
Ransomware goes cloud native to target your backup infrastructure – Source: www.csoonline.com


Source: www.csoonline.com – Author: John Leyden

News Analysis

Aug 5, 2025 | 5 mins

Cloud Security | Ransomware | Threat and Vulnerability Management

Moving beyond just endpoints, ransomware gangs are following the data, leading to more sophisticated cloud-native extortion attack chains.

Ransomware groups and other cybercriminals are increasingly targeting cloud-based backup systems, challenging long-established approaches to disaster recovery.

Attacks on cloud-based backups are becoming increasingly commonplace as ever more sophisticated attackers hone their techniques for data exfiltration, identity compromise, and supply chain attacks, security researchers from Google warn in a report on the evolution of cloud security threats.

The latest Google Cloud Threat Horizons Report, which covers the first half of 2025, also found that credential compromise and misconfiguration remain the primary entry points for threat actors into cloud environments.

‘Cloud-native extortion’

Various Google Cloud intelligence, security, and product teams contributed to the report, which covers not only threats to Google Cloud but those faced by multiple if not all cloud service providers and their customers.

Independent security experts quizzed by CSO backed up Google’s findings that ransomware groups are increasingly targeting backup infrastructure in the cloud.

“Attacks are no longer limited to endpoints; they follow the data, and that includes snapshots, S3 buckets, and cloud object storage,” said Dave Manning, SVP and global CISO at Lemongrass, a specialist in delivering cloud-based SAP systems. “Native cloud features like SSE-C encryption are even being hijacked to re-encrypt data and hold it for ransom, as we saw in the Codefinger campaign.”

Manning added: “Modern ransomware isn’t just encryption; it’s cloud-native extortion.”

Google’s researchers also note in their report that attackers are disabling or deleting cloud-hosted backups early in the kill chain to maximize leverage.

“That same pattern was observed in recent HellCat, Akira, and ALPHV/BlackCat intrusions, where immutable copies were located and wiped before the extortion notice dropped,” said David Kasabji, principal threat intelligence analyst for ITGL, the security division of digital transformation provider Conscia. “In practice, if an organization’s backups live on the same control plane as production, adversaries assume they are fair game.”

Kasabji added: “Isolated, versioned, and access-controlled recovery tiers are becoming non-negotiable.”

Ransomware gangs have turned the victim’s own cloud-based tools against them. For example, notorious groups such as BlackCat (ALPHV) and Rhysida have actively exploited access to Azure Blob Storage, Amazon S3 Transfer Acceleration, and backup services such as Azure Storage Explorer to exfiltrate and encrypt sensitive files.

“The threat goes beyond encryption — adversaries are modifying lifecycle policies to auto-delete files within days, as seen in Codefinger’s attacks, creating a manufactured sense of urgency,” said Cameron Sipes, director of cloud security at SentinelOne. “These tactics bypass traditional endpoint security and leverage the elasticity of cloud resources for fast, difficult-to-reverse impact.”

Sipes added: “In another campaign attributed to a LockBit impersonator, ransomware was delivered via Amazon S3 Transfer Acceleration, again abusing native cloud infrastructure to siphon off data before encryption.”
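A detection-side illustration of the tactics described above (SSE-C re-encryption, short lifecycle expiries, and tampering with backup buckets), added here as an example; it is not code from the article or from Google's report. It assumes CloudTrail-style S3 event records with the field names shown; the sample events are constructed, the backup-bucket inventory is assumed, and the SSE-C and lifecycle field layout is a simplified assumption rather than a verbatim log schema.

```python
# Constructed CloudTrail-style S3 records; field layout is simplified and assumed, not copied from real logs.
SAMPLE_EVENTS = [
    {"eventName": "CopyObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/nightly.bak",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"}},
    {"eventName": "PutBucketLifecycle", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup"},
     "requestParameters": {"bucketName": "corp-backups", "LifecycleConfiguration": {
         "Rule": [{"Status": "Enabled", "Expiration": {"Days": 7}}]}}},
    {"eventName": "PutBucketVersioning", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-backup"},
     "requestParameters": {"bucketName": "corp-backups", "VersioningConfiguration": {"Status": "Suspended"}}},
    {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},  # benign: KMS key
     "requestParameters": {"bucketName": "app-uploads", "key": "img.png", "x-amz-server-side-encryption": "aws:kms"}},
]

BACKUP_BUCKETS = {"corp-backups"}   # buckets holding recovery data (assumed inventory)
MIN_SAFE_EXPIRY_DAYS = 30           # a shorter expiry on any bucket is worth a look
DESTRUCTIVE = {"DeleteObject", "DeleteObjects", "DeleteBucket", "DeleteBucketLifecycle"}

def analyze_event(ev):
    """Return finding codes for one event; an empty list means nothing suspicious."""
    name, params = ev.get("eventName", ""), ev.get("requestParameters") or {}
    bucket, findings = params.get("bucketName", ""), []
    # 1. Write/copy with a customer-supplied key (SSE-C): S3 never stores the key, so only its holder can decrypt.
    if name in ("PutObject", "CopyObject") and "x-amz-server-side-encryption-customer-algorithm" in params:
        findings.append("sse_c_write")
    # 2. Lifecycle rule that expires objects within days: the manufactured-urgency tactic.
    if name == "PutBucketLifecycle":
        rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
        for rule in (rules if isinstance(rules, list) else [rules]):
            days = rule.get("Expiration", {}).get("Days")
            if rule.get("Status") == "Enabled" and days is not None and days < MIN_SAFE_EXPIRY_DAYS:
                findings.append("short_lifecycle_expiry")
    # 3. Anything that removes recoverability from a known backup bucket.
    if bucket in BACKUP_BUCKETS:
        if name in DESTRUCTIVE:
            findings.append("backup_destruction")
        if name == "PutBucketVersioning" and params.get("VersioningConfiguration", {}).get("Status") == "Suspended":
            findings.append("versioning_suspended")
    return findings

def triage(events):
    """Keep only suspicious events as (eventName, bucket, actor ARN, findings)."""
    out = []
    for ev in events:
        findings = analyze_event(ev)
        if findings:
            out.append((ev["eventName"], ev["requestParameters"].get("bucketName", ""),
                        ev.get("userIdentity", {}).get("arn", "?"), findings))
    return out
```

In a real pipeline the same three checks would be fed from CloudTrail S3 data events and correlated by actor ARN, since a single identity touching all three is the pattern the analysts quoted above describe.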

Credential compromise and misconfiguration woes

More sophisticated threat groups have developed social engineering techniques to the point where they reliably trick targets into helping them to bypass multi-factor authentication (MFA) controls before ransacking compromised cloud-hosted environments.

For example, threat actors are using compromised OAuth tokens to bypass MFA and inject malicious code into developer ecosystems via automated CI/CD pipelines, Google’s researchers warn.

As a countermeasure against this attack vector, Google has introduced Verified CRX Upload controls to secure the non-human identities used in these cloud-based build processes.

Bernard Montel, EMEA technical director and security strategist at Tenable, told CSO that credential compromise and misconfiguration continue to be the “Achilles’ heel of cloud security,” echoing a key finding from Google Cloud’s researchers.

Secrets and credentials are routinely mishandled across cloud environments, according to research from Tenable.

More than half (54%) of organizations using AWS ECS task definitions and 52% using GCP CloudRun have secrets embedded in configurations. Around 3.5% of AWS EC2 instances contain secrets in user data.

“These secrets, often in the form of API keys or tokens, are prime targets for attackers and can lead to full compromise of the environment,” Montel explained.

The threat extends beyond ransomware. For example, the Kinsing malware campaign targets Linux-based cloud infrastructure by exploiting misconfigured containers and servers to deploy cryptominers.

In some cases, attackers have hidden malware in obscure filesystem locations such as manual page directories in order to evade detection.

“These credentials, once compromised, can enable lateral movement and privilege escalation, bypassing traditional perimeter defenses and exposing sensitive data,” Montel added.

The North Korean UNC4899 cluster offers a textbook example of this tactic used in pursuit of cybercrime, according to ITGL’s Kasabji. “Engineers are wooed over LinkedIn or Telegram, tricked into running malicious containers, and the attackers walk away with long-lived cloud tokens that sidestep MFA entirely,” Kasabji said.

Countermeasures

Identity hygiene and configuration management remain the cloud defender’s first line of defense.

Google Cloud’s report advocates robust identity and access management and proactive vulnerability management alongside “robust recovery mechanisms,” checks on “supply chain integrity,” and “continuous vigilance against sophisticated social engineering” attacks.

Tenable’s Montel advised: “To counter these threats, organizations must adopt a layered defence strategy: enforce least privilege, secure identities with multi-factor authentication and just-in-time access, and continuously monitor for misconfigurations and public exposures.”


Original Post url: https://www.csoonline.com/article/4033018/ransomware-goes-cloud-native-to-target-your-backup-infrastructure.html

Category & Tags: Cloud Security, Ransomware, Threat and Vulnerability Management
