RansomCloud: ransomware hits back with a vengeance!

Ransomware – that’s history, right?

Granted, this nasty old malware that encrypts, scrambles or otherwise blocks access to your files and data – unless you pay out a hefty bribe – can make a serious mess of everything from local machines to company networks to national infrastructure (who can forget WannaCry?)

But now, computing’s all about the cloud! Files are stored there, applications live there, platforms are built there, and big, multinational tech experts look after it.

Hold files to ransom, when they’re in this remote, shielded, highly secure environment? Humbug.

Ransomware reinvented

Not so – and for two reasons.

Firstly, storing files in the cloud has never been a panacea against ransomware attacks, because the ransomware can often simply get to the data held in the cloud through the file structure on the user’s device – it’s a ready-mapped entry point!

Oh, and if you think cloud service providers back up that data, they don’t – it’s usually purged and gone forever after 30 days. A lot of cloud service providers offer no backup at all. Microsoft specifically state in the Office 365 terms of service, for example, that the data is YOUR responsibility, not theirs, making backup essential

But secondly, a still more sinister breed of threat has emerged that is specifically designed to hold cloud applications (including email) hostage – RansomCloud.

It’s already here in force, and already on the up. Industry intelligence reports that 28% of IT service providers surveyed have seen ransomware attacks in SaaS (cloud) applications, with around 50% reporting attacks in Office 365 specifically, and 22% in G Suite.

It looks very much like we need to get used to the idea that our ever-growing cloud use will make RansomCloud attacks the ‘new normal’.

How does RansomCloud differ from ‘traditional’ ransomware?

In essence, RansomCloud uses techniques adapted from ‘traditional’ ransomware to exploit weaknesses and opportunities that are specific to cloud services.

So, whereas traditional ransomware would either use an infected attachment (like a spoof invoice) or a phishing link in a massive, widescale attack, RansomCloud attacks take a more targeted ‘spear phishing’ approach, to focus on specific users and identities.

The process that is then triggered by the phishing link often involves displaying a page that looks like a service update from a bona fide provider, and on this page the user is duped into giving the attacker credentials and permissions.

This plays right into the underlying rationale behind the cloudward evolution of ransom attacks – namely, that if the attacker can access one cloud-delivered service (say, OneDrive) then they can access others in the same stable (for example, Outlook email) without requiring a separate login and permissions – giving them for more data and file types to block, encrypt, or delete.

To see how exactly how RansomCloud works, ethical hacker Kevin Mitnick takes you through it step by step in this video. Take a deep breath as, one by one, the hapless user’s emails are visibly encrypted in real-time!

How much of a threat is RansomCloud?

If you watched the video above, you probably already have a feel for this.

But putting a monetary value on risk always focuses the mind, so consider this: in independent research published by Vanson Bourne in 2018, ransom attacks were costing UK businesses £346 million per annum to their bottom line.

Add to this the fact that, in the same period, 40% of UK companies reported falling to an average of five such attacks.

And now think on the fact that cloud application use is growing day by day – and UK businesses are near the top of the European league for cloud adoption, according to a recent report from Eurostat.

Put together, these form a very powerful argument to suggest that RansomCloud is a gathering storm that – if ignored – could rain very heavily on your parade.