The Palo Alto Networks Unit 42 Cloud Threat Report found that 66% of cloud storage buckets contain sensitive data, which makes them attractive targets for ransomware. The SANS Institute has also highlighted that these attacks need not exploit a software vulnerability at all: they can be carried out by turning the cloud provider's own storage security controls and default settings against the customer.
Brandon Evans, a security consultant and SANS Certified Instructor, has seen two distinct methods of executing ransomware attacks with legitimate cloud security features in just a few months. One campaign, disclosed by Halcyon, used Amazon S3's native server-side encryption with customer-provided keys (SSE-C) to encrypt target buckets under keys only the attacker holds. Another, demonstrated by security consultant Chris Farris, used AWS KMS keys with externally imported key material together with simple scripts generated by ChatGPT. “This topic is clearly top-of-mind for both threat actors and researchers,” notes Brandon.
To combat cloud ransomware, SANS recommends that organizations take the following steps:
- Understand the capabilities and limitations of cloud security controls: Relying solely on the cloud does not guarantee data safety. “Most people’s initial experience with cloud services is through file backup solutions like OneDrive, Dropbox, iCloud, and others,” explains Brandon. “While these services often have file recovery capabilities enabled by default, this is not the case for Amazon S3, Azure Storage, or Google Cloud Storage. It is essential for security professionals to comprehend how these services work and not assume that the cloud will save them.”
- Block unsanctioned cloud encryption methods: With AWS S3 SSE-C and AWS KMS keys with external key material, the key material is supplied from outside AWS, so an attacker who uploads or re-encrypts data under such a key has full control over it, and the data cannot be recovered without the attacker's cooperation. Organizations can use IAM and S3 bucket policies to mandate the encryption method S3 accepts, such as SSE-KMS with key material hosted in AWS, and to deny the creation of KMS keys whose material is imported from outside AWS.
- Enable backups, object versioning, and object locking: None of the major cloud providers enables these integrity and availability controls for cloud storage by default. Used properly, they raise the chances that an organization can recover its data after a ransomware attack instead of negotiating for it.
- Balance security and cost with data lifecycle policies: These protections cost money. “Cloud providers will not host your data versions or backups for free, and your organization will not give you a blank check for data security,” says Brandon. Each of the major cloud providers lets customers define a lifecycle policy that automatically deletes objects, versions, and backups once they are no longer needed. The same lifecycle policies are available to attackers, who used them in the campaign mentioned above to schedule deletion of the data and pressure the target into paying the ransom quickly.
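The policy controls from the “Block unsanctioned cloud encryption methods” step above, as an added example that is not code from SANS or from the webcast: an S3 bucket policy that rejects SSE-C and any upload not encrypted with SSE-KMS, an identity-policy (or SCP) fragment that blocks KMS keys with imported material, and a small evaluator that applies the Deny statements to constructed request contexts so the policies can be exercised offline. The bucket name, the statement Sids, the evaluator and the sample requests are assumptions for illustration; the S3 and KMS condition keys are AWS's own.

```python
"""Added example: policies that pin S3 to SSE-KMS with AWS-hosted key material.

Assumptions (not from the article): the bucket name, the Sids, the sample
request contexts, and the minimal condition evaluator used to exercise the
policies without an AWS account.
"""
import json

BUCKET = "example-bucket"  # assumption: hypothetical bucket name
OBJECTS = f"arn:aws:s3:::{BUCKET}/*"

# Bucket policy. An explicit Deny overrides any Allow, so it holds even for
# principals that have s3:* on the bucket. CopyObject into the bucket is
# authorised as s3:PutObject on the destination, so an in-place
# re-encryption of existing objects is covered as well as fresh uploads.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # SSE-C: the request carries a customer key that AWS never stores.
            "Sid": "DenySSEC", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": OBJECTS,
            "Condition": {"Null": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        },
        {   # A server-side encryption method was named, but it is not KMS.
            "Sid": "DenyNonKMS", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": OBJECTS,
            "Condition": {"StringNotEquals": {
                "s3:x-amz-server-side-encryption": "aws:kms"}},
        },
        {   # No method named at all. AWS's own S3 policy examples pair this
            # Null statement with the StringNotEquals one, so this does the
            # same rather than relying on how an absent key is evaluated.
            "Sid": "DenyNoSSEHeader", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": OBJECTS,
            "Condition": {"Null": {"s3:x-amz-server-side-encryption": "true"}},
        },
    ],
}

# Identity policy for the KMS side (an SCP has the same shape). Key material
# that lives outside KMS can be destroyed by whoever holds it.
KMS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyExternalKeyMaterial", "Effect": "Deny",
            "Action": "kms:CreateKey", "Resource": "*",
            "Condition": {"StringEquals": {"kms:KeyOrigin": "EXTERNAL"}},
        },
        {
            "Sid": "DenyImportKeyMaterial", "Effect": "Deny",
            "Action": ["kms:ImportKeyMaterial", "kms:GetParametersForImport"],
            "Resource": "*",
        },
    ],
}


def _condition_matches(cond, ctx):
    """Model of the three operators used above (assumption: an absent key
    satisfies only the Null operator; the policies are written so that no
    decision depends on this detail)."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if op == "Null":
                if (have is None) != (want == "true"):
                    return False
            elif op == "StringEquals":
                if have is None or have != want:
                    return False
            elif op == "StringNotEquals":
                if have is None or have == want:
                    return False
            else:
                raise ValueError(f"operator {op} not modelled")
    return True


def deny_sids(policy, action, ctx):
    """Return the Sids of the Deny statements that match this request."""
    hits = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if (st["Effect"] == "Deny" and action in actions
                and _condition_matches(st.get("Condition", {}), ctx)):
            hits.append(st["Sid"])
    return hits


# Constructed request contexts: the condition keys S3/KMS derive from each
# kind of request. Only "sse-kms" and "aws_kms" should pass.
REQUESTS = {
    "sse-c":   ("s3:PutObject", {"s3:x-amz-server-side-encryption-customer-algorithm": "AES256"}),
    "sse-s3":  ("s3:PutObject", {"s3:x-amz-server-side-encryption": "AES256"}),
    "plain":   ("s3:PutObject", {}),
    "sse-kms": ("s3:PutObject", {"s3:x-amz-server-side-encryption": "aws:kms"}),
}
KMS_REQUESTS = {
    "external": ("kms:CreateKey", {"kms:KeyOrigin": "EXTERNAL"}),
    "aws_kms":  ("kms:CreateKey", {"kms:KeyOrigin": "AWS_KMS"}),
    "import":   ("kms:ImportKeyMaterial", {}),
}

if __name__ == "__main__":
    for name, (action, ctx) in {**REQUESTS, **KMS_REQUESTS}.items():
        policy = BUCKET_POLICY if action.startswith("s3:") else KMS_POLICY
        print(f"{name:9s} -> denied by {deny_sids(policy, action, ctx) or 'nothing'}")
    print(json.dumps(BUCKET_POLICY, indent=2))
```

To pin uploads to one specific key rather than any KMS key, add a fourth Deny on `s3:x-amz-server-side-encryption-aws-kms-key-id` not equal to the approved key ARN. Note that the bucket policy governs what can be written from now on; it does nothing for objects an attacker has already re-encrypted, which is what versioning and backups are for.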
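The versioning and lifecycle steps above, as an added example that is not code from SANS or from the webcast. On a bucket with versioning enabled, an object overwritten by an attacker's re-encryption survives as a noncurrent version, so the recovery window is exactly as long as the lifecycle rule that expires noncurrent versions. The block shows a lifecycle configuration that keeps that window bounded for cost reasons, a constructed configuration of the kind an attacker would set to impose a deadline, and a review function that flags any rule shortening the window. The 30-day window, the rule IDs and the attacker-style configuration are assumptions for illustration.

```python
"""Added example: bound the cost of object versioning with a lifecycle rule,
and review lifecycle rules for settings that close the recovery window.

Assumptions (not from the article): the 30-day recovery window, the rule
IDs, and the constructed attacker-style configuration.
"""
import json

RECOVERY_DAYS = 30  # assumption: longer than your detect-and-respond time

# Defensive configuration for a versioned bucket: overwritten or deleted
# objects survive as noncurrent versions for RECOVERY_DAYS, the five newest
# noncurrent versions are kept regardless of age, and abandoned multipart
# uploads stop accruing storage charges after a week.
LIFECYCLE = {
    "Rules": [
        {
            "ID": "bounded-version-retention",
            "Status": "Enabled",
            "Filter": {"Prefix": ""},
            "NoncurrentVersionExpiration": {
                "NoncurrentDays": RECOVERY_DAYS,
                "NewerNoncurrentVersions": 5,
            },
            "AbortIncompleteMultipartUpload": {"DaysAfterInitiation": 7},
        }
    ]
}

# Constructed example of the same feature in the attacker's hands: after
# re-encrypting the bucket, a rule is added so that the original versions
# vanish almost at once and the encrypted copies follow unless the ransom
# is paid.
ATTACKER_LIFECYCLE = {
    "Rules": [
        {
            "ID": "pay-within-a-week",
            "Status": "Enabled",
            "Filter": {"Prefix": ""},
            "Expiration": {"Days": 7},
            "NoncurrentVersionExpiration": {"NoncurrentDays": 1},
        }
    ]
}


def review_lifecycle(config, min_recovery_days=RECOVERY_DAYS):
    """Return one finding per rule setting that shortens the recovery window.

    A clean configuration returns an empty list. Run it against the JSON
    from get-bucket-lifecycle-configuration whenever the configuration
    changes, and alert on a non-empty result."""
    findings = []
    for rule in config.get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue  # a disabled rule deletes nothing
        rid = rule.get("ID", "<unnamed>")
        exp = rule.get("Expiration", {})
        if "Days" in exp and exp["Days"] < min_recovery_days:
            findings.append(f"{rid}: current objects expire after {exp['Days']} day(s)")
        if "Date" in exp:
            findings.append(f"{rid}: current objects expire on fixed date {exp['Date']}")
        ncv = rule.get("NoncurrentVersionExpiration", {})
        days = ncv.get("NoncurrentDays")
        if days is not None and days < min_recovery_days:
            findings.append(f"{rid}: noncurrent versions expire after {days} day(s)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("defensive", LIFECYCLE), ("attacker", ATTACKER_LIFECYCLE)):
        print(label, json.dumps(review_lifecycle(cfg), indent=2))
```

Object Lock closes the remaining gap: a version under a retention period cannot be removed by a lifecycle expiration until the period ends, so a retention period at least as long as the recovery window makes the attacker's rule ineffective. Both Object Lock and `NoncurrentVersionExpiration` require versioning to be enabled on the bucket first.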
To learn more, watch Brandon’s webcast, “The Cloud Won’t Save You from Ransomware: Here’s What Will”, by visiting https://www.sans.org/webcasts/cloud-wont-save-you-from-ransomware-heres-what-will/
For additional tactics on mitigating attacks in the major cloud providers, consider Brandon’s course, SEC510: Cloud Security Controls and Mitigations at SANS 2025 in Orlando or Live Online this April. This course is also available with Brandon later in the year in Baltimore, MD in June or Washington, DC in July.