GCS Ransomware through client-side encryption

Platform: GCP

Mappings

  • MITRE ATT&CK
    • Impact

Description

Simulates GCS ransomware activity that encrypts files in a Cloud Storage bucket with a static key, through GCS Customer-Supplied Encryption Keys (CSEK).

Warm-up:

  • Create a Cloud Storage bucket
  • Create a number of objects in the bucket, with random content and extensions

Detonation:

  • List all objects in the bucket
  • Rewrite every object in place with a customer-supplied AES-256 encryption key, using objects.rewrite. Once encrypted, the object can no longer be read without supplying the same key.
  • Upload a ransom note to the bucket

References:

Instructions

Detonate with Stratus Red Team
stratus detonate gcp.impact.gcs-ransomware-client-side-encryption

Detection

You can detect ransomware activity by identifying abnormal patterns of objects being rewritten in place. The GCS rewrite API (used here to encrypt an object with a customer-supplied key without changing its name) is recorded in Data Access audit logs with methodName set to storage.objects.create, the same method name as a plain upload.

A rewrite-in-place can be distinguished from a regular upload by inspecting authorizationInfo: a rewrite checks both storage.objects.delete and storage.objects.create permissions on the same object, whereas a plain upload only checks storage.objects.create.

Note that GCS Data Access logs are not enabled by default and must be explicitly enabled at the project or organization level.

Sample audit log event for a rewrite-in-place, shortened for readability:

{
  "protoPayload": {
    "serviceName": "storage.googleapis.com",
    "methodName": "storage.objects.create",
    "resourceName": "projects/_/buckets/target-bucket/objects/target-object-key",
    "authorizationInfo": [
      { "permission": "storage.objects.delete", "granted": true },
      { "permission": "storage.objects.create", "granted": true }
    ],
    "authenticationInfo": {
      "principalEmail": "attacker@example.com"
    }
  },
  "resource": {
    "type": "gcs_bucket",
    "labels": {
      "bucket_name": "target-bucket"
    }
  }
}
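The following is an added example, not part of the Stratus Red Team page or project code, that applies the detection criteria above to a batch of Cloud Logging entries: it classifies each storage.objects.create entry as a rewrite-in-place when authorizationInfo shows both storage.objects.delete and storage.objects.create granted on the object, then counts rewrites per principal and flags principals above a threshold. The sample events are constructed to match the shortened log format shown above (they are not real logs), the threshold of 3 is a tuning assumption, and the LOGGING_FILTER string is an illustrative Cloud Logging query derived from the same criteria.

```python
import json
from collections import Counter

# Illustrative Cloud Logging filter for the same criterion (assumption: written in
# the Logging query language; add resource.labels.bucket_name to scope it to a bucket).
LOGGING_FILTER = (
    'protoPayload.serviceName="storage.googleapis.com" AND '
    'protoPayload.methodName="storage.objects.create" AND '
    'protoPayload.authorizationInfo.permission="storage.objects.delete"'
)

# A rewrite-in-place checks both of these permissions; a plain upload checks only create.
REWRITE_PERMISSIONS = {"storage.objects.delete", "storage.objects.create"}


def _event(principal, obj, permissions, bucket="target-bucket"):
    """Build a constructed, shortened GCS Data Access LogEntry (sample data, not real logs)."""
    return {
        "protoPayload": {
            "serviceName": "storage.googleapis.com",
            "methodName": "storage.objects.create",
            "resourceName": f"projects/_/buckets/{bucket}/objects/{obj}",
            "authorizationInfo": [{"permission": p, "granted": g} for p, g in permissions],
            "authenticationInfo": {"principalEmail": principal},
        },
        "resource": {"type": "gcs_bucket", "labels": {"bucket_name": bucket}},
    }


REWRITE = [("storage.objects.delete", True), ("storage.objects.create", True)]
UPLOAD = [("storage.objects.create", True)]
DENIED_REWRITE = [("storage.objects.delete", False), ("storage.objects.create", True)]

# Constructed sample batch: three rewrites plus a ransom-note upload by one principal,
# one normal upload and one benign rewrite by another, and one rewrite where delete was denied.
SAMPLE_EVENTS = [
    _event("attacker@example.com", "invoice-1.pdf", REWRITE),
    _event("attacker@example.com", "photo.jpg", REWRITE),
    _event("attacker@example.com", "backup.tar", REWRITE),
    _event("attacker@example.com", "ransom-note.txt", UPLOAD),   # ransom note: plain upload
    _event("dev@example.com", "report.csv", UPLOAD),             # normal upload
    _event("dev@example.com", "config.yaml", REWRITE),           # single benign rewrite
    _event("intern@example.com", "notes.md", DENIED_REWRITE),    # delete permission not granted
]


def is_rewrite_in_place(event):
    """True when the entry matches the rewrite signature: a storage.objects.create call
    whose authorizationInfo shows both delete and create granted on the object."""
    payload = event.get("protoPayload", {})
    if payload.get("serviceName") != "storage.googleapis.com":
        return False
    if payload.get("methodName") != "storage.objects.create":
        return False
    granted = {
        a.get("permission")
        for a in payload.get("authorizationInfo", [])
        if a.get("granted") is True
    }
    return REWRITE_PERMISSIONS <= granted


def count_rewrites_by_principal(events):
    """Number of rewrite-in-place entries per principalEmail."""
    counts = Counter()
    for e in events:
        if is_rewrite_in_place(e):
            auth = e["protoPayload"].get("authenticationInfo", {})
            counts[auth.get("principalEmail", "<unknown>")] += 1
    return dict(counts)


def find_suspicious_principals(events, threshold):
    """Principals whose rewrite count reaches the threshold (a tuning assumption;
    calibrate it against the normal rewrite rate in your own buckets)."""
    counts = count_rewrites_by_principal(events)
    return sorted(p for p, n in counts.items() if n >= threshold)


def parse_log_entries(text):
    """Parse exported entries given either as a JSON array or as newline-delimited JSON."""
    text = text.strip()
    if text.startswith("["):
        return json.loads(text)
    return [json.loads(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for principal, n in count_rewrites_by_principal(SAMPLE_EVENTS).items():
        print(f"{principal}: {n} rewrite(s) in place")
    print("suspicious:", find_suspicious_principals(SAMPLE_EVENTS, threshold=3))
```

Note that the ransom-note upload and the denied rewrite are both excluded: the first carries only the create check, and the second lacks a granted delete check, so a plain filter on methodName alone would not separate any of these from routine uploads.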