To pay or not to pay is the question for cloud ransomware

This article was contributed by Art Poghosyan, CEO of Britive.

As ransomware attacks proliferate in the cloud and cause varying degrees of damage, enterprises are right to wonder – is paying a ransom the appropriate move?  The answer, of course, is subjective: it depends. Since many businesses assume cyberattacks are inevitable, even in the cloud, most have recovery budgets to cover costs, and remediation strategies to counterbalance inflicted reputational harm and operational downtime.  

Cybersecurity insurance can offset financial losses — to an extent. According to Cybereason, 42% of companies that suffered an attack in 2021 recouped only a small portion of the financial damages caused by ransomware through insurance coverage. What’s more, in a survey of 1,263 companies, 46% of victims that submitted a ransom payment got their data back, but much of it was corrupted.  

Just like cybersecurity, ransomware attacks are evolving. Data exfiltration and encryption still predominate, but hackers also threaten to disclose sensitive company information to the public. This scenario gives the hacker leverage and accelerates a company’s willingness to pay.  

It is important to note, however, that despite the evolution of cybercrime, hackers still tend to use tactics that are technologically unadvanced. In cloud, this means exploiting misconfigurations or gaining entry to a network via identity breaches, e.g. over-privileged user accounts, or user accounts with standing permissions.  

Good security hygiene can defend enterprises from most ransomware attacks. According to recent research, 93% of cloud security professionals said their breaches could have been prevented. Few of us perform better, or make wiser decisions, under extreme pressure. That is why it is critical to have a plan before a breach occurs. It is preferable to invest in business continuity through proactive cloud security than it is to absorb a loss, update security controls, and ameliorate the unfavorable press that comes in the wake of an attack.  The goal is to diminish the likelihood of ransomware by reducing vulnerabilities in the cloud.

What organizations can do to diminish the likelihood of ransomware

Eliminate standing privileges 

Enterprises have thousands of human and machine users that need access to cloud environments to complete tasks. But according to recent research, users often receive excessive privileges that remain open perpetually. Standing privileges give hackers an entrance to cloud environments. These identities, whether they are company employees or third-party contractors, can perform ransomware and potentially move laterally across your cloud environment and seize control.  

Implement cross-cloud discovery 

A typical DevSecOps operation can easily generate thousands of data access events every day. Therefore, it’s critical to gain deep insight into who’s doing what across your cloud services to uncover security blind spots, such as over-privileged users and machine IDs.   

Minimize the blast radius of your highest risk cloud users 

Permanent elevated privileges leave you open to increased data loss and account damage due to insider threats and hackers 24/7. Temporarily granting and expiring Just In Time Privileges minimizes the potential blast radius of your privileged human and machine identities. 

Eliminate the risks posed by permanent hard-coded secrets 

Hardcoded API keys and credentials — typically with elevated privileges — are sitting targets for exploits. Keep in mind that there are 20x more machine IDs using elevated privileges than there are human users. Utilizing JIT secrets can significantly reduce your credential exposure. 

Minimize your exposure to account takeovers and insider threats 

Most cloud accounts become over-privileged over time. Contractors and employees often maintain access after they leave. Enforcing Least Privilege Access (LPA) through regularly right-sizing overly-broad permissions and eliminating unused accounts and credentials reduces your attack surface and stops hackers. 

Identify and mitigate high-risk privilege-based activity cross-cloud 

Privileges drift. Over-privileged accounts get hacked and misused. Do you know if and when this happens? Integrate a solution with your UEBA, SIEM, and data lake technologies to gain centralized cross-cloud visibility into cloud privileges and risky activity. 

Streamline the process of auditing cloud accounts and privileges 

Discovering all of your human and machine identities privileges — especially those that are over-privileged — is critical when performing internal cloud audits. The goal is to quickly gain insights into high-risk identities, privileges, and activities from a unified cross-cloud access model. 

Ultimately, deciding to pay a ransom or not is a business decision. Interplay must exist between IT leaders and business executives. Executives have to understand the extent to which operational downtime will impact revenue and IT needs to consider what negative customer and industry ramifications may arise. Remember: ransomware doesn’t take down technology; it takes down business. The more you understand about your business, and how technology is directly tied to business operations, the better off you will be. Do the next right thing and address security vulnerabilities now — before attackers can strike. 

Art Poghosyan is the CEO of Britive.