Smart Cloud Security: Recover from Cloud-based Ransomware Infections


This is yet another post on ransomware – so we’ll keep this short. But, for cloud-first organizations, this post is an important one. Not only is ransomware hard to detect, but also hard to recover from. Recovery cost, whether or not the organization pays a ransom, is high as well. Often, organizations hit by ransomware have little recourse but to negotiate and pay the ransom and hope they can recover their mission-critical systems and data.

Netskope customers have deployed our unified, cloud-native platform to enforce policies across SaaS, IaaS, and web to recover from cloud-based ransomware attacks. We have noted 20 of these use cases in our e-book, 20 Examples of Smart Cloud Security, and we’re highlighting each one in this blog.

Here’s use case #20: Recover from cloud-based ransomware infections.

Cloud-based ransomware infections are troubling because across an organization, many users will have synced folders that are shared with many others. When files start being encrypted on the device of one person, that file in a sync folder will update and propagate across to all the other people part of that shared sync folder, an effect we call the “malware fan-out.” So while it’s easy to share files, it’s also easy to spread the ransomware-infected files. You’ll need a solution that will alert you when a ransomware infection has taken place and provide a seamless workflow to recover from the infection.

How can a CASB enable this use case? A CASB sits in between the user and the cloud service provider and monitors usage, secures data, and guards against threats. In the case of recovering from a cloud-based ransomware infection, a CASB needs to have an API-based deployment into the sanctioned cloud service to detect the ransomware and start the workflow to revert files back to their previous, unencrypted state. Versioning capabilities in the cloud storage service will need to be activated for full functionality.

Besides deployment choices, here are some functional requirements needed to achieve this use case:

  • Use 70 different signals to identify unauthorized encryption
  • Integration with cloud storage services like OneDrive to enable “roll-back” functionality
  • A streamlined UI to enable an intuitive workflow for rolling back infected content to pre-infected state