Protecting Against Kubernetes-Borne Ransomware

Kubernetes, and container technology in general, had a good run of seeming immune to malware, but that ended when Siloscape burst onto the scene in March 2021. It was the first known threat targeting Kubernetes environments with the potential to do all kinds of nefarious things, including spreading ransomware. In the ensuing 16 months, Siloscape has undoubtedly provided other cybercriminals with a blueprint for attacking container environments.

It’s worth reviewing the details of Siloscape. Threat researcher Daniel Prizmant, who discovered the malware, put it this way: “Siloscape is heavily obfuscated malware targeting Kubernetes clusters through Windows containers. Its main purpose is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.

“Compromising an entire cluster is much more severe than compromising an individual container, as a cluster could run multiple cloud applications whereas an individual container usually runs a single cloud application,” he continued. “For example, the attacker might be able to steal critical information such as usernames and passwords, an organization’s confidential and internal files or even entire databases hosted in the cluster. Such an attack could even be leveraged as a ransomware attack by taking the organization’s files hostage.”

A Distant Threat? No!

It’s easy to fall into the trap of thinking this is some distant threat affecting an obscure technology few companies are deploying.

Au contraire. Prizmant himself pointed out that “with organizations moving to the cloud, many use Kubernetes clusters as their development and testing environments, and a breach of such an environment can lead to devastating software supply chain attacks.”

And recent research revealed one-third of organizations already rely on Kubernetes. Of the remaining two-thirds that do not yet use it, 86% expect to deploy the technology in the next two to three years.

Alarmingly, though, just 33% of organizations that have deployed Kubernetes so far have tools in place to protect their container environments against data loss incidents such as ransomware. That may be why it didn’t take long for Prizmant’s ransomware prediction to…