Preventing Ransomware Attacks in a Hybrid Cloud Environment

Ransomware attacks on hybrid cloud environments can be prevented by following best practices such as data encryption, IAM, and identifying misconfigurations.
Ransomware in the Cloud

Businesses interested in scaling up operations are turning to hybrid cloud environments as a cost-effective solution. Hybrid clouds provide the best of both worlds, allowing companies to expand their network without investing in additional, costly on-premises servers that must be maintained. While there are a number of benefits to a hybrid cloud environment, it is, of course, not without risk. The expanded attack surface, potential for misconfiguration, and lack of visibility introduce significant security challenges, and ransomware groups are taking advantage of this with new attack methods specifically designed to exploit cloud weaknesses.

Ransomware Attacks in the Cloud

Ransomware attacks exploit vulnerabilities, exposed credentials, or social engineering to gain access to an organization’s network and encrypt their data, demanding payment in exchange for its return. In recent years, ransomware gangs have gone beyond traditional extortion methods, threatening data leaks and DDoS attacks to apply additional pressure as companies become more sophisticated in their defenses and less likely to comply with demands. In addition, as organizations move to the cloud, ransomware groups have developed attacks designed specifically for the cloud environment.


In this type of attack, the victim receives a phishing email, and they click the link or open the attachment, infecting the system with malware. Once the local machine is infected, the ransomware looks for a cloud file sync that it can infiltrate to gain access to the cloud. Once it has cloud access, it can then go on to encrypt both the cloud and on-premises files.


In this attack, once the local machine has been infected, typically by phishing, it will attempt to steal cloud login credentials by masquerading as the cloud web portal. Keystroke loggers log details that are transferred to the attacker’s remote computer to bypass security measures such as multi-factor authentication.


Like many other ransomware attacks, this one starts with a phishing email, but it is specifically designed to encrypt cloud email accounts. Attackers send an email asking you to enable Microsoft AntiSpam PRO. You’re taken to a spoofed Microsoft login screen where you grant them access to your email account. The content of your emails is then encrypted, which can be crippling as email is the primary source of business communication.

Defending Against Ransomware Attacks


In a hybrid environment, your data is going to be moving from the cloud to your on-premises environment and back through the openly accessible internet. This puts your data at risk of corruption or theft through man-in-the-middle attacks if not properly encrypted. In a public cloud, the CSP will offer server-side encryption, which means that the data is encrypted after it is received by the CSP, but before it is written to the disk and stored. The CSP manages the key for this encryption. You can also choose to implement client-side encryption, which means that you encrypt the data before sending it to the cloud service provider. You should ensure that your data is encrypted while in transit as well as at rest. In the event of a ransomware attack, encryption ensures that the attacker will not be able to extort you with the potential of a data leak, as they will not be able to read any data that is stolen.

Identify Misconfigurations

One of the most challenging parts of cloud security is ensuring that everything is correctly configured to prevent accidental exposure. 67% of respondents in Fortinet’s 2021 Cloud Security Report say they see misconfiguration as the biggest security threat to public clouds. Investing in tools that allow you to aggregate information across both your cloud and on-prem environments will help you detect vulnerabilities and provide you with alerts when errors have occurred. Cloud Security Posture Management (CSPM) tools are designed to find misconfigurations that are putting your data at risk. For example, not enabling the Amazon S3 Block Public Access feature can open Amazon S3 bucket data to the public, a prime opportunity for ransomware attackers. CSPM tools can also help you identify cross-site scripting and SQL injection attacks to prevent malware infection.

Security Awareness

Security awareness is always one of the best ways to defend against ransomware attacks, and that remains true in a cloud environment. Prevalent attacks on cloud resources still start with a phishing attempt, which can be thwarted by security awareness training programs that help employees identify suspicious links. Recently, ransomware groups have also employed cloud technology to deliver their malware. For example, Petya ransomware was found being distributed by spear-phishing emails sent to HR departments. The emails contained a link to a Dropbox file that claimed to be a resume, but instead was an executable file. Learn more about how security awareness can prevent ransomware attacks in this blog post.

Identity and Access Management

Identity and access management is more important in the cloud than ever before. You can no longer rely on the traditional network perimeter to verify a user’s identity. Implementing simple practices such as rotating access keys and turning on multi-factor authentication are great first steps for securing access. Companies must also work towards adoption of policies like zero trust, least privilege, and network segmentation, that while difficult to comprehensively implement, can effectively limit the ability of a hacker to move laterally within a system once they have access.


The cloud is inherently harder to hit with ransomware as a successful ransomware attack relies on being able to gain access to the files and the victim not having a reliable backup to restore from. The shared responsibility model states that cloud service providers are responsible for a portion of the security of the cloud, with how much they’re responsible for depending on the service level you’ve selected. This may put your information at risk if an attacker targets the CSP, but it can also provide an additional level of security to your data that you wouldn’t have, managing security entirely on your own, on premises.

While your cloud service provider is not likely to provide you a backup of your data in the event of a ransomware attack, you can plan ahead and create backups of important buckets so that you have a copy to restore from. You can also employ a different cloud service provider as your backup vendor to reduce the likelihood of your backup also becoming compromised. One thing to remember with cloud backups is that it will require additional storage, which will increase your costs, and any backups you add will also need to be correctly secured. If there is a misconfiguration in your cloud backup, it could end up being worthless.

In conclusion, all of the traditional methods of ransomware protection still apply to the cloud, but you must now also pay attention to misconfigurations in your cloud environment that could provide an easy in for attackers. To learn more about ransomware recovery, download RH-ISAC’s Ransomware Resilience Guide.


Cloud Security Planning Guide

Learn best practices for managing a secure cloud environment.

More Recent Blog Posts