Full Report
The latest Palo Alto Networks Unit 42 Cloud Threat Report found that sensitive data is present in 66% of cloud storage buckets. This data is vulnerable to ransomware attacks. The SANS Institute recently reported that these attacks can be performed by abusing the cloud provider’s storage security controls and default settings. “In just the past few months, I have witnessed two different methods for
Analysis Summary
# Incident Report: Cloud Storage Ransomware Leveraging Native Encryption
## Executive Summary
This summary outlines observed threat actor tactics leveraging legitimate, native cloud security features to execute ransomware operations against cloud storage buckets. Attackers have successfully encrypted data by manipulating cloud encryption key management mechanisms (like AWS S3 SSE-C or KMS keys with external key material) to deny access to the victim organization. The primary impact is data inaccessibility, highlighting the critical need for organizations to understand the default configurations and limitations of their cloud storage security controls.
## Incident Details
- Discovery Date: Within the past few months (as reported by SANS/Unit 42)
- Incident Date: Ongoing observation period (Recent instances identified)
- Affected Organization: Multiple organizations using major cloud providers (AWS specifically mentioned)
- Sector: Unspecified (Applicable to any organization using vulnerable cloud storage configurations)
- Geography: Global (Related to major cloud providers)
## Timeline of Events
### Initial Access
- Date/Time: Not explicitly detailed, occurs prior to encryption phase.
- Vector: Abusing legitimate cloud provider storage security controls and default settings. Specific methods observed include leveraging **AWS S3 SSE-C** (Server-Side Encryption with Customer-Provided Keys) and **AWS KMS keys with external key material**.
- Details: Attackers use the access rights they already hold in the cloud environment to encrypt bucket contents with keys they control or can manipulate. The legitimate owner never holds those keys (SSE-C keys are supplied per request and not retained by the provider; external KMS key material can be deleted by the attacker), so the data is inaccessible as soon as the attacker withholds or destroys the key.
### Lateral Movement
- Not explicitly detailed; focus is on direct interaction with storage security policies and encryption mechanisms that the attacker can control.
### Data Exfiltration/Impact
- Impact: Data rendered unusable/inaccessible via ransomware encryption mechanism.
- Details: In one disclosed campaign, lifecycle policies were reportedly leveraged post-encryption to pressure victims into quicker ransom payment by threatening the permanent deletion of data versions/backups.
### Detection & Response
- Detection: Reported by security researchers (Halcyon, Chris Farris) and SANS through observation of novel attack methodologies.
- Response: The article focuses on **proactive recommendations** rather than post-incident response, suggesting the immediate response should focus on recovering data via native controls.
## Attack Methodology
- Initial Access: Exploitation of misconfigurations or unintended usage of legitimate cloud security features.
- Persistence: Not explicitly detailed, but likely tied to maintaining control over the necessary cloud IAM roles/keys to execute encryption.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: By utilizing *legitimate cloud security features* (SSE-C, KMS configurations), the attack traffic may blend in with expected API calls.
- Credential Access: Not explicitly detailed, requires sufficient permissions to modify storage encryption settings.
- Discovery: Not explicitly detailed.
- Lateral Movement: Not explicitly detailed.
- Collection: Data is targeted but not necessarily exfiltrated; the primary goal is denial of access via encryption.
- Exfiltration: Not the primary focus of the reported attacks, which concentrate on ransomware/denial of access.
- Impact: Unauthorized encryption of sensitive data in cloud storage buckets.
## Impact Assessment
- Financial: Unknown, but potentially high due to ransom payment demands and recovery costs.
- Data Breach: Sensitive data located in 66% of cloud buckets is theoretically vulnerable to this form of locking/downtime.
- Operational: High risk of business disruption due to inaccessible, essential cloud-stored data.
- Reputational: High, especially if recovery is difficult or data loss is permanent.
## Indicators of Compromise
- Network indicators: None provided (Defanged: N/A)
- File indicators: None provided (Focus is on API/configuration changes)
- Behavioral indicators: Anomalous modification of encryption settings (e.g., AWS S3 SSE-C configuration changes, changes to KMS key usage policies).
## Response Actions
*Based on SANS Recommendations for Future Mitigation:*
- Containment: Immediate review and locking down of IAM policies governing storage encryption key management.
- Eradication: Not specified for this type of attack, but would involve reverting malicious encryption settings if possible.
- Recovery: Utilizing object versioning and backups (if enabled and unaffected) to restore data integrity.
## Lessons Learned
- Cloud adoption does not inherently guarantee security; understanding service-specific configurations is critical.
- Reliance on default cloud service settings, especially for services like S3, Azure Storage, or Google Cloud Storage, leaves organizations vulnerable as features like object versioning or locking are often *not* enabled by default.
- Native cloud encryption mechanisms (like SSE-C or external key material) can be powerful attack vectors when the keys fall under attacker control.
## Recommendations
1. **Mandate Secure Encryption:** Use IAM policies to enforce specific, controlled encryption mechanisms (e.g., mandate SSE-KMS using internally managed keys) and block the use of customer-provided keys (SSE-C) or external key material that attackers can easily manipulate.
2. **Enable Availability Controls:** Immediately enable and regularly test **object versioning**, **object locking**, and **backups** for all critical cloud storage buckets, as these are the primary defense against ransomware-driven data loss: versioning and locking preserve immutable copies that an attacker-controlled key cannot overwrite.
3. **Review Lifecycle Policies:** Analyze existing data lifecycle policies, as attackers may leverage them to accelerate the ransomware timeline by deleting older versions or backups.
4. **Educate on Cloud Limitations:** Train security staff that file backup solutions (like OneDrive) differ significantly from core storage services (like S3/Azure Storage) regarding default availability features.
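As an added example (not part of the SANS article or the report above), here is the preventive and detective side of recommendations 1 to 3 and the behavioural indicators in Python: a bucket-policy builder that refuses SSE-C uploads and requires one approved SSE-KMS key, plus a triage function run over constructed CloudTrail-style events. The key ARN, bucket name and principals are placeholders, and the `SSEApplied` field is assumed to be the CloudTrail marker for SSE-C object writes.

```python
# Constructed placeholder values; substitute your own bucket name and KMS key ARN.
APPROVED_KMS_KEY_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

def build_bucket_policy(bucket, kms_key_arn=APPROVED_KMS_KEY_ARN):
    """Recommendation 1 as a bucket policy: deny any upload carrying an SSE-C header,
    and deny uploads that do not name the one approved SSE-KMS key."""
    objects = f"arn:aws:s3:::{bucket}/*"
    deny = {"Effect": "Deny", "Principal": "*", "Action": "s3:PutObject", "Resource": objects}
    return {"Version": "2012-10-17", "Statement": [
        # Null:false = "header is present": every customer-provided-key request is refused
        dict(deny, Sid="DenyCustomerProvidedKeys", Condition={"Null": {
            "s3:x-amz-server-side-encryption-customer-algorithm": "false"}}),
        # A missing header also fails StringNotEquals, so clients must name the key explicitly
        dict(deny, Sid="RequireApprovedKmsKey", Condition={"StringNotEquals": {
            "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}}),
    ]}

# CloudTrail event names that alter the availability controls of recommendations 2 and 3.
CONTROL_PLANE_EVENTS = {"PutBucketEncryption", "PutBucketVersioning", "PutObjectLockConfiguration",
                        "PutBucketLifecycle", "DeleteBucketLifecycle"}

def triage_cloudtrail(events):
    """One finding per event matching the behavioural indicators: an SSE-C object write,
    or a change to encryption/versioning/object-lock/lifecycle settings."""
    findings = []
    for ev in events:
        name = ev.get("eventName", "")
        who = ev.get("userIdentity", {}).get("arn", "unknown")
        bucket = ev.get("requestParameters", {}).get("bucketName", "unknown")
        sse = ev.get("additionalEventData", {}).get("SSEApplied")  # assumed field name
        if name in ("PutObject", "CopyObject") and sse == "SSE_C":
            findings.append(f"SSE-C write to {bucket} by {who}")
        elif name in CONTROL_PLANE_EVENTS:
            findings.append(f"{name} on {bucket} by {who}")
    return findings

# Constructed sample events (not real telemetry): a benign SSE-KMS write, an SSE-C copy,
# and a lifecycle change by the same principal.
def _ev(name, user, sse=None):
    ev = {"eventName": name, "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
          "requestParameters": {"bucketName": "corp-data"}}
    if sse:
        ev["additionalEventData"] = {"SSEApplied": sse}
    return ev

SAMPLE_EVENTS = [_ev("PutObject", "ci-deploy", "SSE_KMS"),
                 _ev("CopyObject", "contractor", "SSE_C"),
                 _ev("PutBucketLifecycle", "contractor")]
```

Serialize the policy with `json.dumps` and apply it with `aws s3api put-bucket-policy`, trying it on a non-production bucket first because the second statement also rejects uploads that omit the KMS key header.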