Can Ransomware Infect Cloud Storage?

Users and organizations often assume that public cloud storage is so reliable that ransomware cannot harm it. Cloud storage is indeed reliable, because providers build redundancy into the disks, network connections and replication mechanisms in their datacenters. However, that redundancy protects against hardware and network failures, not against malicious changes to the data itself, so data in the cloud can still be corrupted by ransomware. This blog post explains how ransomware can attack data in the cloud and how to prevent data loss in this case.

Say no to ransoms with NAKIVO

Use backups for fast data recovery after ransomware attacks. Multiple recovery options, immutable local and cloud storage, recovery automation features and more.

The Evolving Landscape of Cloud Security Against Ransomware

Ransomware, unfortunately, continues to evolve, becoming more sophisticated and dangerous. Cyberattacks have also become more widespread. As a result, cloud security measures must evolve to keep up with this threat. Cybersecurity and backup vendors are developing solutions to help users and organizations protect their data.

One of the most dangerous trends in recent years has been ransomware as a service (RaaS). Skilled cybercriminals sell ready-to-use ransomware kits to less skilled attackers, thereby increasing the number of ransomware attacks. The ransomware strains used in these attacks can also reach organizations' local networks and spread from there across cloud environments.

Cloud ransomware is a newer type of ransomware designed specifically to reach data in the cloud. It can exfiltrate data to attackers as well as encrypt it, and it may exploit vulnerabilities in cloud environments to do so.

How Ransomware Targets Cloud Storage

Ransomware can target cloud storage in multiple ways, including exploiting software vulnerabilities and tricking users. Cloud providers like Microsoft, Amazon and Google implement strong security measures on their side, but attackers can exploit weaknesses on the user's side, that is, inside an organization's own local infrastructure.

  • File synchronization. Cloud storage services usually let users synchronize a local folder with cloud storage (for example, Microsoft OneDrive or Google Drive). If a user's computer is infected, the ransomware encrypts the files on the local drive, and the synchronization client then uploads the encrypted files to the cloud. As a result, the copies in the public cloud are corrupted too.
  • Compromised user credentials. Attackers use phishing and brute-force attacks to compromise user credentials and gain access to files on the user's computer and other computers in the network. Once the attackers install ransomware, files are encrypted and effectively corrupted. With the same credentials, attackers can also sign in to the user's cloud account directly and delete or corrupt data there.
  • Exploiting cloud APIs. Cloud vendors provide application programming interfaces (APIs) so that third-party applications can work with cloud services and automate tasks. Attackers can use vulnerabilities in these APIs, or stolen API keys, to access cloud storage. Once they have access, they can deploy ransomware to corrupt and delete files. API vulnerabilities can thus let ransomware bypass the normal security controls and give attackers direct access to cloud storage data.
  • Shared folders and collaboration tools. Shared folders are mainly used for collaboration within organizations. If one device or account is compromised, ransomware can be uploaded to shared folders, and because other users open these shared files, it can spread quickly across the organization. Cloud-based collaboration tools like Microsoft Teams or Google Workspace can amplify the spread of ransomware if shared files become infected.
  • Weak access controls. Without a robust security policy, attackers can take advantage of misconfigured permissions. If users have unnecessary write permissions or administrative access to cloud storage, ransomware running under their accounts inherits that access and can encrypt or destroy files.

Protecting Cloud Storage from Ransomware

Protecting cloud storage against ransomware requires a combination of approaches, including preventive measures, access controls and data recovery strategies. Even though cloud vendors ensure a high level of security, they are only responsible for the underlying cloud infrastructure. Organizations using those resources to store their data are responsible for protecting the data itself and for the measures that prevent data loss on their side. This is the shared responsibility model, which is part of the end-user license agreement of most cloud vendors.

Below, you can see the main ransomware protection measures available to organizations:

  • Enable versioning for cloud files. File versioning allows you to restore previous, uninfected versions of a file if the latest version is encrypted or corrupted by ransomware. You can configure this feature to retain multiple versions of each file in cloud storage. Major cloud storage providers, such as Microsoft OneDrive and Google Drive, offer file versioning.
  • Enable data encryption. Strong encryption prevents attackers from easily reading or manipulating sensitive files if they gain access to your cloud storage. Enable encryption in transit and at rest whenever possible. Encrypted data can only be accessed by authorized users who have the key or password. Usually, you can choose between the service's built-in encryption and client-side encryption. Note that ransomware can still encrypt files that are already encrypted, so encryption does not stop the attack itself, but attackers cannot read files that you encrypted without the key.
  • Configure user permissions carefully. Use the principle of least privilege when configuring access permissions. Attackers generally find it easier to start a ransomware attack by infecting a regular user rather than a system administrator. When users have only the write and administrative permissions they actually need, ransomware running under their accounts finds it harder to spread over the network and infect other resources.
  • Implement advanced threat detection. Install antivirus or anti-malware software on end-user computers to detect and remove ransomware before it can run. If a computer is never infected, ransomware cannot encrypt the files that it synchronizes with cloud storage.
  • Monitoring. Use monitoring systems with automatic alerts and notifications to quickly detect suspicious behavior that can indicate ransomware activity. Bulk file modifications, mass sharing and login attempts from unknown locations should be treated as suspicious. When ransomware is detected early, it is easier to stop the attack and avoid destructive results.
  • Isolate cloud storage. Avoid synchronizing local disks with cloud storage where synchronization is not needed. This reduces the risk of corrupting files stored in the cloud if a local user's computer is infected by ransomware.
  • Disable file sharing for untrusted sources. Limit file sharing with external users to minimize the risk of ransomware infection via shared documents. Macros in Microsoft Office documents are a common way to infect a user's computer. Set strict policies on who can share files and with whom, and regularly audit shared folders to ensure that unauthorized users don't have access.
  • Educate users. Continuously educate users and conduct security awareness training. When users understand at least the main principles of ransomware attacks and know what to do if they notice suspicious signs, the risk of ransomware infection is reduced. Phishing attacks that infect user computers are a common way to spread ransomware in an organization's infrastructure. Users should be able to recognize phishing emails and suspicious links and report them to system administrators if there is a sign of a potential cyber-attack.
  • Back up data regularly. Having a backup allows you to restore data if the original data was lost after a ransomware attack. Configure automated regular backups and set required scheduling and retention policies to ensure that you can recover data for different periods. Back up local data and data stored in the cloud.
  • Enable immutable backups. If ransomware can access backup storage, then backups become corrupted and unusable. Immutable backups use the write-once-read-many (WORM) principle: once an immutable backup is written, it cannot be modified until the immutability period expires. In addition to immutable backups, you can use air-gapped storage such as tape or hard disk drives that are disconnected after the backup data is written. Air-gapped backups are also resistant to ransomware because ransomware cannot reach them.
  • Conduct disaster recovery training. It is important to be ready for ransomware attacks and to test your backups. Each employee should know what to do if a ransomware attack is detected – how to stop the infection and the file encryption. Once the attack is stopped and the ransomware removed, close the gaps the ransomware used and recover data. When data recovery scenarios are well tested, you can restore data easily and quickly.
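As an added illustration of the monitoring bullet above (this is example code, not part of the original post and not NAKIVO's software), the following Python script applies three simple rules to constructed cloud-storage audit events: a sliding-window count of file modifications per user, a sliding-window count of shares per user, and logins from a country not in that user's baseline. The event format, thresholds, window length and per-user location baseline are all assumptions; real tenants would feed their provider's audit log and tune the limits to normal activity.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events (not real logs): (ISO timestamp, user, action, detail).
# detail is a file path for "modify", a recipient for "share", a country code for "login".
CONSTRUCTED_EVENTS = (
    [("2024-05-01T09:00:00", "alice", "login", "DE")]
    + [(f"2024-05-01T09:01:{s:02d}", "alice", "modify", f"/docs/report{s}.docx") for s in range(60)]
    + [("2024-05-01T09:05:00", "bob", "login", "DE"),
       ("2024-05-01T09:06:00", "bob", "modify", "/docs/budget.xlsx"),
       ("2024-05-01T23:30:00", "bob", "login", "XX")]  # XX: a country never seen for bob
    + [(f"2024-05-01T10:00:{s:02d}", "carol", "share", f"ext{s}@example.com") for s in range(25)]
)

# Assumed per-user baseline of countries seen in normal logins.
KNOWN_LOCATIONS = {"alice": {"DE"}, "bob": {"DE"}, "carol": {"DE"}}

# Assumed thresholds; tune them to the tenant's normal activity.
WINDOW = timedelta(minutes=5)
THRESHOLDS = {"modify": (50, "bulk_modification"), "share": (20, "mass_sharing")}


def detect(events, known=KNOWN_LOCATIONS, window=WINDOW, thresholds=THRESHOLDS):
    """Return (user, alert_type) pairs; each alert type fires at most once per user."""
    alerts = []
    recent = defaultdict(deque)  # (user, action) -> timestamps inside the sliding window
    for ts, user, action, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        if action == "login":
            if detail not in known.get(user, set()) and (user, "login_unknown_location") not in alerts:
                alerts.append((user, "login_unknown_location"))
            continue
        if action not in thresholds:
            continue  # other actions (read, download, ...) are not rated by these rules
        q = recent[(user, action)]
        q.append(t)
        while t - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        limit, kind = thresholds[action]
        if len(q) >= limit and (user, kind) not in alerts:
            alerts.append((user, kind))
    return alerts


if __name__ == "__main__":
    for user, kind in detect(CONSTRUCTED_EVENTS):
        print(f"ALERT {kind} for {user}")
```

On the constructed events the script raises a bulk-modification alert for alice, a mass-sharing alert for carol and an unknown-location login alert for bob, while bob's single edit after a normal login stays silent.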

Ensuring Compliance and Security with NAKIVO

NAKIVO Backup & Replication is a data protection solution that allows you to back up and recover your data in case of a ransomware attack. The NAKIVO solution has a wide set of features, including features that are especially helpful in protecting data and backups against ransomware.

  • Backup of data in the cloud. The NAKIVO solution supports backup of VMware vSphere, Proxmox VE, Hyper-V, Nutanix AHV, Windows and Linux workstations/servers, Amazon EC2 and Microsoft 365, including Exchange Online, OneDrive for Business, SharePoint Online and Microsoft Teams.
  • Storing backups on different storage types. You can store backups in the cloud and on local storage. Amazon EC2, Amazon S3, S3-compatible storage, Azure Blob Storage, BackBlaze B2 and other cloud storage platforms are supported. As for local storage, you can store backups in local backup repositories on Linux and Windows machines, NAS devices and tape media. Disconnecting backup media and keeping an air-gapped backup protects against ransomware.
  • Immutable backups. Backup repositories attached to a Linux Transporter support backup immutability. Immutable backups can be written once and cannot be modified during the defined period. Backup repositories in Amazon S3 also support immutable backups and ensure cloud ransomware protection.
  • Scheduling and retention settings. NAKIVO Backup & Replication provides advanced scheduling and retention settings. You can schedule backup jobs to run automatically at any time, periodically or after another job. Flexible retention settings allow you to implement complex retention policies to recover data from recent or old recovery points. You can use the grandfather-father-son (GFS) scheme or other more complex retention policies, which also help meet compliance requirements.
  • Disaster recovery functionality. You can use the Site Recovery feature to create disaster recovery workflows and perform disaster recovery testing. This approach prepares you for possible failures so you can recover data smoothly and quickly in the cloud and on-premises.
  • Granular recovery. If ransomware infected your data and you need to recover only particular files and objects, you can quickly do that with the granular recovery feature. You can recover specific files and folders from VMware vSphere VMs, Microsoft Hyper-V VMs, Linux/Windows physical machines and Amazon EC2 backups as well as recover specific Microsoft OneDrive files, Exchange emails, SharePoint sites, Microsoft Teams objects, etc.
  • Role-based access control. You can configure user accounts, roles and permissions in NAKIVO Backup & Replication for backup and recovery operations. Configuring the right permissions using multiple access levels restricts unauthorized access. The multi-tenancy mode is useful for large organizations and managed service providers interested in cloud ransomware protection.
  • Backup encryption. Encrypting backup data protects it against theft by cybercriminals if backup servers are infected by ransomware. It is recommended that you use backup copies and follow the 3-2-1 backup rule with NAKIVO Backup & Replication to avoid backup corruption by ransomware. You can enable source-side backup encryption, network encryption and backup encryption at rest (at repository level).
  • Malware scan for backups. It is important to ensure that backup data does not contain viruses or ransomware. If you restore files that contain viruses or ransomware, the resulting secondary infection can damage data again after recovery. The NAKIVO solution supports integration with different antivirus software to scan backups and check that they are malware-free.

Conclusion

Protecting cloud data from ransomware requires applying a set of preventive measures and performing regular data backups. Data stored in public cloud storage can be infected by ransomware in different ways. It is important to protect backups stored in the cloud and on-premises against ransomware because ransomware can attack backup files. NAKIVO Backup & Replication can protect your data in the cloud and on-premises with advanced backup and recovery capabilities.

Try NAKIVO Backup & Replication

Get a free trial to explore all the solution’s data protection capabilities. 15 days for free. Zero feature or capacity limitations. No credit card required.
