Predicting the Future of Ransomware and Crypto Mining in the Cloud

A few weeks ago, I participated in a panel at SecureWorld Boston on “The Future Threatscape - Ransomware and Beyond.” The audience asked some thought-provoking questions about the “next big cyber security threats.” While our discussion covered topics ranging from cyber warfare to quantum computing and virtualization, ransomware was one of the biggest concerns.

Ransomware is today’s menace. It’s profitable, simple to pull off, and can hit organizations of any size. We’ve helped clients recover from these attacks and have seen how quickly the damages can cripple unprepared organizations. In this blog post, we look at the future of ransomware and related attacks and speculate about what the migration to cloud environments might mean for the threat landscape.

The Rise and Fall of Ransomware

Ransomware is a business that requires victims to trust that the attacker will actually restore their data once the ransom is paid. It also requires victims to have no better options. Maintaining this trust is so important that some sophisticated attackers provide a level of customer service for victims that would rival Amazon. However, as it becomes increasingly easy to launch a ransomware attack, more amateur attackers have joined the fray. They’re far less interested in maintaining that trust, and not as likely to release their hold on critical systems once the ransom is paid.

Another factor is that many organizations are responding to ransomware threats by improving their backup strategies, so they can quickly recover without needing to pay the attackers. As a result, the panel predicted that the ransomware market will begin to look less appealing for more sophisticated bad actors.

We’re already seeing signs that the next evolution of ransomware is cryptocurrency (“crypto”) mining. This malware diverts the victim’s computing resources to generate cryptocurrency for the attacker. Delta Risk has already responded to one outbreak of the “Bondnet Army,” a painfully persistent worming botnet intent on spreading crypto mining malware. With this form of malware, criminals try to stay on the network undetected for as long as possible to keep the money coming in via their mining operations, so unlike ransomware, the attacker has every incentive to remain quiet. As long as cryptocurrencies remain a viable endeavor, the value of stealing computing resources to generate them will only increase.

Crypto Mining in the Cloud

Cloud services such as Google Cloud and Amazon Web Services (AWS) promise to provide every aspect of computing, including the network infrastructure, user workstations, servers, databases, and more. The appeal of cloud is clear: these environments offer powerful administrative features, pay-as-you-go prices, and a shared responsibility model in which the provider takes some security duties off your plate. But for all the benefits, there are also some new risks.

When the panel shifted to future threats, I brought up a possible new trend: ransomware and crypto mining in cloud environments. The implications of this trend would present new risks and challenges for organizations migrating to the cloud.

The basic form of this attack is simple: compromise a cloud administrator’s account and launch one or more of the largest compute instances available, running mining software. Without proper monitoring of API activity and spend, the victimized organization wouldn’t notice until the bill arrives. Besides crypto mining, an attacker who can launch new machines within your environment has a powerful platform for all sorts of malicious activity. That power means most attackers will want to maintain access to your compromised cloud.

In cyber security, the techniques used to hide and maintain malicious access to a compromised environment are collectively called “persistence.” In the cloud, a simple case of persistence might mean setting up new cloud-administrator accounts. But let’s get more creative.

If these types of attacks against the cloud catch on, I predict features like AWS Lambda and auto-scaling will become new persistence techniques. An auto-scaling group replaces a terminated instance on its own, and a scheduled Lambda function can relaunch whatever the defender has removed, so the attacker’s first instances being discovered and terminated no longer ends the operation. Similarly, another area ripe for malicious cloud persistence is modifying an organization’s gold-disk (golden) images, the base machine images from which new instances are built. Once the malware is loaded into the image, every new machine comes pre-programmed to do the attacker’s bidding. In these ways, the “resiliency” features of the cloud are subverted to provide resiliency for the attacker.
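The following script is an added example, not code from the original post or from Delta Risk, showing what the “proper monitoring” the two preceding paragraphs call for could look like. It triages a CloudTrail-style event stream for both patterns at once: the runaway-compute pattern (expensive instance families, large launch counts, launches in regions you don’t use) and the persistence pattern (new IAM users and AdministratorAccess grants, Lambda functions, auto-scaling groups, AMI tampering). Only the record field names follow the CloudTrail layout; the events, account ID, ARNs, thresholds and region allowlist are constructed assumptions for illustration.

```python
"""Triage CloudTrail-style events for the two abuse patterns in the post:
runaway compute (crypto mining) and cloud-native persistence. Events, ARNs,
account ID, thresholds and region list are CONSTRUCTED for this example."""
from collections import Counter

ACCOUNT = "111122223333"                               # made-up account ID
ADMIN = f"arn:aws:iam::{ACCOUNT}:user/cloud-admin"      # assumed compromised admin
DEPLOY = f"arn:aws:iam::{ACCOUNT}:user/app-deploy"      # assumed legitimate CI user
ROGUE = f"arn:aws:iam::{ACCOUNT}:user/svc-metrics"      # user the attacker creates

def _ev(time, source, name, region, actor, **params):
    """Build one CloudTrail-shaped record from constructed values."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "awsRegion": region, "userIdentity": {"arn": actor},
            "requestParameters": params}

SAMPLE_EVENTS = [  # constructed sample stream
    _ev("2017-06-01T01:10:00Z", "ec2.amazonaws.com", "RunInstances", "us-east-1", DEPLOY,
        instanceType="t2.small", instancesSet={"items": [{"minCount": 1, "maxCount": 1}]}),
    _ev("2017-06-01T03:42:11Z", "ec2.amazonaws.com", "RunInstances", "ap-southeast-1", ADMIN,
        instanceType="p2.16xlarge", instancesSet={"items": [{"minCount": 20, "maxCount": 20}]}),
    _ev("2017-06-01T03:45:02Z", "iam.amazonaws.com", "CreateUser", "us-east-1", ADMIN,
        userName="svc-metrics"),
    _ev("2017-06-01T03:45:30Z", "iam.amazonaws.com", "AttachUserPolicy", "us-east-1", ADMIN,
        userName="svc-metrics", policyArn="arn:aws:iam::aws:policy/AdministratorAccess"),
    _ev("2017-06-01T09:00:00Z", "iam.amazonaws.com", "AttachUserPolicy", "us-east-1", DEPLOY,
        userName="auditor", policyArn="arn:aws:iam::aws:policy/ReadOnlyAccess"),
    _ev("2017-06-01T03:50:00Z", "lambda.amazonaws.com", "CreateFunction20150331", "ap-southeast-1", ROGUE,
        functionName="metrics-sync"),
    _ev("2017-06-01T03:52:00Z", "autoscaling.amazonaws.com", "CreateAutoScalingGroup", "ap-southeast-1", ROGUE,
        autoScalingGroupName="metrics-asg", minSize=20, maxSize=20),
    _ev("2017-06-01T04:05:00Z", "ec2.amazonaws.com", "ModifyImageAttribute", "us-east-1", ROGUE,
        imageId="ami-0123456789abcdef0"),
    _ev("2017-06-01T10:00:00Z", "ec2.amazonaws.com", "DescribeInstances", "us-east-1", DEPLOY),
]

APPROVED_REGIONS = {"us-east-1", "us-west-2"}              # assumption: where you actually run
EXPENSIVE_FAMILIES = {"p2", "p3", "g2", "g3", "x1", "x1e"}  # GPU / huge-memory families
MAX_INSTANCES_PER_CALL = 5                                 # assumption: normal launch size

# eventName -> why it matters for persistence (the cloud features the post names)
PERSISTENCE_EVENTS = {
    "CreateUser": "new IAM principal",
    "AttachUserPolicy": "AdministratorAccess attached to a user",
    "CreateFunction20150331": "new Lambda function (can relaunch what defenders terminate)",
    "PutRule": "new CloudWatch Events schedule/trigger",
    "CreateAutoScalingGroup": "auto-scaling group that replaces terminated instances",
    "ModifyImageAttribute": "AMI attributes changed (golden-image tampering)",
}

def check_compute(ev):
    """Reasons a RunInstances call looks like a mining farm being spun up."""
    if ev.get("eventName") != "RunInstances":
        return []
    p = ev.get("requestParameters", {})
    family = p.get("instanceType", "").split(".")[0]
    count = sum(i.get("maxCount", 1) for i in p.get("instancesSet", {}).get("items", []))
    reasons = []
    if family in EXPENSIVE_FAMILIES:
        reasons.append(f"expensive instance family {family}")
    if count > MAX_INSTANCES_PER_CALL:
        reasons.append(f"{count} instances in one call")
    if ev.get("awsRegion") not in APPROVED_REGIONS:
        reasons.append(f"unapproved region {ev.get('awsRegion')}")
    return reasons

def check_persistence(ev):
    """Reasons an event matches a cloud-native persistence technique."""
    name = ev.get("eventName")
    if name not in PERSISTENCE_EVENTS:
        return []
    policy = ev.get("requestParameters", {}).get("policyArn", "")
    if name == "AttachUserPolicy" and not policy.endswith("/AdministratorAccess"):
        return []   # scoped policy attachments are routine; only admin grants fire
    return [PERSISTENCE_EVENTS[name]]

def triage(events):
    """Return one finding per suspicious event, in stream order."""
    findings = []
    for ev in events:
        reasons = check_compute(ev) + check_persistence(ev)
        if reasons:
            findings.append({"time": ev.get("eventTime"), "event": ev.get("eventName"),
                             "actor": ev.get("userIdentity", {}).get("arn", "unknown"),
                             "region": ev.get("awsRegion"), "reasons": reasons})
    return findings

def findings_per_actor(findings):
    """Which principals generated the findings; a brand-new user doing this is the tell."""
    return Counter(f["actor"] for f in findings)

if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f["time"], f["actor"].rsplit("/", 1)[-1], f["event"], "|", "; ".join(f["reasons"]))
    print("findings per actor:", dict(findings_per_actor(found)))
```

Run against the constructed stream, the legitimate `t2.small` launch and the ReadOnlyAccess attachment pass silently, while the `p2.16xlarge` x20 launch in an unused region, the new user, the admin grant, and the Lambda, auto-scaling and AMI changes made by that new user all surface. In a real deployment the events would come from CloudTrail delivered to S3 or CloudWatch Logs, and the thresholds and allowlist would be tuned to the workloads the account actually runs.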

These were only a few ideas drummed up by a handful of experts sitting at a table for an hour. The cloud presents many more new threats and attack vectors, some known and some unknown. Cloud providers add new features every day and some existing features are poorly understood. With this complexity comes a whole new slew of malicious tactics that network defenders will need to consider and mitigate. 

Summary: How to Protect Yourself

Best practices for protecting against ransomware are already well-established: disaster recovery plans, tested backups, and business continuity strategies are paramount. Most organizations, however, are not prepared or mature enough to manage the risks associated with migrating some or all of their IT to the cloud. Best practices for cloud security are out there, but most administrators and developers don’t understand them, or they lack the muscle memory or resources to implement them.

Stay tuned for a future blog about specific risks and best practices for protecting your cloud environments. In the meantime, I encourage you to get smart with what’s already out there from your cloud provider. For example, Amazon has published the “AWS Well-Architected Framework” (and specifically its Security Pillar). For Google environments, check out the “Google Infrastructure Security Overview.”