Skip to content

Latest commit

 

History

History
755 lines (674 loc) · 66.3 KB

Responding_to_Ransom_in_AWS.md

File metadata and controls

755 lines (674 loc) · 66.3 KB
Raw

Responding to Ransom Attacks within AWS

Notices

This document is provided for informational purposes only. It represents the current product offerings and practices from Amazon Web Services (AWS) as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS products or services, each of which is provided "as is" without warranty of any kind, whether express or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

© 2024, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Ransomware

Since the first recorded ransomware attack in 1989 called PC Cyborg, ransomware has become a prominent monetization strategy used by criminal organizations and threat actors across the internet. Other examples of ransomware include:

  • CryptoLocker [2014]
  • Petya [2016]
  • WannaCry [2017]
  • NotPetya [2017]
  • Ryuk [2019])

Threat actors leverage issues and weaknesses across the customer's infrastructure, exploiting vulnerable endpoints, insecure services, and socially engineering employees.

Ransomware attacks are costing governments, nonprofits, and businesses billions of dollars and interrupting operations. NotPetya forced shipping giant Maersk to reinstall 4,000 servers and 45,000 PCs for $300M due to "serious business interruption." The ransomware attack on the City of Baltimore cost over $18M, and local governments from Riviera Beach and Lake City, Florida will pay hackers $1M combined to get its systems and data back. The U.S. Federal Bureau of Investigation (FBI) anticipates the threat of ransomware to become "more targeted, sophisticated, and costly" in the near future. These warnings reach beyond U.S. borders, with Europol also calling ransomware the "most widespread and financially damaging form of cyberattack."

What are ransom attacks?

Ransom attacks are a monetization strategy, not a specific technology. Attacks often leverage specific malicious software, or ransomware, which threatens to publish victim information or block access until the ransom is paid.

In theory, if the ransom is paid within the allotted time, systems and data are decrypted and made available once again and normal operations continue. However, if the ransom is not satisfied, organizations risk permanent destruction or public-facing data leaks controlled by the attacker. Attackers can also extort the customer further for release of customer sensitive data and systems to third-parties or to the public.

Ransomware does not care

Many ransom attacks are opportunistic in nature, meaning that ransomware indiscriminately infects any accessible networks through human and/or machine vectors. Security teams for education institutions, state and local governments, and healthcare organizations are ramping up measures to keep their data safe from an increase in ransomware attacks. Threat actors understand how to identify weak spots in industry verticals. Many education and government organizations are more prone to ransomware due to a combination of shrinking budgets, gaps in security resources, and legacy IT systems with known unpatched vulnerabilities. Similarly, ransom attacks may target industries with intolerance for downtime, like hospitals, in hopes of increasing the probability of payout.

Why are ransom attacks effective?

  • Security awareness among employees is low
  • Organizations are not backing up data, or fail to test existing backups
  • Attacks require little skill and result in significant payouts
  • Organizations are slow to patch critical common vulnerabilities and exposures (CVE)
  • Overburdened technical staff cannot address or anticipate all security gaps
  • Multiple vectors or channels are being used in a single attack
  • Stealing the data (data exfiltration, unauthorized copying) may not stop a business process, and customers may not react until something does such as encrypting or deleting the information

To pay or not pay?

Active debates exist among cyber security professionals regarding the decision to pay ransoms. Many experts, including the FBI, advise organizations not to pay the ransom, arguing that paying does not guarantee that locked systems or encrypted data will be made available and will only continue to motivate nefarious behaviors. Even though system and data access are not guaranteed after paying the ransom, some organizations take a calculated risk to pay in hopes of resuming normal operations. By doing so, they hope to reduce potential ancillary costs of attacks, including lost productivity, decreased revenue over time, exposure of sensitive data, and reputational damage. The ransomware threat is serious but smart preparation and ongoing vigilance are effective counters against it. The full armor of data security includes both human and technical controls but there are features of the AWS Cloud that help to mitigate ransomware attacks. AWS is committed to providing you with tools, best practices, and services to help with high availability, security, and resiliency to address bad actors on the internet.

Securing systems and data on AWS is a shared responsibility

When you deploy applications and infrastructure in the AWS Cloud, AWS helps by sharing the security responsibilities with you. AWS engineers the underlying cloud infrastructure using secure design principles and customers must implement their own security architecture for workloads deployed on AWS. AWS is responsible for protecting the infrastructure that runs all the services offered on the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services. The AWS Cloud services that a customer selects determine the amount of configuration work the customer must perform as part of their security responsibilities. Customers are always responsible for managing and securing their data, classifying their assets, and using AWS Identity Access Management (IAM) to apply the appropriate permissions.

AWS Support

If you or your customer(s) believe an account is under an active ransom attack, the impacted customer should create a case from the AWS Support Center from within the impacted account. If the root user cannot be accessed or is compromised, then the customer should open a new AWS account and open a support ticket from there. This process allows AWS to perform identity verification with the customer and begin engaging internal resources to best help with remediating the event.

AWS Security Reference Architecture (AWS SRA)

The Amazon Web Services (AWS) Security Reference Architecture (AWS SRA) is a holistic set of guidelines for deploying the full complement of AWS security services in a multi-account environment. It can be used to help design, implement, and manage AWS security services so that they align with AWS best practices.

U.S. Cybersecurity & Infrastructure Security Agency

The Ransomware Guide (Sept. 2020) provides best practices and references to help manage the risk posed by ransomware and support an organization's coordinated and efficient response to a ransomware incident.

The European Union Agency for Cybersecurity (ENISA)

The ENISA Threat Landscape 2020 - Ransomware outlines the findings on ransomware, provides a description and analysis of the domain, and lists relevant recent incidents. A series of proposed actions for mitigation is provided.

Australian Cyber Security Centre (ACSC)

The ACSC provides several guides including response to Ransomware in AustraliaRANSOMWARE ATTACKS EMERGENCY RESPONSE GUIDE, and RANSOMWARE ATTACKS PREVENTION AND PROTECTION GUIDE.

NIST Cybersecurity Framework

The guide, NIST Cybersecurity Framework (CSF): Aligning to the NIST CSF in the AWS Cloud, is designed to help commercial and public sector entities of any size and in any part of the world align with the CSF by using AWS services and resources.

Ransomware mitigation: Top 5 protections and recovery preparation actions

AWS has provided a public Security Blog covering Ransomware mitigation: Top 5 protections and recovery preparation actions. These include:

  • Set up the ability to recover your apps and data
  • Encrypt your data
  • Apply critical patches
  • Follow a security standard
  • Make sure you are monitoring and automating responses

You should also use strong authentication for exposed remote access services, notably remote desktop protocol and secure shell. Multifactor authentication combined with single sign-on is a technical mechanism that enables protection of remote connections and resource requests.

Development, Security & Operations (DevSecOps)

Background: The purpose of DevSecOps is to help customers safely accelerate feedback loops with their customers (i.e., end users). By accelerating these feedback loops, customers can ship more software changes to production with higher quality, security, and stability. By building security into the development process, customers can prevent deploying vulnerabilities to end users in production environments. According to the NIST, the cost of fixing a security defect once it's made it to production can be up to 60 times more expensive than during the development cycle [Source].

Based on data from the AWS Customer Incident Response Team, most customer ransom attacks fall into one of three categories: 1/ A bad actor scans source code repositories (e.g., GitHub) for AWS access keys. Using these long-term access keys, they gain access to AWS resources in customers' accounts. Risks increase based on the level of access permitted by the access keys. 2/ By scanning public S3 buckets and objects, a bad actor can block access and encrypt S3 buckets preventing owners from accessing the data. 3/ A bad actor scans and leverages web application vulnerabilities (e.g., code injection and cross-site scripting) on public ports to obtain access to customer data.

Customers mistakenly believe that AWS provides many of these safeguards automatically as part of having an AWS account. While AWS provides thousands of security features including private by default capabilities (e.g., EC2 Security Groups and S3 buckets), as part of the shared responsibility model, customers must detect and remediate security vulnerabilities in their code and/or in their AWS environments. There are AWS services and tools for detecting and remediating these non-compliant resources but customers must have knowledge in applying the practices in an automatic way across their AWS resources.

A deployment pipeline breaks up build, test, deploy, and release actions into a series of stages. Each stage provides increasing confidence, usually at the cost of extra time. Early stages can find most problems yielding faster feedback, while later stages provide slower and more thorough probing. Builders automate many of the actions in these deployment pipelines; Deployment pipelines are a key architectural construct of Continuous Delivery. The deployment pipeline's job is to detect any changes that will lead to problems in production. These can include performance, security, or usability issues [Source]. For the purposes of this document, we refer to the practice of building security tests and checks into deployment pipelines so they can prevent and mitigate ransom attacks as Continuous Security.

The principles of using Continuous Security for preventing and mitigating ransom attacks are: 1/ Prevent committing secrets to source code repositories so that bad actors do not have keys to access AWS resources. 2/ Prevent common developer mistakes that make web applications vulnerable (static and runtime). 3/ Ensure there are backups for compromised AWS resources so that bad actors do not have as much to gain from blocking access to the resources. 4/ Encrypt all relevant data so that if a bad actor gains access to data, they have much less to gain through extortion. 5/ Detect when unauthorized users access AWS resources so that mitigations can take place. 6/ Ensure IAM access keys are short lived using IAM roles so there is limited access duration to compromised resources. 7/ Ensure IAM permissions use least privilege to prevent really bad things from happening if a bad actor gains access to the keys. 8/ Prevent or detect misconfiguration that make AWS resources vulnerable.

Prevent and detect when committing secrets to source code repos**:** From their developer environments (e.g., their IDEs), customers should run secrets detection Static Application Security Testing (SAST) tools prior to committing code to a source code repo. In addition, the first stage of an automated deployment pipeline runs a secrets detection SAST tool to detect when secrets have been committed to the source code repo. When discovering secrets, configure the pipeline to fail, notify developers, and stop future commits until applying a fix. Furthermore, run automation to cleanse git history of the secrets and disable the AWS access keys. Example tools for this solution are AWS CodePipeline, AWS CodeBuild, git-secrets, and custom code for remediation of secrets.

Prevent and detect common developer mistakes that make applications vulnerable**:** From their developer environments (e.g., their IDEs), customers should run SAST and code review tools that detect web vulnerabilities such as code injection, cross-site scripting, and other insecure coding practices. In addition, the first stage of an automated deployment pipeline runs these tools to detect when web vulnerabilities are committed to the source code repo. When discovering these web vulnerabilities, configure the pipeline to fail, notify developers, and stop future commits until applying a fix. What is more, customers can configure runtime detection and remediation of these web vulnerabilities as part of a shared services deployment pipeline that provisions and configures these services as code. Example tools for this solution are Amazon CodeGuru, AWS CloudFormation, AWS CodePipeline, AWS CodeBuild, SonarQube/CheckMarx, and AWS WAF and WAF Security Automations.

Backups for compromised AWS resources: At runtime, detect untagged and/or relevant AWS resources that do not have backups. In addition, customers can configure the provisioning of AWS resources that provide runtime detection as part of a shared services deployment pipeline that provisions and configure these services as code. Example tools for this solution are AWS Backup, AWS CloudFormation, AWS CodePipeline, AWS CodeBuild, Amazon EventBridge, AWS Config Rules (e.g., required-tags, redshift-backup-enabled, aurora-resources-protected-by-backup-plan, backup-plan-min-frequency-and-min-retention-check, backup-recovery-point-manual-deletion-disabled, db-instance-backup-enabled, dynamodb-in-backup-plan, ebs-in-backup-plan), Amazon SNS, and AWS Lambda.

Encrypting data in transit and at rest**:** From their developer environments (e.g., their IDEs), customers should run SAST tools that detect web vulnerabilities such as code injection and cross-site scripting. In addition, the first stage of an automated deployment pipeline runs an IaC linting tool to detect when developers defined unencrypted AWS resources as code and commit the configuration code to the source code repo. When discovering these unencrypted resources, configure the pipeline to fail, notify developers, and stop future commits until applying a fix. Furthermore, customers can configure the provisioning of AWS resources that provide runtime detection and remediation of these unencrypted AWS resources as part of a shared services deployment pipeline that provisions and configure these services as code. Example tools for this solution are AWS CloudFormation, AWS CodePipeline, AWS CloudFormation Guard, AWS CodeBuild, Amazon EventBridge, AWS Config Rules (e.g., ec2-ebs-encryption-by-default, dynamodb-table-encrypted-kms, rds-snapshot-encrypted, cloudwatch-log-group-encrypted, cloud-trail-encryption-enabled, s3-bucket-server-side-encryption-enabled, api-gw-ssl-enabled, cloudfront-custom-ssl-certificate), Amazon SNS, AWS KMS, and AWS Lambda.

Detect when unauthorized users access AWS resources: At runtime, detect data exfiltration "spikes" (e.g., using CloudWatch metrics specifically NetworkOut). For example, it is possible an attacker performed data destruction and left a ransom note, and in these cases, there is no opportunity for data recovery by working with the malicious actor. What is more, customers can configure the provisioning of AWS resources that provide runtime detection as part of a shared services deployment pipeline that provisions and configure these services as code. Example tools for this solution are AWS CloudFormation, AWS CodePipeline, AWS CodeBuild, Amazon EventBridge, Amazon GuardDuty, Amazon SNS, and Amazon CloudWatch metrics.

Ensure IAM access keys are short lived**:** At runtime, run tools that detect various states of IAM access keys and policies including rotating long-lived access keys. Customers can configure the provisioning of AWS resources that provide runtime detection as part of a shared services deployment pipeline that provisions and configure these services as code. Example tools for this solution are AWS CloudFormation, AWS CodePipeline, AWS CodeBuild, Amazon EventBridge, AWS Config Rules (e.g., iam-policy-no-statements-with-admin-access, iam-policy-no-statements-with-full-access, iam-root-access-key-check, iam-user-no-policies-check, iam-user-unused-credentials-check, access-keys-rotated), and AWS Lambda.

Ensure IAM permissions use least privilege**:** From developers' environments (e.g., their IDEs), customers should run SAST tools that detect overly permissive permissions definitions prior to committing code to a source code repo. In addition, the first stage of an automated deployment pipeline runs the SAST tool to detect overly permissive policy definitions after the code has been committed to a source code repo. When discovering overly permissive policy definitions, configure the pipeline to fail, notify developers, and stop future commits until applying a fix. Moreover, detect overly permissive policies across the AWS account or accounts (i.e., outside of source code repos). In turn, customers can configure the provisioning of AWS resources that provide runtime detection as part of a shared services deployment pipeline that provisions and configure these services as code. Example tools for this solution are AWS CloudFormation, AWS CodePipeline, AWS CodeBuild, PMapper/AWSPX, AWS IAM Access Analyzer, Amazon EventBridge, AWS Config Rules, and AWS Lambda.

Prevent misconfiguration that make AWS resources vulnerable: The misconfiguration of or not enabling certain AWS resources can make customers vulnerable to a ransom attack. The most notable resources are those related to networking, compute, storage, and databases. What is more, customers can configure the provisioning of AWS resources that provide runtime detection as part of a shared services deployment pipeline that provisions and configure these services as code. Example tools for this solution are AWS CloudFormation, AWS CodePipeline, AWS CodeBuild, Amazon EventBridge, AWS Config Rules (e.g., s3-account-level-public-access-blocks, s3-bucket-default-lock-enabled, s3-bucket-level-public-access-prohibited, s3-bucket-logging-enabled, s3-bucket-policy-not-more-permissive, s3-bucket-public-read-prohibited, s3-bucket-public-write-prohibited, s3-bucket-replication-enabled, cloud-trail-log-file-validation-enabled, ec2-security-group-attached-to-eni, vpc-default-security-group-closed, and vpc-flow-logs-enabled, guardduty-enabled-centralized), Amazon Inspector Network Reachability, Amazon VPC Reachability Analyzer, Amazon S3, and AWS Lambda.

Amazon Elastic Compute Cloud (Amazon EC2) - Microsoft Windows

Identify

  • Assess the security posture of the account to identify and remediate security gaps
    • AWS developed a new open source Self-Service Security Assessment tool that provides customers with a point-in-time assessment to gain valuable insights into the security posture of their AWS account.
  • Maintain a complete asset inventory of all resources including domain controllers, Microsoft Windows EC2 instances, Microsoft Windows Servers and Databases, and any integration with external identity providers.
  • Perform recurring vulnerability analysis of your hosts using utilities such as Amazon Inspector
  • To protect your organization, Microsoft recommends that you use the information in the Human-Operated Ransomware Mitigation Project Plan PowerPoint presentation, which includes securing privileged access.
  • Use CloudWatch metrics, specifically NetworkPacketsOut, to look for data exfiltration "spikes." It is possible an attacker performed data destruction and left a ransom note, and in these cases, there is no opportunity for data recovery by working with the malicious actor

Protect

  • Apply the latest updates to your operating systems and apps
  • Back up your files with File History if your PC's manufacturer has not already turned it on. Learn more about File History
  • Back up important files regularly. Use the 3-2-1 rule. Keep three backups of your data, on two different storage types, and at least one backup offsite
  • Block Known Ransomware File Types
  • Block Macros in Office Documents
  • Educate your employees so they can identify social engineering and spear-phishing attacks
  • Follow Best Practices for securing your Active Directory Services
  • Follow Top 10 Most Important Group Policy Settings for Preventing Security Breaches
  • Implement controlled folder access. It can stop ransomware from encrypting files and holding the files for ransom
  • Perform backups of EC2 instances
  • The Microsoft 365 Defender Threat Intelligence Team has provided comprehensive report identifying actions to secure your Microsoft resources prior to a ransomware event
    • Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activities.
    • Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625)
    • Monitor for clearing of Event Logs, especially the Security Event log and PowerShell Operational logs. Microsoft Defender ATP raises the alert "Event log was cleared" and Windows generates an Event ID 1102 when this occurs
    • Practice the principle of least-privilege and maintain credential hygiene. Avoid the use of domain-wide, admin-level service accounts. Enforce strong randomized, just-in-time local administrator passwords. Use tools like LAPS
    • Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you do not have an MFA gateway, enable network-level authentication (NLA)
    • Turn on AMSI for Office VBA if you have Office 365
    • Turn on attack surface reduction rules, including rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode
    • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats
    • Turn on tamper protection features to prevent attackers from stopping security services
    • Utilize the Windows Defender Firewall and your network security system to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities
  • Turn on and update Windows Defender Antivirus - commercial, subscription paid Endpoint Detection and Response (EDR) solutions are preferred
  • Turn on Controlled Folder Access in Windows 10 to protect your important local folders from unauthorized programs like ransomware or other malware
  • Use Systems Manager and Amazon Inspector to check if EC2 instances running Microsoft Windows contain any common vulnerabilities and exposures (CVEs)
  • Verify your backups and ensure the infection has not spread into them

Detect

Respond

  • Enforce NACLs based on network IoCs to prevent further traffic
  • Isolate the infected systems
  • Inspect backups for potential infection
  • Remove any compromised systems from the network.
    • Follow regulatory requirements or internal company policy to determine if forensics of the EC2 instance is required
    • If forensics of the instances are required OR data needs to be recovered, then quarantine the EC2 instance
  • Remove compromised Domain Controller metadata from the domain
  • Use flow logs to determine the exfiltration IP, look for any other instances communicating with the IPs that data was exfiltrated to/access from CloudTrail

Recover

  • It is recommended not to pay the ransom
    • Paying the ransom is a gamble as to whether the criminal will honor the transaction after receiving payment
    • If no data backups exist, then you should do a cost benefit analysis and weigh the value of the data/reputational compromise against the payment to the attacker
    • You directly enable the attacker to continue their operations against your company or others if you choose to pay the ransom
  • Create new EC2 instances from a trusted AMI
  • Use CloudEndure Disaster Recovery to select the latest recovery point before the ransomware attack or data corruption to restore your workloads on AWS
    • If using an alternate data backup strategy, validate the backups have not been infected and restore from the last scheduled event prior to the ransomware event
  • Visit https://www.nomoreransom.org/ to identify if a decryptor is available for the malware variant the infected your data

Amazon Elastic Compute Cloud (Amazon EC2) - Unix/Linux

Identify

  • Assess your security posture to identify and remediate security gaps
    • AWS developed a new open source Self-Service Security Assessment tool that provides customers with a point-in-time assessment to quickly gain valuable insights into the security posture of their AWS account.
  • Maintain a complete asset inventory of all resources including servers, networking devices, network/file shares and developer machines
  • Perform recurring vulnerability analysis of your hosts using utilities such as Amazon Inspector
  • Use CloudWatch metrics, specifically NetworkOut, to look for data exfiltration "spikes." It is possible an attacker performed data destruction and left a ransom note, and in these cases, there is no opportunity for data recovery by working with the malicious actor

Protect

Detect

  • Table 1 from No Strings on Me: Linux and Ransomware, by Richard Horne, identifies multiple indicators to monitor for including:
    • A new process that has never been seen on the endpoint prior that has external network connectivity requests
    • Attempted communications with DNS names where entropy is found or directly with bare IPs
    • Change in distribution Yum or Apt repositories
    • Creation of .sh files inside of non-user-based home directories
    • Enumeration of shared web, database, or file storage directory trees
    • Escalation of privileges or attempts to gain sudo access
    • External as well as internal network communications
    • File names generated with entropy or that are in a quick succession
    • Files being renamed multiple times in the same directory tree
    • Files created with odd file extensions
    • Focus being given to outliers and events that fall outside of the typical day to day operations
    • High memory usage for short or sustained periods of time
    • Large process tress where the Parent Process is terminated prior to the child processes
    • Modification of boot options
    • Multiple copies of the same file in multiple directories
    • Multiple modifications within a single directory
    • Possible calls for encryption libraries
    • Possible creation and running of processes inside of the/tmp directory
    • Quick and successive directory enumeration
    • Removal of files from directories using wildcards or without confirmation
    • The use of chmod with wildcards (or chmod 777)
    • The use of wget or curl cmds
    • Use of the chmod cmd to change executable files to overly permissive rights
    • Use of the strings cmd to attempt to encode communications prior to or during infection
  • Use VPCFlowLogs to identify inappropriate database access from external IP addresses

Respond

  • Inspect backups for potential infection
  • Isolate the infected systems
  • Remove any compromised systems from the network.
    • Follow regulatory requirements or internal company policy to determine is forensics of the EC2 instance is required
    • If forensics of the instances are required OR data needs to be recovered, then quarantine the EC2 instance

Recover

  • It is recommended not to pay the ransom
    • Paying the ransom is a gamble as to whether the criminal will honor the transaction after receiving payment
    • If no data backups exist, then you should do a cost benefit analysis and weigh the value of the data/reputational compromise against the payment to the attacker
    • You directly enable the attacker to continue their operations against your company or others if you choose to pay the ransom
  • Create new EC2 instances from a trusted AMI
  • Follow regulatory requirements or internal company policy to determine if forensics of the EC2 instance is required
  • Use CloudEndure Disaster Recovery to select the latest recovery point before the ransomware attack or data corruption to restore your workloads on AWS
    • If using an alternate data backup strategy, validate the backups have not been infected and restore from the last scheduled event prior to the ransomware event
  • Visit https://www.nomoreransom.org/ to identify if a decryptor is available for the malware variant the infected your data

Amazon Simple Storage Service (S3)

Identify

  • Assess your security posture to identify and remediate security gaps
    • AWS developed a new open source Self-Service Security Assessment tool that provides customers with a point-in-time assessment to gain valuable insights into the security posture of their AWS account.
  • Consider implementing AWS GuardDuty to continuously monitor for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3
  • Consider using AWS Config, which is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources
  • Darkbit provides an example of AWS S3 Data Loss Prevention that can be used to identify unauthorized copying of objects. Other specific operations could be added in the pattern as well based upon your business use case(s)
  • Maintain a complete asset inventory of all resources including servers, networking devices, network/file shares and developer machines

Protect

Detect

  • Check your CloudTrail log for unsanctioned activity such as creation of unauthorized IAM users, policies, roles or temporary security credentials
  • Check your CloudTrail log to review your AWS account for any unauthorized AWS usage, such as unauthorized EC2 instances, Lambda functions, or EC2 Spot bids. You can also check usage by logging into your AWS Management Console and reviewing each service page. The "Bills" page in the Billing console can also be checked for unexpected usage
    • Please keep in mind that unauthorized usage can occur in any region and that your console may show you only one region at a time. To switch between regions, you can use the dropdown in the top-right corner of the console screen
  • Ransom note provided either as an object within the bucket or via e-mail to the customer
  • S3 Objects are deleted or entire S3 buckets are deleted
    • Note: With data destruction events, a ransom note may or may not be provided. Also ensure you check CloudWatch metrics and CloudTrail S3 events to verify if data exfiltration occurred or not to delineate between a ransom or data destruction attack
  • S3 Objects are encrypted using a key from an account not owned by the customer

Respond

  • Delete or rotate IAM User Keys and Root User Keys; you may wish to rotate all keys in your account if you cannot identify a specific key or keys that has been exposed
  • Delete unauthorized IAM Users
  • Delete unauthorized policies
  • Delete unauthorized roles
  • If your application uses exposed Access Keys, you need to replace the Key. To replace the Key, first create a second Key (at that point, both Keys will be active) and then modify your application to use the new Key. Then disable (but do not delete) exposed Keys by clicking on the "Make inactive" option in the console. If there are any problems with your application, you can reactivate exposed Keys. When your application is fully functional using the new Key, please delete exposed Keys
  • Revoke temporary credentials. Temporary credentials can also be revoked by deleting the IAM User. NOTE: Deleting IAM Users may impact production workloads and should be done with care

Recover

  • It is recommended not to pay the ransom
    • Paying the ransom is a gamble as to whether the criminal will honor the transaction after receiving payment
    • If no data backups exist, then you should do a cost benefit analysis and weigh the value of the data/reputational compromise against the payment to the attacker
    • You directly enable the attacker to continue their operations against your company or others if you choose to pay the ransom
  • Implement procedures under Protect before attempting to restore data or objects
  • Remove delete markers for versioned objects
  • Re-create deleted buckets
  • Restore objects from using S3 Intelligent Tiering object backups or replicated region bucket
  • Note: There is currently no "undelete" capability for S3, and AWS does not have the ability to recover data that has been deleted. In the current era of data storage compliance and regulations such as GDPR and CCPA, Amazon S3 cannot continue to store customer data  explicitly deleted from the customer's account. Once an object is deleted, it can no longer be recovered by AWS regardless of how quickly the unintended deletion is reported to AWS

Relational Database Service (RDS)

Identify

  • Assess your security posture to identify and remediate security gaps
    • AWS developed a new open source Self-Service Security Assessment tool that provides customers with a point-in-time assessment to gain valuable insights into the security posture of their AWS account.
  • Consider using AWS Config, which is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources
  • Consider implementing AWS GuardDuty to continuously monitor for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon RDS
  • Maintain a complete asset inventory of all resources including servers, networking devices, network/file shares and developer machines

Protect

Detect

Respond

  • Delete or rotate IAM User Keys and Root User Keys; you may wish to rotate all keys in your account if you cannot identify a specific key or keys that has been exposed
  • Delete unauthorized IAM Users
  • Delete unauthorized policies
  • Delete unauthorized roles
  • Delete unrecognized or unauthorized public snapshots or databases 
  • Identify an EC2 instances that had permissive access to the database(s) and investigate those as well
  • If your application uses exposed Access Keys, you need to replace the Key. To replace the Key, first create a second Key (at that point, both Keys will be active) and then modify your application to use the new Key. Then disable (but do not delete) exposed Keys by clicking on the "Make inactive" option in the console. If there are any problems with your application, you can reactivate exposed Keys. When your application is fully functional using the new Key, please delete exposed Keys
  • Revoke temporary credentials. Temporary credentials can also be revoked by deleting the IAM User. NOTE: Deleting IAM Users may impact production workloads and should be done with care

Recover

  • It is recommended not to pay the ransom
    • Paying the ransom is a gamble as to whether the criminal will honor the transaction after receiving payment
    • If no data backups exist, then you should do a cost benefit analysis and weigh the value of the data/reputational compromise against the payment to the attacker
    • You directly enable the attacker to continue their operations against your company or others if you choose to pay the ransom
  • Delete the compromised database and create new RDS databases
  • Follow regulatory requirements or internal company policy to determine if forensics of the RDS database is required
  • Visit https://www.nomoreransom.org/ to identify if a decryptor is available for the malware variant the infected your data
  • Use CloudEndure Disaster Recovery to select the latest recovery point before the ransomware attack or data corruption to restore your workloads on AWS
    • If using an alternate data backup strategy, validate the backups have not been infected and restore from the last scheduled event prior to the ransomware event

Following an Incident

Report Ransom Attacks to Authorities

The FBI encourages organizations to report ransom incidents to law enforcement. The Internet Crime Complaint Center (IC3) accepts online internet crime complaints either from the actual victim or from a third party to the complainant and will work with them to determine the best course of action going forward. Be prepared to share:

  • Any relevant information you believe is necessary to support your complaint
  • Email header(s)
  • Financial transaction information (account information, transaction date and amount, recipient details)
  • Subject's name, address, telephone, email, website, and IP address
  • Specific details on how you were victimized
  • Victim's name, address, telephone, and email

Perform root cause analysis

In most cases, your existing forensics tools will work in the AWS environment. Forensic teams benefit from the automated deployment of tools across AWS Regions and the ability to collect large volumes of data quickly with low friction using the same robust, scalable services their business-critical applications are built on.

Amazon Detective makes it easy to analyze, investigate, and quickly identify the root cause of potential security issues or suspicious activities. Amazon Detective automatically collects AWS service log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to conduct faster and more efficient security investigations.

Update security program with lessons learned

Documenting and cycling lessons learned during simulations and live incidents back into "new normal" processes and procedures allows organizations to better understand how they were breached -- such as where they were vulnerable, where automation may have failed, or where visibility was lacking -- and the opportunity to strengthen their overall security posture.

Train your employees

Train your employees through an effective security awareness program. This needs to be made entertaining and engaging. Focusing on reporting phishing, notification procedures, and how to report "bad" things then awarding that behavior can be very effective.

Conclusion

Ransom attacks are evolving, but so can your security awareness and preparedness. Government agencies, nonprofits, and businesses around the world trust AWS to power their infrastructure and keep their systems and data secure. Using the AWS services and best practices shared in this playbook, you can take proactive measures to reduce the likelihood and impact of ransom in your AWS environments.

Appendix A: Services and Tools to Prevent or Detect Ransom Attacks

Amazon CloudWatch Synthetics
Amazon CloudWatch
Amazon CodeGuru
Amazon EventBridge
Amazon GuardDuty
Amazon Inspector Network Reachability
Amazon Inspector
Amazon Macie
Amazon VPC Reachability Analyzer
AWS CDK
AWS Cloud9
AWS CloudFormation Guard
AWS CloudFormation
AWS CodeArtifact
AWS CodeBuild
AWS CodeCommit
AWS CodeDeploy
AWS CodePipeline
AWS Config Rules
AWS Control Tower
AWS IAM Access Analyzer
AWS IAM
AWS KMS
AWS Lambda
AWS Organizations
AWS Secrets Manager
AWS Security Hub
AWS Step Functions
AWS Systems Manager
AWS WAF
AWSPX
CheckMarx
EC2 Image Builder
ECR Native Container Image Scanning
git-secrets
PMapper
Prowler
SonarQube