Ransomware hits the cloud

More flexibility and visibility with agentless coverage for workloadsRansomware attacks are on the rise. In the last two years, we’ve seen a 600% increase in attacks which is not terribly surprising given ransomware, a form of malware that seeks to encrypt or withhold data unless a ransom is paid, is profitable for attackers. This  is just one reason why it’s more important than ever to implement runtime visibility and anomaly threat detection. This way, organizations can alert on abnormal activity and detect an attack.

Ransomware climbs to the cloud

Just about anyone today, technical or not, can exploit victims thanks to the adoption of ransomware as a service (RaaS) toolkits and ransomware affiliate programs. Hackers continue to embrace land and expand tactics to compromise unsecured remote access software, overprivileged identities, and unpatched software. The average dwell time of an attacker can range anywhere from five to more than 100 days. During this time, an attacker makes noise within the cloud environment. If you are looking for abnormal behavior, you’ve got a much better chance of stopping a very expensive attack. 

Top 3 common attack vectors according to the Cyber Risk Alliance

  • Remote worker endpoint: 36%
  • Cloud infrastructure/platform: 35%
  • Cloud app (SaaS): 32%

Move over Windows, Linux is next

While ransomware operators have historically focused on attacking Windows environments, the ability to monetize expanding Linux/container environments is quickly becoming essential for ransomware operations. The adoption of containers and Linux has increased the attack surface. As adversaries evolve their techniques, it’s important to ensure your Linux environments are up-to-date, actively monitored, and backed up appropriately. 

Best practices 

It’s important to have visibility in order to prevent an attack, comprehensive detection tools to identify the attack, and context to help you investigate and respond quickly. The following tips can help mitigate the risk of ransomware in the cloud. 


  • Require multi-factor authentication (MFA) controls for data deletion and all external-facing assets
  • Enforce kernel module signing on Linux hosts to prevent unsigned kernel modules from being loaded onto compromised machines
  • Implement least privilege to limit roles and exposure to privilege escalation vulnerabilities and work toward automated guardrails to reduce configuration mistakes
  • Establish cloud security policies and a cloud posture management process that accounts for managing vulnerabilities and auditing the supply chain frequently 
  • Monitor and alert for configuration benchmarks and best practices 
  • Use password best practices and be sure to eliminate dead accounts
  • Deploy effective storage security for backup and restoration
  • Invest in automated threat intelligence and correlation


By connecting Lacework with your cloud providers, you gain visibility into cloud controls that leverage the CIS Benchmarks and custom Lacework policies to help mitigate against ransomware in the cloud. For example, within AWS, there are two pre-built custom Lacework policy checks — “S3 Object Versioning” and “MFA Delete.” S3 Object Versioning allows S3 objects to be “versioned,” so when a file is modified, a historical record is created. If an attacker modified a CloudTrail log file to remove traces of their activity, the defender could compare the old version of the file and the current version to see exactly what the attacker removed. 

Lacework helps respond to ransomware attacks by providing configuration monitoring to alert defenders if a door is open, vulnerability management to allow developers to identify complex software that can be exploited, threat detection to alert users of unwanted software, and anomaly detection to know if an attacker is accessing an environment. 

Interested in learning more about ransomware trends and the best tactics to fight it? Download this new Forrester report — The State of Ransomware Attacks and Defenses.