26 April 2022
What is ransomcloud and how do attacks work?
By Nelson Ody, Cyber security expert and product manager, Cyber security, RM
“Ransomcloud” isn’t new; it has been around since approximately 2019. Organisations need to bear in mind that a ransomcloud attack is often simply an extended ransomware attack and should be treated as such. If a hacker looking for data in other locations can’t find it, the organisation’s local data still gets hit. Now that 44% of the UK population is using cloud storage [statista.com], hackers’ attention to cloud technologies is growing by the day. Ransomcloud attacks are most commonly initiated in the same way as traditional ransomware attacks: by successfully phishing an employee. Deloitte has also called out phishing as the number one delivery vehicle for ransomware [deloitte.com].
What’s more, the recent cross-agency advisory report [ncsc.gov.uk] from the FBI, CISA, ACSC and NCSC shows that threat actors changed their targeting methodology over 2021, moving from “big game hunting”, i.e. going after large targets, to attacking companies of all sizes. It also states that, to increase their success, the threat actors have looked at specific target types. This includes targeting Managed Service Providers, as one breach leads to many victims, as well as attacking the software supply chain, where again a single breach leads to many victims. In addition, they are timing attacks to holidays or weekends to maximise their rewards.
Who is most at risk from ransomware targeting cloud and what are the consequences?
Schools and trusts have increasingly become a target for general ransomware, which will include ransomcloud with the rise in the use of cloud software. In fact, the NCSC has highlighted several times [ncsc.gov.uk] that there’s been an increase in ransomware attacks on the UK education sector. More recently, Cantium Business Solutions found [fenews.co.uk] that 66% of UK schools surveyed claimed to have suffered a cyber-attack in the last 18 months. There are a multitude of impacts that a ransomcloud attack could have on a school, including potentially a large fine from the ICO, reputational damage as parent, student and staff details are compromised, student exam work completely lost, and no IT for weeks, leaving students and staff without the most used resource, as well as much more.
So as attackers often look to infiltrate systems via phishing, organisations must invest in their staff, providing training and exercises. It’s key that they offer any technical to help identify phishing emails, as well as educating on the importance of multi-factor authentication and secure passwords. In addition, the change in targets to supply chains will mean that organisations need to pay more attention to that attack vector, both vetting their suppliers and demanding more in terms of assurance. Finally, schools and trusts should be regularly seeking professional advice from the likes of the Department for Education, NCSC, and technology partners to minimise the risk and/or mitigate the consequences.
Ultimately, who is most at risk goes hand in hand with how an organisation is set up to mitigate attacks and to follow the advice and guidance from the NCSC and other official experts. Cyber hygiene and always being as prepared as possible are essential because, unfortunately, today it’s a matter of when you get hit, not if. That means organisations must know how they will respond and how they will recover. If they aren’t doing that, then they are probably in the high-risk category.