Majority of AWS accounts are vulnerable to ransomware
As more data moves to the cloud, platforms like AWS are becoming an increasingly attractive target for ransomware operators.
A new study by cloud infrastructure company Ermetic finds that 70 percent of environments studied had machines that were publicly exposed to the internet and were linked to identities whose permissions could be exploited to allow the machines to perform ransomware.
"Very few companies are aware that data stored in cloud infrastructures like AWS is at risk from ransomware attacks, so we conducted this research to investigate how often the right conditions exist for Amazon S3 buckets to be compromised," says Shai Morag, CEO of Ermetic. "We found that in every single account we tested, nearly all of an organization's S3 buckets were vulnerable to ransomware. Therefore, we can conclude that it's not a matter of if, but when, a major ransomware attack on AWS will occur."
Every enterprise environment studied had identities at risk of being compromised and that could execute ransomware on at least 90 percent of the buckets in an AWS account. In addition over 45 percent of the environments had third party identities with the ability to run ransomware by elevating their privileges to admin level (a finding with far-reaching implications beyond the ransomware focus of the research). Almost 80 percent of the environments contained IAM Users with enabled access keys that had not been used for 180 days or more, and had the ability to run ransomware.
These findings focus on single, compromised identities, but in many ransomware campaigns bad actors move laterally to compromise multiple identities and use their combined permissions, greatly increasing their ability to access resources.
The full report is available from the Ermetic site.