Ransomware and AWS: 6 ways to reduce your blast radius

In this post, we’ll talk about ransomware and AWS — how it works and how you can reduce your ransomware risk while building in the cloud.

Ransomware is everywhere. Unless you’ve been living under a rock for the past year (which may not have been a terrible place to spend the past 16 months or so) you’ve probably seen headlines about ransomware. It messes with everything from gas to healthcare to meat. (Leave our burgers alone, you monsters!) 

Just earlier this month, it was reported that the U.S. government is now giving ransomware attacks the same level of priority as terrorism. 

The government is fighting it.

People are writing songs about it.

But what can you do about it?

When it comes to ransomware and AWS, how does it work? What are the common attack vectors for ransomware? And how can you reduce your overall risk of ransomware when building in the AWS cloud?

Those are a lot of questions. Fortunately, Mark Nunnikhoven has a lot of answers. 

Mark is a forensic scientist/writer/speaker/teacher/coach/builder who helps organizations navigate their cloud transformations while managing the risks of our digital world. Besides speaking at the ACG Community Summit, Mark has also written and chatted with ACG about everything from re:Invent keynotes to cloud security to 5 surprising things you can do with the AWS Marketplace. 

In his session at the ACG Community Summit, Mark spoke about the importance of reducing your blast radius when it comes to ransomware and AWS. 

This post covers some key takeaways from Mark Nunnikhoven's session at the ACG Community Summit. This is one case where the movie is better than the novel. Trust us — it’s worth a watch. Check out Mark’s full session here.

Note: The content below includes quotes and details from Mark that have been edited for clarity, brevity, and general awesomeness. Any mistakes or misunderstandings are most likely on the part of the editor, not Mark.

Ransomware is a type of malware that encrypts data and holds it for ransom. It’s a problem — a $42 billion problem. That was the estimated cost in US dollars of ransomware attacks globally in 2020. And 2021 shows no indication of that number dropping.

How’s it work?

One day you’re going about your business (maybe you’re in the middle of giving a presentation on ransomware at the ACG Community Summit), and you hastily click a notification that pops up.

Something like this.

Seems harmless enough. Until you see a screen like this.

Yikes. Red screens are rarely a good thing. (Note: The wallet in the image isn’t valid. Please don’t send money there.)

Now you’re locked out of our data by a criminal who holds it for ransom.

It’s the digital equivalent of breaking into the Louvre to steal the Mona Lisa. Of course, in a hypothetical art heist, the theft/ransom works because there’s only one copy of the Mona Lisa. But in the digital world, you should have multiple copies of your data. (You do have multiple copies of your data, right?) So . . . problem solved?

Nope. Today, ransomware has evolved to sniff out, lockdown, and destroy your copies, ensuring you’re like the Louvre without the Mona Lisa. (I don’t know how to say it in French, but in internet acronym-speak: “You’re SOL.”)

Watch: What Leaders Need To Know About Cloud Security
Is your business safe in the cloud? The answer is largely up to you. Watch this free on-demand webinar with Mark Nunnikhoven as he tackles the keys to cloud security that sticks.

Who are these criminals behind ransomware? Forget what you’ve seen on TV. It’s not nation states. This is organized crime — a crime committed for profit. Criminals are trying to make as much money as they can, and they’re very good at it.

Maybe! But it’s complicated. 

Fortunately(?), because it’s organized crime and there’s profit involved, there are some rules in this game.

• The average ransom paid in 2020 was $312,493 USD.

• The largest recorded ransom paid was $4.5 million USD.

• If you pay the ransom, there’s a reported 97% chance that you’ll get an active key that would decrypt your data. 

• However, 46% of the time, companies report there’s some level of corruption. And, of course, restoration isn’t immediate, so there's still a massive impact.

• 80% of paying organizations reportedly get hit again. It makes sense. Once you’ve paid out, you’ve shown that you’re more likely to pay again.

• The average cost of recovering from a ransomware attack is $1.2 million USD. (That’s direct costs — not indirect costs like lost revenue for your business being down.)

• Not only are you forking out $312,000 to criminals, but youi’re also paying for overtime, new systems, consultants — all this extra stuff.

• It takes 16.1 days on average to recover from ransomware

“As a former incident responder, let me tell you, those 16 days suck,” Nunnikhoven says. “You’re working around the clock. You’re stressed out. You’re trying to make sure you got every piece of the attack off of your network — because if you don’t, it’s going to come back.”

From a community perspective, you shouldn’t pay. Because the more criminals get paid, the more they’re going to attack. 

But from a business perspective, you’re probably going to end up paying. Because if the choice is you can’t recover from your own backups and it will take you months to get back online OR you can pay a ransom to possibly get back online now, that’s a pretty straightforward business decision.

The ultimate answer may be, “Ehh, I don’t know!” But don’t just take it from us. What’s the U.S. government’s stance on it? Anne Neuberger, Deputy National Security Advisor, Cyber & Emerging Tech, offers a very politically correct version of “Ehh, I don’t know” — saying: “We recognize that victims of cyberattacks often face a very difficult situation. And they have to have to balance often the cost-benefit when they have no choice with regard to paying a ransom.”

Back when ransomware ransoms were around $300 to $500, it was very simple. Ransomware would land on your system and lock you out. This approach was highly automated and designed to hit as many people as possible. 

Fortunately, we don’t see this as much anymore. 

Unfortunately, attackers have now expanded what they’re doing. 

Attackers are now going toward multi-stage attacks. They’re researching you, figuring out where you’re weak, learning everything about you, and then they’re landing other malware designed to figure out what the best attack is. Then they’re exploring your network, looking for backups, weaknesses, and high-value data. Then, they strike.

Research

• Criminals use social media and corporate websites that list who executives are. This sets up an easy way for attackers to get a foot in the door by name-dropping people.

• They then research mobile apps, websites, and GitHub looking for keys. How many of us have built Android or iOS apps that have AWS keys inside of them? If it’s published, attackers can get those. That’s a key attack vector for people to get into your accounts.

Land

• When they land, it’s almost always phishing. Non-stop phishing. 94% of all malware is delivered through phishing emails. Because it’s easy. As a criminal, I can do enough research to know enough about your company to make my email believable. “The amount of research and A/B testing they do in phishing emails — if it wasn’t so evil, it would be a thing of beauty,” Nunnikhoven says.

• Everything you’ve been taught about phishing is wrong. The number one thing they tell you is don’t click on links. But links were built to be clicked on. So not clicking? Not going to happen. 

• Here’s the key to avoiding phishing. If you click on a link and are asked to take an action — like log into Google, download a file, or run a program — stop. Then question the source of the link. Because if you’ve looked at any marketing link in the past fives years, you know there’s no way you can tell what’s legitimate or illegitimate.

• If they can’t phish you, they get in due to weak password… policies. Don’t blame weak passwords, blame weak password policies.

• Everything you’ve been told about picking a strong password is wrong. Pick a passphrase and use a password manager. Only change your password once a year or if you think you’ve been attacked. But most organizations have yet to adopt that guidance. They do 90-day rotations and capital letters, symbols — all this ridiculousness. It’s not effective. The math doesn’t hold up and it leads to more security breaches. 

• This isn’t on users, it’s on the security team (but they’ll blame you). So remember: strong passwords are long passwords.

Explore

• Probing APIs, VPCS, etc. — When exploring, criminals are looking at APIs in AWS, they’re looking at VPC configurations, and they’re checking out at security groups — things like that. 

• Checking roles and IAM keys — They’re also looking at the roles they can see. Same with the keys. “How far will this one key get me? I stripped this out of your mobile app. Where can I go with this key?”

Lock

• Finally, they’re going to encrypt the data and block access to that data.

There are a ton of different ways to defend against ransomware, but none of them are foolproof. 

However, there are principles we can adhere to. Together, they sort of work like a security system alarm sign in your front lawn. Your security system may not make your house an impenetrable fortress, but it just might push criminals on to easier victims.

With that in mind, here are some principles to help you defend against ransomware. These six bullet points aren’t the end of it, but they're are a good overview to get you thinking in the right direcitons.

The idea of “reducing your blast radius” comes from Dr. Werner Voggels at AWS re:Invent 2020. The idea is to make sure if (or when) something messes up it doesn’t cascade through your system.

1. Update instances and container images constantly
   Automatic updates do wonders for security. Patch it and fix it after if you have problems. You’ll face fewer issues and far easier issues.

1. AWS Security Reference Architecture
   AWS’s security reference architecture just dropped last week from AWS. (More here.) This maintained reference architecture includes links to all AWS services around security and how to get the most out of them.

1. Iterate using the well-architecture framework
   I’m biased because I teach the Mastering the AWS Well-Architected Framework course at ACG. But security isn’t an isolated thing. It’s just one of the things you do when you’re building a good solution. A well-architectured framework builds around five pillars — and security is one of them. It’s all about balance, building well, and reducing that blast radius.

1. Principles of least privilege
   Make sure users or roles only has access to what they need to do their jobs. And only that! That means...

1. No *FullAccess IAM policies
   I understand why they’re there to make developing easier, but they should never be used in production. If you’re using them, stop. How do you stop?

1. Use IAM Access Analyzer continuously
   This maps out what’s in use permission-wise and helps you tighten up those policies.

For your disaster recovery and incident response plan, let’s ask ourselves a few questions.

• How long will it take to restore from backups? (And are you sure?)
  You have backups. Right? (Right???) If you don’t already have backups, make sure you have them and then test them. You need to make sure you can restore.

• If you and your team didn’t have your laptops, what would you do?
  Can you still recover? Can you still run your build in AWS if you don’t have your laptop? Seems like a weird question, but it’s one worth working through.

• Are you backing up to another, append-only account?
  With backups, are you backing up to a separate account — a different AWS account (remember, they’re free) — and is that account append-only? Can you only write to it and not overwrite and delete? That’s a key step in protecting yourself. Because now that you have another account that’s isolated that always has a copy of your data, you can restore and don’t have to pay that ransom.

• How do you know there’s an incident?

• Where is your most important data?
  Don’t be embarrassed. No one can answer this question. I’ve worked with thousands of organizations and almost no one can answer this. But still, you should try to figure it out today.

• Without email, how would you contact everyone?
  Do you have a written list? If you lose all your IT systems, how will you work together to restore?

We’re going to use a really simple pattern to get notified when there’s something we should look into.

1. Tag Amazon CloudWatch events 
2. Send certain events into AWS Lambda 
3. Then send them into Slack (or your tool of choice)
4. Finally, take action based off of what you send to Slack

What events do you look for? There’s a mountain of them, but here are a few to give you an idea:

• AddUserToGroup
• AttachUserPolicy
• CreateAccessKey
• CreateLoginProfile
• DeleteAccessKey
• DeleteUser

Before we wrap up, let’s do a quick recap.

• Know the problem. Ransomware is a profit-motivated crime. 
• Reduce the blast radius. Make sure that if something fails or we lose access it doesn’t cascade into everything else.
• Practice an IR plan. Build and practice an IR plan. You want to work this out so you’re not scrambling if something does happen.

You can find Mark Nunnikhoven online @marknca and https://markn.ca.

Lock down your security skills.
Want to learn more about ransomware and security in the cloud? Check out our Mastering the AWS Well-Architected Framework course, then dig into our massive library of hands-on cloud learning.