Category | Details |
---|---|
Threat Actors | BianLian, Rhysida, IndoSec, Cl0p Ransomware group |
Campaign Overview | Cloud ransom attacks target cloud-based storage services or use cloud services for data exfiltration. Techniques include encrypting or deleting files in cloud storage or using cloud resources to exfiltrate sensitive data. |
Target Regions | Not specified explicitly, but includes global cloud service users. |
Methodology | Misconfigured cloud services, use of AWS KMS for cryptographic ransom, and custom ransom scripts targeting web applications and storage systems. |
Products Targeted | Amazon S3, Elastic Block Store (EBS), Azure Blob Storage, web applications, and managed file transfer apps like Progress MOVEit. |
Malware Reference | RansomES (Python script), Pandora (PHP ransom script), IndoSec backdoor script. |
Tools Used | Azure Storage Explorer, Amazon S3, FTP, OpenSSL (for AES encryption). |
Vulnerabilities Exploited | Misconfigured S3 buckets, CVE-2023-34362 (SQL injection in Progress MOVEit). |
TTPs | Using misconfigured storage buckets, exploiting vulnerable APIs for encryption, employing red teaming tools for ransomware attacks, and utilizing remote web services for encryption. |
Attribution | RansomES script likely by a researcher or individual with an interest in threat intelligence; IndoSec attributed to an Indonesia-based threat actor. |
Recommendations | Use CSPM tools to detect misconfigurations, enforce MFA for admin accounts, deploy runtime protection for cloud resources, and block risky APIs with service control policies (SCPs). |
Source | SentinelOne |
Read full article: https://www.sentinelone.com/blog/the-state-of-cloud-ransomware-in-2024/
Disclaimer: The above summary has been generated by an AI language model.