Is Your Organization Prepared for Ransomware Strikes in Azure Storage?

In light of the recent surge in cloud ransomware attacks, Mitiga’s head of research offers recommendations to defend against them

Or Aspir, Head of research at Mitiga

October 26, 2023


The cloud landscape is witnessing an unprecedented surge in highly sophisticated attacks, with threat actors transcending traditional exploits like crypto mining and data exfiltration. Instead, they are delving deeper into cloud infrastructure, executing intricate maneuvers such as lateral movement, orchestrating supply chain attacks and deploying ransomware on cloud data. In this ever-evolving realm of cloud security, a recent revelation from Sophos X-Ops highlights the exceptional proficiency of the BlackCat/ALPHV ransomware group in exploiting the cloud to their advantage.

Their latest endeavor involves the deployment of a new Sphinx encryptor variant, strategically targeting Azure storage accounts. What sets this apart is their covert approach, gaining unauthorized access to a victim's Azure resources and extracting Azure storage account keys, thereby assuming control over the data stored within those accounts. It is worth noting that this same group previously made headlines for their audacious infiltration of MGM's infrastructure, where they boldly claimed to have encrypted over 100 ESXi hypervisors.

The distinction between typical ransomware used in on-premises systems and cloud ransomware targeting Azure resources lies in what it affects and how it operates. Cloud ransomware runs against the cloud environment itself, potentially affecting critical cloud resources, including VMs, databases, and storage. Moreover, it leverages cloud-specific attack vectors such as exploiting misconfigurations, lateral movement within cloud networks, and abuse of cloud services.

As organizations increasingly embrace cloud services like Azure, it becomes imperative to proactively fortify themselves against cloud-based threats, including ransomware attacks. In this rapidly evolving threat landscape, companies must develop robust defense strategies to secure their cloud resources effectively.

To protect against ransomware attacks in Azure Storage accounts, you can adopt proactive strategies, including:

  1. Network Access Control: Manage and restrict network access to your storage account, which can involve integrating it into a dedicated Virtual Network or implementing Firewall Rules to grant access solely to specific IP addresses.

  2. Managed Identities: Enhance security by embracing Azure Managed Identities instead of relying on access keys. This approach ensures secure access for services and applications while eliminating the risk of key exposure.

  3. Azure RBAC Implementation: Exercise precise control over permissions through Azure Role-Based Access Control (RBAC). Assign only essential permissions to users and applications, thereby reducing the attack surface.

  4. Key Rotation: If access keys are necessary, establish a routine for key rotation, regularly changing them, and discontinuing the use of old keys to minimize vulnerabilities.

  5. Azure Data Protection Utilization: Strengthen data protection with tools like Azure Blob Backup and Blob Versioning. These measures enable you to maintain access to encrypted or deleted objects, bolstering your defense against potential threats from malicious actors.
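A small configuration audit that checks a storage account against controls 1, 2, 4 and 5 above, as an added example that is not part of the original article. The input is a constructed JSON sample shaped like the output of `az storage account show` and `az storage account blob-service-properties show`; the property names are an assumption based on current Azure CLI output, and RBAC assignments (control 3) live on the subscription, not on the account, so they are out of scope here.

```python
import json

# Constructed sample (not a real account): shape mirrors `az storage account show`
# and `az storage account blob-service-properties show` JSON (assumed field names).
ACCOUNT = json.loads("""{
  "name": "examplestorage",
  "allowSharedKeyAccess": true,
  "allowBlobPublicAccess": false,
  "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []}
}""")
BLOB_PROPS = json.loads("""{
  "isVersioningEnabled": false,
  "deleteRetentionPolicy": {"enabled": true, "days": 7},
  "containerDeleteRetentionPolicy": {"enabled": false, "days": null}
}""")


def audit_storage_account(account, blob_props):
    """Return one finding string per control that is not in its hardened state."""
    findings = []
    net = account.get("networkRuleSet") or {}
    # Control 1: the firewall default should be Deny, with explicit IP / VNet rules.
    if net.get("defaultAction", "Allow") != "Deny":
        findings.append("network: defaultAction is Allow; set Deny and add IP/VNet rules")
    # Controls 2 and 4: while shared key access is enabled, a stolen account key grants
    # full data-plane access; disabling it forces Entra ID (managed identity + RBAC).
    if account.get("allowSharedKeyAccess", True):
        findings.append("auth: shared key access enabled; use managed identities, rotate keys if kept")
    if account.get("allowBlobPublicAccess", True):
        findings.append("auth: anonymous blob access enabled")
    # Control 5: versioning plus soft delete keeps pre-encryption copies recoverable.
    if not blob_props.get("isVersioningEnabled", False):
        findings.append("data-protection: blob versioning disabled")
    for policy in ("deleteRetentionPolicy", "containerDeleteRetentionPolicy"):
        if not (blob_props.get(policy) or {}).get("enabled"):
            findings.append(f"data-protection: {policy} disabled")
    return findings


if __name__ == "__main__":
    for finding in audit_storage_account(ACCOUNT, BLOB_PROPS):
        print("FAIL", finding)
```

Run it against the real CLI output piped to a file to get a per-account checklist; an empty result means all four checked controls are in place.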

Additionally, one crucial proactive measure is collecting logs from Azure resources, such as activity logs. For Azure storage accounts, resource logs such as Storage Blob resource logs record the data-plane operations needed to detect malicious actions, including who performed them and how they authenticated, and so improve visibility within the environment.

In today's tech-driven world, where cloud reliance is the norm, safeguarding your digital assets isn't optional – it's imperative. Prepare your organization to withstand changes and innovations in technology by fortifying your cloud security defenses.

About the Author(s)

Or Aspir

Head of Research, Mitiga

Or Aspir, head of research at Mitiga, has more than 10 years of experience in cybersecurity engineering. Or’s journey began at Unit 8200, Israel’s elite military technology unit, and continued at several cybersecurity companies as a software engineer, researcher and team leader, including Cyberbit and Fortinet (formerly enSilo), where he led teams of cybersecurity professionals in identifying and mitigating cyber threats. In his free time, Or dedicates himself to learning to play the piano, guitar, and drums, and to sharing his passion for Salsa dancing as a former Salsa dancing teacher.
