AWS ransomware attacks: Not a question of if, but when


Ermetic announced the results of a study about the security posture of AWS environments and their vulnerability to ransomware attacks. In virtually all of the participating organizations, identities were found that, if compromised, would place at least 90% of the S3 buckets in an AWS account at risk.

AWS ransomware attacks

As more and more data moves to the cloud, platforms like AWS are becoming an attractive target for ransomware operators. While Amazon S3 is considered extremely reliable, a compromised identity with the right combination of entitlements can expose data objects to ransomware.

Researchers found that such ransomware-vulnerable combinations are extremely common. In fact, over 70% of the environments in the study had machines that were publicly exposed to the internet and were linked to identities whose permissions could be exploited to allow the machines to perform ransomware.

“Very few companies are aware that data stored in cloud infrastructures like AWS is at risk from ransomware attacks, so we conducted this research to investigate how often the right conditions exist for Amazon S3 buckets to be compromised,” said Shai Morag, CEO of Ermetic.

“We found that in every single account we tested, nearly all of an organization’s S3 buckets were vulnerable to ransomware. Therefore, we can conclude that it’s not a matter of if, but when, a major ransomware attack on AWS will occur.”

Majority of AWS accounts vulnerable to ransomware attacks

Researchers identified the following findings in the organizations they evaluated which would allow ransomware to reach and execute on Amazon S3 buckets:

  • Overall, every enterprise environment studied had identities at risk of being compromised and that could perform ransomware on at least 90% of the buckets in an AWS account
  • Over 70% of the environments had machines that were publicly exposed to the internet and identities whose permissions allowed the exposed machines to perform ransomware
  • Over 45% of the environments had third party identities with the ability to perform ransomware by elevating their privileges to admin level (an astounding finding with far-reaching implications beyond the ransomware focus of this research)
  • Almost…

Source…