Yes, Ransomware Can Encrypt Your Cloud Storage

Gavin Phillips 29-03-2017

Ransomware is a bit like sand. It gets everywhere, and makes your sandwiches crunchy. Okay, perhaps not the latter. But ransomware is invasive, and can encrypt more than you think. Having your personal files destroyed is painful enough without ransomware attacking your backups, too.


There are several ransomware variants that attack not only your main hard drive, but any other system drive. Cloud drives aren’t removed from the firing line, either. The time has come: you need to consider exactly how you back up your files, as well as where those backups are kept.

Ransomware Hits Everywhere

We know a ransomware attack can be devastating. Ransomware is a particular nuisance because of the files it targets: photos, music, films, and documents of all types, just to name a few. Your hard drive filled with personal, work, and business files is a primary target for encryption. Once encrypted, you’ll encounter a ransom note demanding payment — usually in almost untraceable Bitcoin — for the safe release of your files.

And even then, there is no guarantee you will receive the encryption key or a decrypt tool.


The CryptoLocker ransomware is one such variant that encrypts more than just your local hard drive. It first appeared in 2013, propagating via infected email attachments. Once CryptoLocker is installed on a system, it scans the local hard drive for a specific list of file extensions. Furthermore, it scans for any connected drives, be that a USB or network drive.

A network drive with read/write access will be encrypted in the same way as a local hard drive. It presents a challenge for businesses where employees access shared network folders.


Luckily, security researchers liberated a copy of the CryptoLocker victim database, complete with every single encryption key. They created the Decrypt CryptoLocker portal to help victims decrypt their files.

But by their own admission, they “basically got lucky,” swiping the victim database during the global take-down of the enormous Gameover Zeus botnet.

Evolution: CryptoFortress

CryptoLocker emerged and claimed over 500,000 victims. According to Dell SecureWorks’ Keith Jarvis, CryptoLocker may have extorted as much as $30 million in its first 100 days of operation ($150 million if all 500,000 victims paid their $300 ransom). However, the CryptoLocker takedown wasn’t the beginning of the end for network drive-mapping ransomware.


CryptoFortress was discovered in 2015 by respected security researcher Kafeine. It has the appearance and approach of TorrentLocker, but one crucial advancement: it can encrypt unmapped network drives.

Normally, ransomware retrieves a list of mapped network drives e.g. C:, D:, E:, and so on. It then scans the drives, comparing file extensions, then encrypts those that match. In addition, CryptoFortress enumerates all open network Server Message Block (SMB) shares — and encrypts any that are found.

And Then Came Locky

Locky is another ransomware variant, infamous for changing each file extension to .locky, as well as targeting wallet.dat, the Bitcoin wallet file. Locky also targets local files and files on unmapped network shares, completely scrambling file names in the process. This scrambling makes the recovery process a more difficult proposition.

As of yet, Locky has no decryptor available.


Ransomware in the Cloud

Ransomware has surpassed our local and network physical storage, transcending into the cloud. This presents a significant issue. Cloud storage is regularly touted as one of the safest backup options. Keeping your data backed up, away from your local and immediate network shares should provide isolation. Unfortunately, certain ransomware variants have removed that security.

The RightScale State of the Cloud report found 82 percent of enterprises were using multi-cloud strategies. A further study (Slideshare ebook) by Intuit found 78 percent of small businesses will be fully in the cloud by 2020. The drastic migration of businesses big and small makes cloud services a well-defined target for ransomware purveyors.


Malicious actors will find a way in. Social engineering and phishing emails are the primary tools, and they can be used to evade solid security controls. Trend Micro security researchers found a specific ransomware variant named RANSOM_CERBER.CAD. It is used to target home and business users of Microsoft 365, the cloud and productivity platform.

The Cerber variant is able to “encrypt 442 file types using a combination of AES-265 and RSA, modify the machine’s Internet Explorer Zone Settings, delete shadow copies, disable Windows Startup Repair and terminate processes” including Outlook, The Bat!, Thunderbird, and Microsoft Word.


Furthermore, and this is behavior exhibited by other ransomware variants, Cerber queries the affected system’s geolocation. If the host system is a member of the Commonwealth of Independent States (former Soviet Union countries such as Russia, Moldova, and Belarus), the ransomware will terminate itself.
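An added example, not part of the original article: Python detection logic for two of the behaviours Trend Micro lists for Cerber (shadow copy deletion and disabling Startup Repair), run over constructed process-creation log lines. The log format, host and user names, and the command-line patterns are assumptions; the patterns are generic, widely documented ones and are not claimed to be Cerber's exact commands.

```python
import re
from datetime import datetime, timedelta

# Generic, widely documented command-line patterns for two behaviours in the
# Trend Micro quote. Assumption: they are not from the article and are not
# claimed to be the exact commands Cerber runs.
RULES = {
    "shadow_copy_deletion": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows|\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "startup_repair_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b", re.I),
}
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Constructed process-creation events in a hypothetical key=value format.
SAMPLE_LOG = """\
2017-03-29T10:14:50Z host=WS-014 user=alice cmd=winword.exe /n invoice.docx
2017-03-29T10:15:02Z host=WS-014 user=alice cmd=vssadmin.exe Delete Shadows /All /Quiet
2017-03-29T10:15:04Z host=WS-014 user=alice cmd=bcdedit /set {default} recoveryenabled No
2017-03-29T11:00:00Z host=SRV-02 user=backupsvc cmd=vssadmin.exe list shadows
2017-03-29T11:30:00Z host=WS-020 user=bob cmd=wmic shadowcopy delete
"""

def match_events(log_text):
    """Yield (timestamp, host, rule_name) for each line that hits a rule."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        for name, rule in RULES.items():
            if rule.search(m["cmd"]):
                yield ts, m["host"], name

def triage(log_text, window=timedelta(minutes=5)):
    """Map host -> 'high' if both behaviours occur within the window, else 'medium'."""
    by_host = {}
    for ts, host, name in match_events(log_text):
        by_host.setdefault(host, []).append((ts, name))
    result = {}
    for host, hits in by_host.items():
        paired = any(a[1] != b[1] and abs(a[0] - b[0]) <= window for a in hits for b in hits)
        result[host] = "high" if paired else "medium"
    return result
```

Hosts that only list shadow copies, as a backup service account would, produce no alert; a single deletion is kept at medium because administrators occasionally run it by hand.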

The Cloud as an Infection Tool

The Petya ransomware first emerged in 2016. It was notable for several things. First, Petya can encrypt a PC’s entire Master Boot Record (MBR), causing the system to crash to a blue screen. This renders the entire system essentially unusable. On reboot, the Petya ransom note is displayed instead, showing a skull and demanding payment in Bitcoin.

Second, Petya was spread to some systems through an infected file hosted on Dropbox, posing as a resume. The link is disguised as the applicant’s details, whereas it actually links to a self-extracting executable that installs the ransomware.

In a turn of luck, an unidentified programmer managed to crack the Petya ransomware encryption. The crack is capable of revealing the encryption key needed to unlock the MBR and release the captive files.

Using a cloud service to spread ransomware is understandable. Users have been encouraged to use cloud storage solutions to back up data because it offers an additional layer of security. Safety is central to cloud service success. This faith can now be cruelly exploited, with people’s belief in the security of the cloud turned against them.

Ransomware Gets Everywhere

Cloud storage, mapped and unmapped network drives, and local files remain vulnerable to ransomware. This isn’t new. However, malicious actors actively targeting backed-up files does increase the level of worry. In turn, it means additional precautions must be taken.

Keeping a separate, offline backup of important files is now vital to both home and business users. Do it now: it might be the action that helps you restore your vitals following an unexpected ransomware infection, from an equally unexpected source.
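An added example, not part of the original article: a pre-backup check in Python that holds a backup or sync job when too many files in the source folder look encrypted, so good stored versions are not overwritten. The `.locky` extension comes from the article; the entropy threshold, the header list, the 20 percent cutoff and all function names are assumptions.

```python
import math
import os
from collections import Counter

SUSPECT_EXTENSIONS = {".locky"}   # the extension the article names; extend from threat intel
KNOWN_MAGIC = (b"\xff\xd8\xff", b"\x89PNG", b"PK\x03\x04", b"%PDF", b"\x1f\x8b")
ENTROPY_LIMIT = 7.5               # bits per byte; assumed threshold, tune on your own data
SAMPLE_BYTES = 4096

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify(path: str):
    """Return a reason string if the file looks encrypted, else None."""
    if os.path.splitext(path)[1].lower() in SUSPECT_EXTENSIONS:
        return "suspect extension"
    try:
        with open(path, "rb") as fh:
            sample = fh.read(SAMPLE_BYTES)
    except OSError:
        return None               # unreadable files are skipped, not flagged
    # Compressed formats are high-entropy too, but they start with a known header.
    if sample.startswith(KNOWN_MAGIC) or len(sample) < 1024:
        return None
    if shannon_entropy(sample) > ENTROPY_LIMIT:
        return "high entropy, no known header"
    return None

def scan_tree(root: str):
    """Walk root and return (file_count, {path: reason}) for flagged files."""
    count, flagged = 0, {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            count += 1
            path = os.path.join(dirpath, name)
            reason = classify(path)
            if reason:
                flagged[path] = reason
    return count, flagged

def safe_to_back_up(root: str, max_fraction: float = 0.2) -> bool:
    """False when too many files look encrypted: hold the job, keep old versions."""
    count, flagged = scan_tree(root)
    return count == 0 or len(flagged) / count <= max_fraction
```

Run `safe_to_back_up()` on the source folder before each job and alert instead of syncing when it returns False; the header list is deliberately short and should be extended for the file types you actually store.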

Have you had cloud storage infiltrated by ransomware? What did you do? What is your favored backup solution? Share your cloud storage security tips with our readers below!

Image Credits: iJeab/Shutterstock


  1. Craig
    March 30, 2017 at 5:27 am

    Also perhaps the key to beating ransomware is to encrypt the data yourself?
    I know it's a pain but beat them to it and bitlock your data yourself......

    • Gavin Phillips
      March 31, 2017 at 10:23 am

      Interestingly enough, Craig, some ransomware variants will just encrypt your encrypted files. They might even seek out encrypted files because they would be deemed to be "high-value targets."

  2. Craig
    March 30, 2017 at 5:25 am

    Well...... Not too long ago a person contacted me via the grapevine and had been a victim of ransomware.
    I gave them the usual there's nothing you can do speech and they mentioned that it affected even their cloud services.
    I asked them to contact the company doing their hosting and asked if they kept backups of the accounts and to roll the account back to a date before the attack.
    The answer was yes and yes.
    Data retrieved client happy.

    • Gavin Phillips
      March 31, 2017 at 10:25 am

      Yup. You would hope your hosting was following proper backup procedures and could restore everything within a decent time frame. Definitely worth spending the time to investigate hosting providers before letting your data loose.

      Thanks for reading and commenting.

  3. David Lemler
    March 29, 2017 at 9:49 pm

    Generally, I like using cloud services like Dropbox to save my data online so I can get to it anywhere. I'm pretty careful about what I run, but if I ever were to get infected with ransomware, I could just restore all my files to the way they were before they were encrypted (via the previous versions function of the cloud provider).

    • Gene Baker
      March 30, 2017 at 2:49 pm

      Yes, Dropbox was great when I got infected and they helped right around Christmas. I didn't expect such fast service. Still, I've been thinking of just using an old computer for email disconnected from Dropbox or any others.

      • Gavin Phillips
        March 31, 2017 at 10:29 am

        You'd use a separate email address for email to protect from potential phishing emails, presumably? I don't know if you have to go that far. Keeping an up-to-date offline backup is probably easier, but then again I don't know your setup. I receive quite a lot of phishing mail, and it's usually pretty damn obvious.

    • Gavin Phillips
      March 31, 2017 at 10:27 am

      Yes, good idea. Most cloud service providers have stringent backup and previous version policies. As I've said above, spending the time to investigate a good provider will eventually be worth its weight in retrieved, unencrypted files.

  4. Shannon O
    March 29, 2017 at 7:37 pm

    I use a service called Back Blaze. It is a cloud-based backup service and they keep 30 days of version history to make it possible to restore unencrypted versions of my files so long as I begin the retrieval within the month. I have to trust their security practices will keep my and the petabytes of other folks' backups safe in this environment of criminal extortion by computer.