
SANS Institute Warns of Novel Cloud-Native Ransomware Attacks

17 Mar 2025 | The Hacker News | Cloud Security / Threat Intelligence

The latest Palo Alto Networks Unit 42 Cloud Threat Report found that sensitive data is present in 66% of cloud storage buckets. That data is vulnerable to ransomware attacks, and SANS Institute recently reported that such attacks can be carried out by abusing the cloud provider's storage security controls and default settings.

“In the last few months, I have witnessed two different methods for performing a ransomware attack using nothing but legitimate cloud security features,” warns Brandon Evans, security consultant and SANS Certified Instructor. Halcyon disclosed an attack campaign that abused one of Amazon S3's native encryption mechanisms, SSE-C, to encrypt each of the target buckets. A few months earlier, security consultant Chris Farris showed how attackers could mount a similar attack using a different AWS security feature, KMS keys with external key material, with simple scripts generated by ChatGPT. “Clearly, this topic is top of mind for both threat actors and researchers alike,” notes Brandon.

To address cloud ransomware, SANS recommends that organizations:

  1. Understand the power and limitations of cloud security controls: Using the cloud does not automatically make your data safe. “The first cloud services that most people use are backup solutions such as OneDrive, Dropbox, iCloud and others,” explains Brandon. “While these services usually have file recovery capabilities enabled by default, this is not the case for Amazon S3, Azure Storage or Google Cloud Storage. It is essential for security professionals to understand how these services work and not to assume that the cloud will save them.”
  2. Block unsupported cloud encryption methods: AWS S3 SSE-C, AWS KMS with external key material, and similar encryption techniques can be abused because the attacker has complete control over the keys. Organizations can use Identity and Access Management (IAM) policies to enforce the encryption method S3 uses, such as SSE-KMS with key material hosted in AWS.
  3. Enable backups, object versioning and Object Lock: These are some of the integrity and availability controls for cloud storage. None of them are enabled by default by any of the Big 3 cloud providers.
  4. Balance security and cost with data lifecycle policies: These security features cost money. “Cloud providers will not host data versions or backups for free. At the same time, your organization will not give you a blank check for data security,” says Brandon. Each of the Big 3 cloud providers lets customers define a lifecycle policy. These policies let organizations automatically delete objects, versions and backups once they are no longer considered necessary. Be aware, however, that attackers can also use lifecycle policies: they were used in the attack campaign mentioned above to pressure the target into paying the ransom quickly.
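
Recommendation 2 above says to use IAM policies to enforce which S3 encryption method is used. The following is an added example, not code from the article, SANS or AWS: an S3 bucket policy that denies uploads using SSE-C, uploads without SSE-KMS, and SSE-KMS uploads with any key other than one approved key, together with a small evaluator that applies the policy's Deny conditions to a few constructed PutObject request contexts. The bucket name, account id and KMS key ARN are placeholders; the three `s3:x-amz-server-side-encryption*` condition keys are real S3 condition keys.

```python
"""Require SSE-KMS with an AWS-hosted key on an S3 bucket, and check how the
policy's Deny statements treat different PutObject requests.

Constructed example: bucket name, account id and KMS key ARN are placeholders.
The condition keys used below are real S3 bucket-policy condition keys.
"""
import json

BUCKET = "example-data-bucket"  # placeholder
# Placeholder ARN for a KMS key whose material was generated inside KMS,
# so nobody outside AWS ever holds the raw key.
APPROVED_KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"


def _deny(sid, condition):
    """Build a Deny statement for any PutObject into BUCKET with this condition."""
    return {"Sid": sid, "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*", "Condition": condition}


BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # SSE-C: the uploader supplies the key and keeps the only copy; deny
        # whenever the SSE-C header is present.
        _deny("DenyCustomerProvidedKeys",
              {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}),
        # Anything other than SSE-KMS: SSE-S3, or no encryption header at all.
        _deny("DenyAnythingButSSEKMS",
              {"StringNotEquals": {"s3:x-amz-server-side-encryption": "aws:kms"}}),
        # SSE-KMS with any key but the approved one, which rules out a KMS key
        # whose material was imported from outside AWS.
        _deny("DenyUnapprovedKmsKeys",
              {"StringNotEquals": {
                  "s3:x-amz-server-side-encryption-aws-kms-key-id": APPROVED_KMS_KEY}}),
    ],
}


def policy_json():
    """The policy as it would be passed to put-bucket-policy."""
    return json.dumps(BUCKET_POLICY, indent=2)


def _condition_matches(operator, key, values, context):
    """Evaluate one condition the way IAM does for the operators used above.

    Negated operators (StringNotEquals) match when the key is absent from the
    request context; that is what makes a PutObject with no encryption header fail.
    """
    values = values if isinstance(values, list) else [values]
    present = key in context
    if operator == "Null":
        return present != (values[0] == "true")
    if operator == "StringEquals":
        return present and context[key] in values
    if operator == "StringNotEquals":
        return (not present) or context[key] not in values
    raise ValueError(f"operator not modelled: {operator}")


def denying_statements(context):
    """Sids of Deny statements whose Condition matches the request context.

    Only the Condition block is modelled; Principal, Action and Resource are
    assumed to match (a PutObject into BUCKET by any caller).
    """
    hits = []
    for stmt in BUCKET_POLICY["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        conditions = [(op, key, values)
                      for op, pairs in stmt.get("Condition", {}).items()
                      for key, values in pairs.items()]
        if all(_condition_matches(op, k, v, context) for op, k, v in conditions):
            hits.append(stmt["Sid"])
    return hits


# Constructed request contexts: the S3 condition keys each kind of upload sets.
SAMPLE_REQUESTS = {
    "SSE-C (caller-held key)": {
        "s3:x-amz-server-side-encryption-customer-algorithm": "AES256"},
    "no encryption header": {},
    "SSE-S3": {"s3:x-amz-server-side-encryption": "AES256"},
    "SSE-KMS, unapproved key": {
        "s3:x-amz-server-side-encryption": "aws:kms",
        "s3:x-amz-server-side-encryption-aws-kms-key-id":
            "arn:aws:kms:us-east-1:111122223333:key/SOME-OTHER-KEY"},
    "SSE-KMS, approved key": {
        "s3:x-amz-server-side-encryption": "aws:kms",
        "s3:x-amz-server-side-encryption-aws-kms-key-id": APPROVED_KMS_KEY},
}


if __name__ == "__main__":
    print(policy_json())
    for label, ctx in SAMPLE_REQUESTS.items():
        hits = denying_statements(ctx)
        print(f"{label:26} -> {'denied by ' + ', '.join(hits) if hits else 'allowed'}")
```

Two caveats when applying this for real: the policy governs new uploads only, so objects that were already re-encrypted are not touched, and the identity policies of the callers still need to grant `s3:PutObject`, since this bucket policy only adds explicit denies. Restricting to an approved key ARN is what stops a KMS key with imported (external) material from being used; the key's own policy should be locked down separately.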

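Recommendations 3 and 4 above cover versioning, Object Lock and lifecycle policies, and note that lifecycle policies cut both ways. The following is an added example, not code from the article or from SANS: a small audit that reports a bucket with versioning or Object Lock off, and flags lifecycle rules that would delete current objects or old versions on a short timer. The input dicts are constructed and mimic the shape of boto3's `get_bucket_versioning`, `get_object_lock_configuration` and `get_bucket_lifecycle_configuration` responses (an assumption); the 30-day threshold is an assumed review value, not a figure from the article.

```python
"""Audit an S3 bucket's integrity and availability controls: versioning,
Object Lock, and lifecycle rules that could delete data on a short timer.

Constructed example. The input dicts mimic the shape of boto3's
get_bucket_versioning, get_object_lock_configuration and
get_bucket_lifecycle_configuration responses (an assumption); a real run
would pass those API results in place of the samples below.
"""

# Assumed review threshold: expirations shorter than this are flagged so a
# human confirms they are a cost decision and not an attacker's countdown.
MIN_RETENTION_DAYS = 30


def audit_bucket(bucket):
    """Return a list of findings for one bucket; an empty list means no issues."""
    name = bucket["name"]
    findings = []

    # Versioning: without it an overwrite or delete destroys the only copy.
    if bucket["versioning"].get("Status") != "Enabled":
        findings.append(f"{name}: versioning not enabled")

    # Object Lock: retention that even a privileged API caller cannot shorten.
    lock = bucket["object_lock"].get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append(f"{name}: Object Lock not enabled")
    elif "Rule" not in lock:
        findings.append(f"{name}: Object Lock enabled but no default retention rule")

    # Lifecycle rules: legitimate for cost control, but the same mechanism can
    # be set by an intruder to schedule deletion of the data they encrypted.
    for rule in bucket["lifecycle"].get("Rules", []):
        if rule.get("Status") != "Enabled":
            continue
        rid = rule.get("ID", "<unnamed>")
        expiration = rule.get("Expiration", {})
        if "Date" in expiration:
            findings.append(f"{name}: rule {rid} expires objects on fixed date {expiration['Date']}")
        days = expiration.get("Days")
        if days is not None and days < MIN_RETENTION_DAYS:
            findings.append(f"{name}: rule {rid} expires current objects after {days} days")
        noncurrent = rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")
        if noncurrent is not None and noncurrent < MIN_RETENTION_DAYS:
            findings.append(f"{name}: rule {rid} deletes old versions after {noncurrent} days")
    return findings


# Constructed samples: a bucket left at provider defaults plus a short
# lifecycle timer, and one with the controls from the list above turned on.
WEAK_BUCKET = {
    "name": "reports-weak",
    "versioning": {},   # GetBucketVersioning returns no Status until enabled
    "object_lock": {},  # stands in for the not-found error boto3 raises here
    "lifecycle": {"Rules": [
        {"ID": "purge-fast", "Status": "Enabled", "Filter": {"Prefix": ""},
         "Expiration": {"Days": 7}},
    ]},
}

HARDENED_BUCKET = {
    "name": "reports-hardened",
    "versioning": {"Status": "Enabled"},
    "object_lock": {"ObjectLockConfiguration": {
        "ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}},
    }},
    "lifecycle": {"Rules": [
        {"ID": "expire-old-versions", "Status": "Enabled", "Filter": {"Prefix": ""},
         "NoncurrentVersionExpiration": {"NoncurrentDays": 90}},
    ]},
}


def audit_all(buckets):
    """Map bucket name -> findings, so the output can be diffed between runs."""
    return {b["name"]: audit_bucket(b) for b in buckets}


if __name__ == "__main__":
    for name, findings in audit_all([WEAK_BUCKET, HARDENED_BUCKET]).items():
        print(f"{name}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The hardened sample shows the balance the fourth recommendation describes: old versions are still expired to control cost, but only after a retention period, and Object Lock's default retention keeps the current copies from being removed early. Run the audit on a schedule and diff the output, since a newly appearing short-timer lifecycle rule is worth investigating on its own.
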
To learn more, watch Brandon's webcast, “Cloud Won't Save You from Ransomware: Here's What Will”, by visiting

Interested in additional tactics for mitigating attacks at the Big 3 cloud providers? See Brandon's course, SEC510: Cloud Security Controls and Mitigations, at SANS 2025 in Orlando or Live Online in April. The course is also available with Brandon later in the year in Baltimore, MD in June or Washington, DC in July.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.