Never Pay Ransom: Leveraging Cloud to Make Ransomware Obsolete

Ransomware attacks have plagued the IT landscape for some time now, for a number of reasons: the general simplicity of the attack vector, which makes it approachable even for casual hackers; the scalability that lets it impact a wide range of targets, from individuals to enterprises; and, most notably, the monetary dimension of holding hostage an enterprise’s most prized asset, its data. If you consider the evolution of this attack into data kidnapping (essentially data exfiltration coupled with cryptographic lockout, with or without the intention of ransoming the data back to the organization), ransomware mitigation and prevention is a critical area of focus for every IT organization.

Anatomy of a Ransomware Attack

So how do ransomware attacks happen? Like most attack vectors, they start with a malicious payload getting inside the boundary protection of the enterprise. Once inside, the payload phones home to the attacker’s command and control server for two purposes: first, to obtain an encryption key unique to the attack so that the data can be encrypted locally where the malicious payload lives; and second, to receive instructions on how to move laterally in the enterprise and repeat step one. Once data is impacted, and because of the cryptographic strength of modern encryption algorithms, the only recourse to get it back is to pay the ransom and receive the keys to decrypt.

Zero Trust and DevSecOps

As a first line of defense, organizations that embrace and adopt a culture and architecture of zero trust and practice DevSecOps are less vulnerable to these types of attacks. While certainly not exclusive to the cloud, the software-defined nature of cloud computing makes those pillars easier to implement and operate successfully. Whether it be rigorous software supply chain control, egress firewall policy or deny-by-default lateral movement between resources on an organization’s network, the cloud helps organizations mitigate the risks and impacts of ransomware attacks.

Cloud Paradigm Shift: Immutable Data and Cattle vs. Pets

However, even with the protections and impact mitigations that come from zero trust and DevSecOps, there is always a human element of the IT enterprise that, like all humans, is not infallible. This is where the cloud really shines when it comes to data integrity, security and resiliency.

First, cloud data storage solutions not only provide cost-effective data backup and recovery options, they are also built in such a way that the data stored is immutable, meaning it cannot be modified, only copied or deleted. This means that a ransomware attack against an organization’s cloud data storage solution would be reduced to one of two outcomes: creating new ransom-encrypted versions of the data, after which the organization can simply revert to the prior versions to recover, or deleting the data, which the organization can mitigate by establishing a bucket policy prohibiting deletes. In all circumstances, establishing a least-privilege access policy on the data stored in the cloud further reduces the impact surface of ransomware attacks.
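The bucket policy described above, written out as an added example (not part of the original article): a least-privilege Allow for a backup role beside an explicit Deny on every destructive action, plus a minimal local evaluator so the policy can be sanity-checked offline. The bucket name and role ARN are constructed placeholders, and the evaluator is a simplification of IAM evaluation (explicit Deny wins, no Allow means deny), not AWS's own engine.

```python
"""Bucket policy that blocks the two ways ransomware can damage versioned object storage
(overwrite and delete), plus a minimal local evaluator to sanity-check it offline."""
import fnmatch

# Constructed example identifiers; replace with your own bucket and workload role.
BUCKET = "example-corp-backups"
WRITER_ROLE = "arn:aws:iam::123456789012:role/backup-writer"

# With versioning enabled, an overwrite only creates a new version. The policy
# below makes sure nobody can purge versions or switch versioning off, even a
# principal that otherwise holds broad rights (explicit Deny beats any Allow).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # least privilege: the backup job may only write and read objects
            "Sid": "BackupWriterLeastPrivilege",
            "Effect": "Allow",
            "Principal": {"AWS": WRITER_ROLE},
            "Action": ["s3:PutObject", "s3:GetObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
        },
        {   # no deletes, no version purge, no suspending versioning,
            # no lifecycle rule that would expire versions, no bucket removal
            "Sid": "DenyDestructiveActions",
            "Effect": "Deny",
            "Principal": "*",
            "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                       "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration",
                       "s3:DeleteBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        },
    ],
}


def _matches(patterns, value):
    """IAM-style wildcard match ('*' and '?') against one or more patterns."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, principal, action, resource):
    """Simplified IAM evaluation: explicit Deny wins; with no matching Allow, deny."""
    decision = "deny"
    for stmt in policy["Statement"]:
        who = stmt["Principal"]
        principal_ok = who == "*" or _matches(who.get("AWS", []), principal)
        if not (principal_ok and _matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision
```

A bucket policy can itself be rewritten by anyone holding s3:PutBucketPolicy, so pair it with S3 Object Lock retention where the backups must survive even a compromised administrator.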

Second, one of the most important paradigms of cloud computing is that of immutable and ephemeral infrastructure and resources. Organizations that embrace this across their entire IT enterprise, and treat even their end-user devices as cattle rather than pets, can pair it with the data resiliency and recovery features of the cloud and transform a ransomware attack into nothing more than a routine hardware failure: simply spin up a new device, server, etc. from the cloud data restore point, hand the infected device over to your IT office, and go about your day as if the ransomware attack never happened.

Holding the Attacker for Ransom: Cloud-enabled Quarantine, Forensics, and Honey Pots

A third and rather interesting feature of cloud computing in defending against ransomware, or any other cyber-attack, is the powerful forensic capability that the cloud enables. The ability to spin up a facsimile of the enterprise production environment that is completely quarantined or disconnected from the enterprise allows cybersecurity experts to study and exploit the attackers’ tools unbeknownst to them. In many cases, this helps track down the origins of the attack, allowing the attackers to be brought to justice and deterring others from following in their footsteps. It also helps us further understand the anatomy and attack vectors as they mature and innovate over time. Leveraging the insight gained, organizations can spin up honey pots in the cloud: assets and environments intended to attract attackers but specially designed to observe, frustrate and entrap them.


While there is no silver bullet to prevent all forms of ransomware attack, organizations that embrace the full power of the cloud and leverage it to establish an architecture and culture of zero trust, DevSecOps and ephemeral infrastructure and resources can certainly be assured they never need to pay a ransom again.


Bob D. Ritchie is vice president of the software practice with responsibility for leading over 4,000 software engineers in support of executive-level project teams, providing technical direction and expertise for SAIC enterprise modernization initiatives. In addition, he established the Cloud One Community of Practice and holds workshops and information sharing sessions to foster deeper understanding in the broader community.

Ritchie joined SAIC in 2006 as a senior principal software engineer. He has led several Agile teams in developing, modernizing, migrating, and operating resilient, highly available, enterprise-scale software systems across the Navy, Marine Corps, Defense Logistics Agency, and Air Force.