Council Post: The Future Of Ransomware 2.0 Attacks

The pandemic has forced businesses to start working from home on a massive scale, and SaaS platforms have switched from being a matter of choice to a necessity. While the long-term advantages of this global switch are yet to be discovered, SaaS security threats are already out there. One of the most threatening is ransomware 2.0.

It’s a new generation of attacks, using sophisticated types of ransomware, that spreads to the cloud and encrypts the SaaS data held in cloud services. The average ransom payment in 2019 amounted to $41,000, but a cyber liability insurance firm we partner with indicates that the real cost of a ransomware attack for a company with 50 employees has reached $73,000.

This cost includes:

  • Ransom fee: $6,000.
  • Forensics: $15,000.
  • Legal: $20,000.
  • Fines/Penalty: $12,000.
  • Data Recovery: $20,000.

That said, ransomware has become a multibillion-dollar industry for cybercriminals. Like businesses, it has to show positive revenue traction year over year. To maximize profit, cybercriminals have to expand to new markets. Cloud SaaS services are a perfect opportunity, and there has never been a better time to target SaaS data.

Why is ransomware targeting cloud services?

  • Cybercriminals are looking for new market opportunities. Many offline businesses are closed due to COVID-19, which reduces new opportunities for cybercriminals. Phishing attacks are up 667% since the pandemic began. Cybercriminals seem to be looking for new ways to generate revenue.
  • Cloud services have become mission-critical apps for successful businesses. IBM CEO Arvind Krishna recently said the spread of coronavirus will push companies to speed up their cloud adoption. Many organizations already can’t imagine their business without cloud services. Today, the majority of companies are using such cloud services as G Suite, Microsoft Office 365, Salesforce, Dropbox and Box. If your business operations depend on Salesforce, you can’t replace it with an on-premises version of Salesforce; it doesn’t exist. Such organizations turn to SaaS. It’s only a matter of time until ransomware starts targeting cloud data.
  • Cloud services accumulate a huge number of users in one ecosystem. This is another benefit for cybercriminals. Imagine the damage from a successfully designed ransomware attack that targets all G Suite, Microsoft 365 or Salesforce organizations in the United States. The economic impact would be devastating.
  • A new generation of ransomware. Cybercriminals release more sophisticated algorithms each year. They are completely different from what we saw last year and spread more easily across networks. New ransomware blocks on-premises antiviruses and backup agents. It can delete backed-up data and download sensitive data. It can steal the victim’s saved credentials from web browsers and email clients and threaten to upload them to public view if the victim doesn’t pay the ransom. One example is a ransomware called Ragnar Locker.

Here’s a cloud-to-cloud scenario of a ransomware attack targeting SaaS data.

  1. A user gets an email that looks like it was sent from their cloud service provider. It requires the user to click a phishing link to update an app.
  2. A user installs a malicious app or a Chrome extension that requests a scope of permissions to access G Suite or Office 365 SaaS data.
  3. Once permissions are granted, the app starts encrypting data directly in the cloud.

Ransomware that targets the cloud is here. Within the next one to two years, this evolution will not only continue, but also accelerate, making ransomware 2.0 a turning point in ransomware history.

Cloud Security In The New Reality

The bad news is that there is no silver bullet that can help you to keep your business data secure in the cloud in the new reality, but the good news is that a combination of best practices can help you significantly reduce the impact of a ransomware attack on your organization. Here is what I would recommend.

Continually Monitor Your SaaS

Use a third-party provider to monitor your SaaS environment 24/7. The provider can identify new ransomware attacks in real time, remediate them, alert you immediately and provide an advanced incident response plan. One of the key components of such a solution should be ML/AI algorithms that can reduce false positives and automate the process to significantly reduce the human factor.

Back Up Your Data

Use an independent cloud-to-cloud backup provider to back up your sensitive SaaS data to secure cloud storage. AWS, GCP and Azure are the most secure and trusted cloud storage services. Daily backup is a very important part of this process.

Protect Yourself Against Phishing

Deploy an anti-phishing monitoring solution. The majority of phishing emails are designed to run ransomware attacks.

Monitor Third-Party Apps

Deploy monitoring and risk assessment of the third-party apps installed by your employees, such as marketplace apps, Chrome extensions, add-ons, iOS apps, Android apps, non-marketplace apps and any other apps that have access to your SaaS data. Some of the apps can be time bombs and run ransomware attacks when you least expect it.
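
Steps 2 and 3 of the cloud-to-cloud scenario above depend on a user granting an app write access to SaaS data, which is what this kind of risk assessment can check. The following is an added example, not part of the original article, that triages OAuth grants by scope; the scope strings are real Google and Microsoft Graph scopes, while the weights, thresholds, record layout and app names are assumptions constructed for illustration.

```python
# Added example: scope-based triage of third-party OAuth grants.
# Weights, thresholds and the sample records are constructed for illustration.
WRITE_SCOPES = {  # allow modifying or deleting user content in place
    "https://www.googleapis.com/auth/drive": 5,
    "https://mail.google.com/": 5,
    "https://www.googleapis.com/auth/gmail.modify": 4,
    "Files.ReadWrite.All": 5,
    "Mail.ReadWrite": 4,
}
READ_SCOPES = {  # allow bulk download of data
    "https://www.googleapis.com/auth/drive.readonly": 2,
    "Files.Read.All": 2,
    "Mail.Read": 2,
}
PERSISTENT = {"offline_access"}  # refresh tokens: access outlives the session

def assess_grant(grant, approved_apps=frozenset()):
    """Score one grant record; return its risk level and the reasons."""
    scopes = set(grant["scopes"])
    write = sorted(WRITE_SCOPES.keys() & scopes)
    read = sorted(READ_SCOPES.keys() & scopes)
    score = sum(WRITE_SCOPES[s] for s in write) + sum(READ_SCOPES[s] for s in read)
    reasons = [f"write:{s}" for s in write] + [f"read:{s}" for s in read]
    if scopes & PERSISTENT:
        score += 1
        reasons.append("persistent access")
    if not grant.get("marketplace", False):
        score += 2
        reasons.append("non-marketplace app")
    if grant["app_id"] in approved_apps:
        level = "approved"
    else:
        level = "high" if write and score >= 7 else "review" if write or score >= 4 else "low"
    return {"app": grant["app_name"], "user": grant["user"],
            "score": score, "level": level, "reasons": reasons}

def triage(grants, approved_apps=frozenset()):
    """Return the grants that need attention, highest score first."""
    flagged = [r for r in (assess_grant(g, approved_apps) for g in grants)
               if r["level"] in ("high", "review")]
    return sorted(flagged, key=lambda r: -r["score"])

SAMPLE_GRANTS = [  # constructed records, shaped like an OAuth grant audit export
    {"app_id": "a1", "app_name": "PDF Updater", "user": "amy@example.com", "marketplace": False,
     "scopes": ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"]},
    {"app_id": "a2", "app_name": "Calendar Sync", "user": "bo@example.com", "marketplace": True,
     "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"app_id": "a3", "app_name": "Mail Archiver", "user": "cy@example.com", "marketplace": True,
     "scopes": ["Mail.ReadWrite", "offline_access"]},
    {"app_id": "a4", "app_name": "Corp Backup", "user": "di@example.com", "marketplace": True,
     "scopes": ["Files.ReadWrite.All", "offline_access"]},
]
```

Calling `triage(SAMPLE_GRANTS, approved_apps={"a4"})` surfaces the non-marketplace app holding full Drive and Gmail access first, followed by the mail app with write and persistent access.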

Train Your Employees To Watch For Threats

Educate your employees by implementing security awareness training on a quarterly basis. There are many online tools that can help you here. Continue doing all the necessary data security work: Manage files’ permissions and access. Outline clear security policies, and educate your employees on cybersecurity matters through corporate training.

Before ransomware 2.0, cybercriminals used one of two approaches: a broad one that targeted every end user in hopes of receiving a small payment, or a narrow one that used social engineering tactics targeted at specific organizations for a bigger ransom. The mass adoption of cloud services by a broad range of business sectors made them an attractive aggregation point for both approaches. Also, because it is a new market for ransomware, the cloud does not have proper protection, which can make organizations vulnerable. It’s a matter of time until cloud data is hit by ransomware 2.0. Is your business ready for it?
