Ransomware Groups Use Cloud Services For Data Exfiltration

Cloud ransomware attacks have become a common approach from malicious actors to compromise the IT systems of their targets, according to SentinelOne.

Attackers are increasingly leverage cloud providers’ services to directly compromise their victims or exfiltrate data, according to a new report by SentinelLabs.

On the one hand, they target cloud-based storage services to compromise and extort victims. On the other, they use cloud services to exfiltrate the data they intend to ransom.

Alex Delamotte, a threat researcher at SentinelLabs, the cybersecurity provider’s research branch, published The State of Cloud Ransomware in 2024 on November 14.

Amazon’s Simple Storage Service and Microsoft Azure Blob Storage Targeted

Cloud services provide an advantage over endpoint and web server-based services by having a smaller attack surface.

However, the ubiquitous use of cloud services makes them attractive to attackers, who have developed new approaches to compromise them.

Despite being designed to securely store, manage, and retrieve large volumes of unstructured data at scale, cloud-based storage services, such as the Amazon Web Services (AWS) Simple Storage Service (S3) or Microsoft Azure Blob Storage, have become prime targets.

S3 buckets are one of the most referenced targets of malicious activity.

“The attacker takes advantage of an overly permissive S3 bucket where they have write-level access, which is often the result of misconfiguration or accessed in the targeted environment through other means, such as valid credentials,” Delamotte explained.

One technique exploits data retention measures implemented by cloud service providers (CSPs).

For example, AWS Key Management Service (KMS) defines a seven-day window between a key delete request and its permanent deletion, providing users with time to detect and rectify a cryptographic ransom attack against S3 instances.

Attackers are able to schedule a KMS key for deletion and be subject to the seven-day window before the key is permanently deleted in the victim’s environment.

They can leverage this in order to threaten victims with data deletion.

Another technique targets Amazon Elastic Block Store (EBS) volumes, which are highly available, durable block storage devices that you can attach to Amazon EC2 (Elastic Compute Cloud) instances, through a similar approach.

Typically, the attacker creates a new KMS key, creates a snapshot of the EBS volumes, encrypts the volumes and then deletes the original, unencrypted volume.

“This technique is still subject to the seven-day key deletion policy, which provides a window of opportunity for the customer to remediate before the key is deleted forever,” Delamotte added.

Leveraging Cloud Services to Exfiltrate Data

Additionally, several security providers have observed threat actors using cloud services to exfiltrate the data they intend to ransom.

“In September 2024, modePUSH reported that the BianLian and Rhysida ransomware groups are now using Azure Storage Explorer to exfiltrate data from victim environments instead of historically popular tools like MEGAsync and rclone,” reads the SentinelLabs report.

“In October 2024, Trend Micro reported that a ransomware actor mimicking the notorious LockBit ransomware group used samples that leverage Amazon’s S3 storage to exfiltrate data stolen from the targeted Windows or macOS systems.”

SentinelOne’s Mitigation Recommendations

To mitigate cloud-focused ransomware attacks, SentinelOne recommends two essential security measures:

• Use a cloud security posture management (CSPM) solution to discover and assess cloud environments and alert of issues such as misconfiguration and overly permissive storage buckets
• Always enforce good identity management practices, such as requiring multifactor authentication (MFA) on all admin accounts and deploy runtime protection against all cloud workloads and resources

Read now: Top 10 Infrastructure Elements of Ransomware-as-a-Service