Mitigate ransomware attacks using Google Cloud

Code created by a third party to infiltrate your systems to hijack, encrypt, and steal data is referred to as ransomware. To help you mitigate ransomware attacks, Google Cloud provides you with controls for identifying, protecting, detecting, responding, and recovering from attacks. These controls help you accomplish the following:

• Assess your risk.
• Protect your business from threats.
• Maintain continuous operations.
• Enable rapid response and recovery.

This document is intended for security architects and administrators. It describes the ransomware attack sequence and how Google Cloud can help your organization mitigate the effects of ransomware attacks.

Ransomware attack sequence

Ransomware attacks can start as mass campaigns looking for potential vulnerabilities or as directed campaigns. A directed campaign starts with identification and reconnaissance, where an attacker determines which organizations are vulnerable and what attack vector to use.

There are many ransomware attack vectors. The most common vectors are phishing emails with malicious URLs or exploiting an exposed software vulnerability. This software vulnerability can be in the software that your organization uses, or a vulnerability that exists in your software supply chain. Ransomware attackers target organizations, their supply chain, and their customers.

When the initial attack is successful, the ransomware installs itself and contacts the command and control server to retrieve the encryption keys. As ransomware spreads throughout the network, it can infect resources, encrypt data using the keys that it retrieved, and exfiltrate data. Attackers demand a ransom, typically in cryptocoins, from the organization so that they can get the decryption key.

The following diagram summarizes the typical ransomware attack sequence explained in the previous paragraphs, from identification and reconnaissance to data exfiltration and ransom demand.

Ransomware is often difficult to detect. It's critical, therefore, that you put in place prevention, monitoring, and detection capabilities, and that your organization is ready to respond swiftly when someone discovers an attack.

Security and resiliency controls in Google Cloud

Google Cloud includes built-in security and resiliency controls to help protect customers against ransomware attacks. These controls include the following:

• Global infrastructure designed with security throughout the information-processing lifecycle.
• Built-in detective features for Google Cloud products and services, such as monitoring, threat detection, data loss prevention, and access controls.
• Built-in preventive controls, such as Assured Workloads
• High availability with regional clusters and global load balancers.
• Built-in backup, with scalable services.
• Automation capabilities using Infrastructure as Code and configuration guardrails.

Google Threat Intelligence, VirusTotal, and Mandiant Digital Threat Monitoring track and respond to many types of malware, including ransomware, across Google infrastructure and products. Google Threat Intelligence is a team of threat researchers that develop threat intelligence for Google Cloud products. VirusTotal is a malware database and visualization solution that provides you with a better understanding of how malware operates within your enterprise. Mandiant Digital Threat Monitoring and other Mandiant services provide threat research, consultation, and incident response support.

For more information about built-in security controls, see the Google security overview and Google infrastructure security design overview.

Security and resiliency controls in Google Workspace, Chrome browser, and Chromebooks

In addition to the controls within Google Cloud, other Google products like Google Workspace, Google Chrome browser, and Chromebooks include security controls that can help protect your organization against ransomware attacks. For example, Google products provide security controls that allow remote workers to access resources from anywhere, based on their identity and context (such as location or IP address).

As described in the Ransomware attack sequence section, email is a key vector for many ransomware attacks. It can be exploited to phish credentials for fraudulent network access and to distribute ransomware binaries directly. Advanced phishing and malware protection in Gmail provides controls to quarantine emails, defends against dangerous attachment types, and helps protect users from inbound spoofing emails. Security Sandbox is designed to detect the presence of previously unknown malware in attachments.

Chrome browser includes Google Safe Browsing, which is designed to provide warnings to users when they attempt to access an infected or malicious site. Sandboxes and site isolation help protect against the spread of malicious code within different processes on the same tab. Password protection is designed to provide alerts when a corporate password is being used on a personal account, and checks whether any of the user's saved passwords have been compromised in an online breach. In this scenario, the browser prompts the user to change their password.

The following Chromebook features help to protect against phishing and ransomware attacks:

• Read-only operating system (Chrome OS). This system is designed to update constantly and invisibly. Chrome OS helps protect against the most recent vulnerabilities and includes controls that ensure that applications and extensions can't modify it.
• Sandboxing. Each application runs in an isolated environment, so one harmful application can't easily infect other applications.
• Verified boot. While the Chromebook is booting, it is designed to check that the system hasn't been modified.
• Safe Browsing. Chrome periodically downloads the most recent Safe Browsing list of unsafe sites. It is designed to check the URLs of each site that a user visits and checks each file that a user downloads against this list.
• Google security chips. These chips help protect the operating system from malicious tampering.

To help reduce your organization's attack surface, consider Chromebooks for users who work primarily in a browser.

Best practices for mitigating ransomware attacks on Google Cloud

To protect your enterprise resources and data from ransomware attacks, you must put multi-layered controls in place across your on-premises and cloud environments.

The following sections describe best practices to help your organization identify, prevent, detect, and respond to ransomware attacks on Google Cloud.

Identify your risks and assets

Consider the following best practices to identify your risks and assets in Google Cloud:

• Use Cloud Asset Inventory to maintain a five-week inventory of your resources in Google Cloud. To analyze changes, export your asset metadata to BigQuery.
• Use Audit Manager and attack path simulations in Security Command Center to and risk assessment to assess your current risk profile. Consider cyber insurance options available through the Risk Protection Program.
• Use Sensitive Data Protection to discover and classify your sensitive data.

Control access to your resources and data

Consider the following best practices to limit access to Google Cloud resources and data:

• Use Identity and Access Management (IAM) to set up fine-grained access. You can analyze your permissions regularly using role recommender, Policy Analyzer, and Cloud Infrastructure Entitlement Management (CIEM).
• Treat service accounts as highly privileged identities. Consider keyless authentication using Workload Identity Federation and scope your permissions appropriately. For best practices on protecting service accounts, see Best practices for using service accounts.
• Mandate multi-factor authentication for all users through Cloud Identity and use phishing-resistant Titan Security Key.

Protect critical data

Consider the following best practices to help protect your sensitive data:

• Configure redundancy (N+2) on the cloud storage option that you use to store your data. If you use Cloud Storage, you can enable Object Versioning or the Bucket Lock feature.
• Implement and regularly test backups for databases (for example, Cloud SQL) and filestores (for example, Filestore), storing copies in isolated locations. Consider Backup and DR Service for comprehensive workload backup. Verify recovery capabilities frequently.
• Rotate your keys regularly and monitor key-related activities. If using customer-supplied keys (CSEK) or Cloud External Key Manager (Cloud EKM), ensure robust external backup and rotation processes.

Secure network and infrastructure

Consider the following best practices to secure your network and infrastructure:

• Use Infrastructure as Code (such as Terraform) with the enterprise foundations blueprint as a secure baseline to ensure known-good states and enable rapid, consistent deployments.
• Enable VPC Service Controls to create a perimeter isolating your resources and data. Use Cloud Load Balancing with firewall rules, and secure connectivity (using Cloud VPN or Cloud Interconnect) for hybrid environments.

• Implement restrictive organization policies such as the following:

  • Restrict public IP access on new Vertex AI Workbench notebooks and instances
  • Restrict Public IP access on Cloud SQL instances
  • Disable VM serial port access
  • Shielded VMs

Protect your workloads

Consider the following best practices to help protect your workloads:

• Integrate security into every phase of your software development lifecycle. For GKE workloads, implement software supply chain security, including trusted builds, application isolation, and pod isolation.
• Use Cloud Build to track your build steps and Artifact Registry to complete vulnerability scanning on your container images. Use Binary Authorization to verify that your images meet your standards.
• Use Google Cloud Armor for Layer 7 filtering and protection against common web attacks.
• Use GKE auto-upgrades and maintenance windows. Automate builds in Cloud Build to include vulnerability scanning upon code commits.

Detect attacks

Consider the following best practices to help you detect attacks:

• Use Cloud Logging to manage and analyze the logs from your services in Google Cloud and Cloud Monitoring to measure the performance of your service and resources.
• Use Security Command Center to detect potential attacks and analyze alerts.
• For deep security analysis and threat hunting, integrate with Google Security Operations.

Plan for incidents

• Complete business continuity and disaster recovery plans.

• Create a ransomware incident response playbook, and perform tabletop exercises. Regularly practice recovery procedures to ensure readiness and identify gaps.

• Understand your obligations for reporting attacks to authorities and include relevant contact information in your playbook.

For more security best practices, see Well-Architected Framework: Security, privacy, and compliance pillar.

Respond to and recover from attacks

When you detect a ransomware attack, activate your incident response plan. After you confirm that the incident isn't a false positive and that it affects your Google Cloud services, open a P1 support case. Cloud Customer Care responds as documented in the Google Cloud: Technical Support Services Guidelines.

After you activate your plan, gather the team within your organization that needs to be involved in your incident coordination and resolution processes. Ensure that these tools and processes are in place to investigate and resolve the incident.

Follow your incident response plan to remove the ransomware and restore your environment to a healthy state. Depending on the severity of the attack and the security controls that you have enabled, your plan can include activities such as the following:

• Quarantining infected systems.
• Restoring from healthy backups.
• Restoring your infrastructure to a previously known good state using your CI/CD pipeline.
• Verifying that the vulnerability was removed.
• Patching all systems that might be vulnerable to a similar attack.
• Implementing the controls that you require to avoid a similar attack.

As you progress through your response process, continue to monitor your Google support ticket. Cloud Customer Care takes appropriate actions within Google Cloud to contain, eradicate, and (if possible) recover your environment.

Inform Cloud Customer Care when your incident is resolved and your environment is restored. If one is scheduled, participate in a joint retrospective with your Google representative.

Ensure that you capture any lessons learned from the incident, and set in place the controls that you require to avoid a similar attack. Depending on the nature of the attack, you could consider the following actions:

• Write detection rules and alerts that would automatically trigger should the attack occur again.
• Update your incident response playbook to include any lessons learned.
• Improve your security posture based on your retrospective findings.

What's next

• Help ensure continuity and protect your business against adverse cyber events using the Security and resilience framework.
• Contact Mandiant consultants for a ransomware defense assessment.
• Review the Google Cloud Well-Architected Framework for additional best practices.
• For information on how Google manages incidents, see Data incident response process.