Cloud environments are a notorious ransomware attack hot spot. It’s a calculated strategy on the part of the cybercriminals. As the old adage goes, ‘follow the money’, and that’s exactly what they’re doing.
Predictions suggest cloud infrastructure spend will reach over US$135 billion in 2026, accounting for over 67 per cent of total compute and storage infrastructure spend.
Cloud environments have grown in popularity due to their convenience, scalability, and cost-effectiveness. As organisations migrate their data and applications to the cloud, the potential for criminal exploitation in the cloud also escalates. Attackers are keenly aware of the valuable assets stored within these environments, and these malevolent actors are relentless in their pursuit of this data.
In the digital realm, data is power. But not just any data. Attackers are not interested in your vacation photos, or the grocery lists stored in your phone or laptop. They are interested in the information that allows them to gain control, primarily focusing on financial, professional, and personally identifiable information (PII). Put plainly, they want data that provides them with the leverage to demand substantial ransoms, leaving individuals and organisations in a precarious position.
In 2022, organisations appeared to be beating back the forces of ransomware attackers, with ransomware payments falling from US$765.5 million to US$456.8 million from 2021 to 2022. However, that glimmer of hope was dashed when it was revealed that ransomware actors successfully extorted US$449.1 million in the first half of 2023 alone. Again, in the first half of 2024, we saw the value extorted by ransomware attackers reach US$459.8 million.
The reason for the ebb and flow is debated. It could be that organisations were more brazenly declining to pay the ransom, or perhaps widespread awareness forced a serious uptick in security measures. What we do know is that there has been a definite increase in what’s known as ‘encryption-less ransomware’.
As the good guys evolve strategies of defence, the bad guys evolve strategies of attack. Organisations are more frequently and effectively backing up data and making use of decryptor technology to combat attacks that leave hostage data encrypted. As a result, the threat actors are skipping the process altogether. Instead, they’re opting for a simpler, less technically complex, and less time-consuming process of gaining access to sensitive data and releasing it straight to the public or auctioning it off.
Security is an arms race, and the party that stays two steps ahead is the one who wins.
A Problem Shared Is A Problem Halved
So, how do we combat this escalating threat? This battle requires a model of shared responsibility.
Security is not the sole responsibility of the service provider or the user. It’s a collective effort where all parties collaborate to protect data and infrastructure effectively.
Government organisations have a role to play as well in this shared responsibility model. Mandates and regulations are necessary, but they should be developed in a way that strikes a balance between security and operational efficiency.
The processes for implementing security controls must also be made as streamlined as possible. Complexity is the enemy of security and leads to mistakes. The easier it is to implement these controls and the more user-friendly they are, the more likely organisations will be able to adhere to them. The key? Attaining simplicity without compromising on security.
Our adversaries understand the benefits of a less complex attack method, and we must as well.
Humans Make Mistakes
One of the primary challenges in the fight for security is human error. Humans are susceptible to the mistakes that trigger a ransomware attack, and even the simplest mistakes made throughout the course of day-to-day business operations can lead to significant vulnerabilities. Add to that the proliferation of AI tools that increase the sophistication, and therefore the effectiveness, of phishing emails, scam text messages and social media posts, and it’s clear it’s a minefield out there.
Merely instructing people on best practices isn’t enough; we need to go a step further.
Simulated training scenarios allow individuals to proactively identify and respond to threats in a controlled environment, improving their preparedness and resilience.
At the 2024 World Economic Forum, Bill Gates pledged to rid the world of spam within two years. Unfortunately, we’re still waiting on the delivery of that promise. In the meantime, although we can’t remove the threats completely, we can minimise the attack surface to mitigate the impact.
The allure of the cloud environment is matched by the determination of our cyber adversaries. We can’t win unless we remain two steps ahead.