Ransomware attacks are changing. As they move to a new cloud-based format, it is imperative that businesses, organizations, and individuals safeguard themselves.
In a recent statement, Microsoft announced that the hacker group Storm-0501 has stepped up its use of cloud-based ransomware attacks, signalling a shift from its more traditional endpoint-based attacks. The group does this by taking large amounts of data and then destroying it, along with all backups, within the environment from which it was taken. The attackers then demand payment in exchange for the seized information. This can be done quickly and without the use of traditional malware.
Storm-0501's New Method of Attack
This shows the importance of increasing cloud security, both for individuals and businesses. You can find cloud security explained simply online, with breakdowns of some of the most dangerous threats, ranging from data breaches to insider threats and account hijacking. Crucially, such guides also detail the key components of cloud security.
Intrusions into the cloud using this method involved the exploitation of vulnerabilities in Microsoft Defender. The attack spanned several Active Directory domains and made use of Directory Synchronization Accounts and a Global Administrator account. From there, according to Microsoft Threat Intelligence, the attackers carried out a series of takeovers and targeted Azure, Microsoft's own cloud computing service for building applications and services on the web.
A systematic theft of sensitive data followed. Storage snapshots, restore points, and recovery services were disabled. Where data could not be deleted from recovery services, the attackers encrypted it using new keys, a hybrid strategy combining old and new methods. The ransom demands were delivered through Microsoft Teams, with individuals contacted via a series of compromised accounts.
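The pattern described above (snapshots, restore points and recovery services being removed in quick succession) is something a defender can watch for in the Azure Activity Log. The following Python script is an added example, not code from the original article or from Microsoft's reporting: it scans simplified Activity Log-style records, constructed here as sample data, and flags any single identity that performs several successful backup-destroying operations within a short window. The record shape, the caller and resource names, the subscription placeholder and the 10-minute/3-operation thresholds are assumptions for illustration; the operation names are standard Azure resource-provider operation names.

```python
"""Flag bursts of backup-destroying operations by one identity.

Added example: scans simplified Azure Activity Log-style records (the
constructed sample data below, not real telemetry) for snapshots, restore
points, Recovery Services vaults and storage accounts being deleted in
quick succession by a single account.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Azure resource-provider operations whose success removes a recovery option.
DESTRUCTIVE_OPS = {
    "Microsoft.Compute/snapshots/delete",
    "Microsoft.Compute/restorePointCollections/delete",
    "Microsoft.RecoveryServices/vaults/delete",
    "Microsoft.Storage/storageAccounts/delete",
}

# Constructed sample records, one JSON object per line. Callers, resource
# names and the subscription id (SUB-ID) are placeholders, not real values.
SAMPLE_LOG = """\
{"eventTimestamp": "2025-08-27T09:15:00Z", "caller": "ops-admin@contoso.example", "operationName": "Microsoft.Compute/snapshots/delete", "status": "Succeeded", "resourceId": "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Compute/snapshots/vm07-snap-old"}
{"eventTimestamp": "2025-08-27T09:16:00Z", "caller": "ops-admin@contoso.example", "operationName": "Microsoft.Compute/virtualMachines/write", "status": "Succeeded", "resourceId": "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm07"}
{"eventTimestamp": "2025-08-27T10:00:05Z", "caller": "sync-svc@contoso.example", "operationName": "Microsoft.Compute/snapshots/delete", "status": "Succeeded", "resourceId": "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Compute/snapshots/vm01-snap"}
{"eventTimestamp": "2025-08-27T10:01:10Z", "caller": "sync-svc@contoso.example", "operationName": "Microsoft.Compute/restorePointCollections/delete", "status": "Succeeded", "resourceId": "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Compute/restorePointCollections/rpc-prod"}
{"eventTimestamp": "2025-08-27T10:03:40Z", "caller": "sync-svc@contoso.example", "operationName": "Microsoft.RecoveryServices/vaults/delete", "status": "Failed", "resourceId": "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.RecoveryServices/vaults/rsv-prod"}
{"eventTimestamp": "2025-08-27T10:04:12Z", "caller": "sync-svc@contoso.example", "operationName": "Microsoft.RecoveryServices/vaults/delete", "status": "Succeeded", "resourceId": "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.RecoveryServices/vaults/rsv-prod"}
{"eventTimestamp": "2025-08-27T10:06:55Z", "caller": "sync-svc@contoso.example", "operationName": "Microsoft.Storage/storageAccounts/delete", "status": "Succeeded", "resourceId": "/subscriptions/SUB-ID/resourceGroups/rg-prod/providers/Microsoft.Storage/storageAccounts/stbackupprod"}
"""


def parse_records(text):
    """Parse newline-delimited JSON records and attach a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def find_destruction_bursts(records, window_minutes=10, threshold=3):
    """Return one finding per caller for each window holding >= threshold hits.

    Only succeeded operations count: a failed delete is worth logging but did
    not remove a backup. Records are grouped by caller and scanned with a
    sliding window, so a slow, spread-out cleanup by an admin is not flagged.
    """
    window = timedelta(minutes=window_minutes)
    by_caller = defaultdict(list)
    for rec in records:
        if rec["operationName"] in DESTRUCTIVE_OPS and rec["status"] == "Succeeded":
            by_caller[rec["caller"]].append(rec)

    findings = []
    for caller, events in by_caller.items():
        events.sort(key=lambda r: r["time"])
        i = 0
        while i < len(events):
            j = i
            while j + 1 < len(events) and events[j + 1]["time"] - events[i]["time"] <= window:
                j += 1
            burst = events[i:j + 1]
            if len(burst) >= threshold:
                findings.append({
                    "caller": caller,
                    "start": burst[0]["eventTimestamp"],
                    "end": burst[-1]["eventTimestamp"],
                    "count": len(burst),
                    "operations": sorted({e["operationName"] for e in burst}),
                    "resources": [e["resourceId"] for e in burst],
                })
                i = j + 1  # do not report the same events twice
            else:
                i += 1
    return findings


def scan(text=SAMPLE_LOG):
    """Convenience wrapper: parse and analyse a log text in one call."""
    return find_destruction_bursts(parse_records(text))


if __name__ == "__main__":
    for f in scan():
        print(f"ALERT {f['caller']}: {f['count']} destructive operations "
              f"between {f['start']} and {f['end']}")
        for op in f["operations"]:
            print("   ", op)
```

On the sample data the admin who deletes one old snapshot is ignored, while the synchronisation account that removes a snapshot, a restore point collection, a Recovery Services vault and a storage account inside seven minutes is reported once. In a real deployment the same logic would run over exported Activity Log data, and the thresholds would be tuned to the tenant's normal change rate.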
Who is Storm-0501?
Storm-0501 is a threat actor: any individual or collective that causes harm to digital networks, usually through cybercrime activities such as hacking, data theft, extortion, and ransomware attacks. The group has been active since at least 2021, when it attempted to steal $131 million from the Brazilian bank Evertec. It has also targeted several US school districts. Originally, its method was to deploy ransomware known as Sabbath, but it has since joined several ransomware-as-a-service platforms.
Last year, Microsoft announced that the group had moved from on-premises ransomware attacks to hybrid cloud structures. During this change, it used backdoors through federated domains or encrypted on-premises devices. The latter is a method it is now moving away from, choosing instead to focus its attacks on the cloud.
The difference between the two methods is that with on-premises ransomware, Storm-0501 uses malware to encrypt vital files on compromised networks and then sets a ransom for the encryption key. Cloud-based ransomware differs in that it takes data, stores it, and then deletes it from the victim's environment. Those paying the ransom are therefore paying to get the data back, as opposed to unlocking it from encryption. This new method does not require any malware deployment.
The Fundamentals of Cloud Security
Cloud security is not always something that should be left to providers alone. There are plenty of internal changes and systems you can put in place that will help safeguard you from cloud-based ransomware attacks.
The first is to create an inventory of assets and make sure all data is backed up. Data and assets can then be classified by their sensitivity and importance, and by how much damage it would cause if each were compromised. From there, you can consider the threats to each asset and the damage it would cause if lost or exposed.
Once you have a hierarchy, you can begin to manage user access rights. Access controls should be put in place, with the most sensitive assets only accessible to senior parties in the organization. Staff should be trained on their access levels and how to secure them, no matter how far down the chain they are.
Even with the best-laid plans, your system may still be breached, so it helps to plan for when that eventually happens. Form an incident response team to create a response process, and make sure it has a mix of skills, from public relations to technical experts. Carry out dry runs, and continually update processes as lessons are learned.
Traditional ransomware encryption techniques are increasingly intercepted and blocked before they can encrypt devices, thanks to better technologies for defending against and detecting them, along with awareness and education. The shift described above is a direct result: threat actors are pivoting away from these methods to cloud-based theft.
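The inventory, classification and access-control steps above can be turned into a repeatable check. The following Python script is an added example, not part of the original article: it runs two audits over a constructed asset inventory and grant list, flagging assets with no backup or with backups that live only inside the same environment the attackers would wipe, and flagging grants that give a role access to an asset above its clearance tier. The tier names, role clearances, asset names and grants are all assumptions for illustration.

```python
"""Audit an asset inventory for missing backups and over-privileged access.

Added example (not from the article): turns the steps above - inventory,
classification, backups, tiered access - into checks that run against a
constructed inventory. Tiers, roles, assets and grants are illustrative.
"""

# Sensitivity tiers, lowest to highest. The ordering drives both checks.
TIER_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Highest tier each role may access: the least-privilege baseline (assumed).
ROLE_CLEARANCE = {
    "executive": "restricted",
    "manager": "confidential",
    "staff": "internal",
    "contractor": "public",
}

# Constructed inventory. "backups" lists where copies live; an attacker who
# wipes backups inside the environment cannot reach an isolated copy.
ASSETS = [
    {"name": "customer-db", "tier": "restricted", "backups": ["same-environment", "offline-isolated"]},
    {"name": "hr-files", "tier": "confidential", "backups": ["same-environment"]},
    {"name": "marketing-site", "tier": "public", "backups": []},
    {"name": "finance-ledger", "tier": "restricted", "backups": []},
]

# Constructed grants: (principal, role, asset).
GRANTS = [
    ("alice", "executive", "customer-db"),
    ("bob", "staff", "hr-files"),
    ("carol", "manager", "hr-files"),
    ("dave", "contractor", "finance-ledger"),
]


def audit_backups(assets):
    """Flag assets with no backup, or whose only copies share the environment."""
    findings = []
    for asset in assets:
        if not asset["backups"]:
            findings.append({"kind": "no-backup", "asset": asset["name"], "tier": asset["tier"]})
        elif all(location == "same-environment" for location in asset["backups"]):
            findings.append({"kind": "backup-not-isolated", "asset": asset["name"], "tier": asset["tier"]})
    return findings


def audit_access(assets, grants, clearance=ROLE_CLEARANCE):
    """Flag grants where the role's clearance is below the asset's tier."""
    tier_of = {asset["name"]: asset["tier"] for asset in assets}
    findings = []
    for principal, role, asset in grants:
        if TIER_RANK[tier_of[asset]] > TIER_RANK[clearance[role]]:
            findings.append({
                "kind": "over-privileged",
                "principal": principal,
                "role": role,
                "asset": asset,
                "tier": tier_of[asset],
                "role_clearance": clearance[role],
            })
    return findings


def run_audit(assets=ASSETS, grants=GRANTS):
    """Run both audits and order findings by asset tier, most sensitive first."""
    findings = audit_backups(assets) + audit_access(assets, grants)
    findings.sort(key=lambda f: -TIER_RANK[f["tier"]])
    return findings


if __name__ == "__main__":
    for finding in run_audit():
        print(f"[{finding['tier']:<12}] {finding['kind']:<20} {finding['asset']}"
              + (f" via {finding['principal']} ({finding['role']})" if "principal" in finding else ""))
```

Running it against the sample inventory lists the restricted finance ledger with no backup first, then the contractor who has been granted access to it, and so on down the tiers, which is the order an incident response team would want to work through them.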
Conclusion
As a business owner or CEO, you must ensure you prepare. It is not enough to rely on your providers alone. Start to implement the internal procedures documented above, and you will go a long way toward ensuring that your company is secure. Even if breaches do occur, you will have the protocols in place to limit the damage.