Ransomware in the cloud

<p>Insights from practical experience<br /> <strong>Our cloud incident response trainings are now&nbsp;</strong><a href="https://academy.invictus-ir.com/" rel="noopener ugc nofollow" target="_blank"><strong>available</strong></a>!</p> <h1>Background</h1> <p>Recently we were engaged by a company after they were targeted by a ransomware attack in their AWS environment. In this blog we want to show you what happened and how we were able to piece the picture together from the logging that was available.</p> <p>Due to confidentiality we will be using censored screenshots to protect our client&rsquo;s information. They approved the publication of this blog to prevent other companies from falling victim to a similar attack.</p> <h1>Attack overview</h1> <p>The overall attack activity is mapped to MITRE ATT&amp;CK as shown in the figure below:</p> <p><img alt="Incident timeline mapped to MITRE ATT&amp;CK" src="https://miro.medium.com/v2/resize:fit:700/1*El0SGkLGki-MxFTuAmCmDw.png" style="height:370px; width:700px" /></p> <p>Incident timeline</p> <h2>Initial Access</h2> <p>The threat actor got into the environment through accidentally exposed long-term credentials (an IAM user access key). The first malicious activity happened outside the 90-day retention period of CloudTrail Event history, so it could not be queried directly. However, based on analysis of subsequent events and open-source analysis we were able to determine that a specific access key had been used, and that this key was publicly exposed. Luckily the access key belonged to an IAM user whose permissions were limited to a single S3 bucket.</p> <p><a href="https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82"><strong>Website</strong></a></p>
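<p>As an added example (this is not code from the Invictus IR post, nor their client's data), the following Python performs the pivot that the initial-access analysis above relies on: it takes CloudTrail records in the JSON shape a trail delivers to S3, keeps only the events issued with one suspect access key ID, and condenses them into the fields an incident timeline needs (IAM user, first and last seen, source IPs, user agents, API calls, <code>AccessDenied</code> responses and buckets touched). It also checks whether the first use predates the 90-day Event history window, which is the situation described above. The key ID (AWS's documentation example), user name, bucket names, IP addresses and timestamps are constructed for the example.</p>

```python
"""Pivot CloudTrail records on a suspect access key (added example)."""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Hypothetical key id (the AWS documentation example), not a real credential.
SUSPECT_KEY = "AKIAIOSFODNN7EXAMPLE"

# Constructed sample: the top-level {"Records": [...]} shape of a CloudTrail
# delivery file. Names, IPs and times are invented for the demonstration.
SAMPLE_TRAIL_JSON = json.dumps({"Records": [
    {"eventTime": "2023-01-05T10:12:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/2.11.0 Python/3.11.2 Linux/5.15",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc",
                      "accessKeyId": SUSPECT_KEY}},
    {"eventTime": "2023-01-05T10:13:30Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/2.11.0 Python/3.11.2 Linux/5.15",
     "errorCode": "AccessDenied",   # key is scoped to one bucket
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc",
                      "accessKeyId": SUSPECT_KEY}},
    {"eventTime": "2023-01-05T10:15:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "203.0.113.7",
     "userAgent": "aws-cli/2.11.0 Python/3.11.2 Linux/5.15",
     "requestParameters": {"bucketName": "corp-backups-eu"},
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc",
                      "accessKeyId": SUSPECT_KEY}},
    {"eventTime": "2023-01-06T02:40:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.23",
     "userAgent": "Boto3/1.26.0",
     "requestParameters": {"bucketName": "corp-backups-eu",
                           "key": "db/2023-01-01.dump"},
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc",
                      "accessKeyId": SUSPECT_KEY}},
    # Unrelated activity by another principal; must not be attributed to the key.
    {"eventTime": "2023-01-06T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "192.0.2.10",
     "userAgent": "aws-sdk-java/1.12",
     "requestParameters": {"bucketName": "corp-webassets"},
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEROLEKEY",
                      "arn": "arn:aws:sts::111122223333:assumed-role/deploy/ci"}},
]})


def _parse_time(iso_z):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing Z."""
    return datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_records(text):
    """Parse one CloudTrail delivery file and return its Records list."""
    return json.loads(text)["Records"]


def events_for_key(records, access_key_id):
    """Every event issued with the given access key, oldest first."""
    hits = [r for r in records
            if r.get("userIdentity", {}).get("accessKeyId") == access_key_id]
    return sorted(hits, key=lambda r: r["eventTime"])


def summarise_key_usage(events):
    """Condense a key's events into the fields an IR timeline needs."""
    if not events:
        return None
    return {
        "user_names": sorted({e["userIdentity"].get("userName", "?") for e in events}),
        "first_seen": events[0]["eventTime"],
        "last_seen": events[-1]["eventTime"],
        "source_ips": Counter(e["sourceIPAddress"] for e in events),
        "user_agents": Counter(e.get("userAgent", "") for e in events),
        "api_calls": Counter(e["eventName"] for e in events),
        # Denied calls show what the attacker tried that the key could not do.
        "denied": [e["eventName"] for e in events if e.get("errorCode") == "AccessDenied"],
        "buckets": sorted({e["requestParameters"]["bucketName"] for e in events
                           if "bucketName" in e.get("requestParameters", {})}),
    }


def predates_event_history(first_seen_iso, now_iso, retention_days=90):
    """True when the first use is older than CloudTrail Event history keeps.

    In that case lookup-events cannot show initial access; only a trail
    delivered to S3 (or CloudTrail Lake) covering that period can.
    """
    cutoff = _parse_time(now_iso) - timedelta(days=retention_days)
    return _parse_time(first_seen_iso) < cutoff


if __name__ == "__main__":
    evts = events_for_key(load_records(SAMPLE_TRAIL_JSON), SUSPECT_KEY)
    summary = summarise_key_usage(evts)
    for field, value in summary.items():
        print(f"{field:12} {value}")
    print("beyond Event history:",
          predates_event_history(summary["first_seen"], "2023-06-01T00:00:00Z"))
```

<p>In a real engagement the input is the gzipped objects under the trail's S3 prefix for the relevant dates (or, for the last 90 days only, the output of <code>aws cloudtrail lookup-events --lookup-attributes AttributeKey=AccessKeyId,AttributeValue=&lt;key id&gt;</code>), and <code>aws sts get-access-key-info --access-key-id &lt;key id&gt;</code> confirms which AWS account a recovered key ID belongs to before you start attributing events to it. The <code>denied</code> field is worth keeping in the timeline: a burst of <code>AccessDenied</code> on enumeration calls is typical of an attacker probing what a found key can do, and is the evidence for the kind of least-privilege scoping that limited this key to one bucket.</p>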