Ransomware in the cloud
<p>Insights from practical experience<br />
<strong>Our cloud incident response trainings are now </strong><a href="https://academy.invictus-ir.com/" rel="noopener ugc nofollow" target="_blank"><strong>available</strong></a>!</p>
<h1>Background</h1>
<p>Recently we were engaged by a company after they were targeted by a ransomware attack in their AWS environment. In this blog we want to show you what happened and how we were able to piece together the picture based on available logging.</p>
<p>Due to confidentiality we will be using censored screenshots to protect our client’s information. They approved the publication of this blog, to prevent other companies from becoming a victim to a similar attack.</p>
<h1>Attack overview</h1>
<p>The overall attack activity, mapped to the MITRE ATT&CK tactics it corresponds to, is shown in the figure below:</p>
<p><img alt="" src="https://miro.medium.com/v2/resize:fit:700/1*El0SGkLGki-MxFTuAmCmDw.png" style="height:370px; width:700px" /></p>
<p>Incident timeline</p>
<h2>Initial Access</h2>
<p>The threat actor got into the environment through accidentally exposed long-term credentials (an IAM user access key). The first malicious activity fell outside the 90-day retention window of CloudTrail Event history, so it could not be observed directly; only a trail delivering to an S3 bucket would have retained those events for longer. Based on analysis of the subsequent events and open-source research we were nevertheless able to determine which access key was used, and that it had been publicly exposed. Fortunately the access key belonged to an IAM user that only had rights to a specific S3 bucket.</p>
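<p>The way such a key is pinned down from what CloudTrail still holds is to profile every long-term access key seen in the remaining logs: where it was used from, with which user agent, when it was first and last seen, and whether it made the reconnaissance calls (<code>GetCallerIdentity</code>, <code>ListBuckets</code>) and hit the access denials that a stranger probing an unfamiliar key produces. The script below is an added example and not the tooling used in the engagement; the log records, key IDs, IP addresses, bucket name and the "known corporate" IP range are all constructed for illustration, and the input shape assumed is the <code>{"Records": [...]}</code> JSON that a trail delivers to S3.</p>

```python
"""Profile CloudTrail activity per long-term access key to spot an exposed credential.

Added example; not from the original post. Assumes CloudTrail JSON as delivered to S3
(a top-level "Records" array) and an analyst-supplied set of known-good source ranges.
"""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log (not real data): a backup job from the corporate range, then the
# same IAM user's key used from an unknown address with cli-style reconnaissance calls.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2023-03-01T02:00:11Z", "eventName": "PutObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userAgent": "[aws-sdk-go/1.44.0]",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"bucketName": "corp-backups-example"}},
    {"eventTime": "2023-03-04T13:22:45Z", "eventName": "ListObjects",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.55",
     "userAgent": "[aws-cli/2.11.0 Python/3.11.2 Linux/5.15]",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"},
     "requestParameters": {"bucketName": "corp-backups-example"}},
    {"eventTime": "2023-03-04T13:23:02Z", "eventName": "GetCallerIdentity",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "203.0.113.55",
     "userAgent": "[aws-cli/2.11.0 Python/3.11.2 Linux/5.15]",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2023-03-04T13:25:19Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "203.0.113.55",
     "userAgent": "[aws-cli/2.11.0 Python/3.11.2 Linux/5.15]",
     "userIdentity": {"type": "IAMUser", "userName": "backup-svc",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"},
     "errorCode": "AccessDenied"},
    {"eventTime": "2023-03-04T14:00:00Z", "eventName": "AssumeRole",
     "eventSource": "sts.amazonaws.com", "sourceIPAddress": "198.51.100.9",
     "userAgent": "[aws-sdk-java/1.12.0]",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy",
                      "accessKeyId": "AKIAEXAMPLEKEY000002"}},
]})

# Assumed known-good egress range; in a real case this comes from the client's network team.
CORPORATE_RANGES = [ip_network("198.51.100.0/24")]


def load_records(raw):
    """Parse one CloudTrail log file body (the S3-delivered {"Records": [...]} shape)."""
    return json.loads(raw)["Records"]


def profile_access_keys(records):
    """Summarise activity per long-term IAM user access key (AKIA...).

    Temporary STS credentials (type AssumedRole, ASIA... keys) are skipped: the
    exposed credential we are hunting is a long-term key on an IAM user.
    eventTime is ISO-8601 UTC, so string min/max gives first/last seen.
    """
    profiles = {}
    for rec in records:
        ident = rec.get("userIdentity", {})
        key_id = ident.get("accessKeyId")
        if not key_id or ident.get("type") != "IAMUser":
            continue
        p = profiles.setdefault(key_id, {
            "user": ident.get("userName"), "first_seen": rec["eventTime"],
            "last_seen": rec["eventTime"], "source_ips": set(),
            "user_agents": set(), "event_names": Counter(), "denied": 0})
        p["first_seen"] = min(p["first_seen"], rec["eventTime"])
        p["last_seen"] = max(p["last_seen"], rec["eventTime"])
        p["source_ips"].add(rec["sourceIPAddress"])
        p["user_agents"].add(rec.get("userAgent", ""))
        p["event_names"][rec["eventName"]] += 1
        if rec.get("errorCode"):
            p["denied"] += 1
    return profiles


def suspicious_keys(profiles, known_ranges=CORPORATE_RANGES):
    """Keys used from outside the known ranges, with the foreign IPs, the number of
    denied calls, and any reconnaissance-style calls seen on that key."""
    findings = {}
    for key_id, p in profiles.items():
        foreign = {ip for ip in p["source_ips"]
                   if not any(ip_address(ip) in net for net in known_ranges)}
        if foreign:
            findings[key_id] = {
                "user": p["user"], "foreign_ips": foreign, "denied": p["denied"],
                "recon": sorted(e for e in p["event_names"]
                                if e in ("GetCallerIdentity", "ListBuckets"))}
    return findings


if __name__ == "__main__":
    profiles = profile_access_keys(load_records(SAMPLE_CLOUDTRAIL))
    for key_id, finding in suspicious_keys(profiles).items():
        print(key_id, finding)
```

<p>On the constructed sample the only flagged key is the backup user's, used from 203.0.113.55 with a CLI user agent the job never uses, an STS identity check and a denied <code>ListBuckets</code>: exactly the footprint of someone who found a key and is working out what it can reach. Run the same profiling over every log file the trail delivered, not just Event history, since Event history alone stops at 90 days.</p>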
<p><a href="https://invictus-ir.medium.com/ransomware-in-the-cloud-7f14805bbe82"><strong>Website</strong></a></p>