Cloud Storage and Ransomware Recovery
Ransomware is malware that seizes important data, locks it with encryption, and demands a ransom for its return. Cloud storage is not immune to these attacks.
Cloud storage has helped organizations tremendously with large data storage needs while also adding a layer of protection. But the growing threat posed by ransomware has made system administrators and other professionals aware of security vulnerabilities, some of which are unique to cloud storage. Fortunately, the risk to cloud data from ransomware attacks can be minimized if adequate defensive strategies are followed.
Ransomware is a form of malware that maliciously encrypts or otherwise scrambles an organization’s or user’s files, rendering them unreadable until a ransom is paid to an attacker, often in the form of cryptocurrency or other difficult-to-trace electronic payment instrument. Upon receipt of the ransom payment, the attacker typically commits to unscrambling or decrypting the data and/or restoring associated services that may have been affected by the data’s unavailability.
A ransomware attack occurs when an attacker or attackers succeed in delivering or implanting ransomware software that executes and encrypts or scrambles data at a predetermined time.
Once an attack occurs, there are few defenses against it. Numerous organizations have actually paid ransoms to recover their data, but secure recoveries have not been possible in all cases. In many incidents, the attacker is never caught, and in more than a few, the data is never recovered, despite a ransom being paid. The more critical the data that gets affected, the more it can harm a business. Truly insidious attackers plan their moves months or even years in advance, hacking into systems until they can locate data they feel is valuable enough and vulnerable enough to execute an attack upon.
Even if an attack ultimately fails, the successful delivery or planting of ransomware in the first place is often perceived as a triumph for the attacker—as well as an embarrassment for the organization targeted by the attack.
In a best-case scenario where a ransom is paid and data is recovered, it’s still possible that the recovered information has been copied, sold, distributed, or otherwise used in a malevolent manner. Vulnerabilities may continue to exist, and attackers may feel emboldened to consider further attacks or elaborations thereof.
Just because cloud storage is remote, that doesn’t mean it’s inherently protected from ransomware attacks. Because cloud storage is commonly used as a backup for, or a substitute for, local storage, files that are encrypted on a local machine get synced with or transferred to the cloud, and the cloud copy is affected too.
In fact, as cloud storage and cloud backups become increasingly popular—especially for large organizations—ransomware is evolving to target cloud storage and cloud data specifically.
Fortunately, there are some positive attributes of cloud storage that offer advantages in terms of protection against and recovery from ransomware.
By its nature, cloud storage makes a tempting target for ransomware attackers. In general, any locations where there are large quantities of high-value data should be considered at risk. In many cases, significant caches of an organization’s most valuable information are stored in data lakes on cloud servers to make them widely and easily accessible. But this widespread accessibility and sharing translates to more opportunities for attackers to penetrate security defenses.
In many cases, whether intentionally or not, cloud data is relied upon by organizations to maintain business continuity. Because of this, some organizations may be willing to go to great lengths to recover this data in the event of an attack, and attackers are often aware of this.
Cloud storage is subject to different types of ransomware attacks:
File sharing services are attractive because they can enable efficient file exchanges and backups. But data that gets synced or backed up to the cloud can be scrambled or encrypted by ransomware before this happens, so the version that gets saved to the cloud can be scrambled or encrypted too. If the cloud version then becomes the primary file, other users may try to copy or use it; as such, they too will be affected.
RansomCloud attacks start with phishing emails to individual users. A user clicks on a benign-looking link or opens an attachment and is then prompted by a fake dialog box to log in to their cloud-based email account (in Microsoft Office 365, for instance). With the credentials the user has inadvertently handed over, the ransomware gains access to the cloud account and encrypts scores of messages, up to an entire inbox. It is not widely known that large providers such as Microsoft and Google do not back up their cloud-based services by default. Even a user who performs regular backups of their local systems almost never includes data stored in the cloud in those backups.
Ransomware can also target cloud service vendors. In August 2019, a Wisconsin-based company called Digital Dental Record (DDR) and its cloud service provider PercSoft told 400 of DDR’s customers—which were all dental practices—that PercSoft’s DDS Safe cloud platform for dental practices had been attacked by ransomware, meaning that much of the data for their dental surgeries had been encrypted. Fortunately, PercSoft was able to interrupt the attack as it was occurring, and much, though not all, of the data was able to be decrypted. But by targeting the cloud vendor, this attacker was able to inflict a particularly large amount of harm.
As opposed to traditional backup tools, which may rely on in-house backups that are recycled regularly by IT staff who have many additional responsibilities, cloud backup solutions are typically handled by service providers who are dedicated to just one function: remote storage and backup. Chances are they’ll do a better job.
Remember that both ransomware itself and data that gets encrypted or scrambled may go undetected for days or even weeks before a problem is noticed. With traditional backups that get recycled, an older backup may get overwritten before it’s discovered that a problem exists. With a cloud service provider, it’s much more likely that backups will be discrete and archived, so data can be restored more reliably.
Seagate® Lyve™ Cloud is a simple, efficient, always-on cloud storage service that comes with its own encryption capabilities, object versioning, and immutability options to defend data against ransomware, corruption, and deletion. With strict adherence to globally recognized security standards, Lyve Cloud features enterprise-grade identity management support, automatic data replication and encryption options for at-rest and in-flight states. Security is a core design tenet of the Lyve Cloud service that’s built into infrastructure, software, features, and processes, aligning with industry standards and third-party products such as Amazon Web Services (AWS) S3.
AWS S3 provides object storage using a web service interface. AWS S3 can be used to store any type of object used in internet apps, data archives, backup and recovery, disaster recovery, data lakes for analytics, and/or hybrid cloud storage. Each object is identified with a unique, user-assigned key.
Seagate Lyve Cloud is designed to be compatible out of the box with AWS S3. Users of Lyve Cloud can manage and create S3 buckets and enable object immutability and object versioning to make objects immutable for fixed periods of time. S3 requests are authorized according to an access control list connected to each bucket, and they support versioning (see below).
By using versioning, cloud storage administrators can, in many cases, overcome ransomware by restoring a backup version created before an attack occurred (and ideally before the ransomware was delivered and/or installed). Depending on the interval of the versioning, data loss may be minimal or even close to zero. Because this is a possible solution for ransomware attacks, it’s wise to activate and maintain it ahead of time, and even to perform test restores so you’re familiar with the entire process.
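To make the versioning-based recovery described above concrete, the following Python model of an S3-style versioned bucket with object-lock retention is an added example; it is constructed for this article, is not Lyve Cloud or AWS code, and makes no network calls. It walks through a constructed incident: two clean writes, an encrypted copy synced from a compromised client, an attempt to purge the pre-attack version that the retention lock refuses, a delete marker, and finally a restore that copies the last clean version forward as the new current version rather than rewriting history. The bucket class, version IDs, and timestamps are all assumptions made for the example.

```python
"""Model of S3-style object versioning plus retention (object lock) used to
recover from a ransomware overwrite. Constructed example: mirrors S3 semantics
(version IDs, delete markers, retain-until dates) but is not vendor code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from itertools import count
from typing import Dict, List, Optional


@dataclass
class ObjectVersion:
    version_id: str
    body: Optional[bytes]                    # None marks a delete marker
    written_at: datetime
    retain_until: Optional[datetime] = None  # object-lock retention, if any

    @property
    def is_delete_marker(self) -> bool:
        return self.body is None


class VersionedBucket:
    """Versioning-enabled bucket: every PUT or DELETE appends a version,
    nothing is overwritten in place, and locked versions cannot be purged."""

    def __init__(self, default_retention: Optional[timedelta] = None):
        self._versions: Dict[str, List[ObjectVersion]] = {}
        self._ids = count(1)                 # assumed version-id scheme: v1, v2, ...
        self._default_retention = default_retention

    def put(self, key: str, body: bytes, now: datetime) -> str:
        retain = now + self._default_retention if self._default_retention else None
        v = ObjectVersion(f"v{next(self._ids)}", body, now, retain)
        self._versions.setdefault(key, []).append(v)
        return v.version_id

    def delete(self, key: str, now: datetime) -> str:
        # A plain DELETE on a versioned bucket only adds a delete marker.
        v = ObjectVersion(f"v{next(self._ids)}", None, now, None)
        self._versions.setdefault(key, []).append(v)
        return v.version_id

    def delete_version(self, key: str, version_id: str, now: datetime) -> None:
        """Permanent removal of one version; refused while retention is active."""
        for v in self._versions.get(key, []):
            if v.version_id == version_id:
                if v.retain_until and now < v.retain_until:
                    raise PermissionError(f"{key}/{version_id} locked until {v.retain_until:%Y-%m-%d}")
                self._versions[key].remove(v)
                return
        raise KeyError(version_id)

    def get(self, key: str) -> Optional[bytes]:
        vs = self._versions.get(key, [])
        return vs[-1].body if vs else None   # None when absent or delete-marked

    def list_versions(self, key: str) -> List[ObjectVersion]:
        return list(self._versions.get(key, []))

    def last_clean_version(self, key: str, attack_start: datetime) -> ObjectVersion:
        """Newest real (non-delete-marker) version written before the attack window."""
        clean = [v for v in self._versions.get(key, [])
                 if not v.is_delete_marker and v.written_at < attack_start]
        if not clean:
            raise LookupError(f"no version of {key} predates {attack_start.isoformat()}")
        return clean[-1]

    def restore(self, key: str, version_id: str, now: datetime) -> str:
        """Restore by copying the old version forward as a new current version
        (the usual S3 pattern), so the full history stays available for forensics."""
        old = next(v for v in self._versions[key] if v.version_id == version_id)
        return self.put(key, old.body, now)


def simulate_recovery() -> dict:
    """Constructed incident timeline; returns the facts a test restore should confirm."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    bucket = VersionedBucket(default_retention=timedelta(days=30))
    key = "finance/ledger.csv"                           # assumed object key
    bucket.put(key, b"account,balance\nops,1000\n", t0)
    bucket.put(key, b"account,balance\nops,1200\n", t0 + timedelta(days=1))
    attack_start = t0 + timedelta(days=3)
    bucket.put(key, b"\x00ENCRYPTED\x00", attack_start)  # synced encrypted copy
    lock_blocked = False
    try:                                                 # purge attempt on the clean version
        bucket.delete_version(key, "v2", attack_start + timedelta(hours=1))
    except PermissionError:
        lock_blocked = True
    bucket.delete(key, attack_start + timedelta(hours=2))  # only a delete marker
    clean = bucket.last_clean_version(key, attack_start)   # recovery once detected
    bucket.restore(key, clean.version_id, t0 + timedelta(days=10))
    return {"current": bucket.get(key), "restored_from": clean.version_id,
            "lock_blocked_purge": lock_blocked, "versions_kept": len(bucket.list_versions(key))}


if __name__ == "__main__":
    print(simulate_recovery())
```

Two design points carry over to real buckets: the restore never deletes the encrypted or delete-marker versions, because they are evidence, and the retention period must be longer than the time an infection can sit undetected, otherwise the clean version may already be eligible for deletion when the attacker tries to purge it.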
Making multiple backup copies increases the chances of successful recovery from a ransomware attack. The more copies there are, the less likely it is that any one attack affects every copy. In the early 2000s, photographer Peter Krogh established the 3-2-1 strategy for backups, wherein two copies of data are local but stored on different media (one being the live production copy and the other a backup), while a third copy is stored remotely (preferably offsite) in another physical location. This strategy has become something of an industry standard. Today, 3-2-1 is still a worthwhile strategy, though keeping the two local copies on different media matters less as long as the copies are connected to each other minimally or not at all, so that a single infection cannot reach both.
While cloud storage solutions like Seagate Lyve Cloud and AWS S3 were developed with security in mind and follow industry standards set by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology, they’re constantly being upgraded and augmented with new technologies and processes to become even more secure from all types of attack methods—including ransomware.
For instance, Lyve Cloud is both ISO 27001- and SOC 2-certified, and Seagate has a roadmap for additional certifications in the future based on customer needs. Seagate’s mature Information Security Management System team consists of experienced data security industry veterans who have instituted strong processes, rigorous controls, and comprehensive safety policies governing the management of Lyve Cloud. This has resulted in a reliable, highly secure exabyte-scale storage service that is aligned with the Trust Services Criteria principles: security, processing integrity, availability, confidentiality, and privacy.
The Lyve Cloud development team has used best practices from leading standards and benchmarks to determine best-in-class hardening guidelines for the Lyve Cloud hardware and software stack. System and infrastructure deployments are managed via automated configuration management tools to ensure compliance with desired state and hardening standards. This allows for consistent security and configurations while supporting rapid scaling of service.
Lyve Cloud was designed with massive-scale multitenancy in mind from the beginning. Service/process isolation and strict network segmentation yield multiple layers of security controls. A highly resilient and available infrastructure supports customers’ tenant-isolated components, such as encryption, key management, core object storage, and the application programming interface (API) gateway. Lyve Cloud has been thoroughly black-box, white-box, and gray-box penetration tested.
S3 bucket and storage-as-a-service subscription management are protected with two-factor authentication. Clients can restrict bucket permissions to write-only or read-only access. They can also create service accounts and choose corresponding access permissions. Service accounts have their own secret access keys, and their credentials grant access for applications targeting clients’ S3 buckets. Clients can also enable audit logs for each S3 bucket to maintain records of bucket access and usage. Within the Lyve Cloud portal, clients have unobstructed visibility into Lyve Cloud S3 storage use.
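Per-bucket audit logs are only useful against ransomware if something reads them. The following Python detection logic is an added example, not Lyve Cloud or AWS code: it flags a burst of object overwrites or deletes from one principal (the pattern a synced encryption run leaves behind) and every attempt to permanently delete an object version, which removes a recovery point. The JSON-lines log layout, field names, operation names, and the sample events are all constructed assumptions for this example; a real Lyve Cloud or S3 access log has its own schema, so the parser would need adapting.

```python
"""Detection over S3-style bucket audit logs. Constructed example: the log
schema and field names are assumptions, not the Lyve Cloud or AWS log format."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Operation names that create or remove data; assumed for this example.
WRITE_OPS = {"PutObject", "CopyObject", "DeleteObject", "DeleteObjectVersion"}


def build_sample_log() -> str:
    """Constructed audit log: a backup service account writing at a normal rate,
    then a compromised user account overwriting 30 objects in two minutes and
    trying to purge prior versions (refused with status 403 by retention)."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    events = []
    for i in range(6):   # one backup object every 10 minutes: benign
        events.append({"time": t0 + timedelta(minutes=10 * i), "principal": "svc-backup",
                       "op": "PutObject", "key": f"db/part-{i}.bak", "status": 200})
    attack = t0 + timedelta(minutes=30)
    for i in range(30):  # 30 overwrites at 4-second intervals: ransomware-like burst
        events.append({"time": attack + timedelta(seconds=4 * i), "principal": "user-alice",
                       "op": "PutObject", "key": f"finance/doc-{i}.xlsx", "status": 200})
    for i in range(3):   # attempts to delete older versions, blocked by retention
        events.append({"time": attack + timedelta(minutes=3, seconds=i), "principal": "user-alice",
                       "op": "DeleteObjectVersion", "key": f"finance/doc-{i}.xlsx", "status": 403})
    return "\n".join(json.dumps({**e, "time": e["time"].isoformat().replace("+00:00", "Z")})
                     for e in events)


def parse_log(text: str) -> List[dict]:
    """One JSON object per line; returns events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def detect_write_bursts(events: List[dict], window: timedelta = timedelta(minutes=5),
                        threshold: int = 20) -> List[dict]:
    """Sliding-window count of write/delete calls per principal; one alert per
    principal the first time its count within `window` reaches `threshold`."""
    recent: Dict[str, deque] = defaultdict(deque)
    alerted, alerts = set(), []
    for e in events:
        if e["op"] not in WRITE_OPS:
            continue
        q = recent[e["principal"]]
        q.append(e["time"])
        while e["time"] - q[0] > window:   # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold and e["principal"] not in alerted:
            alerted.add(e["principal"])
            alerts.append({"principal": e["principal"], "writes_in_window": len(q),
                           "first_seen": q[0], "alert_at": e["time"]})
    return alerts


def detect_version_purges(events: List[dict]) -> List[dict]:
    """Every DeleteObjectVersion call is worth a ticket: it removes a recovery
    point. A 403 means the retention lock held; a 200 means a version is gone."""
    return [{"principal": e["principal"], "key": e["key"], "blocked": e["status"] == 403}
            for e in events if e["op"] == "DeleteObjectVersion"]


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    for a in detect_write_bursts(evs):
        print(f"ALERT burst: {a['principal']} made {a['writes_in_window']} writes "
              f"since {a['first_seen']:%H:%M:%S}")
    for p in detect_version_purges(evs):
        print(f"ALERT version delete by {p['principal']} on {p['key']} "
              f"({'blocked' if p['blocked'] else 'SUCCEEDED'})")
```

The threshold and window are tuning knobs: a backup service account legitimately writes many objects, so a real deployment would baseline each principal separately or allow-list known bulk writers, while any successful version purge outside a planned lifecycle job should page someone regardless of volume.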
Lyve Cloud’s comprehensive data protection assures integrity and confidentiality of data throughout its entire life cycle. This includes secure communication via Transport Layer Security (TLS) 1.2 with 256-bit Advanced Encryption Standard in Galois/Counter Mode (AES-256-GCM), integrity and authentication validation in the API protocol, robust envelope encryption of object storage using secure key management, and cryptographically secure erasure processes.
See the Seagate Lyve Cloud Security White Paper for more details.