Why are hyperscale and multi-cloud environments vulnerable to ransomware?
Unlike traditional, on-premises infrastructures, hyperscale and multi-cloud environments expand an organization’s digital footprint by creating new access points. This increased attack surface makes securing cloud infrastructures a challenge. Understanding the steps malicious actors take to successfully attack hyperscale and multi-cloud environments can help organizations adopt a more proactive approach to mitigating data breach risk. Consider the following scenarios:
Social engineering
Most ransomware attacks start with social engineering. Social engineering attacks prey on the end-user’s trust, emotions, and common decency to entice them into taking an action that’s against their best interests. All types of ransomware attacks require end-users to take an action, like clicking a link, that sets the process in motion.
This is especially true in times of uncertainty. An August 2020 report from INTERPOL noted that malicious actors used people’s fear of COVID-19 as part of their attacks. That fear, combined with the lack of reliable COVID-19 information during that period, made people more susceptible to social engineering. This isn’t the only way that social engineering works, however - a malicious actor could pose as your boss sending you an employee appreciation gift card, or as a contractor who is trying to fix your HVAC (heating, ventilation and air conditioning) system.
Even if employees are trained to recognize malware and ransomware, social engineering preys on their trust and emotions, making them more likely to ignore, or comply with, a request that they know they should report as a potential threat.
Executable ransomware
With executable ransomware, the end-user clicking on the document or link triggers the malicious code to write a file to the disk. This is what people usually understand as a computer "trojan." The "fake anti-virus" trojan is a typical example of this type of ransomware: end-users are notified that a threat has been detected on their computer and are led to do an internet search for "antivirus" to resolve it. They may then find "free" software online, download it, and install it.
Unfortunately, what they have downloaded and installed is ransomware that executes once installed. The trojan has now been written to their machine, typically in a hidden location. From there, it could take a few minutes or a few months for the ransomware to spread across your network, and on the malicious actor’s cue, it will execute.
Fileless attacks
Fileless ransomware runs inside native, legitimate system tools rather than installing itself as a separate program. When the end-user clicks on the link or document, they download the ransomware code. However, unlike the trojan, they do not need to install the ransomware for it to affect their device. In a fileless attack, the malicious code uses a native scripting capability, like macros, or runs entirely from the device’s memory. This is why an unfamiliar spreadsheet that uses a macro to replicate a series of actions, or a PDF with embedded code in it, can be dangerous.
Since fileless attacks do not need to write anything to a disk, they are increasingly common in hyperscale infrastructures. They hide inside legitimate applications, like Microsoft Word, which means that any web-based application, storage location, or database is at risk. Undetected, the fileless malware embeds its code into a centralized source, like an operating system running a server. From there, it can remain undetected until it encrypts and exfiltrates much of the data belonging to your organization.
Even more disconcerting, fileless ransomware leaves little forensic evidence because it does not save anything to the device’s disk. Therefore, during the investigation and recovery process, security analysts have a hard time finding and removing it.
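Because fileless ransomware leaves little on disk, defenders usually look for it in process telemetry instead: the tell-tale pattern described above is a document-handling application (such as Microsoft Word) spawning a native script host. The following is an added example, not code from the original article, of a small detection heuristic run over constructed process-creation log lines. The key=value line format, the Sysmon-style field names (ParentImage, Image, CommandLine), the application and script-host lists, and the sample events are all assumptions for illustration.

```python
"""Flag process-creation events where an Office application spawns a script host.

Added illustration, not part of the article. Log lines are constructed samples in a
simplified key=value form loosely modelled on Sysmon Event ID 1 fields; a real pipeline
would parse its own event format and tune the lists below to its environment.
"""
import re
from dataclasses import dataclass

# Applications that commonly host macros or embedded content (assumed list).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Native script hosts / interpreters that fileless payloads lean on (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line traits that suggest a hidden or in-memory payload (assumed heuristics).
SUSPICIOUS_ARGS = [
    re.compile(r"-e(nc(odedcommand)?)?\s", re.I),            # -e / -enc / -EncodedCommand
    re.compile(r"(downloadstring|invoke-expression|\biex\b)", re.I),
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),
]

# Constructed sample telemetry: one benign Word launch, one Word->PowerShell event with
# a hidden window and an encoded (placeholder) command, one benign cmd, one Excel->cmd
# event, and one unrelated rundll32 launch.
SAMPLE_LOG = """\
ParentImage=C:\\Windows\\explorer.exe Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE CommandLine="WINWORD.EXE" /n "C:\\Users\\alice\\Downloads\\invoice.docm"
ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe -w hidden -enc QUFBQQ==
ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c dir
ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c wscript.exe report.vbs
ParentImage=C:\\Windows\\System32\\svchost.exe Image=C:\\Windows\\System32\\rundll32.exe CommandLine=rundll32.exe shell32.dll,Control_RunDLL
"""

LINE_RE = re.compile(r"ParentImage=(?P<parent>.*?) Image=(?P<image>.*?) CommandLine=(?P<cmd>.*)$")


@dataclass
class Finding:
    parent: str
    child: str
    severity: str
    reason: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_line(line: str):
    """Split one key=value log line into its fields; None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def score_event(ev: dict):
    """Return a Finding when an Office app spawns a script host, else None."""
    parent, child, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmd"]
    if parent not in OFFICE_APPS or child not in SCRIPT_HOSTS:
        return None
    hits = [p.pattern for p in SUSPICIOUS_ARGS if p.search(cmd)]
    severity = "high" if hits else "medium"   # parent/child pair alone is medium; args raise it
    reason = f"{parent} spawned {child}"
    if hits:
        reason += " with suspicious args: " + ", ".join(hits)
    return Finding(parent, child, severity, reason)


def scan(log_text: str):
    """Run the heuristic over every line of a log and collect findings in order."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        finding = score_event(ev)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity.upper()}] {f.reason}")
```

The rule deliberately ignores Office applications spawning anything other than a script host, and it rates a bare parent/child match only medium; the command-line heuristics are what lift an event to high. Whatever telemetry source you use, the point is the same as in the text above: with nothing written to disk, the parent/child relationship and the command line are often the only evidence that survives.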