The rise of ransomcloud attacks: What enterprises can do to protect themselves

Ransomcloud attacks target the customers of cloud service providers rather than cloud service providers themselves


Today, almost every company uses the cloud in some form or another, from enabling remote workplaces to creating new business models in healthcare and education. Research firm Gartner has predicted that end-user spending on public cloud services in India will total $7.3 billion in 2022, an increase of 29.6% from 2021.


With the growing preference for the cloud, and the convenience and economics of storing data there, attackers have turned their attention to cloud-based platforms. As a growing number of organizations store sensitive data such as consumer and financial records in the cloud, we are witnessing a trend of ransomcloud attacks: ransomware attacks that specifically target data stored in the cloud.

Ransomcloud attacks target the customers of cloud service providers rather than the providers themselves. The encryption starts in the cloud, not on a local machine. This means the attacker must hold valid credentials for a cloud user account, and thereby gains access to every file and resource that account is permitted to use. To take control of the user's cloud account, the attacker can use phishing, credentials from a known data leak, cloud misconfiguration, credential-stealing malware, DDoS attacks, or any other means. Once inside, they can deploy ransomware that encrypts and steals the victim's information.

Companies whose cloud account is shared by multiple users, each with access to the permitted files and resources, are at the greatest risk. The primary attack vector for these attacks is phishing, so compromising any one of those users gives the ransomware a larger attack surface to work with. Another group at risk is people who reuse their passwords. The consequences can include double extortion, i.e. losing all your files and then being extorted to stop the attacker from leaking your private information.


Recommended countermeasures

It is important to understand that responsibility for the security of the data is shared between the organization and the cloud service provider. To avoid the threat of ransomcloud, businesses should first ask their cloud provider for its strategies to recover from a ransomware attack and other types of outages. They also need to consider what security measures they themselves have in place against attacks of this nature: at a minimum, using two-factor authentication and granting permissions on cloud resources only to the user accounts that need them, otherwise known as the principle of least privilege.

Privileged and administrative accounts in cloud environments need to be managed, protected, and monitored just like privileged accounts in a traditional datacenter. Organizations should establish a single control point to manage the credentials of cloud administrators, developers and other users accessing the management consoles and portals of the various cloud platforms.
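One way to put the monitoring called for above into practice, as an added example that is not from the article or from CyberArk: a small Python detector over constructed, CloudTrail-style storage events that flags an identity rewriting or deleting many objects within minutes, which is the footprint of encryption that starts in the cloud. The event field names, the thresholds and the sample events are all assumptions made for the illustration.

```python
# Added example (not from the article): a minimal detector for the
# "encryption starts in the cloud" pattern. It scans constructed,
# CloudTrail-style object events and flags any identity that rewrites or
# deletes many objects in a short window, especially when the new object
# keys carry an unfamiliar extension. Field names and thresholds are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)    # assumption: burst window
THRESHOLD = 20                   # assumption: writes/deletes per identity per window
KNOWN_EXT = {"docx", "xlsx", "pdf", "csv", "png", "txt"}  # assumption: org's normal types

def _ext(key):
    return key.rsplit(".", 1)[-1].lower() if "." in key else ""

def detect_bulk_rewrites(events, window=WINDOW, threshold=THRESHOLD):
    """Return {identity: [reason, ...]} for identities whose object writes/deletes
    reach `threshold` inside `window`. Event fields: time (ISO-8601), user, action, key."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["action"] in ("PutObject", "DeleteObject", "CopyObject"):
            per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["key"]))
    alerts = {}
    for user, items in per_user.items():
        items.sort()
        start = 0
        for end in range(len(items)):           # sliding window over sorted events
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst_ext = {_ext(k) for _, k in items[start:end + 1]} - KNOWN_EXT - {""}
                reasons = [f"{count} object writes/deletes within {window}"]
                if burst_ext:
                    reasons.append(f"unfamiliar extensions written: {sorted(burst_ext)}")
                alerts[user] = reasons
                break                             # one alert per identity is enough
    return alerts

def constructed_events():
    """Constructed sample log, not real telemetry: one normal user and one
    compromised account re-uploading files with a new extension."""
    base = datetime(2022, 6, 1, 9, 0, 0)
    events = [{"time": (base + timedelta(minutes=12 * i)).isoformat(), "user": "alice",
               "action": "PutObject", "key": f"reports/q2-{i}.docx"} for i in range(5)]
    for i in range(25):
        t = (base + timedelta(seconds=4 * i)).isoformat()
        events.append({"time": t, "user": "bob", "action": "PutObject", "key": f"finance/ledger-{i}.xlsx.locked"})
        events.append({"time": t, "user": "bob", "action": "DeleteObject", "key": f"finance/ledger-{i}.xlsx"})
    return events
```

In a real deployment the events would come from the provider's audit log, and the alert should feed the same response path as an on-premises ransomware detection: revoke the identity's sessions and credentials, then restore from backup.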


It is also important for businesses to use anti-phishing tools and to ensure employees undergo security awareness training. As part of this, employees must understand the importance of using a strong password that includes letters, numbers, and special characters, and it must be made clear that passwords must not be reused across services. Businesses should also mandate password changes at appropriate intervals.

Backups are also vital. Organizations that proactively back up their files can dramatically reduce the impact of ransomware and avoid having to choose between paying a costly ransom and losing the data forever. Instead, once files are encrypted, the victim organization can locate the ransomware on the infected machines, remove it from the system, and then restore the affected files from backup.

Enterprises must also understand that not all data needs to be kept. Data should be retained only if necessary, and for no longer than necessary, with the retention period defined by business or regulatory requirements. This approach reduces the attack surface and helps enterprises use resources more efficiently. Further, it is vital that sensitive information such as user details, passwords, private consumer information and other classified data is stored in encrypted or hashed form.


Based on our own experience of mitigating ransomware attacks, we believe that the combination of the above-stated best practices can prove to be extremely effective.


The article has been written by Sumit Srivastava, Solutions Engineering Manager, India & SAARC at CyberArk.