Ransomware Realities: Exploring the Risks to Hybrid Cloud Solutions

Hybrid cloud frameworks offer a way for companies to combine the scalability of public clouds with the security and control of their private counterparts. Pandemic pressures have accelerated hybrid adoption. According to recent survey data, 61 percent of companies currently use or pilot hybrid clouds, while 33 percent have plans to implement hybrid options in the next two years. Meanwhile, research firm Gartner points to growing cloud ubiquity across enterprise environments driven by hybrid, multi-cloud, and edge environments.

Along with increased uptake, however, is a commensurate uptick in ransomware risks. With attackers leveraging the distributed nature of remote work environments to expand their attack impact, organizations must recognize potential challenges and develop frameworks to mitigate ransomware threats effectively.

What Are the Ransomware Risks of a Hybrid Cloud Environment?

Because hybrid clouds rely on a combination of public and private solutions, overall ransomware risks are effectively double.

Consider the recent ransomware attack on payroll provider Kronos. As noted by CPO Magazine, after details of the Java diagnostic tool Log4JShell vulnerabilities were made public on December 9th, hundreds of thousands of ransomware attacks were launched worldwide. One likely victim was Kronos, with the company’s private cloud forced offline after a ransomware attack leading to weeks of remediation. Private clouds are also under threat as attacks shift from outside to inside — even a single disgruntled employee with administrative access could wreak havoc on internal clouds by simply ignoring email protection warnings or clicking through on malicious links.

Public cloud providers, including Amazon Web Services (AWS), Google Cloud, and Azure, have begun publishing articles and offering resources to help mitigate the impact of ransomware in the cloud. While large-scale public cloud services have yet reported no major ransomware attacks, it’s a matter of when, not if, these attacks occur.

In practice, successful attacks on public or private clouds can lead to severe consequences.

Systems Downtime

Ransomware attackers encrypt key files and demand payment for release. As a result, the first line of defense against increasing attack impact is shutting down affected systems to focus on remediation. Cybercriminals may also pair ransomware efforts with dedicated denial of service (DDoS) attacks which force systems offline by overloading them with traffic volumes and resource requests, even as ransomware is deployed behind network lines.

Depending on the scale and severity of the attack, it could take days or weeks for IT teams to discover the full extent of the damage, remediate the issue and bring systems back online.

Monetary Loss

As noted by Dark Reading, the average ransomware payout hit $570,000 in the first quarter of 2021, more than $250,000 more than the 2020 average of $312,000.

But initial payouts are just the start of the problem. Even if attackers return control of critical files, companies must still spend time and money identifying the vulnerabilities that made ransomware attacks possible in the first place. Then, they must spend even more money remediating these issues and testing their new security frameworks.

There’s also the potential risk of costly data loss if enterprises choose not to pay and instead look to decrypt data using available security tools — or if they pay up and attackers aren’t true to their word. If security solutions aren’t able to remove ransomware before the deadline or criminals can’t (or won’t) decrypt data, companies are left with the daunting and expensive task of building data stores back up from scratch.

Reputation Damage

Eighty-eight percent of customers won’t do business with a brand they don’t trust to handle their data. Ransomware is a red flag when it comes to trust. Even if such attacks are inevitable, customers want to know that companies took every possible precaution to prevent data loss and need the confidence that comes with clear communication about the next steps.

As a result, the loss of data due to ransomware or the inability to articulate how information recovery will occur and how data will be better defended going forward can damage organizations. After a ransomware attack, businesses often face negative impacts on reputation, reduced customer confidence, and revenue losses.

Legal Challenges

Evolving regulations such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Payment Card Industry Data Security Standard (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA) all include provisions around the safe collection, storage, and use of data. Failure to comply with these regulations can lead to fines and legal challenges if ransomware attacks are successful.

Hybrid Cloud Security Measures

While it’s not possible to eliminate ransomware in hybrid cloud environments, there are steps you can take to reduce overall risk.

1. Deploying Offline Backups

If ransomware attacks are successful, malicious code can encrypt any connected devices. These include physically attached devices such as universal serial bus (USB) sticks or hard drives along with any online, cloud-connected drives across both public and private clouds.

To help mitigate this risk, it’s worth deploying secure offline backups that are not connected to internal hosts or external data sources once backup processes are complete. Consider a private cloud backup. To reduce ransomware impact, companies are best served by establishing a data backup schedule that includes provisions for device connection, data transfer, and device disconnection once the backup is complete. By utilizing multiple offline devices that are regularly backed up and then disconnected, businesses can ensure that data remains available even if primary systems are compromised by ransomware.

2. Implementing Two-Factor Authentication

Frustrating attacker efforts to gain network access can significantly reduce the risk of ransomware. Best bet? Start with two-factor authentication (2FA). While it remains relatively easy for attackers to compromise passwords using both social engineering and brute-force attacks, implementing 2FA solutions that leverage one-time text codes or biometric data can help protect networks even if account credentials are breached. What’s more, failed 2FA checks that accompany correct account information can signal to information technology (IT) teams that attack efforts may be underway, in turn allowing them to respond and remediate threats proactively.

Even more protection is available through multi-factor authentication (MFA) strategies that combine text codes and biometrics to frustrate attackers further. It’s also vital to create strong password policies that mandate regular password changes and include rules around required password length and the use of special characters or symbols to increase overall protection. While passwords remain one of the least secure forms of data defense, they’re not going anywhere. As a result, companies must address common password problems before they lead to compromise.

3. Disabling Well-Known Ports

While attackers are constantly developing new methods and leveraging newly-discovered vulnerabilities to distribute ransomware code, they’re also creatures of habit. If specific attack vectors continue to see success, they won’t abandon them simply because something new comes along.

Case in point: Ports connected to cloud services, such as ports 137-139, 445, and 3389, are common attack targets. By disabling these ports, businesses can remove some of the most-used ransomware distribution pathways, in turn forcing attackers to take more circuitous routes if they want to compromise and infect public and private cloud systems.

4. Turning off RDP

The remote desktop protocol (RDP) allows users to connect with another computer over a network connection and provides a graphical user interface to help streamline this process. The problem? Attackers can exploit insecure RDP deployments — which typically use transmission control protocol (TCP) port 3389 and UDP port 3389 — to access user desktops and, in turn, move laterally through corporate systems until they find and encrypt critical files.

While it’s possible to protect RDP with increased security measures, the collaborative nature of cloud deployments often makes it simpler to disable RDP up-front to reduce total risk.

5. Updating to SMB 3.1.1

The Server Message Block (SMB) provides a way for client applications to read and write to files and request server resources. Originally introduced for the disk operating system (DOS) as SMB 1.0, SMB has undergone multiple iterations, with the most current version being 3.1.1. To help protect cloud services from potential ransomware attacks, businesses must upgrade to version 3.1.1 and ensure that version 1.0 is fully disabled. Failure to do so could allow hackers to reactivate version 1.0 and leverage the WannaCry vulnerability to compromise systems and install ransomware.

6. Ensuring Encryption is Used for All Sessions

Encryption helps reduce the risk of compromise by making it harder for attackers to discover and exploit critical resources. Ideally, companies should use transport layer security (TLS) v1.3 for maximum protection. Much like SMB, it’s also important to disable TLS 1.0. Why? Because if TLS v1.0 is enabled, attackers could force your server to negotiate down to TLS v1.0, which could, in turn, allow an attack.

It’s also a good idea to boost encryption efficacy by using SSHv2.0 and disabling Telnet port 80 to frustrate common attacker pathways.

7. Prohibiting Macro-Enabled Spreadsheets

Macro-enabled Excel spreadsheets have long been a source of ransomware and other malicious code. If attackers can convince users to download and open these spreadsheets, criminals are then able to install malware droppers that in turn connect with command and control (C&C) servers to download ransomware.

Recent efforts see attackers sending emails to unsuspecting users indicating they’ve been the victims of credit card fraud. Customers call in, are directed to access a malicious website, and then download a macro-enabled spreadsheet that creates a ransomware backdoor on their device. To reduce the risk of ransomware, it’s a good idea to disable the use of macro-enabled spreadsheets across both in-house Microsoft Office and Office 365 deployments.

8. Increasing Total Visibility

Attackers rely on misdirection and obfuscation to install ransomware and encrypt key files. As a result, visibility is critical for security teams. The more they can see, the better they can pinpoint potential weaknesses and identify vulnerabilities.

The challenge? Increasing hybrid cloud adoption naturally leads to reduced visibility. With companies now using multiple private and public clouds to streamline operations, the sheer number of overlapping services and solutions in use makes it difficult to manage and monitor hybrid clouds at scale. To help address this issue, businesses need cloud security tools capable of delivering comprehensive and dynamic visualization that continually interprets access controls across cloud-native and third-party firewalls to help continuously validate security compliance.

9. Recognizing the Role of Due Diligence

No matter where your data is stored, you’re ultimately responsible for its protection. This is true regardless of the service you use. While your cloud provider may offer load balancing, availability, or storage services that help protect your data, due diligence around hybrid cloud security rests with data owners.

This means that if your provider suffers a breach, you bear responsibility if key security processes weren’t followed. As a result, it’s critical to vet any cloud security services provider before signing a service level agreement (SLA) and ensure robust internal backups exist if cloud providers are compromised, or last-mile connection failures interrupt cloud access.

Controlling Ransomware Risks in Your Hybrid Cloud

Unfortunately, it’s not possible to eliminate ransomware in hybrid clouds. Instead, effective cybersecurity in the cloud needs to focus on controlling the risk that comes with distributed data environments.

This starts with the basics, such as ensuring robust encryption, turning off commonly-used ports, and updating SMB and TLS software. It also requires the use of 2FA and MFA solutions coupled with staff education to ensure they recognize the impact of insecure passwords and practices — such as downloading compromised Excel spreadsheets — cloud security as a whole.

Finally, companies must recognize that ultimate responsibility for secure handling, storage, and use of data rests with them — and that the right cloud security services provider can make all the difference when it comes to reducing risk and enhancing defense in the hybrid cloud.

Want more info on ransomware? Check out this white paper on digital resilience and ransomware protection strategies.

Keep it Separate, Keep it Safe: How to Implement and Validate Cloud Network Segmentation

The distributed nature of cloud computing makes it a must-have for business, thanks to on-demand resource availability, network connectivity, and compute scalability.

But the cloud also introduces unique security challenges. First is a rapidly-expanding attack surface: As the number of connected third-party services powered by open-source code and APIs increases, so does the risk of compromise. According to the 2021 IBM Security X-Force Cloud Threat Landscape Report, more than 1,200 of the 2,500 known cloud vulnerabilities had been found within the proceeding 18 months. Additionally, 100 percent of penetration testing efforts by IBM X-Force teams found issues with cloud policies or passwords.

Cloud network segmentation offers a way for companies to reduce the risk of cloud threats. By dividing larger networks into smaller subnets — each of which can be managed individually — businesses can boost protection without sacrificing performance. Here’s how it works.

Why Is Cloud Network Segmentation Valuable to Network Security?

Cloud segmentation is part of larger defense-in-depth (DiD) security practices that look to lower total risk by creating multi-layered frameworks which help protect key data from compromise. DiD is built on the concept that there’s no such thing as a “perfect” security solution — since, with enough time and patience, attackers can compromise any protective process. By layering multiple security measures onto network access points or data storage locations, however, the effort required for compromise increases exponentially, in turn reducing total risk.

And by breaking larger cloud networks down into smaller subnets, the scale of necessary defense decreases, making it possible for teams to differentiate lower-risk subnets from those that need greater protection. Segmentation offers practical benefits for businesses.

Reduced Complexity

Segmenting larger cloud frameworks into smaller cloud networks allows teams to reduce the overall complexity that comes with managing cloud solutions at scale. Instead of trying to find one policy or process that works for cloud networks end-to-end — without introducing security risks to protected data or limiting users’ ease of access — teams can create purpose-built security policies for each network segment.

Increased Granular Control

Segmentation also offers more granular control over network defenses. For example, teams could choose to deploy next-generation firewall tools, such as those capable of discovering and analyzing specific user behaviors, or implement runtime application self-protection (RASP) functions on a case-by-case basis.

Improved Responsiveness

Smaller subnets additionally make it possible for IT professionals to identify and respond to security issues quickly. Here’s why: Given the geographically disparate nature of cloud services — one provider might house their servers locally, while another might be states or countries away — tracking down the root cause of detected issues becomes like finding a digital needle in a virtual haystack. While it’s possible using advanced detection tools and techniques, it could take days or weeks. Segmentation, meanwhile, allows teams to identify and respond to issues on a segment-by-segment basis quickly.

Enhanced Operations

Network segmentation also helps companies enhance operations by aligning with cloud security best practices such as zero trust. Under a zero trust model, user identity is never assumed; instead, it must be proven and verified through authentication. Segmentation makes it possible to apply zero trust where necessary — such as gaining access to network segments that store personally identifiable information (PII) or intellectual property (IP) — in turn helping streamline cloud access without introducing security risk.

How to Implement Network Segmentation

Network segmentation isn’t a new concept — companies have been leveraging physical segmentation of networks for years to reduce the impacts of a potential breach. As the name implies, this type of segmentation uses physical controls such as firewalls to create separate subnets and control traffic flows.

Cloud segmentation, meanwhile, comes with a bigger challenge: Creating network segments across digital environments that may be separated by substantial physical distance. As a result, cloud segmentation was often deemed too complex to work since the sheer amount of unique cloud services, solutions, and environments combined with the dynamic nature of cloud resources meant it was impossible to effectively portion out and protect these subnets.

With the right strategy, however, it’s possible for businesses to both segment and secure their cloud networks. Here, logical rather than physical segmentation is vital. Using either virtual local area networks (VLANs) or more in-depth network addressing schemes, IT teams can create logical subnetworks across cloud services that behave as if they’re physically separate, in turn increasing overall defense.

Worth noting? Validation of these virtual networks is critical to ensure protective measures are working as intended. In practice, this means deploying tools and technologies that make it possible to visualize access across all network environments — local or otherwise — to understand network topology and explore traffic paths. Validation also requires the identification and remediation of issues as they arise. Consider a subnet that includes multiple cloud services. If even one of these services contains vulnerabilities to threats such as Log4j, the entire subnetwork could be at risk. Regular vulnerability scanning paired with active threat identification and remediation is critical to ensure segmentation delivers effective security.

Closing the Cloud Security Gap with RedSeal

Cloud solutions offer the benefit of any time, anywhere access coupled with scalable, on-demand resources. But clouds also introduce unique security challenges around user access, data protection, and security threat monitoring.

As a result, protecting data in the cloud requires a defense-in-depth strategy that creates layers of protection rather than relying on a single service or technology to defend against evolving threats. Cloud network segmentation is one key component in this DiD strategy — by logically segmenting cloud services into smaller and more manageable networks, companies can reduce complexity, increase control and improve responsiveness.

But segmentation alone isn’t enough; enterprises also need the ability to visualize multiple micro-networks at scale, identify potential issues and quickly remediate concerns.

Ready to get started? Discover how RedSeal can help visualize, verify and validate your cloud network segmentation. Watch a Demo.