5th anniversary of WannaCry: Cloud ransomware

Do you remember May 2017 when the world got struck by the WannaCry virus? WannaCry was a worldwide ransomware attack, first recorded in Europe on Friday 12 May 2017. It targeted corporate networks running Windows environments and paralysed companies across multiple critical industries, including health, banking, and food globally.  

Despite the increasing prevalence of cyber-attacks since WannaCry, many businesses still have weak or outdated cyber security processes, making it easy for threat actors to gain access to their data and systems. Recent research from Check Point suggests that the cost of recovering from a ransomware attack far outweighs the ransoms now being demanded by cyber criminals. Ransom payments take advantage of digital currencies and are instant, untraceable, and easy to collect. All these lead to more of the affected organisations deciding to pay cyber criminals to get decryption keys and speed up recovery processes, which in turn makes ransomware attacks extremely popular amongst cyber criminals.  

In parallel, in the last five years, many companies have migrated business-critical systems and data to public cloud and minimised their on-premises technology estate to achieve various business benefits, including resilience, flexibility and efficiency amongst others. However, cloud inherently provided a wider avenue for attackers. UK Cyber Security Breaches Survey 2022 results show that 39% of UK businesses identified a cyber-attack in the last 12 months, showing one out of three UK businesses have been breached. Out of those attacked, 21% were targeted by a more sophisticated attack type such as malware, or ransomware attack, showing the threat is still there. 

The adoption of cloud services has created opportunities for determined and well-funded attackers to target cloud infrastructure. Following are some avenues that our KPMG Cyber Incident response teams have observed to be playing a role in cloud infrastructure breaches. 

• DevSecOps and Agile development – Fast-paced changes can jeopardise security controls and validation gates that were considered as the holy grail of security 101. Weak processes and insecure coding practices leave room for attackers to exploit and gain access to entire cloud infrastructure estate. 
  
  
• Increased attack surface – Access via public internet provides a potential vector for the attackers to use and gain access to organisations. Hybrid cloud configurations have significantly increased the risks as it has widened the boundaries that need to be protected by the security administrators. At the same time, hybrid cloud has allowed attackers to use tunnelled accesses between on-premises and cloud implementations to steal privileged access and increase the dwell time. 
  
  
• Increase in zero-day vulnerabilities – In most cloud implementations, administrators consider the baseline configurations (i.e., virtual machines images) as secure unless proven otherwise. However, a good practice is the complete opposite: the baseline configuration should be considered insecure unless it has been hardened. With the increase in zero-day vulnerabilities, it has become easier for attackers to find potential targets and use these vulnerabilities as means to gain access to the network. 
  
  
• Trust structure – Most cloud adoptions have complex trust relationships and some of these relationships are never tested to guarantee security. The controls to prevent network lateral movement are mostly found inadequate - if one network segment gets compromised, this gives cyber criminals access to many, if not all, virtual networks within the company’s cloud infrastructure. 

In our view, cloud infrastructure is here to stay, and organisations need to develop safeguards to ensure delivery of critical business services and contain potential impact of ransomware attacks. But how do you go about it? 

1. Threat assessment – start with identifying risks to your cloud assets, systems, data, people, and capabilities. This will help to ensure the cloud security and incident response controls you choose are appropriate to the risks your organisation faces and are aligned with your cloud and cyber strategies.
   
   
2. Cloud architecture – review your cloud security architecture and improve Identity & Access Management (IAM) capabilities by using Multi-Factor Authentication (MFA), just-in-time access for Remote Desktop Protocol (RDP) traffic, and private endpoints for your storage accounts. Ensure you have set up your cloud forensics and incident response environment in advance (incl. golden images, access to passwords, keys, and other certificates), so it is immediately available when you need it. Finally, make a clear inventory of your IT assets, ensure these are regularly patched, take backups in accordance with your RPO requirements and save immutable copies in isolated networks. 
   
   
3. People – understand shared responsibility model between a Cloud Service Provider (CSP) and your organisation, define clear cloud security processes, and get buy in from the leadership team. The Oracle and KPMG cloud threat report 2020 shows that 69% of CISOs were involved in cloud projects only after a security incident, leading to no security oversight of cloud infrastructure adoption. In addition, provide regular cyber security awareness training to end users, so your employees can securely report any suspicious/phishing emails. Finally, use rotation and cross training for your cloud security response team, so it has the right level of access and is capable to work 24/7 to respond to a potential incident. 
   
   
4. Automated detection and response – cloud infrastructure brings unmatched automation capabilities, so consider using cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) tools to automate security monitoring, threat detention and incident response of cloud infrastructure. By using alert library, investigation playbooks, and leveraging existing automation processes within your organisation, you can free up human capital for more important activities, such as coordination of different teams and communications to internal and external stakeholders. 
   
   
5. Testing – once you have developed your incident response plan, it is crucial to regularly test it and conduct full rehearsal of your security response and recovery capability with cloud focused adversary simulations, including restoration from backup for both data and applications. 

We can help you improve your cloud security and incident response capabilities, by providing multiple services: 

• Cloud security advisory – assess maturity and develop / implement your cloud security controls (incl. incident response playbooks) in Azure, AWS, GCP or OCI. 
• Cloud compromise assessment – review cloud resources to identify potentially compromised assets and assist with digital forensics as required. 
• Cyber response retainer services – have an incident response on-call agreement that allows clients to leverage KPMG Cyber Response Services at a moment’s notice to respond to cloud security incidents. 
• Cloud response platform – rapidly deploy cloud native security monitoring, automation, and orchestration capabilities to transform your incident response (using Azure Sentinel). 

For more information on where to start with your cloud security and incident response capabilities, please contact Adrian Bradley, Amit Gupta-Chaudhary, Oisin Fouere, Tahir Soomro, and Iakov Fedoseenko.