keeping files intact, accessible, and safe. Unfortunately, ransomware attacks and attacker strategies are evolving to become more intelligent and insidious while tapping into high-value, cloud-based enterprise data lakes. For most organizations, integral, accessible, and secure data is fundamental to business continuity. Inaccessible, incomplete, and insecure data can lead to severe recovery challenges such as:
Very quickly, business (or elements of business) can grind to a halt, which is usually the goal of a cloud ransomware attack.
Any strategy for protection against ransomware integrates multiple layers of defense. The U.S. National Institute of Standards and Technology has laid out five functional pillars of a comprehensive and successful cybersecurity defense program for private- and public-sector organizations. These are:
Identify systems and processes that are essential to your operations to invest in added protection against disaster.
Fine-tune the protective measures being taken for essential processes, software, or data.
Lean on Cloud DLP to identify long-term data protection strategies for information that might appeal to ransomware attackers.
Develop a disaster recovery plan based on the identified systems and associated protective measures.
Develop a cybersecurity resilience program to back up core programs and software.
The systems and processes that have the greatest chance of being targeted by ransomware must be identified. What would the business impact be if these systems or processes were unable to operate? Identifying these systems and processes will help with prioritizing and focusing on managing risk.
When it comes to cloud security, it’s better to be informed about risks than to avoid confronting them. Being thoroughly informed about risks will help you address the security vulnerabilities you currently face, rather than only managing the risks you already know about.
Cloud service providers often make this risk-informed approach more efficient and easier for you by creating and maintaining the tools and controls you need to mitigate security threats. Tools now exist that allow discovery, monitoring, and analysis of all your organization’s assets in one place for the purposes of security analytics, IT operations, auditing, and governance.
Establish safeguards that ensure the delivery of critical services and operational processes and that contain or limit the impact of cybersecurity attacks or incidents. Such safeguards can include a zero-trust framework, which segments environments, verifies device integrity and authenticates user access, authenticates executables, integrates endpoint protection, filters malware and spam, reduces phishing risk, patches consistently, and provides continuous controls assurance. A few examples of strategies and products to consider incorporating include:
Email is at the center of many ransomware attacks. Email can be exploited to phish for credentials to use for illegitimate network access or directly distribute ransomware binaries. It should be noted that legacy on-premises email systems are particularly vulnerable in this manner. Using email with phishing and malware protection allows you to quarantine emails, defend against anomalous attachments, and protect against spoofed inbound emails.
User accounts that are compromised permit ransomware attackers to gain footholds in an organization, performing reconnaissance, obtaining unauthorized data access, and installing malicious binaries. Wherever possible, it’s recommended to use products that provide extra account takeover protection and detect anomalous user activity.
A zero-trust access model grants authorized users point-in-time access only to individual apps and not an entire network. Permissions are continuously checked to test whether ongoing access is still permitted. This stops the lateral movement across a network that attackers use to look for sensitive data and expand infections. Remote Desktop Protocol access to resources is one of the most common methods that ransomware attackers use to acquire access to insecure legacy server systems.
Safe browser technology can warn users about millions of malware downloads every week. Threat protection can prevent infections by previously undiscovered malware—including ransomware—via deep scanning of files and real-time URL checks.
It’s best to have as many users as possible running operating systems with low on-device footprints. Where possible, these operating systems should be read-only, with verified boot, sandboxing, safe browsing, and an OS that updates continuously and invisibly. If possible, don’t rely on legacy devices, which have larger vulnerability gaps.
Define ways to continuously monitor your organization to identify all possible cybersecurity incidents or events. In terms of ransomware, this can include keeping an eye out for intrusion attempts, installing Data Loss Prevention (DLP) solutions for detecting leaks of sensitive organizational data, and scanning for signs of ransomware propagation and execution.
Being able to see and inhibit nefarious activity connected to ransomware as quickly as possible is crucial for stopping business disruptions. There are apps that provide threat detection solutions for identifying all threats, including ransomware, at unrivaled scale and speed. You should focus on active threats in your environment and try to accelerate your response times to them.
Use DLP technologies to detect data that could appeal to ransomware attackers. With Cloud DLP, you’ll be able to detect which (if any) sensitive data is accessible to the public and whether any access credentials are contained in exposed code.
Form an incident response team in your organization that can limit and mitigate the impact of a ransomware event. Invest company time and resources into developing a disaster recovery plan that can help support a proactive response immediately after enduring a ransomware attack.
If a ransomware attack occurs, always secure your internal communications with your teams and any external communications with your customers and partners.
Develop a cybersecurity resilience program with a backup strategy to restore core assets and systems affected by ransomware incidents. It’s critical to support recovery timelines so you can lessen the impact of any cyber event and get back to running your business.
If you’ve been attacked by ransomware, you should identify a point-in-time backup image that you’re sure isn’t infected. Being able to identify such a point allows for quick recovery of your data, and recovering data rapidly means you can resume business operations expeditiously. Files that are synced with remote copies can often be recovered more readily than files that aren’t synced.
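The detection and recovery steps above can be worked through against a versioned object store: ransomware leaves a burst of high-entropy overwrites across many objects in a short window, and the clean recovery point for each object is the newest version written before that burst began. The following is an added example, not code from the original article or from Seagate; the version log, its field layout, and the thresholds are constructed assumptions.

```python
# Added example (not from the original article): locate the ransomware
# overwrite burst in a versioned bucket and pick a clean per-object version.
# The version log below is constructed; its tuples loosely mirror the fields
# of an S3 ListObjectVersions listing (key, version id, modified time, body).
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Constructed sample: three plaintext documents, each overwritten within
# 40 seconds by random-looking bytes (entropy 8.0), as an encryptor would.
VERSION_LOG = [
    ("docs/a.txt", "v1", 1000, b"quarterly report draft " * 8),
    ("docs/b.txt", "v1", 1010, b"customer list, plain text " * 8),
    ("docs/c.txt", "v1", 1020, b"meeting notes " * 12),
    ("docs/a.txt", "v2", 5000, bytes(range(256)) * 2),
    ("docs/b.txt", "v2", 5020, bytes(range(255, -1, -1)) * 2),
    ("docs/c.txt", "v2", 5040, bytes(range(256))),
]

def find_encryption_burst(log, threshold=7.5, window=300, min_objects=3):
    """Start time of the first window in which at least min_objects distinct
    keys received high-entropy overwrites, or None if no burst is present."""
    suspicious = sorted((ts, key) for key, _, ts, body in log
                        if shannon_entropy(body) >= threshold)
    for i, (start, _) in enumerate(suspicious):
        keys = {k for ts, k in suspicious[i:] if ts - start <= window}
        if len(keys) >= min_objects:
            return start
    return None

def recovery_point(log, burst_start):
    """Map each key to its newest version written before the burst began.
    Keys with no pre-burst version are omitted and need manual review."""
    clean = {}
    for key, vid, ts, _ in sorted(log, key=lambda r: r[2]):
        if ts < burst_start:
            clean[key] = vid  # later pre-burst versions replace earlier ones
    return clean

if __name__ == "__main__":
    start = find_encryption_burst(VERSION_LOG)
    print("burst start:", start)
    print("restore versions:", recovery_point(VERSION_LOG, start))
```

Objects that only exist after the burst began get no entry from recovery_point and must be inspected by hand before being restored.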
In planning a defensive posture against ransomware attacks, consider these questions:
Guarding against ransomware attacks is critical for all organizations. Establishing best practices and answering the above questions are only the beginning of building a mature and resilient cybersecurity posture.
Remember that you shouldn’t focus on just one single line of defense. Your cybersecurity program should enable you to detect, identify, respond to, recover from, and prevent multiple kinds of attacks. You need a wide range of solutions from a highly resilient and battle-tested platform that works with your business in an integrated way across many elements.
It’s valuable to train your employees to recognize strategies used by ransomware attackers and to ensure that all countermeasures for securing data in the cloud are taken. Examples of ransomware attack strategies include stealing data prior to encrypting it, threatening to leak this data, and executing distributed-denial-of-service attacks to distract and occupy security teams while seeking to accomplish other goals such as leaking data or encrypting business-critical data.
Cloud solutions such as Seagate® Lyve™ Cloud can offer added protection against ransomware attacks via object immutability and best-in-class data-at-rest protection. A built-for-multicloud storage-as-a-service solution with predictable, capacity-based pricing, Seagate Lyve Cloud is compatible with Amazon Web Services (AWS) S3.
Managers should strive to stay on top of all device and cloud software and system updates.
In addition, it’s important to continuously back up cloud storage, including versioning and organizing information in data lakes. In this respect, Seagate Lyve Cloud’s compatibility with AWS S3 is especially helpful.
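Object immutability and versioning only protect backups when they are actually switched on with a retention window long enough to outlast an undetected intrusion. The function below, an added example that is neither Seagate's nor AWS's code, audits those settings for an S3-compatible bucket; the input dicts follow the response shape of the S3 GetBucketVersioning and GetObjectLockConfiguration calls, and the weak and hardened sample values are constructed.

```python
# Added example (not from the original article): audit an S3-compatible
# bucket's versioning and Object Lock settings against a minimum retention
# window. Input shapes mirror the S3 GetBucketVersioning and
# GetObjectLockConfiguration responses; sample values are constructed.

def audit_bucket_immutability(versioning, object_lock, min_retention_days):
    """Return a list of findings; an empty list means the bucket meets the bar."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled; overwritten objects cannot be restored")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete is off; a stolen access key alone can purge old versions")
    cfg = object_lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled; old versions can be deleted at will")
        return findings  # remaining checks need a lock configuration
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    days = rule.get("Days", 0) + 365 * rule.get("Years", 0)
    if rule.get("Mode") != "COMPLIANCE":
        findings.append("default retention is not COMPLIANCE mode; "
                        "GOVERNANCE can be bypassed by privileged principals")
    if days < min_retention_days:
        findings.append(f"default retention of {days} days is shorter than "
                        f"the required {min_retention_days} days")
    return findings

# Constructed weak configuration: versioning suspended, no Object Lock.
WEAK_VERSIONING = {"Status": "Suspended", "MFADelete": "Disabled"}
WEAK_LOCK = {}

# Constructed hardened configuration: versioning with MFA Delete, and a
# 30-day COMPLIANCE-mode default retention that no principal can shorten.
HARDENED_VERSIONING = {"Status": "Enabled", "MFADelete": "Enabled"}
HARDENED_LOCK = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}

if __name__ == "__main__":
    for name, v, lock in (("weak", WEAK_VERSIONING, WEAK_LOCK),
                          ("hardened", HARDENED_VERSIONING, HARDENED_LOCK)):
        print(name, audit_bucket_immutability(v, lock, 30) or ["ok"])
```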
Business continuity and disaster recovery plans are critical for organizations, and increasingly, it’s essential for these plans to integrate ransomware-focused instructions in case such attacks occur.