Mitigating ransomware attacks using Google Cloud

Last reviewed 2021-11-15 UTC

Ransomware is code, created by a third party, that infiltrates your systems to hijack, encrypt, and steal your data, which the attacker then holds for ransom. To help you mitigate ransomware attacks, Google Cloud provides controls that span identifying risk, protecting against threats, detecting attacks, responding to them, and recovering from them (the five functions of the NIST Cybersecurity Framework). These controls help you accomplish the following:

  • Assess your risk.
  • Protect your business from threats.
  • Maintain continuous operations.
  • Enable rapid response and recovery.

This document is part of a series that is intended for security architects and administrators. It describes how Google Cloud can help your organization mitigate the effects of ransomware attacks. It also describes the ransomware attack sequence and the built-in security controls in Google products that help you to prevent ransomware attacks.

The series has the following parts:

Ransomware attack sequence

Ransomware attacks start either as mass campaigns that opportunistically scan for exploitable weaknesses, or as directed campaigns against a chosen target. A directed campaign begins with identification and reconnaissance: the attacker determines which organizations are vulnerable and which attack vector to use.

There are many ransomware attack vectors. The most common are phishing emails that carry malicious URLs or attachments, and exploitation of an exposed software vulnerability. That vulnerability can be in software your organization runs or in a component of your software supply chain. Ransomware attackers target organizations, their supply chains, and their customers.

When the initial intrusion succeeds, the ransomware installs itself and contacts its command-and-control (C2) server, typically to obtain or register the encryption keys. As it spreads through the network, it infects further resources, encrypts data with those keys, and exfiltrates data. The attackers then demand a ransom from the organization, typically in cryptocurrency, in exchange for the decryption key and, where data was exfiltrated, for not publishing it.

The following diagram summarizes the typical ransomware attack sequence explained in the previous paragraphs, from identification and reconnaissance to data exfiltration and ransom demand.

The ransomware attack sequence.

Ransomware is often difficult to detect. According to Sophos, an organization takes about 11 days on average to discover a ransomware attack; FireEye reports an average of 24 days. It is therefore critical that you put prevention, monitoring, and detection capabilities in place, and that your organization is ready to respond swiftly when an attack is discovered.
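What a detection capability for the encryption phase described above can look like in practice, as an added example that is not from this page or from any Google product: a sliding-window detector over endpoint file-activity events that flags a process performing mass high-entropy writes or extension-changing renames, the two observable signatures of ransomware encrypting files. The event format, the process names, and the thresholds are constructed for the example and are not values from the page.

```python
import math
import random
from collections import defaultdict, deque

# Constructed thresholds for this example; tune them against your own endpoint telemetry.
WINDOW_SECONDS = 60          # sliding window evaluated per (pid, process name)
ENTROPY_THRESHOLD = 7.0      # bits per byte; encrypted or compressed data sits near 8.0
MASS_WRITE_THRESHOLD = 20    # distinct files receiving high-entropy writes inside the window
RENAME_THRESHOLD = 20        # extension-changing renames inside the window


def shannon_entropy(data):
    """Entropy in bits per byte: ~8.0 for ciphertext, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extension_changed(old_path, new_path):
    """True when a rename appends or swaps the extension, e.g. x.docx -> x.docx.locked."""
    return old_path.rsplit(".", 1)[-1].lower() != new_path.rsplit(".", 1)[-1].lower()


def detect_mass_encryption(events):
    """Sliding-window detector over file events.

    Each event is a dict with "ts" (seconds), "pid", "proc", "op" ("write" or "rename"),
    "path", plus "data" (bytes) for writes or "new_path" for renames. Returns one alert
    dict per offending process, raised on the first event that crosses a threshold.
    """
    hot_writes = defaultdict(deque)   # (pid, proc) -> (ts, path) of high-entropy writes
    renames = defaultdict(deque)      # (pid, proc) -> ts of extension-changing renames
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["pid"], ev["proc"])
        if key in alerts:
            continue                   # already alerted on this process
        ts = ev["ts"]
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= ENTROPY_THRESHOLD:
            q = hot_writes[key]
            q.append((ts, ev["path"]))
            while ts - q[0][0] > WINDOW_SECONDS:
                q.popleft()            # drop writes that fell out of the window
            distinct = len({p for _, p in q})
            if distinct >= MASS_WRITE_THRESHOLD:
                alerts[key] = {"pid": ev["pid"], "proc": ev["proc"], "ts": ts,
                               "reason": f"{distinct} high-entropy writes to distinct files in {WINDOW_SECONDS}s"}
        elif ev["op"] == "rename" and extension_changed(ev["path"], ev["new_path"]):
            q = renames[key]
            q.append(ts)
            while ts - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= RENAME_THRESHOLD:
                alerts[key] = {"pid": ev["pid"], "proc": ev["proc"], "ts": ts,
                               "reason": f"{len(q)} extension-changing renames in {WINDOW_SECONDS}s"}
    return list(alerts.values())


def build_sample_events():
    """Constructed telemetry: a word processor saving plaintext, then a process that
    overwrites 30 documents with random bytes and renames them to .locked within 15 s."""
    rng = random.Random(2021)         # seeded so the sample is deterministic
    events = []
    for i in range(5):
        text = f"Quarterly report {i}: revenue grew 4% quarter over quarter.\n" * 40
        events.append({"ts": 1000.0 + 10 * i, "pid": 4120, "proc": "winword.exe",
                       "op": "write", "path": f"C:/Users/a/Documents/report{i}.txt",
                       "data": text.encode()})
    for i in range(30):
        path = f"C:/Users/a/Documents/invoice{i}.pdf"
        ciphertext = bytes(rng.getrandbits(8) for _ in range(2048))
        events.append({"ts": 2000.0 + 0.5 * i, "pid": 7781, "proc": "update_helper.exe",
                       "op": "write", "path": path, "data": ciphertext})
        events.append({"ts": 2000.2 + 0.5 * i, "pid": 7781, "proc": "update_helper.exe",
                       "op": "rename", "path": path, "new_path": path + ".locked"})
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(build_sample_events()):
        print(f"ALERT pid={alert['pid']} proc={alert['proc']} t={alert['ts']}: {alert['reason']}")
```

Entropy alone is a weak signal (compressed archives and media files score high too), which is why the detector requires many distinct files inside a short window before alerting; the rename heuristic catches families that encrypt in place and then rename. In a real deployment the alert would feed an automated response such as isolating the host, since the 11- to 24-day dwell times quoted above are far too long for manual triage.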

Security and resiliency controls in Google Cloud

Google Cloud includes built-in security and resiliency controls to help protect customers against ransomware attacks. These controls include the following:

  • Global infrastructure designed with security throughout the information-processing lifecycle.
  • Built-in security features for Google Cloud products and services, such as monitoring, threat detection, data loss prevention, and access controls.
  • High availability with regional clusters and global load balancers.
  • Built-in backup, with easily scalable services.
  • Automation capabilities using Infrastructure as Code and configuration guardrails.
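A configuration guardrail of the kind the last two bullets describe, as an added example that is not Google-provided code: before a Terraform plan is applied, it checks every Cloud Storage bucket being created or updated and rejects any that lacks object versioning or a locked retention policy, so that backup objects cannot be silently overwritten or deleted by an attacker who has compromised an identity. The plan fragment is constructed; the attribute names (versioning, retention_policy, retention_period, is_locked) are those of the google_storage_bucket Terraform resource, and the seven-day minimum is an assumed policy value.

```python
import json

# Assumed policy: backups must survive a compromised identity for at least 7 days.
MIN_RETENTION_SECONDS = 7 * 24 * 3600

# Constructed fragment of `terraform show -json tfplan` output, reduced to the fields this
# check reads. Nested blocks (versioning, retention_policy) appear as lists in plan JSON,
# and the attribute names are those of the google_storage_bucket resource.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "google_storage_bucket.backups", "type": "google_storage_bucket",
     "change": {"actions": ["create"], "after": {
         "name": "example-backups",
         "versioning": [{"enabled": True}],
         "retention_policy": [{"retention_period": 2592000, "is_locked": True}]}}},
    {"address": "google_storage_bucket.scratch", "type": "google_storage_bucket",
     "change": {"actions": ["create"], "after": {
         "name": "example-scratch", "versioning": [], "retention_policy": []}}},
    {"address": "google_storage_bucket.exports", "type": "google_storage_bucket",
     "change": {"actions": ["update"], "after": {
         "name": "example-exports",
         "versioning": [{"enabled": True}],
         "retention_policy": [{"retention_period": 3600, "is_locked": False}]}}},
    {"address": "google_compute_instance.web", "type": "google_compute_instance",
     "change": {"actions": ["create"], "after": {"name": "web"}}},
]})


def _first_block(attrs, name):
    """Nested blocks are lists in plan JSON; return the first (only) block or {}."""
    blocks = attrs.get(name) or []
    return blocks[0] if blocks else {}


def check_bucket(after):
    """Findings for one bucket's planned state; an empty list means compliant."""
    findings = []
    if not _first_block(after, "versioning").get("enabled"):
        findings.append("object versioning disabled: overwritten objects are unrecoverable")
    policy = _first_block(after, "retention_policy")
    if not policy:
        findings.append("no retention policy: objects can be deleted at any time")
    else:
        # Once locked, a retention policy cannot be shortened or removed, even by a project owner.
        if not policy.get("is_locked"):
            findings.append("retention policy not locked: an attacker with bucket admin can remove it")
        period = int(policy.get("retention_period") or 0)
        if period < MIN_RETENTION_SECONDS:
            findings.append(f"retention_period {period}s is below the {MIN_RETENTION_SECONDS}s minimum")
    return findings


def evaluate_plan(plan_json):
    """Map each bucket being created or updated to its findings."""
    plan = json.loads(plan_json)
    results = {}
    for change in plan.get("resource_changes", []):
        if change.get("type") != "google_storage_bucket":
            continue
        actions = change["change"].get("actions", [])
        if "create" not in actions and "update" not in actions:
            continue                       # no-op or delete: nothing to evaluate here
        results[change["address"]] = check_bucket(change["change"].get("after") or {})
    return results


def plan_is_acceptable(plan_json):
    """Gate for a CI step: True only when every evaluated bucket has no findings."""
    return all(not findings for findings in evaluate_plan(plan_json).values())


if __name__ == "__main__":
    for address, findings in evaluate_plan(SAMPLE_PLAN).items():
        print(address, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
    raise SystemExit(0 if plan_is_acceptable(SAMPLE_PLAN) else 1)
```

Run as a pipeline step between `terraform plan` and `terraform apply`, the non-zero exit blocks the apply. The locked retention policy is the property that matters for ransomware: versioning protects against overwrites, but only a locked policy prevents an attacker who has gained bucket-admin rights from deleting the versions or the policy itself.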

Google Cloud Threat Intelligence for Chronicle and VirusTotal track and respond to many types of malware, including ransomware, across Google infrastructure and products. Google Cloud Threat Intelligence for Chronicle is a team of threat researchers who develop threat intelligence for Chronicle. VirusTotal is a malware database and visualization service that gives you a better understanding of how malware operates within your enterprise.

For more information about built-in security controls, see the Google security paper and Google Infrastructure Security Design Overview.

Security and resiliency controls in Google Workspace, Chrome browser, and Chromebooks

In addition to the controls within Google Cloud, other Google products such as Google Workspace, the Chrome browser, and Chromebooks include security controls that help protect your organization against ransomware. For example, they provide context-aware access controls that let remote workers reach resources from anywhere, with each access decision based on the user's identity and context (such as location or IP address) rather than on network location alone.

As described in the Ransomware attack sequence section, email is a key vector for many ransomware attacks: it is used both to phish credentials that give the attacker network access and to deliver ransomware binaries directly. Advanced phishing and malware protection in Gmail provides controls to quarantine suspicious emails, defends against dangerous attachment types, and helps protect users from inbound spoofing (messages that impersonate your own domain or your employees). Security Sandbox is designed to detect previously unknown malware by opening attachments in an isolated environment before they reach the user.
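The checks behind such controls, as an added example that is illustrative only and not Gmail's own logic: a triage function that reads one raw message and reports the indicators a mail gateway looks for, namely failed SPF/DKIM/DMARC results in the receiving MTA's Authentication-Results header, a display name that impersonates an address at another domain, a lookalike of the corporate domain, a Reply-To that diverts replies elsewhere, and an attachment with a dangerous extension. Both messages and the corporate domain corp.example are constructed for the example.

```python
import email
import re
from email.utils import parseaddr

CORPORATE_DOMAIN = "corp.example"     # assumption: your own mail domain
DANGEROUS_EXTENSIONS = (".exe", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm")

# Constructed messages, not real mail. PHISH shows inbound spoofing plus a dangerous
# attachment; LEGIT is an ordinary authenticated message from a partner domain.
PHISH = """\
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=attacker.test; dkim=none; dmarc=fail header.from=c0rp.example
From: "ceo@corp.example" <finance@c0rp.example>
Reply-To: payments@attacker.test
To: staff@corp.example
Subject: Urgent: invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attached invoice today.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

LEGIT = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example
From: "Alex Partner" <alex@partner.example>
To: staff@corp.example
Subject: Meeting notes
Content-Type: text/plain

Notes from today are in the shared drive.
"""


def levenshtein(a, b):
    """Edit distance, used to catch typo-squatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target):
    """Not the target domain (or a subdomain of it), but equal to it after folding common
    homoglyphs, or within two edits of it."""
    if domain == target or domain.endswith("." + target):
        return False

    def fold(s):
        return s.lower().replace("rn", "m").replace("0", "o").replace("1", "l")

    return fold(domain) == fold(target) or levenshtein(fold(domain), fold(target)) <= 2


def auth_results(msg):
    """Parse the receiving MTA's Authentication-Results header into {method: result}."""
    header = msg.get("Authentication-Results", "")
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def triage(raw_message):
    """Return the list of spoofing and malware indicators found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    findings = []
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method}={auth.get(method, 'missing')}")
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # Display-name spoofing: the name looks like an address at a domain other than the real one.
    if "@" in display and display.rpartition("@")[2].lower() != from_domain:
        findings.append(f"display name impersonates {display}")
    if is_lookalike(from_domain, CORPORATE_DOMAIN):
        findings.append(f"lookalike sender domain {from_domain}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To points elsewhere: {reply_to}")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(DANGEROUS_EXTENSIONS):
            findings.append(f"dangerous attachment type: {name}")
    return findings
```

Two caveats a practitioner should keep in mind: the Authentication-Results header is only trustworthy when it was written by your own receiving MTA (strip any copy that arrives from outside), and the attachment check looks at the declared filename, so a gateway should also inspect file content, which is what a detonation sandbox adds on top of these static checks.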

Chrome browser includes Google Safe Browsing, which warns users when they attempt to open an infected or malicious site. Sandboxing and site isolation run each site in its own renderer process, so malicious code from one site can't read data belonging to another site, even when both are loaded in the same tab. Password protection alerts the user when a corporate password is entered on a site that isn't an approved corporate sign-in page, and it checks whether any of the user's saved passwords have appeared in a known data breach; if so, the browser prompts the user to change that password.

The following Chromebook features help to protect against phishing and ransomware attacks:

  • Read-only operating system (Chrome OS). The operating system updates automatically and invisibly in the background, so it carries fixes for the most recent vulnerabilities, and its read-only design means that applications and extensions can't modify it.
  • Sandboxing. Each application runs in an isolated environment, so one harmful application can't easily infect other applications or the system.
  • Verified boot. While the Chromebook boots, it checks that the firmware and operating system haven't been tampered with before it runs them.
  • Safe Browsing. Chrome periodically downloads the most recent Safe Browsing list of unsafe sites and checks the URL of each site a user visits, and each file a user downloads, against that list.
  • Titan C security chips. Titan C acts as a built-in security key for two-factor authentication, which helps protect users from phishing, and serves as the hardware root of trust that protects the operating system from malicious tampering.

To help reduce your organization's attack surface, consider Chromebooks for users who work primarily in a browser.

What's next