In a Cloud Security Architect role, Giorgio Brembati works within the Check Point Software EMEA team of specialists for southern Europe. He supports customers and companies in adopting strategies, architectures and solutions to secure their environments in public and private cloud contexts.
In this expert interview, Giorgio Brembati provides a technical deep-dive into ransomware as it relates to cloud computing.
How has ransomware affected cloud computing infrastructure?
Most organizations today rely on the cloud, and over the last few years, we have seen it become one of the crucial components of IT organizations. We have seen companies moving virtual desktop infrastructure (VDI) environments and virtual machines (in a lift/shift approach) and then starting to utilize native services. When we take a look at the protection that is put in place along with this first migration technique, we can see how native systems do not provide threat prevention capabilities. Companies should rely on anti-malware and emulation techniques to prevent known and unknown attacks that may reach IaaS systems from both traffic and workload perspectives.
In what ways are cloud technologies uniquely vulnerable to ransomware?
In cloud environments, we frequently see the extensive usage of Platform-as-a-Service services with databases and storage. In a context defined by a shared responsibility model that represents a customer as responsible for the data, the correct configuration of these services becomes crucial to implementing proper security practices. These services are based on extensive flexibility and availability, and bring up the question of how to control the exposure and settings of our storage or database provided as a service. If we then expand our view to how companies use cloud environments today, we can identify a trend that focuses on multi-cloud environments, making these security practices even harder without multi-cloud security solutions.
Can you speak to newly developed ransomware strategies for the cloud?
As the attackers’ methodologies evolve, we can observe how today’s ransomware attacks are changing on a technical level, and also see how the attack behavior has changed. Recent attacks have shown how attackers are moving to a double-extortion technique. In such attacks, affected companies are then asked to pay a ransom to recover the data and to avoid seeing their private data publicly shared on the web. We can interpret ransomware attacks as attacks that aim to ask for a ransom from the customer, while attackers rely on different attack strategies (such as encryption or data exfiltration techniques). So, it is crucial in cloud environments, where one of the most significant risks is related to misconfiguration, to have the correct tools in place to control exposures or issues in the permission configurations which can be made by mistake. Similarly, it’s crucial to guide teams through the right mitigation strategy.
What would you say are key ransomware prevention considerations for the cloud?
When we look at the cloud environment, we can distinguish systems based on Infrastructure-as-a-Service services (virtual machines) and strategies based on Platform-as-a-Service. In the first scenario, one of the critical prevention techniques is the use of systems that analyze the traffic using threat prevention technologies. On the one hand, this approach would ensure attacks could not hit these systems by analyzing traffic flows for known and unknown attacks and ensure there will be no communication with the Command-and-Control server. When we look at PaaS services, it is crucial to make use of solutions that can detect misconfigurations of these systems and to implement automatic remediation to reduce the attack surface and to close any unwanted exposures.
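The misconfiguration check and automatic remediation Brembati describes for PaaS storage, as an added example that is not part of the interview and not Check Point's code: a small Python scanner over a bucket policy in the AWS S3 policy format that flags Allow statements any principal can use (wildcard principal, no Condition), grades them by whether they allow writes or deletes (the case that lets ransomware overwrite or purge data directly), and returns a remediated copy with those statements dropped. The sample policy, bucket name, account ID and role name are constructed for the demo; the "public" test is deliberately narrower than a provider's own definition, since a statement with a Condition block is left for manual review rather than auto-removed.

```python
import copy
import fnmatch
import json

# Constructed sample bucket policy (not taken from any real account). The first
# statement grants anonymous read of every object, the second grants anonymous
# writes, and the third is correctly scoped to a single IAM role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-backups",
                "arn:aws:s3:::example-backups/*",
            ],
        },
        {
            "Sid": "PublicUpload",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:Put*",
            "Resource": "arn:aws:s3:::example-backups/*",
        },
        {
            "Sid": "BackupRoleWrite",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-backups/*",
        },
    ],
}

# Actions that let a caller alter or destroy data or the policy itself; a public
# grant matching any of these is reported as the more severe finding.
WRITE_ACTIONS = (
    "s3:PutObject",
    "s3:DeleteObject",
    "s3:DeleteObjectVersion",
    "s3:PutBucketPolicy",
    "s3:PutLifecycleConfiguration",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_wildcard_principal(principal):
    """True for "*" or {"AWS": "*"}, the two spellings of "anyone"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def _grants_write(actions):
    # Action entries may be wildcards ("s3:Put*", "s3:*", "*"), so match by glob.
    patterns = _as_list(actions)
    return any(fnmatch.fnmatchcase(a, p) for a in WRITE_ACTIONS for p in patterns)


def _public_severity(stmt):
    """Return "public-read" / "public-write" for a publicly usable Allow, else None."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return None
    if not _is_wildcard_principal(stmt.get("Principal")):
        return None
    return "public-write" if _grants_write(stmt.get("Action", [])) else "public-read"


def find_public_statements(policy):
    """List (Sid, severity) for every statement that exposes the bucket."""
    findings = []
    for stmt in policy.get("Statement", []):
        severity = _public_severity(stmt)
        if severity:
            findings.append((stmt.get("Sid", "<no-sid>"), severity))
    return findings


def remediate(policy):
    """Return a copy of the policy with the public Allow statements removed.

    Dropping the statement falls back to default-deny; a scoped grant for the
    real consumers can then be re-added deliberately rather than left open.
    """
    fixed = copy.deepcopy(policy)
    fixed["Statement"] = [s for s in fixed["Statement"] if _public_severity(s) is None]
    return fixed


if __name__ == "__main__":
    for sid, severity in find_public_statements(SAMPLE_POLICY):
        print(f"{severity}: statement {sid}")
    print(json.dumps(remediate(SAMPLE_POLICY), indent=2))
```

In a real pipeline the same check would run on every policy change event and the remediated document would be written back through the provider's API, with the removed statements logged so the owning team can restore access in a scoped form.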
How should organizations back up cloud data to avoid ransomware?
One entry point for ransomware to cloud infrastructure could be the public perimeter. Alternatively, ransomware that infects on-prem data could also have implications for the cloud, even if the data is encrypted. For instance, infected on-prem data that syncs to cloud backups will lead to cloud compromise. One strategy that can help us mitigate these worst-case scenarios is the use of “versioning” technologies; the concept behind these features is to define any existing data as immutable. Therefore, if a newer file is synced to the cloud systems (even if encrypted), it would not change the original file, but it will effectively become a newer version, leaving the original file untouched.
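The versioning behaviour described above, as an added example that is not part of the interview and not any provider's SDK: a small Python model of a versioned bucket in which a sync from an already-encrypted host appends a new version instead of overwriting, followed by a rollback routine that uses byte entropy as a crude "looks encrypted" indicator and restores the newest version that does not. The bucket class, the XOR "encryption" used to stand in for ransomware, and the sample files are all constructed for the demo.

```python
import hashlib
import math
from collections import Counter


class VersionedBucket:
    """Minimal model of an object store with versioning on: a put never
    overwrites in place, it appends a version, so earlier bytes stay retrievable."""

    def __init__(self):
        self._versions = {}  # key -> [(version_id, data), ...], oldest first

    def put(self, key, data):
        history = self._versions.setdefault(key, [])
        version_id = f"v{len(history) + 1}"
        history.append((version_id, bytes(data)))
        return version_id

    def get(self, key):
        """The current version, which is all a normal client sees."""
        return self._versions[key][-1][1]

    def list_versions(self, key):
        return list(self._versions[key])

    def keys(self):
        return list(self._versions)

    def restore(self, key, version_id):
        """Make an older version current by writing it as a new version (the
        copy-from-version restore pattern); nothing in the history is destroyed."""
        for vid, data in self._versions[key]:
            if vid == version_id:
                return self.put(key, data)
        raise KeyError(f"{key}: no version {version_id}")


def shannon_entropy(data):
    """Bits per byte; plain text sits around 4-5, ciphertext approaches 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fake_encrypt(data, key=b"constructed-demo-key"):
    """Deterministic XOR with a SHA-256 keystream. Only a stand-in that makes
    the bytes look like ransomware output; not a real cipher."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed sample files; repeated so the entropy estimate is stable.
SAMPLE_FILES = {
    "docs/notes.txt": b"Quarterly planning notes: migrate VDI pool to IaaS first. " * 40,
    "docs/runbook.md": b"# Runbook\nRotate keys, check bucket policy, verify backups.\n" * 40,
}


def simulate_sync_after_infection():
    """Clean sync, then the same host syncs again after ransomware ran on it."""
    bucket = VersionedBucket()
    for key, data in SAMPLE_FILES.items():
        bucket.put(key, data)
    for key, data in SAMPLE_FILES.items():
        bucket.put(key, fake_encrypt(data))
    return bucket


def rollback_suspicious(bucket, threshold=7.0):
    """For every key whose current version looks encrypted, restore the newest
    earlier version that does not. Returns the keys that were rolled back."""
    rolled = []
    for key in bucket.keys():
        versions = bucket.list_versions(key)
        if shannon_entropy(versions[-1][1]) < threshold:
            continue
        for vid, data in reversed(versions[:-1]):
            if shannon_entropy(data) < threshold:
                bucket.restore(key, vid)
                rolled.append(key)
                break
    return rolled


if __name__ == "__main__":
    bucket = simulate_sync_after_infection()
    for key in bucket.keys():
        print(f"{key}: current entropy {shannon_entropy(bucket.get(key)):.2f}")
    print("rolled back:", rollback_suspicious(bucket))
```

The protective property is the append-only history, not the entropy check: that is only a heuristic (compressed or legitimately encrypted files score high too), so a real pipeline would combine it with sync timing and the extension changes typical of ransomware. Versioning also needs to be paired with something that stops the caller from deleting old versions, such as S3 Object Lock or MFA delete, because an attacker holding the sync credentials can otherwise purge the history as easily as it overwrote the current version.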