Ransomware and AWS: 6 ways to reduce your blast radius
How does ransomware work? What are common attack vectors? How can you reduce the risk of ransomware when building in AWS? Learn more from Mark Nunnikhoven.
Jun 08, 2023 • 17 Minute Read
In this post, we’ll talk about ransomware and AWS — how it works and how you can reduce your ransomware risk while building in the cloud.
Ransomware is everywhere. Unless you’ve been living under a rock for the past year (which may not have been a terrible place to spend the past 16 months or so) you’ve probably seen headlines about ransomware. It messes with everything from gas to healthcare to meat. (Leave our burgers alone, you monsters!)
Just earlier this month, it was reported that the U.S. government is now giving ransomware attacks the same level of priority as terrorism.
The government is fighting it.
People are writing songs about it.
But what can you do about it?
When it comes to ransomware and AWS, how does it work? What are the common attack vectors for ransomware? And how can you reduce your overall risk of ransomware when building in the AWS cloud?
Those are a lot of questions. Fortunately, Mark Nunnikhoven has a lot of answers.
Mark is a forensic scientist/writer/speaker/teacher/coach/builder who helps organizations navigate their cloud transformations while managing the risks of our digital world. Besides speaking at the ACG Community Summit, Mark has also written and chatted with ACG about everything from re:Invent keynotes to cloud security to 5 surprising things you can do with the AWS Marketplace.
In his session at the ACG Community Summit, Mark spoke about the importance of reducing your blast radius when it comes to ransomware and AWS.
This post covers some key takeaways from Mark Nunnikhoven's session at the ACG Community Summit. This is one case where the movie is better than the novel. Trust us — it’s worth a watch. Check out Mark’s full session here.
Table of contents
- What is ransomware?
- Who is responsible for ransomware?
- Will I get my data back if I pay the ransom?
- What are the odds of getting attacked again by ransomware?
- How much time and money does it take to recover from ransomware?
- Should you pay ransomware?
- How does ransomware actually work?
- How do we defend against ransomware?
- How do you create a ransomware disaster recovery and incident response plan?
- Ransomware and AWS FAQs
Note: The content below includes quotes and details from Mark that have been edited for clarity, brevity, and general awesomeness. Any mistakes or misunderstandings are most likely on the part of the editor, not Mark.
What is ransomware?
Ransomware is a type of malware that encrypts data and holds it for ransom. It’s a problem — a $42 billion problem. That was the estimated cost in US dollars of ransomware attacks globally in 2020. And 2021 shows no indication of that number dropping.
How’s it work?
One day you’re going about your business (maybe you’re in the middle of giving a presentation on ransomware at the ACG Community Summit), and you hastily click a notification that pops up.
Something like this.
Seems harmless enough. Until you see a screen like this.
Yikes. Red screens are rarely a good thing. (Note: The wallet in the image isn’t valid. Please don’t send money there.)
Now you’re locked out of our data by a criminal who holds it for ransom.
It’s the digital equivalent of breaking into the Louvre to steal the Mona Lisa. Of course, in a hypothetical art heist, the theft/ransom works because there’s only one copy of the Mona Lisa. But in the digital world, you should have multiple copies of your data. (You do have multiple copies of your data, right?) So . . . problem solved?
Nope. Today, ransomware has evolved to sniff out, lockdown, and destroy your copies, ensuring you’re like the Louvre without the Mona Lisa. (I don’t know how to say it in French, but in internet acronym-speak: “You’re SOL.”)
Watch: What Leaders Need To Know About Cloud Security
Is your business safe in the cloud? The answer is largely up to you. Watch this free on-demand webinar with Mark Nunnikhoven as he tackles the keys to cloud security that sticks.
Who is responsible for ransomware?
Who are these criminals behind ransomware? Forget what you’ve seen on TV. It’s not nation states. This is organized crime — a crime committed for profit. Criminals are trying to make as much money as they can, and they’re very good at it.
Will I get my data back if I pay the ransom?
Maybe! But it’s complicated.
Fortunately(?), because it’s organized crime and there’s profit involved, there are some rules in this game.
- The average ransom paid in 2020 was $312,493 USD.
- The largest recorded ransom paid was $4.5 million USD.
- If you pay the ransom, there’s a reported 97% chance that you’ll get an active key that would decrypt your data.
- However, 46% of the time, companies report there’s some level of corruption. And, of course, restoration isn’t immediate, so there's still a massive impact.
What are the odds of getting attacked again by ransomware?
- 80% of paying organizations reportedly get hit again. It makes sense. Once you’ve paid out, you’ve shown that you’re more likely to pay again.
How much time and money does it take to recover from ransomware?
- The average cost of recovering from a ransomware attack is $1.2 million USD. (That’s direct costs — not indirect costs like lost revenue for your business being down.)
- Not only are you forking out $312,000 to criminals, but youi’re also paying for overtime, new systems, consultants — all this extra stuff.
- It takes 16.1 days on average to recover from ransomware
“As a former incident responder, let me tell you, those 16 days suck,” Nunnikhoven says. “You’re working around the clock. You’re stressed out. You’re trying to make sure you got every piece of the attack off of your network — because if you don’t, it’s going to come back.”
Should you pay ransomware?
From a community perspective, you shouldn’t pay. Because the more criminals get paid, the more they’re going to attack.
But from a business perspective, you’re probably going to end up paying. Because if the choice is you can’t recover from your own backups and it will take you months to get back online OR you can pay a ransom to possibly get back online now, that’s a pretty straightforward business decision.
The ultimate answer may be, “Ehh, I don’t know!” But don’t just take it from us. What’s the U.S. government’s stance on it? Anne Neuberger, Deputy National Security Advisor, Cyber & Emerging Tech, offers a very politically correct version of “Ehh, I don’t know” — saying: “We recognize that victims of cyberattacks often face a very difficult situation. And they have to have to balance often the cost-benefit when they have no choice with regard to paying a ransom.”
How does ransomware actually work?
Back when ransomware ransoms were around $300 to $500, it was very simple. Ransomware would land on your system and lock you out. This approach was highly automated and designed to hit as many people as possible.
Fortunately, we don’t see this as much anymore.
Unfortunately, attackers have now expanded what they’re doing.
Attackers are now going toward multi-stage attacks. They’re researching you, figuring out where you’re weak, learning everything about you, and then they’re landing other malware designed to figure out what the best attack is. Then they’re exploring your network, looking for backups, weaknesses, and high-value data. Then, they strike.
The typical workflow of a ransomware attack
- Criminals use social media and corporate websites that list who executives are. This sets up an easy way for attackers to get a foot in the door by name-dropping people.
- They then research mobile apps, websites, and GitHub looking for keys. How many of us have built Android or iOS apps that have AWS keys inside of them? If it’s published, attackers can get those. That’s a key attack vector for people to get into your accounts.
- When they land, it’s almost always phishing. Non-stop phishing. 94% of all malware is delivered through phishing emails. Because it’s easy. As a criminal, I can do enough research to know enough about your company to make my email believable. “The amount of research and A/B testing they do in phishing emails — if it wasn’t so evil, it would be a thing of beauty,” Nunnikhoven says.
- Everything you’ve been taught about phishing is wrong. The number one thing they tell you is don’t click on links. But links were built to be clicked on. So not clicking? Not going to happen.
- Here’s the key to avoiding phishing. If you click on a link and are asked to take an action — like log into Google, download a file, or run a program — stop. Then question the source of the link. Because if you’ve looked at any marketing link in the past fives years, you know there’s no way you can tell what’s legitimate or illegitimate.
- If they can’t phish you, they get in due to weak password… policies. Don’t blame weak passwords, blame weak password policies.
- Everything you’ve been told about picking a strong password is wrong. Pick a passphrase and use a password manager. Only change your password once a year or if you think you’ve been attacked. But most organizations have yet to adopt that guidance. They do 90-day rotations and capital letters, symbols — all this ridiculousness. It’s not effective. The math doesn’t hold up and it leads to more security breaches.
- This isn’t on users, it’s on the security team (but they’ll blame you). So remember: strong passwords are long passwords.
- Probing APIs, VPCS, etc. — When exploring, criminals are looking at APIs in AWS, they’re looking at VPC configurations, and they’re checking out at security groups — things like that.
- Checking roles and IAM keys — They’re also looking at the roles they can see. Same with the keys. “How far will this one key get me? I stripped this out of your mobile app. Where can I go with this key?”
- Finally, they’re going to encrypt the data and block access to that data.
How do we defend against ransomware?
There are a ton of different ways to defend against ransomware, but none of them are foolproof.
However, there are principles we can adhere to. Together, they sort of work like a security system alarm sign in your front lawn. Your security system may not make your house an impenetrable fortress, but it just might push criminals on to easier victims.
6 ways to reduce your blast radius
With that in mind, here are some principles to help you defend against ransomware. These six bullet points aren’t the end of it, but they're are a good overview to get you thinking in the right direcitons.
The idea of “reducing your blast radius” comes from Dr. Werner Voggels at AWS re:Invent 2020. The idea is to make sure if (or when) something messes up it doesn’t cascade through your system.
- Update instances and container images constantly
Automatic updates do wonders for security. Patch it and fix it after if you have problems. You’ll face fewer issues and far easier issues.
- AWS Security Reference Architecture
AWS’s security reference architecture just dropped last week from AWS. (More here.) This maintained reference architecture includes links to all AWS services around security and how to get the most out of them.
- Iterate using the well-architecture framework
I’m biased because I teach the Mastering the AWS Well-Architected Framework course at ACG. But security isn’t an isolated thing. It’s just one of the things you do when you’re building a good solution. A well-architectured framework builds around five pillars — and security is one of them. It’s all about balance, building well, and reducing that blast radius.
- Principles of least privilege
Make sure users or roles only has access to what they need to do their jobs. And only that! That means...
- No *FullAccess IAM policies
I understand why they’re there to make developing easier, but they should never be used in production. If you’re using them, stop. How do you stop?
- Use IAM Access Analyzer continuously
This maps out what’s in use permission-wise and helps you tighten up those policies.
How do you create a ransomware disaster recovery and incident response plan?
For your disaster recovery and incident response plan, let’s ask ourselves a few questions.
Disaster recovery questions
- How long will it take to restore from backups? (And are you sure?)
You have backups. Right? (Right???) If you don’t already have backups, make sure you have them and then test them. You need to make sure you can restore.
- If you and your team didn’t have your laptops, what would you do?
Can you still recover? Can you still run your build in AWS if you don’t have your laptop? Seems like a weird question, but it’s one worth working through.
- Are you backing up to another, append-only account?
With backups, are you backing up to a separate account — a different AWS account (remember, they’re free) — and is that account append-only? Can you only write to it and not overwrite and delete? That’s a key step in protecting yourself. Because now that you have another account that’s isolated that always has a copy of your data, you can restore and don’t have to pay that ransom.
Incident response plan questions
- How do you know there’s an incident?
- Where is your most important data?
Don’t be embarrassed. No one can answer this question. I’ve worked with thousands of organizations and almost no one can answer this. But still, you should try to figure it out today.
- Without email, how would you contact everyone?
Do you have a written list? If you lose all your IT systems, how will you work together to restore?
Here’s a technical starting point for your incident response plan
We’re going to use a really simple pattern to get notified when there’s something we should look into.
- Tag Amazon CloudWatch events
- Send certain events into AWS Lambda
- Then send them into Slack (or your tool of choice)
- Finally, take action based off of what you send to Slack
What events do you look for? There’s a mountain of them, but here are a few to give you an idea:
Ransomware and AWS FAQs
Before we wrap up, let’s do a quick recap.
- Know the problem. Ransomware is a profit-motivated crime.
- Reduce the blast radius. Make sure that if something fails or we lose access it doesn’t cascade into everything else.
- Practice an IR plan. Build and practice an IR plan. You want to work this out so you’re not scrambling if something does happen.
This is very common in ransomware now. In that “explore” phase, the attackers are mapping out where you’ve backed up to. Because they know if you have backups, you’re not going to pay.
So in using AWS, a whole separate account that is write-only from your main account is key. Again, accounts are free. So you’re not going to be paying more. But as a new account, you get a nice hard boundary where you can lock all the permission down and create one role that allows new backups to be created and nothing else. This way you keep everything completely separate.
Sometimes! It entirely depends on your policy. Cybersecurity insurance has popped up into prominence over the last year with the rise of ransomware.
This is when you need an amazing legal team to go through line by line and you need the security team that’s really on the ball to tell you what your current state is. But if you follow all the requirements in your contract, a lot of the time your cyber insurance will cover the costs of a potential ransom — and it will cover most of the cost of recovery.
What it won’t cover is any lost revenue or opportunity costs. So if you were looking at $1.2 million in recovery and $300,000 in ransom, there’s a good chance your insurance will cover that. But if you lost $10 million in sales over those two weeks, you’re out that money. (And of course, your insurance premiums are going up right after that attack.)
A hobby of mine is to see how security is portrayed in TV and movies. And it’s never real. It’s always super boring. It’s boring, tedious work that ends up being exciting.
But when you talk about ransomware from nation states, it raises the stakes and makes it super exciting, which is why you see it so much in movies and the media.
We have seen a couple of isolated cases where nation states have used ransomware, but it’s more as a distraction. So they get in and take out information, which was the real goal. But they’re basically making you believe it’s ransomware so you respond one way while they’re going out the backdoor with your data. It’s rare, but it does happen. If you’re hit with ransomware, there's probably a 99.99% chance it’s organized crime trying to make money.
Even though there's the AWS Certified Security Specialty Certification — which is well worth taking — I think at the start especially you're going to be a better security person if you learn how to build better.
So looking at the DevOps exams and the AWS architecture exams are going to be a better starting place. Because you’re going to understand the environment. You can't secure it if you don’t understand it. That’s where we run into most of the problems around cloud security: when people take an old approach and try to apply it in the cloud. Start with learning to build well, then once you have that locked in, go for the security specialization certification.
Lock down your security skills.
Want to learn more about ransomware and security in the cloud? Check out our Mastering the AWS Well-Architected Framework course, then dig into our massive library of hands-on cloud learning.