RansomCloud: it’s new, it’s here now, and it’s coming to a server near you
Google cloud ransomware attacks are contributing to K-12 schools earning a dubious bit of notoriety. Healthcare entities used to be the single biggest target of ransomware. Late last year, the FBI reported that 57% of the ransomware incidents reported to it involved K-12 schools, and many more attacks undoubtedly go unreported.
The healthcare industry has been hard at work improving its cybersecurity plans and building more secure backup locations. Schools don't have the budgets that hospitals do, but they need to find cost-effective ways to protect themselves, because right now schools are top targets for ransomware. The proceeds from a school attack are relatively small, but attackers still go after schools because the chance of success is high and the chance of consequences for the attacker is low.
Many school leaders mistakenly think that Google Drive is protected from ransomware attacks, either by the school’s network security or by Google themselves. However, that is just one of the cybersecurity myths that are making schools even more vulnerable. For example:
Cybersecurity doesn't begin and end at the perimeter. Network protection doesn't stop attackers from reaching applications such as Google Workspace, Microsoft 365, and the many EdTech apps that run in the cloud, because those applications are reached from anywhere on the internet with a user's credentials or an app's OAuth grant, not through the school's network.
Google licenses operate under a shared responsibility model. In simple terms, that means:
- Google is responsible for the availability of its platform: failed hardware or software, a natural disaster, or a power outage must not interrupt the service.
- Schools are responsible for their data: someone accidentally deleting it, insiders leaking it, and attackers, ransomware, and other malware altering or destroying it.
The responsibility for protecting against Google cloud ransomware attacks rests solely with the schools. And, school ransomware attacks are on the rise.
Why Google Cloud is a Popular Ransomware Target
In 2019, experts predicted that ransomware would evolve to create infections that could shut down a school or business by attacking the cloud. And, they were right.
Ransomware infections planted through Microsoft 365 and Google Workspace are rising. These attacks can make your email inbox inaccessible and prevent you from accessing Google Drive and/or OneDrive files and SharePoint sites in the cloud.
A survey of over 2,400 MSPs showed that 28% had seen ransomware attacks in SaaS applications. The attacks become more sophisticated all the time, and current research shows that the majority of malware now enters through cloud applications. One person clicking the wrong link in an email can lock you out of all of your cloud files.
3 Google Cloud Ransomware Attack Vectors
An attack vector is the way that a hacker can gain access to your cloud applications. These are three of the most common attack vectors cybercriminals are using for Google cloud ransomware attacks.
Backup & Sync Tool
Google offered a free synchronization client called Backup and Sync (replaced in 2021 by Google Drive for desktop, which behaves the same way for the purposes of this discussion). It is very handy for users: it keeps a folder on the local computer and the user's Google Drive in step, so a change made on either side is copied to the other and both always reflect the latest version.
That two-way sync is also a path for ransomware into Google Drive. Suppose a user clicks a link in a spam email and ransomware runs on their computer, encrypting the files in the synced folder. The sync client has no notion of "encrypted"; it sees modified files, exactly as it would see any edit, and uploads the encrypted versions to Google Drive, overwriting the originals. Within minutes the Drive copies are useless too, and the user rarely notices in time to stop the client. Drive does retain earlier versions of a file for a while (by default 30 days or 100 revisions for non-Google file types), which can allow recovery if the attack is caught quickly, but version history is not a backup: it lives in the same account the ransomware just used, and an attacker who keeps rewriting files can push the clean version out of the retained history.
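Because the sync client acts as the signed-in user, the encryption shows up in Drive's audit trail as that user renaming and editing many files in quick succession. The following detection is an added example, not code from the original page or from Google: it scans constructed, simplified audit-style log lines (real Drive audit events have more fields and come from the Admin SDK Reports API) and flags any actor who appends the same new extension to many files inside a short window, the classic encrypt-and-rename pattern. The user names, file names and thresholds are hypothetical.

```python
"""Spot a sync client pushing ransomware-encrypted files into Google Drive.

Heuristic: one actor appending the same previously unseen extension to many
files within a short window. Log lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one event per line:
# <timestamp> <actor> <event> <old title> <new title>
SAMPLE_LOG = """\
2024-03-04T08:12:01Z alice@school.example rename Budget.xlsx Budget.xlsx.locked
2024-03-04T08:12:03Z alice@school.example rename Roster.csv Roster.csv.locked
2024-03-04T08:12:04Z bob@school.example edit Lesson.docx Lesson.docx
2024-03-04T08:12:06Z alice@school.example rename IEP_2023.pdf IEP_2023.pdf.locked
2024-03-04T08:12:09Z alice@school.example rename Grades.xlsx Grades.xlsx.locked
2024-03-04T08:12:11Z bob@school.example rename Report_v1.docx Report_v2.docx
2024-03-04T08:12:14Z alice@school.example rename Photos.zip Photos.zip.locked
2024-03-04T08:12:20Z alice@school.example rename README.txt README.txt.locked
2024-03-04T08:15:00Z carol@school.example rename Notes.txt Notes.txt.bak
"""

WINDOW = timedelta(seconds=60)  # how close together the renames must be
THRESHOLD = 5                   # renames with the same appended extension


def parse_line(line):
    """Split one constructed log line into its five fields."""
    ts, actor, event, old, new = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, event, old, new


def appended_extension(old, new):
    """Return the extension appended to the original name, or None.

    'Budget.xlsx' -> 'Budget.xlsx.locked' yields 'locked'; an ordinary rename
    such as 'Report_v1.docx' -> 'Report_v2.docx' yields None.
    """
    if new.startswith(old + ".") and len(new) > len(old) + 1:
        return new[len(old) + 1:]
    return None


def find_mass_rename(lines, window=WINDOW, threshold=THRESHOLD):
    """Return (actor, extension, count) for every actor who appended the same
    extension to at least `threshold` files inside any `window`-long span."""
    stamps = defaultdict(list)  # (actor, ext) -> [timestamp, ...]
    for line in lines:
        if not line.strip():
            continue
        ts, actor, event, old, new = parse_line(line)
        if event != "rename":
            continue
        ext = appended_extension(old, new)
        if ext is not None:
            stamps[(actor, ext)].append(ts)

    alerts = []
    for (actor, ext), times in stamps.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):      # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append((actor, ext, best))
    return alerts


if __name__ == "__main__":
    for actor, ext, count in find_mass_rename(SAMPLE_LOG.splitlines()):
        print(f"ALERT {actor}: {count} files renamed to *.{ext} within {WINDOW}")
```

On the sample, alice's six `.locked` renames in nineteen seconds trigger an alert while bob's version bump and carol's single `.bak` do not. The useful follow-up action is to suspend the flagged account's sessions and stop the sync client before the retained version history is overwritten.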
3rd Party Apps and Extensions
School districts all over the country use a wide variety of third-party apps. The number of EdTech apps is exploding, and remote learning has encouraged even greater usage. Unfortunately, not all of these apps are safe to use.
For example, in 2020, even though Google tries to screen out malicious apps from its store, fraudulent apps that had been installed almost two million times were found there. In addition, district IT teams are well aware of "shadow" third-party apps, meaning apps the IT team has never vetted; use of that kind of app exploded when remote learning started in earnest during the pandemic.
Malicious third-party apps and extensions get into your Google Workspace data easily because they are invited in. When a user installs one, Google shows a consent screen listing the permissions (OAuth scopes) the app is asking for. If the user grants a broad scope such as full Drive access, the app can read, modify, and delete every file that user can reach, send messages in the user's name, and more, entirely through Google's APIs and without ever touching the school network. Ransomware delivered this way simply uses that permission to overwrite files with encrypted copies.
OAuth is the mechanism behind that consent screen. It lets a user authorize an app to act on their Google data without handing the app their password, and the token the app receives keeps working until it is revoked. That is a time saver for users, and it is also exactly what a malicious app wants. Knowing which apps hold OAuth grants in your domain, and which scopes they hold, is critical to keeping Google cloud ransomware off your systems.
RansomCloud is an emerging type of ransomware. The term was coined for ransomware that starts in the cloud account itself rather than on a device, typically by abusing an OAuth grant. Here is an example of why RansomCloud attacks are so destructive.
- The attacker sends one of your users an email that looks like it comes from a trusted source, often Google itself, and asks the user to sign in to their Google account to apply something like a security update.
- The link leads to a genuine Google sign-in, followed by the kind of consent screen your users have seen many times before, in which the attacker's "application" asks for permission to access the user's mail and files in order to complete the update.
- Once the user clicks Allow, the attacker's app holds an OAuth token and never needed the password. It reads the mailbox through the API, encrypts the messages, and moves on to everything else the granted scopes reach, including shared drives and shared folders the user has access to. The phishing page was never the weak point; the permissions granted were. Recovery means revoking the grant and blocking the app explicitly, not relying on a password reset.
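The consent screen in the attack above is a real Google screen, so the thing to review is the scopes an app holds and how quickly it collected grants across users. The triage below is an added example, not code from the original page or from Google: it classifies constructed grant records (resembling, but not, exported Workspace admin data) by scope risk and flags apps that gathered grants from several users in a short window, which is what a consent-phishing campaign looks like from the admin side. The scope strings are real Google OAuth scopes; the risk tiers, thresholds, client IDs, app names and users are this example's own assumptions.

```python
"""Triage third-party OAuth grants for consent-phishing (RansomCloud) risk.

Grant records are constructed for this example; scope strings are real Google
OAuth scopes, the risk tiers and thresholds are hypothetical choices.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# An app holding any of these can read, rewrite or delete a user's mail or
# Drive in bulk, which is all ransomware needs.
FULL_CONTROL_SCOPES = {
    "https://mail.google.com/",                       # all of Gmail
    "https://www.googleapis.com/auth/gmail.modify",   # read, write, delete mail
    "https://www.googleapis.com/auth/drive",          # every file the user can reach
}
READ_ONLY_SCOPES = {
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
}
# Narrow scopes that ordinary EdTech sign-in legitimately needs.
LOW_RISK_SCOPES = {
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/drive.file",     # only files the app opened/created
}

T = datetime.fromisoformat
SIGNIN = {"openid", "https://www.googleapis.com/auth/userinfo.email"}
# Constructed records: (granted_at, user, client_id, app_name, verified, scopes)
GRANTS = [
    (T("2024-03-04T08:02:00"), "alice@school.example", "111-rogue.apps.googleusercontent.com",
     "Google Security Update", False, SIGNIN | {"https://mail.google.com/"}),
    (T("2024-03-04T08:05:00"), "bob@school.example", "111-rogue.apps.googleusercontent.com",
     "Google Security Update", False, SIGNIN | {"https://mail.google.com/"}),
    (T("2024-03-04T08:11:00"), "carol@school.example", "111-rogue.apps.googleusercontent.com",
     "Google Security Update", False, SIGNIN | {"https://mail.google.com/"}),
    (T("2024-03-04T08:19:00"), "dave@school.example", "111-rogue.apps.googleusercontent.com",
     "Google Security Update", False, SIGNIN | {"https://mail.google.com/"}),
    (T("2024-03-01T10:00:00"), "eve@school.example", "222-grader.apps.googleusercontent.com",
     "Classroom Grader", True, SIGNIN | {"https://www.googleapis.com/auth/drive"}),
    (T("2024-02-20T09:30:00"), "alice@school.example", "333-quiz.apps.googleusercontent.com",
     "Quiz Maker", True, SIGNIN | {"https://www.googleapis.com/auth/drive.file"}),
]


def scope_tier(scopes):
    """Classify a set of granted scopes by the worst thing the app can do."""
    if scopes & FULL_CONTROL_SCOPES:
        return "full_control"
    if scopes & READ_ONLY_SCOPES:
        return "read_only"
    if scopes - LOW_RISK_SCOPES:
        return "unknown"        # a scope this list does not know: a human looks
    return "low"


def grant_bursts(grants, window=timedelta(hours=1), min_users=3):
    """Client IDs that collected grants from >= min_users distinct users inside
    one window. Returns {client_id: peak distinct users in a window}."""
    by_client = defaultdict(list)
    for granted_at, user, client_id, *_ in grants:
        by_client[client_id].append((granted_at, user))
    bursts = {}
    for client_id, items in by_client.items():
        items.sort()
        peak, start = 0, 0
        for end, (t, _) in enumerate(items):     # sliding window over sorted grants
            while t - items[start][0] > window:
                start += 1
            peak = max(peak, len({u for _, u in items[start:end + 1]}))
        if peak >= min_users:
            bursts[client_id] = peak
    return bursts


def triage(grants):
    """Map client_id -> (app_name, verdict); verdict is 'revoke_and_block',
    'review' or 'allow'."""
    bursts = grant_bursts(grants)
    verdicts = {}
    for _, _, client_id, app_name, verified, scopes in grants:
        tier = scope_tier(set(scopes))
        if tier == "full_control" and (not verified or client_id in bursts):
            verdict = "revoke_and_block"   # unverified or mass-granted full control
        elif tier in ("full_control", "read_only", "unknown"):
            verdict = "review"             # broad but plausibly legitimate
        else:
            verdict = "allow"
        verdicts[client_id] = (app_name, verdict)
    return verdicts


if __name__ == "__main__":
    for client_id, (app_name, verdict) in triage(GRANTS).items():
        print(f"{verdict:16} {app_name} ({client_id})")
```

The rogue "Google Security Update" app is unverified, holds full Gmail access, and picked up four users' grants in under twenty minutes, so it is marked for revocation and blocking; the verified grader with full Drive access is flagged for review rather than blocked, and the quiz app with per-file scope passes. In a real domain the block is applied through the Admin console's API controls, and the existing tokens are revoked per user.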
Could a Google Cloud Ransomware Attack Hit Your School?
The short answer is yes. Attackers are creative, and an attack can hit just about anywhere, so it is critical that you do what is needed to protect your community. Protecting your data, whether it sits in the cloud or on-prem, means combining strategies such as zero trust, cloud monitoring, and multi-layered defenses.
Attackers aren't going to abandon ransomware in the cloud as long as it works so well and victims keep paying. Shift the odds in your favor by using the K-12 NIST Cybersecurity Framework to create, strengthen, and maintain your cybersecurity posture.