GCS Ransomware through individual file deletion

Platform: GCP

Mappings

  • MITRE ATT&CK
    • Impact

Description

Simulates GCS ransomware activity that empties a Cloud Storage bucket through individual object deletion, then uploads a ransom note.

Warm-up:

  • Create a Cloud Storage bucket, with object versioning enabled
  • Create a number of objects in the bucket, with random content and extensions

Detonation:

  • List all available objects and their versions in the bucket
  • Delete all objects in the bucket one by one, including all noncurrent versions, using objects.delete
  • Upload a ransom note to the bucket

Note: The attack does not need to disable object versioning. Versioning does not protect against this kind of ransomware, because the attack deletes every version of each object, noncurrent versions included.

References:

Instructions

Detonate with Stratus Red Team
stratus detonate gcp.impact.gcs-ransomware-individual-deletion

Detection

You can detect ransomware activity by identifying abnormal patterns of object downloads or deletions in the bucket. In GCS Data Access audit logs, monitor for a high volume of storage.objects.delete events attributed to a single principal within a short time window.

Note that GCS Data Access logs are not enabled by default and must be explicitly enabled at the project or organization level.

Sample audit log event for storage.objects.delete, shortened for readability:

{
  "protoPayload": {
    "serviceName": "storage.googleapis.com",
    "methodName": "storage.objects.delete",
    "resourceName": "projects/_/buckets/target-bucket/objects/target-object-key",
    "authorizationInfo": [
      { "permission": "storage.objects.delete", "granted": true }
    ],
    "authenticationInfo": {
      "principalEmail": "attacker@example.com"
    }
  },
  "resource": {
    "type": "gcs_bucket",
    "labels": {
      "bucket_name": "target-bucket"
    }
  }
}
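The detection described above, as an added example that is not part of the Stratus Red Team project: it reads Cloud Logging entries in the shape of the sample event, counts granted storage.objects.delete calls per principal and bucket in a sliding window, and flags any pair that crosses a threshold. The entries, principals and bucket name are constructed; the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _parse_ts(ts):
    # Cloud Logging emits RFC 3339 timestamps, usually with a trailing "Z"
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def detect_mass_deletion(entries, threshold=10, window_seconds=60):
    """Return {(principal, bucket): peak deletes in any sliding window} for offenders."""
    per_key = defaultdict(list)
    for e in entries:
        p = e.get("protoPayload", {})
        if p.get("methodName") != "storage.objects.delete":
            continue
        if not any(a.get("granted") for a in p.get("authorizationInfo", [])):
            continue  # denied attempts are not a successful wipe; track them separately
        principal = p.get("authenticationInfo", {}).get("principalEmail", "<unknown>")
        bucket = e.get("resource", {}).get("labels", {}).get("bucket_name", "<unknown>")
        per_key[(principal, bucket)].append(_parse_ts(e["timestamp"]))
    alerts, window = {}, timedelta(seconds=window_seconds)
    for key, times in per_key.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):  # two-pointer sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts

def _delete_event(principal, bucket, obj, ts):
    # Constructed entry in the shape of the sample audit log above (fields trimmed)
    return {"timestamp": ts,
            "protoPayload": {"methodName": "storage.objects.delete",
                             "resourceName": f"projects/_/buckets/{bucket}/objects/{obj}",
                             "authorizationInfo": [{"permission": "storage.objects.delete", "granted": True}],
                             "authenticationInfo": {"principalEmail": principal}},
            "resource": {"type": "gcs_bucket", "labels": {"bucket_name": bucket}}}

# Constructed sample: 12 deletes within 22 s from one principal, 2 routine deletes from another
SAMPLE_ENTRIES = [_delete_event("attacker@example.com", "target-bucket", f"file-{i}.bin",
                                f"2024-01-01T10:00:{2 * i:02d}Z") for i in range(12)] + [
    _delete_event("ops@example.com", "target-bucket", "tmp-1.log", "2024-01-01T10:00:00Z"),
    _delete_event("ops@example.com", "target-bucket", "tmp-2.log", "2024-01-01T10:30:00Z")]

if __name__ == "__main__":
    for (principal, bucket), n in detect_mass_deletion(SAMPLE_ENTRIES).items():
        print(f"ALERT: {principal} deleted {n} objects from {bucket} within 60 s")
```

Grouping by principal and bucket keeps a noisy but legitimate cleanup job in one bucket from masking a burst elsewhere; pairing the count with storage.objects.get events would also surface the download phase of the technique.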