Lacework - WP - Ransomware - Rising - 040422 - V4

The document discusses the rising threat of ransomware and how it is increasingly targeting cloud infrastructure and applications. Ransomware attacks increased 600% over two years and ransom payments totaled $590 million in the first half of 2021 alone. As ransomware moves to target cloud services, it exploits credentials and remote access to encrypt or extract data from cloud services and storage providers.

Ransomware rising
A look at how to battle ransomware in the cloud

Ransomware, a form of malware that seeks to encrypt or withhold data unless a ransom is paid, continues to rise in 2022. In fact, in just two years, ransomware has experienced a 600% increase in attacks.

This trend is not surprising since cybercriminals remain quite effective at extracting money from businesses spanning all sizes and industries. Attackers are consistently improving their existing tools to make them even more sophisticated, leaving under-resourced security teams struggling to keep up. The pace of attacks has also increased with the adoption of ransomware-as-a-service (RaaS) toolkits and ransomware affiliate programs. Now just about anyone, technical or not, can exploit victims for ransom with ease.

This paper takes a look at the market landscape, what’s driving the spike, best practices to reduce risk, and how Lacework can help organizations stand up to ransomware with better visibility, detection, and investigation to speed response.

Ransomware climbs to the cloud

According to Forrester, ransomware attacks are being executed at an alarming rate. In the first six months of 2021, ransoms increased to $590 million. As highly commoditized attacks become the norm, hackers continue to embrace land and expand tactics to compromise unsecured remote access software, overprivileged identities, and unpatched software. While ransomware operators have historically focused on attacking Windows environments, the ability to monetize expanding Linux/container environments is becoming essential for ransomware operations.

Top tactical security priorities for all organizations that have been breached
“Which of the following initiatives are likely to be your organization’s top tactical information/IT security priorities over the next 12 months?” (Top 11 responses)

Improving application security capabilities and services: 21%
Improving identity and access management tools and policies: 20%
Implementing artificial intelligence (AI) technologies to improve security: 19%
Improving threat intelligence capabilities to proactively identify security threats targeted to your organization or industry: 18%
Improving security analytics capabilities (SIM, SIEM, NAV, SUBA): 18%
Establishing and/or enhancing e-discovery practices: 18%
Securing industrial control system (ICS) or operational technology (OT) environments: 18%
Introducing cyber risk qualification technologies to support board reporting: 17%
Moving security services to the cloud: 16%
Improving mobile security capabilities and services: 16%
Securing internet of things (IoT) within the enterprise: 16%

Base: 778 security decision-makers who have experienced a breach in the past 12 months
Source: Forrester Analytics Business Technographics® Security Survey, 2021

According to the CRA, the top three most common attack vectors were:

Remote worker endpoint: 36%
Cloud infrastructure/platform: 35%
Cloud app (SaaS): 32%

Source: State of Ransomware Study

Despite the arsenal of security tools to help IT security teams respond to attacks, ransomware remains rampant. Ransom payments are easier to collect than other types of fraud due to the reliance on digital currencies like Monero. Many security professionals feel powerless to prevent these attacks because of their evolving sophistication. The CRA State of Ransomware study revealed some showstopping statistics. More than 40% of respondents suffered at least one ransomware attack during the past two years. Of those attacked, 58% paid a ransom, 29% found their stolen data on the dark web, and 44% suffered financial losses.

© 2022, Lacework Inc. All Rights Reserved. Ransomware rising | 2


Ransomcloud, special for compromising the cloud

As organizations move more of their sensitive data into the cloud, criminals are setting their sights on a new target: cloud services. “Ransomcloud” is a term coined to refer to a certain type of ransomware that targets cloud data in a variety of ways, including these three favorites:

1. Ransomware can compromise a victim’s endpoint, and then explore what is accessible from this compromised asset. If cloud services are discovered, they can leverage locally stored credentials or otherwise ride access into cloud services in order to gain access to additional assets and resources. (This is the most commonly used method.)

2. Criminals most commonly gain direct access by phishing individual users. If successful, they can explore connected resources and encrypt or extract sensitive information from the cloud services that the compromised user has access to. In a majority of cases, they move laterally, either through remote interaction or automation via their malware, to access adjacent resources. If the ransomware piggybacks on a connection to an online file sync service, it can then gain access to cloud assets and resources, and encrypt stored data or even the hosts themselves.

3. Criminals can target cloud and storage providers and share credential databases in hopes of accessing private content, often by way of password-sprays against a large set of known accounts, compromising endpoints directly, or sometimes even leveraging exploits. If successful, and if personal accounts have a business link, a single attack can compromise many accounts and customer data.

ChaChi Linux Variant

PYSA, which is short for “Protect Your Systems Amigo,” is the handle of a prolific ransomware group, also known as “Mespinoza,” who are currently the third most impactful ransomware gang by number of victims (according to metrics from Ransom-DB). While they are known for targeting Microsoft Windows environments, in September 2021 Lacework discovered a Linux version of ChaChi, a customized variant of an open-source Golang-based RAT that leverages DNS tunneling for command-and-control (C2) communication. This sample was configured to communicate with known PYSA infrastructure.
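As an added illustration (not code from the paper or from Lacework), a defender's heuristic for surfacing the kind of DNS tunneling C2 traffic the ChaChi variant relies on, run over a constructed DNS query log; the log line format, the thresholds and the domain names are assumptions:

```python
import math
from collections import Counter

# Constructed sample of DNS query log lines, not from the paper or from any
# real resolver: "<timestamp> <client> <qtype> <qname>". The two TXT lines
# imitate the shape of a tunnelling client that carries data in its labels.
SAMPLE_DNS_LOG = """\
2021-09-14T10:01:02Z 10.0.3.7 A updates.example.com
2021-09-14T10:01:03Z 10.0.3.7 A cdn.example.net
2021-09-14T10:01:04Z 10.0.3.7 TXT 6a7b3c9f0e1d2a4b5c6d7e8f9a0b1c2d.x7k2pq9z.example-c2.test
2021-09-14T10:01:05Z 10.0.3.7 TXT 3f9a1b7c5d2e8f4a6b0c9d1e7f2a3b4c.m8n3ws1q.example-c2.test
2021-09-14T10:01:06Z 10.0.3.7 A mail.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def parse_line(line: str) -> dict:
    """Split one constructed log line into its four fields."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname.rstrip(".")}

def is_suspicious(qname: str, qtype: str, max_label_len: int = 30,
                  min_entropy: float = 3.5) -> bool:
    """Heuristic (assumed thresholds): long or high-entropy leading labels,
    or bulky TXT/NULL/CNAME queries, are typical of data carried in DNS."""
    labels = qname.split(".")
    data_labels = labels[:-2]          # drop the registrable domain (approximation)
    payload = "".join(data_labels)
    long_label = any(len(lbl) > max_label_len for lbl in data_labels)
    high_entropy = len(payload) >= 16 and shannon_entropy(payload) >= min_entropy
    odd_type = qtype in ("TXT", "NULL", "CNAME") and len(payload) >= 16
    return long_label or high_entropy or odd_type

def flag_tunneling(log_text: str) -> list:
    """Return (client, qname) for every query that matches the heuristic."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_suspicious(rec["qname"], rec["qtype"]):
            hits.append((rec["client"], rec["qname"]))
    return hits

if __name__ == "__main__":
    for client, qname in flag_tunneling(SAMPLE_DNS_LOG):
        print(f"possible DNS tunneling from {client}: {qname}")
```

A hit is a prompt to look at the host, not proof of C2: legitimate services (CDNs, anti-spam lookups) also emit long, random-looking labels, so tune the thresholds against your own baseline.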



Best practices

Hoping that your cloud provider’s native security controls will save you will not protect you. In many cases, the data stored in a cloud service is considered a shared responsibility between the cloud provider and the customer. A cloud provider may be responsible for ensuring that data cannot be accessed without legitimate credentials, but it is not responsible for what happens if those credentials are stolen from a customer.

As adversaries evolve their techniques, it’s important to ensure your Linux environments are up to date, actively monitored, and backed up appropriately. Historically, ransomware operators have focused on attacking Windows environments, but the adoption of containers and Linux workloads has increased the attack surface, and attackers are quick to monetize these environments using ransomware operations.

It’s important to have visibility in order to prevent an attack, comprehensive detection tools to identify the attack, and context to help you investigate and respond quickly.

Ransomware decision tree tied to cost

Before an attack: Prevention (Compliance, Hardening)
  Cloud Security Posture Management (CSPM)
  Vulnerability
  Multicloud

During an attack: Detection (Early Detection)
  Behavioral Anomaly Detection
  File Integrity Monitoring
  Host Intrusion Detection
  Runtime Detection

After an attack: Investigation (Incident Response, Root Cause)
  180 Day Data Retention
  Context Rich Event Cards
  Command Line Visibility
  3rd Party Remediation/Orchestration

Visibility: Extensive visibility across your entire cloud environment
Insights: Comprehensible, accurate detection of what matters most
Action: Automated understanding of your cloud to make investigations faster



The following tips can help mitigate the risk of ransomware in the cloud.

· Require multi-factor authentication (MFA) controls for data deletion and all external-facing assets
· Enforce kernel module signing on Linux hosts to prevent unsigned kernel modules from being loaded onto compromised machines
· Implement least privilege to limit roles and exposure to privilege escalation vulnerabilities, and work toward automated guardrails to reduce configuration mistakes
· Establish cloud security policies and a cloud posture management process that accounts for managing vulnerabilities and auditing the supply chain frequently
· Monitor and alert for configuration benchmarks and best practices
· Use password best practices and be sure to eliminate dead accounts
· Deploy effective storage security for backup and restoration
· Invest in automated threat intelligence and correlation

Defend against ransomware in the cloud with Lacework

Lacework helps organizations improve their cybersecurity posture by focusing on prevention, detection, and the ability to investigate and respond quickly. These features build communication between internal and external stakeholders and help align cybersecurity risk management with broader enterprise risk management processes.

Visibility

Lacework provides visibility into cloud assets and infrastructure to identify active exposures that may be used as an initial attack vector to compromise a cloud workload. Vulnerability management capabilities enable you to assess your cloud security posture by scanning cloud environments, containers, non-OS packages (such as Python, Ruby, and Go), and workloads for vulnerabilities.

By hardening your systems and infrastructure, and monitoring identity management and access controls, you can reduce the risk of infiltration and a potential ransomware attack. Lacework helps you focus on the appropriate safeguards and best practices, including guidelines and control frameworks like the ones provided by the Center for Internet Security (CIS) Benchmarks, NIST, PCI, HIPAA, ISO, and SOC 2.

By connecting Lacework with your cloud providers, you gain visibility into cloud controls that leverage the CIS Benchmarks and custom Lacework policies to help mitigate against ransomware in the cloud. For example, within AWS, there are two pre-built custom Lacework policy checks: “S3 Object Versioning” and “multi-factor authentication (MFA) Delete.” S3 Object Versioning allows S3 objects to be “versioned,” so when a file is modified, a historical record is created. If an attacker modified a CloudTrail log file to remove traces of their activity, the defender could compare the old version of the file and the current version to see exactly what the attacker removed.

Lacework offers a policy to track “MFA delete” in S3 buckets to prevent an attacker from disabling the versioning and overwriting/deleting existing versions. When both versioning and MFA delete are enabled on a bucket, this feature requires MFA either to change the versioning state of the specified S3 bucket (i.e., disable versioning) or to permanently delete an object version. This means an attacker would need to compromise the root user and their MFA device to disable versioning and MFA delete on the bucket. This is possible in theory, but very unlikely in practice.
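An added example, not Lacework's policy code, showing the two checks described above applied to a bucket versioning configuration in the shape boto3's get_bucket_versioning() returns, and the old-version-versus-current-version comparison of a CloudTrail log file; the bucket states and log records are constructed:

```python
import json

# Constructed configurations in the shape of boto3's get_bucket_versioning()
# response (only the two keys that matter here); not output from a real account.
WEAK_BUCKET = {"Status": "Suspended"}                        # versioning off, no MFA Delete
HARDENED_BUCKET = {"Status": "Enabled", "MFADelete": "Enabled"}

def versioning_findings(versioning_config: dict) -> list:
    """Apply the two checks the paper names: S3 Object Versioning and MFA Delete.
    Both must report 'Enabled'; an absent MFADelete key means it is off."""
    findings = []
    if versioning_config.get("Status") != "Enabled":
        findings.append("S3 Object Versioning not enabled")
    if versioning_config.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled")
    return findings
    # Turning MFA Delete on is a PutBucketVersioning call that must carry the
    # root user's MFA serial and code, which is why the paper says an attacker
    # would need both the root user and its MFA device to switch it off.

# Constructed CloudTrail log bodies: the older object version, and the version
# an attacker wrote back after stripping the records that show their activity.
OLD_VERSION = json.dumps({"Records": [
    {"eventID": "e1", "eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}},
    {"eventID": "e2", "eventName": "CreateAccessKey", "userIdentity": {"userName": "alice"}},
    {"eventID": "e3", "eventName": "PutBucketVersioning", "userIdentity": {"userName": "alice"}},
    {"eventID": "e4", "eventName": "ListBuckets", "userIdentity": {"userName": "bob"}},
]})
CURRENT_VERSION = json.dumps({"Records": [
    {"eventID": "e1", "eventName": "ConsoleLogin", "userIdentity": {"userName": "alice"}},
    {"eventID": "e4", "eventName": "ListBuckets", "userIdentity": {"userName": "bob"}},
]})

def removed_records(old_body: str, current_body: str) -> list:
    """Records present in the older object version but missing from the current
    one, keyed on CloudTrail's eventID: exactly what was removed."""
    old = {r["eventID"]: r for r in json.loads(old_body)["Records"]}
    current_ids = {r["eventID"] for r in json.loads(current_body)["Records"]}
    return [rec for eid, rec in old.items() if eid not in current_ids]

def summarize_removed(old_body: str, current_body: str) -> list:
    """(eventID, eventName, userName) for each removed record, for an analyst."""
    return [(r["eventID"], r["eventName"], r["userIdentity"]["userName"])
            for r in removed_records(old_body, current_body)]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, versioning_findings(cfg) or "compliant")
    print("removed from log:", summarize_removed(OLD_VERSION, CURRENT_VERSION))
```

With versioning in place the older body is fetched with the object's VersionId, so the comparison works even after the attacker has overwritten the current version.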



Insights
Lacework continuously monitors all activity to uncover known and unknown threats, and attacks that leverage zero-day
vulnerabilities. We deliver alerts with security context to ensure potential impacts are mitigated. Lacework’s ability to automate
correlation, pinpoint vulnerabilities, graph communication paths, and understand behaviors gives organizations a leg up in the
fight against ransomware. By identifying these misconfigurations and vulnerabilities across your environment, you can reduce the
risk of a ransomware attack compromising cloud accounts and workloads deployed on AWS, Google Cloud, and Azure.

Lacework provides early detection that is critical to detecting ransomware in the cloud. Ransomware is not usually executed
immediately after the initial compromise. The average dwell time of an attacker can range anywhere from five to more than 100
days. During this time, an attacker makes noise within the cloud environment. Lacework uses patented machine learning to
automatically learn activities and behaviors unique to your environment. With runtime visibility and anomaly threat detection,
organizations can alert on abnormal activity and detect an attack.



Action
Lacework provides full incident response capabilities, including retention of behavioral, raw infrastructure, and historical data
for up to six months. These capabilities enable organizations to query across any timeframe, machine, app, or container to
understand what was executed. Users can also view our patented Polygraph visual representation of the attack chain to aid
in the forensic investigation and impact assessment. Lacework makes it easy to share data between our single platform and
your other tools to eliminate inconsistencies and streamline incident management. Easily enrich existing workflows through
integration with ticketing, messaging, SIEM, and workflow applications.

Lacework helps respond to ransomware attacks by providing configuration monitoring to alert defenders if a door is open,
vulnerability management to allow developers to identify complex software that can be exploited, threat detection to alert
users of unwanted software, and anomaly detection to detect if an attacker is accessing an environment.

Why the event was triggered
Who triggered the event (user and/or machine)
What triggered the event (user and machine)
When the event occurred
Where the event occurred (cloud region or source IP address)

With Lacework organizations can:


· Determine the actual cause of the incident and
identify the vector of attack, the vulnerabilities
exploited, and the characteristics of the targeted or
victimized systems, networks, and applications
· Calculate the estimated monetary damage from
the incident (e.g., information and critical business
processes negatively affected by the incident)
· Determine if the incident is a recurrence of a
previous incident
· Measure the difference between the initial impact
assessment and the final impact assessment
· Identify which measures, if any, could have
prevented the incident



About Lacework
Lacework is the data-driven security company for the
cloud that delivers end-to-end visibility and automated
insight into risk across cloud environments, so you can
innovate with speed and safety. The Lacework Polygraph®
Data Platform ingests data, analyzes behavior, and detects
anomalies across an organization's Amazon Web Services
(AWS), Google Cloud, Microsoft Azure, and Kubernetes
environments. This patented approach significantly reduces
noise and turns millions of data points into prioritized,
actionable events. Customers all over the globe depend on
Lacework to take software services to market faster and
more securely, while consolidating overlapping security
solutions into a single platform for better visibility and
coverage across a multicloud environment. Founded in 2015
and headquartered in San Jose, Calif., Lacework is backed
by leading investors like Sutter Hill Ventures, Altimeter
Capital, D1 Capital Partners, Tiger Global Management,
Counterpoint Global (Morgan Stanley), Franklin Templeton,
Durable Capital, GV, General Catalyst, XN, Coatue,
Dragoneer, Liberty Global Ventures, and Snowflake Ventures,
among others. Get started at www.lacework.com.

Sources: CRA State of Ransomware Study

Get started today!


Request a demo

© 2022, Lacework Inc. All Rights Reserved. | 888.292.5027 | lacework.com 04/22
