Ransomware and the Cloud | @CloudExpo #InfoSec #DataCenter #Security
Is the cloud ready for new cyber threats?

It's been years since it became obvious that crypto isn't necessarily usable for benign purposes only. Back in the day, a variety of data encryption techniques were contrived to protect sensitive communication against MITM (man-in-the-middle) attacks and similar interception attempts. The creators of file-encrypting ransomware, however, have ventured to add a malicious component to the mix, using both symmetric and asymmetric algorithms to lock their victims' data and hold it for ransom.

The most common cryptosystems leveraged in these campaigns are RSA and AES. Although these two have fundamental differences, they are nearly equal as far as the reliability of encryption goes.

To top it off, ransom Trojans have evolved over time. The newer variants target files on a computer's local drives, network shares and cloud paths alike. The fact that cloud storage isn't safe either contradicts the main risk mitigation advice that security experts have been advocating, that is, to maintain data backups outside of the machine.

Anatomy of the Compromise
To get the big picture of the potential damage scope, it makes sense to scrutinize the workflow of the typical ransomware attack. On compromising a Windows computer, the offending program traverses every data repository reflected as a drive letter in the system hierarchy. Therefore, not only does this activity apply to local hard drive volumes but it also refers to mapped network shares and possibly cloud storage.

Even worse, the so-called DMA Locker extortion campaign that broke out in February 2016 demonstrated that drives don't even have to be mapped for the infection to hit them. Although this is still the exception rather than the rule, there are hardly any technical hurdles for it to become a trend anytime soon.

Over the course of the scan, the ransom Trojan compares files against a predefined range of formats in order to identify the most important user data and then encrypts it all. It will also attempt to disable VSS (Volume Shadow Copy Service) in order to thwart the easiest recovery technique.

So, is offsite backup to the cloud really such an effective way of storing data? To its credit, this strategy does provide a great deal of protection for one's sensitive files against straightforward locking by ransomware. But obviously, the cloud isn't bulletproof when it comes to the most sophisticated crypto assaults.

The "Children in Film" Incident
This case was the first major wakeup call in this particular context. Children in Film is an organization providing tools, advice, and support to child actors. The firm heavily relies on application hosting services outsourced to a cloud solutions company based in California. It uses a solution by Citrix Systems to remotely connect to the cloud and access the entire range of operational files, including QuickBooks, Outlook and Microsoft Office documents.

According to Toni Casala, the President of Children in Film, this strategy has numerous benefits for the company, because it offers an inexpensive way of managing their business without the need to hire more people in the IT department. Plus, the cloud provider is fairly responsive when it comes to tech support.

Unfortunately, the firm confronted ransomware at its worst just before last New Year's Eve. One of the employees received an email containing an attachment that looked like an invoice. This is a widespread social engineering technique that crypto ransomware operators use to spread their infections. Once the employee opened this eye-catching but booby-trapped email attachment, it took the ransom Trojan as little as half an hour to propagate across the firm's entire digital environment. As a result, more than 4000 files stored on the cloud drive were encrypted and could no longer be accessed.

This was an instance of TeslaCrypt, one of the most prolific ransomware programs at that point. It appended the .vvv extension to files and dropped ransom payment instructions into every directory holding locked data. Luckily, the provider of managed cloud services was able to restore the files from backups, which are taken daily. It was a very time-consuming process, though. Furthermore, other clients on the same server were experiencing disruptions as well. Because TeslaCrypt features sophisticated code obfuscation techniques, it bypassed the antivirus defenses in the course of the attack.

The most likely reason why the infection reached the cloud storage in this case is that the hosting company's app mapped the cloud drive as a separate local drive on the HDD. The takeaway from this incident is that end users and companies need to make sure there is no such mapping in place.
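The attack workflow described under "Anatomy of the Compromise" (a sweep across every lettered volume, a burst of files re-written under a new extension, a note dropped into each affected directory, and an attempt to remove shadow copies) leaves a recognisable trace in endpoint telemetry. The following detector is an added example written for this page, not code from the article or from any product; it runs over a constructed, simplified event log in a `timestamp|type|process|detail` format, and the note file name `RECOVER_FILES.txt`, the thresholds, and the `vssadmin delete shadows` pattern are assumptions chosen for illustration (only the `.vvv` extension comes from the incident described above).

```python
"""Toy ransomware-activity detector over constructed endpoint events (added example)."""
import re
from collections import defaultdict

# Constructed sample telemetry. A benign rename by explorer.exe is followed by an
# "invoice" attachment launching, shadow copies being deleted, files on the mapped
# Z: share and on C: being renamed to .vvv, and a note dropped per directory.
SAMPLE_EVENTS = r"""
10:00:01|file_rename|explorer.exe|C:\Users\amy\report.docx -> C:\Users\amy\report-v2.docx
10:15:03|process_start|winword.exe|"C:\Program Files\Office\winword.exe" invoice.docm
10:15:09|process_start|invoice.exe|C:\Users\amy\AppData\Local\Temp\invoice.exe
10:15:10|process_start|vssadmin.exe|vssadmin.exe delete shadows /all /quiet
10:15:11|file_rename|invoice.exe|Z:\finance\q4.xlsx -> Z:\finance\q4.xlsx.vvv
10:15:11|file_rename|invoice.exe|Z:\finance\budget.docx -> Z:\finance\budget.docx.vvv
10:15:11|file_create|invoice.exe|Z:\finance\RECOVER_FILES.txt
10:15:12|file_rename|invoice.exe|Z:\hr\contracts.pdf -> Z:\hr\contracts.pdf.vvv
10:15:12|file_create|invoice.exe|Z:\hr\RECOVER_FILES.txt
10:15:12|file_rename|invoice.exe|C:\Users\amy\photos\1.jpg -> C:\Users\amy\photos\1.jpg.vvv
10:15:13|file_rename|invoice.exe|C:\Users\amy\photos\2.jpg -> C:\Users\amy\photos\2.jpg.vvv
10:15:13|file_create|invoice.exe|C:\Users\amy\photos\RECOVER_FILES.txt
"""

# Assumed thresholds; tune them to the environment's normal file churn.
RENAME_BURST_THRESHOLD = 5   # renames to one new extension by a single process
NOTE_DIR_THRESHOLD = 2       # identical new file name created in this many directories

SHADOW_DELETE_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
RENAME_RE = re.compile(r"^(?P<src>.+?) -> (?P<dst>.+)$")


def parse_events(text):
    """Split the pipe-delimited lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, proc, detail = line.split("|", 3)
        events.append({"ts": ts, "type": etype, "proc": proc, "detail": detail})
    return events


def extension_of(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def directory_of(path):
    return path.rsplit("\\", 1)[0]


def detect(events):
    """Return a list of alert dicts for the three behaviours the article describes."""
    alerts = []
    renames = defaultdict(list)   # (process, new extension) -> destination paths
    notes = defaultdict(set)      # (process, file name) -> directories it was created in
    for ev in events:
        if ev["type"] == "process_start" and SHADOW_DELETE_RE.search(ev["detail"]):
            alerts.append({"rule": "shadow_copy_deletion", "proc": ev["proc"],
                           "detail": ev["detail"]})
        elif ev["type"] == "file_rename":
            m = RENAME_RE.match(ev["detail"])
            if not m:
                continue
            src_ext, dst_ext = extension_of(m["src"]), extension_of(m["dst"])
            if dst_ext and dst_ext != src_ext:   # only count renames that change the extension
                renames[(ev["proc"], dst_ext)].append(m["dst"])
        elif ev["type"] == "file_create":
            name = ev["detail"].rsplit("\\", 1)[-1]
            notes[(ev["proc"], name)].add(directory_of(ev["detail"]))

    for (proc, ext), paths in renames.items():
        if len(paths) >= RENAME_BURST_THRESHOLD:
            volumes = sorted({p[:2] for p in paths})   # which drive letters were touched
            alerts.append({"rule": "rename_burst", "proc": proc, "ext": ext,
                           "count": len(paths), "volumes": volumes})
    for (proc, name), dirs in notes.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            alerts.append({"rule": "note_dropped", "proc": proc, "name": name,
                           "dirs": len(dirs)})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The `volumes` field is the point of the example: a rename burst that spans both `C:` and a mapped share such as `Z:` is exactly the "every drive letter" sweep the article describes, and seeing the share in the alert is what tells a responder that the cloud-mapped drive has already been hit.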

The Cloud as the Entry Point
Not only is ransomware capable of affecting data in the cloud, but it may also use the cloud to propagate on a large scale. A strain dubbed Petya, for instance, uses a cloud-hosted payload to contaminate Windows computers. The extortionists broke fresh ground with this particular infection in several ways.

First off, it encrypts the master file table (MFT) rather than individual files, which prevents the operating system from knowing where files are and effectively renders the computer inoperable. Secondly, the circulation of Petya in the wild involves a ZIP archive hosted at Dropbox.

The would-be victims receive a phishing email masquerading as a job application. This email contains a Dropbox link pointing to the aforementioned ZIP file. The archive holds two components: a photo of the purported applicant, and a malicious executable. When the latter is opened, the ransomware is loaded onto the target system, displays a request to gain administrator privileges, performs the MFT encryption routine, and generates a spooky BSOD with an ASCII art skull and crossbones. To regain access to the OS, the victim needs to submit a ransom of about 1 Bitcoin, or approximately 440 USD.

A Recap
In the course of ransomware evolution, these nasty programs have come to target data stored in the cloud. When using popular automatic synchronization tools such as Dropbox and OneDrive, the customers now run the risk of losing their backups along with files kept locally.

A common prerequisite for the worst-case scenario is the mapping of cloud storage as a drive letter in the system structure, although some ransom Trojans can affect unmapped repositories as well. Such an intricate tactic may result in compromising other users on the same server. Furthermore, even if the infection fails to spread to offsite storage directly, the mutilated local files may be auto-synced to the cloud.

Another facet of this issue has to do with the involvement of cloud services in ransomware distribution, where users are social-engineered into downloading malicious droppers from resources like Dropbox.

This twofold impact throws down the gauntlet to the security industry and cloud service providers alike. Meanwhile, relying on antivirus software alone is a lame preemptive technique, because most recent ransomware samples have smart AV evasion built in. It's hence preferable to adopt a diversified backup strategy, where at least one copy of the data resides on a device that's not permanently connected to the Internet.
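The recap makes two practical points: a synced folder will faithfully upload mutilated files, so it is not a backup on its own, and at least one copy should sit on a device that is not permanently connected. One way to operationalise the second copy is to take a hash manifest from the offline copy and periodically verify the synced copy against it, so that a sync of damaged files is noticed rather than silently accepted. The script below is an added example for this page, not code from the article or from any backup product; it builds a small constructed backup set in a temporary directory, and the "tampered" files it writes are arbitrary bytes standing in for locked content (nothing is encrypted). The `.vvv` extension comes from the incident described earlier; the `RECOVER_FILES.txt` note name and `SUSPECT_EXTENSIONS` list are assumptions.

```python
"""Verify a synced copy against a manifest taken from the offline backup (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed list; extend it with the extensions seen in your own environment.
SUSPECT_EXTENSIONS = {".vvv"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each relative file path under root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def verify_copy(manifest, copy_root):
    """Compare a copy (for example a cloud-synced folder) against the offline manifest."""
    current = build_manifest(copy_root)
    report = {"missing": [], "modified": [], "unexpected": [], "suspect": []}
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)          # original gone (renamed or deleted)
        elif current[rel] != digest:
            report["modified"].append(rel)         # content changed in place
    for rel in current:
        if rel not in manifest:
            report["unexpected"].append(rel)       # new file the backup never had
            if Path(rel).suffix.lower() in SUSPECT_EXTENSIONS:
                report["suspect"].append(rel)      # new file carrying a known ransomware extension
    for key in ("missing", "modified", "unexpected", "suspect"):
        report[key].sort()
    report["ok"] = not (report["missing"] or report["modified"] or report["unexpected"])
    return report


def demo():
    """Build a constructed offline backup and synced copy, then verify before and after damage."""
    with tempfile.TemporaryDirectory() as tmp:
        offline = Path(tmp, "offline_backup")
        synced = Path(tmp, "cloud_sync")
        (offline / "finance").mkdir(parents=True)
        (offline / "finance" / "q4.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (offline / "notes.txt").write_bytes(b"constructed notes")
        shutil.copytree(offline, synced)

        manifest = build_manifest(offline)      # taken while the offline copy is known good
        clean = verify_copy(manifest, synced)

        # Simulate what a hit workstation would sync up: the original is gone, a renamed
        # file with different bytes appears, and a note is dropped beside it.
        (synced / "finance" / "q4.xlsx").unlink()
        (synced / "finance" / "q4.xlsx.vvv").write_bytes(b"arbitrary bytes standing in for locked content")
        (synced / "finance" / "RECOVER_FILES.txt").write_bytes(b"constructed note text")
        tampered = verify_copy(manifest, synced)
        return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean copy ok:", before["ok"])
    print("after sync of damaged files:", after)
```

The manifest must be generated from, and stored with, the copy that the sync client cannot reach; a manifest kept in the synced folder would be overwritten along with everything else.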

About David Balaban
David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on the contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.
