Simulating a Ransomware Attack on a Cloud-Native Environment

Date: 27 March 2024

Anyone invested in cybersecurity and business continuity for their organisations can clearly see the importance of Cyber Attack Tabletop Exercises

Rehearsing the right Cyber Incident Response Tabletop Scenarios, however, is as critical as the exercise itself. The cyber tabletop exercise scenario should be relevant to the business and reflect the emerging threats in cybersecurity. The risks are always changing.  

Simulating a Ransomware Attack on a Cloud Native Environment is one such cyber tabletop exercise example that we’ll be discussing today. 

Topics covered in the blog: 

1. Types of Ransomware Attacks on the Cloud
2. Why Rehearse Ransomware Attack Scenarios 
3. What makes Ransomware Attacks on Cloud Environments significant? 
4. How to Simulate a Ransomware Attack on a Cloud Native Environment?

But before we jump in, let's quickly go over the benefits of cybersecurity incident simulation drills:

  • They build muscle-memory that ultimately leads to lower panic and a more structured response during an actual crisis.
  • They help Information Security and other teams get familiar with Incident Response Plans.
  • Incident Response teams, crisis management teams become better aware of their roles and responsibilities during real life security events.
  • The attack scenarios help key stakeholders practise decision-making for future incidents and effective incident response.
  • The lessons learned through cyber attack simulation drills can help enhance the incident response process significantly over the long term.

cyber tabletop scenarios

Types of Ransomware Attacks on the Cloud

Availability: Traditionally ransomware attackers have made data unavailable by 'locking' or encrypting data with a special key. They would not share the 'unlock' or decryption key until the victim agrees to pay the ransom.

Confidentiality:  This is where criminals copy digital data and then extort a ransom in exchange for not 'dumping' or exposing the data on the Internet.  In an availability attack one can always restore their data from a clean backup and avoid paying a ransom. However, a confidentiality attack is probably more painful and impactful as one can never be certain if the attacker has deleted all digital copies on receipt of a ransomware payment. 

Why Rehearse for Ransomware Attacks? 

Ransomware attacks are the #1 problem that the cybersecurity community faces today. This problem can become  more pronounced when the attack happens on a cloud-native environment. Practising Ransomware response drills are useful in the followings ways:

  • Prepares all stakeholders for the 'oh no!' moment. 
  • Better prepares IT to review and improve their data validation processes and technologies. 
  • Demonstrates and reinforces the insurmountable challenges, including regulatory quagmires, during a confidentiality attack.
  • Helps prepare communication responses to various stakeholders.


Back to Top

Ransomware Attacks on Cloud Native Environments 

So what exactly is a Ransomware Attack on a Cloud Native Environment and what makes this type of attack such a compelling cyber tabletop exercise scenario?

Important Note: There are three types of Cloud services. Infrastructure, Platform and Software as a Service (IaaS, PaaS and SaaS). Our focus here is on SaaS. However, you can apply most of the logic and attacks for the other two types of Cloud Services.

Most often, businesses use cloud infrastructure of third-party service providers. This eliminates the need for them to buy and maintain high-level computing resources and hardware. This means that a single cloud service provider could store vast volumes of data for hundreds of organisations. 

There are several ways in which your data on Cloud could be attacked: 

  1. Malicious Intent: A staff member at a service provider's end (such as a CRM software or HR management software provider) may steal data and hold your organisation to ransom.

  2. Misconfiguration: This can apply to all three types of cloud services we mentioned earlier - Infrastructure as a Service, Platform as a Service, Software as a Service. Let's say your organisation uses Infrastructure as a Service but your staff isn't properly trained on how to use the service (Amazon AWS, Microsoft Azure, Google Cloud). Now, one staff member deposits a significant amount of data on the cloud storage platform. As they're not trained enough, they expose the data because they simply don't know how to configure it securely. A cyber criminal actively searching for such misconfigured storage solutions, finds and copies this data and uses it to extort your organisation.

  3. Insider Attack - An insider who has all the access, copies the data from the SaaS provider and holds the organisation to ransom. 

An attack on a cloud environment, in such cases, can be huge, complicated and very often executed by highly sophisticated threat actors. Cloud service providers assure their clients of iron-clad security. This is why breaching them isn’t something a rookie will easily be able to pull off. 

The data stored on the cloud could be vital to day-to-day operations of many businesses. This makes a ransomware attack all the more damaging and disruptive. 

Let’s say, you have sufficient backups and are able to restore the business critical data, there is always the threat of serious data breaches in which the cyber criminal could leak or even sell your stolen data on the dark web. 

This is always followed by a Public Relations crisis for the business. Regulatory fines and customer lawsuits follow closely when sensitive information of individuals is compromised. 

Spread of Infection is another major concern with ransomware attacks on cloud infrastructure. Due to the interconnected nature of cloud environments, an attack on your third-party service provider could quickly trickle into your systems. 

The ransomware infection can thus propagate with agility, making response and recovery efforts twice as complicated.

Back to Top

Ransomware Incident Response Playbook

How to Simulate a Ransomware Attack on a Cloud-Native Environment     

Let’s now build on the Cyber Tabletop Exercise Example that centres on a ransomware attack on a cloud environment. We will focus on important elements to make this Incident Response Tabletop Scenario as relevant and compelling for participants as possible. 

Which brings us to the question - who should participate in an exercise centred on such cyber tabletop exercise scenarios. The answer includes IT, legal teams, Human Resources, Public Relations and Communications. Of course, senior management participation is important. They’ll be the ones answerable to customers, investors and external stakeholders. 

Scenario Preparation: In this phase, the first step obviously is to determine what kind of cloud environment your organisation operates in - public, private or hybrid. Next, keep in mind an attacker’s information-gathering tactics. Define the most critical vulnerabilities or assets on the cloud that are likely on top of the attacker’s radar. Identify the information they’re seeking and/or the assets they are after. 

The Scenario: The ransomware attack scenario can be based on any of the three attack methods we discussed earlier - Malicious Intent, Insider Threat and/or Misconfiguration. While building the cyber tabletop exercise scenario, focus on what files and/or systems the attacker is most likely to encrypt. The crux of this incident response tabletop scenario is usually exfiltration of data leading to a damaging breach of sensitive information. 

Injects: A ransomware tabletop exercise scenario is always made more realistic through the use of injects. Cyber crime is never a one-time event and it’s usually dynamic and evolving.  

Make sure your attack simulation exercise reflects this. In this case it could mean, introducing elements such as lateral movements after the initial detection of a compromise. You could then move on to privilege escalation with the criminal gaining access to more sensitive information and assets.     

To make the cyber tabletop exercise example more comprehensive, you can also offer details to participants on who the threat actor might be. In this case, it could be a Nation State actor attacking a public cloud service. It might also be a sophisticated ransomware gang out to extort large sums of money by compromising your organisation’s hybrid cloud environment. 

Back to Top

New call-to-action

Final Word

With the rise in ransomware attacks, especially supply chain attacks, this cyber crisis tabletop exercise scenario should be high on your priority list. 

Simulating a ransomware attack on a cloud environment is not straightforward. It has to include diverse aspects like your network security, application security, endpoint security. 

It also evaluates your Identity and Access Management systems and policies and takes a critical view of your Data Encryption and Backup capabilities. This is why it is strongly recommended to bring onboard a deeply experienced ransomware tabletop exercise facilitator to conduct the simulation drill for you. 

Not only does an external facilitator bring unparalleled expertise to the table. They also give you objective and completely unbiased feedback on your organisation's cloud security and ransomware response protocols. They work with your team to build a ransomware tabletop scenario that will hit home with your participants and senior management. 

If, however, hiring an external facilitator isn’t on your radar at the moment, our experts have created some really useful tools that you can use. These resources are easily customisable to your organisation’s threat context and its cloud environment. They’re crisp, brief and focus on helping you simulate a highly effective ransomware attack on a cloud-native environment: 

  1. Cyber Tabletop Exercise Scenarios You Must Rehearse in 2024
  2. Cyber Tabletop Exercise PowerPoint 
  3. Cyber Tabletop Exercise Template  

Back to Top

New call-to-action

New call-to-action

Get Email Updates on our Latest News

Simply enter you details in the form below to subscribe:

  • Or call us on:
  • +44 (0) 203 189 1422