Now that more enterprises are supporting remote employees, the migration of data storage and other business services to the cloud continues to expand. One of the attractions of cloud services is the robustness of operation and increased business continuity. 

The infrastructure supporting these various cloud offerings comes from service providers, with some heavy hitters being Google, Microsoft, and Amazon. Yet even these large-scale platforms are at risk from a specific type of cyberattack: ransomcloud.

Cybercriminals are targeting cloud platforms and services with ransomware attacks at alarming rates. The term ransomcloud is widely used to identify this type of ransomware attack. Your data is at risk whether your organisation relies on a public cloud, hybrid cloud, or multi-cloud infrastructure. The more corporate data you store in one place, the larger a target your cloud footprint becomes.

This article explains how ransomcloud works, how your organisation can be affected, and describes the seven most common ransomcloud attack vectors.

Ransomware Overview

Ransomware is a cyberattack that compromises a user’s device, such as a laptop, desktop, or mobile, via malware. The ransomware encrypts the user’s data so they can no longer access it. Ransomware typically spreads to other computers on the network, replicating the damage on each device, including servers and data backup storage systems. 

At some point, the attacker sends a message directing the victim to pay a ransom in exchange for decrypting the data. Often, the demanded payment is in an untraceable cryptocurrency such as Bitcoin. You can pay the ransom, though there is no guarantee that you will recover your files.

What Is Ransomcloud?

Ransomcloud is a malware-driven attack in which the malware reaches user systems through phishing: a malicious email, attachment or link delivers the payload.

A step further than traditional ransomware, ransomcloud can encrypt data on unprotected cloud email services, remote cloud data drives and even cloud-based backup solutions.

Because of the high demand for cloud services, companies are employing them rapidly. Often, missteps in security make them vulnerable to ransomware or ransomcloud attacks.

How Is Ransomcloud Deployed?

As with ransomware, ransomcloud malware is deployed via trickery. One strain uses a social-engineering lure that tricks users into giving the attacker access to their cloud email account: it poses as a “new Microsoft Anti-spam service” and, once the user goes along with it, lets the attacker control the victim’s system.

Attackers send a phishing email that appears to be an official anti-spam service called Microsoft “AntiSpam PRO.” Unsuspecting users click the link to accept this service. Then, the ransomcloud payload encrypts the user’s online emails, attachments, and cloud data drives. 

The link asks the user to grant a third-party app access to their account through OAuth, the authorisation system cloud email services use to let apps act on a user’s behalf. Once you click “Accept,” cyber thieves gain control of your computer. They can now encrypt your emails, attachments and even cloud-located data files.

After this takes effect, you can read the headlines on your emails, but the content is encrypted and held captive in the cloud. You will receive an email from your attacker stating that your messages have been encrypted. If you want them recovered, you will have to pay a ransom, usually in Bitcoin.
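The consent-grant step described above leaves a trace that defenders can audit: every time a user accepts an app’s permission request, the cloud platform records which app asked and which scopes it was granted. The following is an added example, not code from the original article or from any vendor; it takes a constructed sample of consent events (the field names are this example’s own, the scope names follow Microsoft Graph delegated-permission naming) and flags any app that was granted the mail- and drive-modifying permissions a ransomcloud payload would need, weighting unverified publishers higher.

```python
"""Audit OAuth consent grants for the scopes a ransomcloud app would need.

Assumed input: a list of 'consent to application' audit events. The sample
below is constructed for this example (not real tenant data); event field
names are this example's own, not any provider's log schema.
"""
from dataclasses import dataclass

# Scopes that let a consented app rewrite or send mail and modify cloud drives.
WRITE_SCOPES = {"Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All"}
# Scopes that only expose mail or file contents for reading (still an exfiltration risk).
READ_SCOPES = {"Mail.Read", "Files.Read.All"}

# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "app": "Contoso Expense Reports",
     "publisher_verified": True, "scopes": ["User.Read", "offline_access"]},
    {"user": "bob@example.com", "app": "AntiSpam PRO",   # the lure named in the article
     "publisher_verified": False,
     "scopes": ["Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All", "offline_access"]},
    {"user": "carol@example.com", "app": "Calendar Helper",
     "publisher_verified": False, "scopes": ["Calendars.Read"]},
    {"user": "dave@example.com", "app": "Mailbox Backup Tool",
     "publisher_verified": True, "scopes": ["Mail.Read", "offline_access"]},
]


@dataclass
class Finding:
    user: str
    app: str
    risky_scopes: list
    severity: str      # "high", "medium" or "low"
    persistent: bool   # offline_access => a refresh token keeps access after the user logs out


def assess_consent(event):
    """Return a Finding for one consent event, or None if nothing is risky."""
    scopes = set(event["scopes"])
    write = sorted(scopes & WRITE_SCOPES)
    read = sorted(scopes & READ_SCOPES)
    if not write and not read:
        return None
    verified = event["publisher_verified"]
    if write:
        severity = "high" if not verified else "medium"
    else:
        severity = "medium" if not verified else "low"
    return Finding(event["user"], event["app"], write + read, severity,
                   "offline_access" in scopes)


def audit(events):
    """Run assess_consent over every event and return the findings, worst first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [f for f in map(assess_consent, events) if f is not None]
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in audit(SAMPLE_EVENTS):
        tail = " (persistent via refresh token)" if f.persistent else ""
        print(f"[{f.severity.upper()}] {f.user} consented to '{f.app}' "
              f"with {', '.join(f.risky_scopes)}{tail}")
```

Run against the sample, the unverified “AntiSpam PRO” grant is the only high-severity finding; the verified backup tool with read-only mail access is reported as low so an analyst can confirm it is sanctioned. In production the same function would be fed from the tenant’s audit log export, and the high-severity branch is the one worth alerting on in near real time, since revoking the grant before the app runs is what stops the encryption.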

Which Services Can Ransomware Affect?

Until recently, ransomware affected mostly local computers, servers and mobile devices. However, ransomcloud attacks infiltrate cloud apps. Businesses are moving their services and data storage to the cloud, and as more data moves there, the cloud becomes a larger target for ransomware.

Businesses across all industries rely on the cloud for several vital services, including file storage, big data analytics, data backup and archiving, disaster recovery, software testing and development, Platform as a Service (PaaS), and Infrastructure as a Service (IaaS).

7 Main Ransomcloud Attack Vectors

The following are the seven major ransomcloud attack vectors that every business should be acutely aware of.

1. Malware & Phishing via Email

Phishing attacks are the most common delivery vehicles for both ransomware and ransomcloud. During phishing attacks, hackers convince the victim to click a link or open an attachment that downloads ransomware to the victim’s system. 

Often, this attack vector arrives in the form of social engineering. Cybercriminal gangs pose as someone trustworthy and trick users into sharing their access credentials to corporate systems.

2. File Sync Piggybacking

File sync piggybacking uses phishing to infect the victim’s computer with ransomcloud malware. Once it embeds into your system, the malware appears as a popup permission request from known, trusted software. By approving, the user activates the malware, which spreads across the network, infecting any connected machine. 

The malware then scans for file sync services that interact with cloud storage. Once it identifies one, the ransomware piggybacks on the sync, enabling the threat to enter, infect, and encrypt any data in the cloud.
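Because the sync client faithfully uploads whatever lands in the synced folder, the encryption shows up locally first: many files rewritten in a short burst with contents that look like ciphertext. The following is an added example, not code from the original article or from any sync vendor; it models sync-folder write events as a constructed list (timestamp, path, bytes written) and flags a burst of distinct files rewritten with high-entropy content, skipping extensions whose legitimate content is already compressed. The thresholds and the `.docx` sample paths are this example’s assumptions.

```python
"""Detect a ransomware-like burst of ciphertext writes in a synced folder.

Input events are constructed for this example; a real deployment would feed
them from a file-system watcher on the sync directory. Thresholds below are
assumed starting points, not tuned values.
"""
import math
import os
from collections import deque

# Extensions whose legitimate content is already high-entropy; don't count them.
HIGH_ENTROPY_NATIVE = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.2   # bits per byte; office documents and source text sit well below this
WINDOW_SECONDS = 60       # sliding window over which the burst is counted
BURST_THRESHOLD = 5       # distinct files rewritten as ciphertext within one window


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: str, data: bytes) -> bool:
    """True if the write is high-entropy and the file type is not natively compressed."""
    ext = os.path.splitext(path)[1].lower()
    if ext in HIGH_ENTROPY_NATIVE:
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def detect_bursts(events):
    """Return one alert per burst of BURST_THRESHOLD ciphertext-like writes within WINDOW_SECONDS."""
    window = deque()   # (timestamp, path) of recent suspicious writes
    alerts = []
    for ev in events:
        if not looks_encrypted(ev["path"], ev["data"]):
            continue
        window.append((ev["t"], ev["path"]))
        while window and ev["t"] - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        files = {p for _, p in window}
        if len(files) >= BURST_THRESHOLD:
            alerts.append({"t": ev["t"], "files": sorted(files)})
            window.clear()   # one alert per burst; start counting afresh
    return alerts


# Constructed stand-in for ciphertext: every byte value equally often -> exactly 8.0 bits/byte.
FAKE_CIPHERTEXT = bytes(range(256)) * 16
PLAINTEXT = b"Quarterly numbers: revenue up 4%, churn flat, hiring paused until Q3.\n" * 40

# Constructed sample event stream: normal edits, one photo upload, then a burst.
SAMPLE_EVENTS = (
    [{"t": t, "path": "Sync/notes.txt", "data": PLAINTEXT} for t in (0, 5, 10)]
    + [{"t": 12, "path": "Sync/team-photo.jpg", "data": FAKE_CIPHERTEXT}]   # skipped: jpg
    + [{"t": 100 + i, "path": f"Sync/report{i + 1}.docx", "data": FAKE_CIPHERTEXT}
       for i in range(6)]
)

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS):
        print(f"t={alert['t']}: {len(alert['files'])} files rewritten as ciphertext:",
              ", ".join(alert["files"]))
```

The plaintext edits and the photo upload never count; the fifth `.docx` rewritten as ciphertext inside the window raises the alert. In practice the alert should pause the sync client or revoke its token before the rewritten files replace the cloud copies, and the entropy check should be paired with file-versioning on the cloud side so that the pre-encryption versions can be restored.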

3. User Cloud Service/Account Compromise

A cloud account is considered compromised when a malicious agent takes control of a user’s cloud-based email or cloud service account. The attacker then has broad access to a range of valuable data, including calendar events, contacts, email messages, and other system tools.

The attacker can also use the account to impersonate the user and carry out additional social engineering attacks like Business Email Compromise (BEC). They may carry these attacks out inside or outside of the organisation.

By gaining access to a victim’s cloud service account, they can read sensitive data, persuade additional victims to wire money under some plausible pretext, or even install backdoors for future attacks.
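An attacker who has taken over a mailbox to run BEC usually sets up inbox rules so that the real owner does not see the replies: forwarding to an outside address, auto-deleting messages that mention invoices or a hacked account, or hiding them in a rarely opened folder, often under a one-character rule name. The following is an added example, not code from the original article or from any mail provider; it audits a constructed export of inbox rules (the field names are this example’s own) for those indicators, which is the check an incident responder runs first after an account compromise.

```python
"""Flag inbox rules that match post-compromise BEC tradecraft.

The rules below are constructed for this example (not exported from any real
tenant); the field names are this example's own, not a provider's API.
"""
INTERNAL_DOMAINS = {"example.com"}    # assumption: the organisation's own mail domains

# Subjects an attacker typically hides from the mailbox's real owner.
HIDE_KEYWORDS = {"invoice", "payment", "wire", "bank", "password",
                 "hacked", "phishing", "suspicious"}
# Folders people rarely open, a common place to park diverted mail.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items"}

SAMPLE_RULES = [
    {"mailbox": "alice@example.com", "name": "Newsletters",
     "subject_contains": ["newsletter"], "move_to": "Archive",
     "forward_to": [], "delete": False},
    {"mailbox": "bob@example.com", "name": ".",
     "subject_contains": ["invoice", "payment"], "move_to": "RSS Feeds",
     "forward_to": ["bob.finance@mail-relay.example.net"], "delete": False},
    {"mailbox": "bob@example.com", "name": "cleanup",
     "subject_contains": ["hacked", "suspicious"], "move_to": None,
     "forward_to": [], "delete": True},
    {"mailbox": "carol@example.com", "name": "Forward to manager",
     "subject_contains": [], "move_to": None,
     "forward_to": ["manager@example.com"], "delete": False},
]


def is_external(address: str) -> bool:
    """True if the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def audit_rule(rule):
    """Return the list of reasons this rule looks like BEC tradecraft (empty if clean)."""
    reasons = []
    external = [a for a in rule["forward_to"] if is_external(a)]
    if external:
        reasons.append("forwards mail to external address(es): " + ", ".join(external))
    hits = {k.lower() for k in rule["subject_contains"]} & HIDE_KEYWORDS
    hidden = (rule["move_to"] or "").lower() in HIDING_FOLDERS
    if hits and (rule["delete"] or hidden):
        action = "deletes" if rule["delete"] else f"hides in '{rule['move_to']}'"
        reasons.append(f"{action} messages mentioning {', '.join(sorted(hits))}")
    if len(rule["name"].strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def audit_rules(rules):
    """Map (mailbox, rule name) -> reasons for every rule that has at least one."""
    report = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if reasons:
            report[(rule["mailbox"], rule["name"])] = reasons
    return report


if __name__ == "__main__":
    for (mailbox, name), reasons in audit_rules(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}:")
        for r in reasons:
            print("  -", r)
```

Only Bob’s two rules are reported: the one-character rule that diverts invoice threads to an RSS folder and forwards them to an outside relay, and the rule that silently deletes warnings that the account was hacked. Internal forwarding to a manager is left alone. Removing the rules is not the end of the response, though; the attacker still has the credentials or session that created them, so the password reset and session revocation come first.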

4. Lack of Endpoint Protection (EPP)

Endpoint Protection (EPP) is a security solution that detects and blocks threats at network endpoints, usually at the device level. Thus, EPP is a critical security element for all endpoint types like laptops, smartphones, and Internet of Things (IoT) devices. 

Cloud services continue to gain popularity because they enable businesses to cut costs and stay current with the competition. However, if the company doesn’t prioritise EPP security for their connected devices, the organisation’s data becomes vulnerable to attack. 

EPP combines antivirus, anti-malware, Virtual Private Network (VPN) data encryption, personal firewalls, and Data Loss Prevention (DLP). It is more effective than legacy security products that don’t communicate with one another and is a must to thwart ransomware and ransomcloud attacks.

5. Malvertising

In a malvertising attack, the perpetrator injects malicious code into legitimate online advertising networks. The code redirects unsuspecting users to malicious websites where ransomware or ransomcloud malware lurks.

Some of the websites that have been impacted by malvertising are The London Stock Exchange, The New York Times Online, The Atlantic, and Spotify, to name a few.

Online advertising is a complex network that includes publisher sites, ad servers, ad exchanges, retargeting networks, and Content Delivery Networks (CDNs). Multiple redirections occur between different servers after a user clicks on an ad. This complexity creates vulnerabilities, and attackers exploit these weak points, placing malicious content where ad publishers least expect it.

6. Cloud Provider Security

Alarmingly, a ransomcloud attack can target a cloud provider directly. As you can imagine, this is a damaging and lucrative malware attack because the attacker can compromise the entire cloud platform. They can demand ransoms from every customer on the now compromised service.

Because of how cloud migration is structured and the many access points into cloud networks and services, cloud provider security is a partnership between customers, cloud vendors, and managed cloud service providers.

7. Lack of Staff Security Training

A lack of staff security awareness training creates vulnerabilities within a network. Employees are the first line of defence against cyberthreats, so the intelligent approach is to train staff to recognise the common social engineering attacks they will encounter.

Training employees on how to identify suspicious emails to mitigate cyber risk is vital. When employees are adequately trained, businesses can block potential ransomware and phishing attacks before they have a chance to do damage.

Ransomware has become a lucrative business for cybercriminals, and it’s not going away. On the contrary, attacks will only increase with the use of cloud services as ransomware has evolved and is now a threat to cloud services in the guise of ransomcloud. 

Since the beginning of the COVID-19 pandemic, ransomware attacks have increased by 105% (source). In most of these cases, phishing emails tricked a victim into giving the malicious agent access to the network. 

Today, most organisations rely on the cloud because it has become an essential component of every IT network. IT security teams must secure their cloud networks now more than ever to protect the valuable data stored within the cloud environment. 

From anti-malware, anti-phishing, SEO poisoning, and 2FA to SASE and cloud-based air-gap immutable backup storage, Securus has a security solution to suit your requirement and budget. If you would like to discuss your network security requirements in more detail with one of our cyber security professionals, please don’t hesitate to get in touch.