The ransomware crisis keeps getting worse, with most companies and organizations experiencing a ransomware attack in 2021. The cybersecurity situation is even more dangerous for cloud service providers, because of the number of clients they serve. If a hacker gains access to a normal corporate network, they’ve compromised one company, but if they can infiltrate a cloud service provider, they can potentially access the networks of dozens or even hundreds of companies.
This trend has been further energized by a shift in the way ransomware gangs operate. In the past, the main focus of ransomware was to shut down businesses, putting financial pressure on victims to pay the ransom. More recently, however, there has been more emphasis on stealing sensitive data and threatening to release it to the public.
Cloud service providers are prime targets for such attacks because it’s possible to collect huge amounts of data at once. Instead of breaking into a corporate network and looking for sensitive data, hackers can look at a much wider data set, searching for anything that might be harmful to companies if released to the public.
Financial data, medical and legal records, usernames and passwords, and trade secrets are all prime targets. This highlights the fact that a great deal of the increased security burden that comes with a worsening ransomware threat landscape will fall on cloud service providers.
Lockbit 2.0 attempts to corner the ransomware market
Lockbit 2.0 is a prime example of the move towards so-called “double extortion” attacks that focus on stealing data.
The ransomware market functions much like any legitimate market, with different ransomware developers competing to market their software to hackers. Developers advertise ransomware on underground hacking forums, and hackers who use it then share a percentage of their earnings with the developers.
In attempting to corner the market, Lockbit 2.0 has aggressively positioned itself with a number of features that make it faster than other ransomware variants, and also make “double extortion” easier.
As the ransomware threat grows, so too does the cybersecurity response. This puts pressure on ransomware designers to make their software faster and more efficient. Lockbit 2.0 uses an encryption method that encrypts only about 4 KB of data per file, just enough to render the file unusable. The Lockbit 2.0 team claims this makes it the fastest ransomware on the market.
It also includes special tools which automatically steal data as quickly as possible.
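The partial-encryption approach described above leaves a recognisable fingerprint: a file whose first few kilobytes are high-entropy ciphertext while the remainder is still readable plaintext. The following Python triage routine, added here as an illustration and not taken from the article or from any Lockbit analysis, classifies files on that basis. The 4096-byte region size comes from the article; the entropy thresholds and the sample files are constructed assumptions.

```python
import math
from collections import Counter
from random import Random

HEAD_BYTES = 4096      # region size the article says Lockbit 2.0 encrypts per file
HIGH_ENTROPY = 7.5     # bits/byte; ciphertext sits near 8.0 (assumed threshold)
LOW_ENTROPY = 6.0      # documents and source code sit well below this (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes) -> str:
    """Label a file body as 'partial', 'full' or 'clear'.

    'partial': high-entropy head, low-entropy tail (partial encryption signature)
    'full':    high entropy throughout, or a small file with no tail at all;
               note that legitimately compressed formats (zip, jpeg) land here too
    'clear':   everything else
    """
    head, tail = data[:HEAD_BYTES], data[HEAD_BYTES:]
    head_h = shannon_entropy(head)
    tail_h = shannon_entropy(tail) if tail else None
    if head_h >= HIGH_ENTROPY and tail_h is not None and tail_h <= LOW_ENTROPY:
        return "partial"
    if head_h >= HIGH_ENTROPY and (tail_h is None or tail_h >= HIGH_ENTROPY):
        return "full"
    return "clear"


# Constructed sample files: a plaintext report, the same report with its first
# 4096 bytes replaced by pseudo-random bytes, and a fully random blob.
_rng = Random(1234)
_random_bytes = lambda n: bytes(_rng.getrandbits(8) for _ in range(n))
TEXT = b"Quarterly revenue summary for the northeast region, prepared by finance.\n" * 200
SAMPLES = {
    "report.txt": TEXT,
    "report.txt.enc": _random_bytes(HEAD_BYTES) + TEXT[HEAD_BYTES:],
    "archive.bin": _random_bytes(len(TEXT)),
}


def triage(samples=SAMPLES) -> dict:
    """Return {filename: label} for every sample; 'partial' hits deserve a closer look."""
    return {name: classify(blob) for name, blob in samples.items()}
```

Run against a real share after an incident, the "partial" bucket separates files damaged by this kind of ransomware from both untouched documents and ordinary compressed archives, which is useful when prioritising restores from backup.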
Rising danger of insider threats
As companies have increased their anti-phishing measures and tightened up cybersecurity, hackers have also been looking for new ways to infiltrate networks. Lockbit 2.0 is one of the first gangs to pursue recruiting insiders as a way to break into networks.
Almost all ransomware variants replace the desktop wallpaper of affected systems with a ransom note containing the attacker’s contact information. Lockbit 2.0 has started to add an offer to company employees: help the hackers access corporate networks in exchange for a percentage of the profits.
The message promises the opportunity to earn millions and promises to protect the anonymity of the insider. This could be a tempting opportunity for a disgruntled employee to earn multiple years’ worth of salary quickly and easily. It is also yet another attack vector for employers and cybersecurity professionals to worry about.
Adapting to the changing threat landscape
So what can cloud service providers do to adjust to the new reality? Business as usual, unfortunately, is not an option. Nor is leaving security entirely to the security team: everyone in an organization needs a basic level of cybersecurity understanding.
AWS recently released ransomware mitigation guidelines for cloud service providers. The guidance emphasizes five main points:
- Encryption. With the rising threat of data theft and extortion, it’s more important than ever to implement measures to safeguard client data, backed by sound key management policies. Workflows should be segmented so that each process has only the minimum permissions required to do its job.
- Make data recoverable. A secure backup policy is essential to ransomware mitigation. Being able to restore encrypted data makes it much more difficult for ransomware hackers to shut you down, which severely reduces their ability to demand a ransom.
- Keep up to date with patches. Ransomware hackers are very quick to exploit any vulnerabilities that are leaked, so it’s important to have a regular update and patch schedule.
- Follow a security standard. Security standards developed by industry leaders provide a convenient metric for checking if your cybersecurity is up to snuff.
- Monitor and automate responses. The best way to stop a ransomware attack is to prevent the hacker from gaining access to your network. The next best thing is to detect if an intruder enters and stop them before they can do any damage. If unusual activity is detected, automating a shutdown of the network can limit the extent of the damage an attacker can do.
Technology has brought huge productivity gains to our lives, but it has also brought many challenges. Unfortunately, it seems that some of the gains digitization has brought us will have to be dedicated to maintaining a higher degree of vigilance in cyberspace.