Ransomware Goes Cloud-Native: Why Your Backups Are Not Safe Anymore


Cloud Ransomware: The Evolution No One Wanted

Remember the golden days when regular, well-guarded backups were the ultimate trump card against ransomware? Those times have changed fast. In 2025, ransomware actors are laser-focused on the cloud, and they are targeting your backups first. If you're leaning on cloud-native infrastructure and consider cloud-stored snapshots or object storage your lifeline during an attack, it's time for a rethink.

At EJN Labs, we’ve seen a steady surge in incidents where cloud backup systems become the first victims in a ransomware campaign. The game has changed: your backups are now the battleground itself.

Why the Cloud Became a Prime Target

Let’s unpack why cybercriminals are so interested in the cloud:

  • Huge Value, Big Surface: Cloud backup environments often hold massive data sets, business-critical configurations, and integrations with other services. Attackers know that if they can compromise these, they hold leverage that is hard to ignore.
  • Misconfigurations Are Everywhere: From public S3 buckets to cloud storage with relaxed permissions, human error and complexity mean mistakes are common. One misstep can open the door for outsiders.
  • Identity over Perimeter: Traditional, perimeter-focused security crumbles in cloud environments. Cloud security is all about identity and permissions, which sound robust until you realise how easily credentials can be leaked, reused, or stolen.
  • Automation Blind Spots: The drive for automation sometimes means privileged tokens and credentials end up exposed on GitHub or in public code repositories, giving attackers their own admin keys.

The shift to the cloud increases productivity and accessibility, but it also brings a sea of new risks.

How Ransomware Operators Compromise Cloud Backups

Attackers have raised the stakes. Here’s how modern ransomware gangs are disabling cloud recovery options before pulling the trigger on file encryption:

1. Direct Attacks on Backup Infrastructure

Cloud-hosted backups such as AWS snapshots, Azure Blob Storage, and Google Cloud Storage are under siege. Attackers:

  • Delete or disable backup agents and snapshots.
  • Alter retention policies to shorten or nullify backup lifespans.
  • Encrypt network-accessible backup volumes right alongside production data.

With just the right permissions (which are often too wide), they can eradicate every backup you thought was secure.

2. Credential and Token Abuse

Reusable or poorly secured credentials are gold for ransomware crews. They're not just hunting for admin passwords anymore:

  • Stolen OAuth tokens from DevOps tools such as GitHub can grant access to infrastructure-as-code secrets.
  • API keys or IAM roles with backup access get compromised from public leaks or old, forgotten code.

Once inside, attackers exfiltrate data or take control of backup resources, leaving nothing to restore.


3. Turning Cloud Tools Against You

Ironically, built-in cloud features like Amazon S3 Transfer Acceleration or Azure automation scripts can be used by attackers to extract data rapidly, delete logs, or disable alerting. The same tools that streamline your business operations can quickly become a hacker’s toolbox.

4. Disabling Recovery Before Launching Encryption

The classic ransomware playbook starts with stifling all means of recovery.
Modern threat actors will:

  • Systematically wipe out cloud snapshots and encrypted file backups.
  • Delete or tamper with backup schedules and retention locks.
  • Modify backup automation scripts so that any recovery points that survive the initial purge are erased as well.

Only once there is no way back do they pull the trigger and encrypt the remaining live data.

When Backup Strategy Isn’t Enough

Why isn’t “just have good backups” enough anymore? Because cybercriminals have adopted the same cloud-native mindset as your IT team.

They take time to explore the infrastructure, find overlooked permissions, and exploit the flexibility and interconnectedness of cloud environments. Recovery windows shrink, and often, there is genuinely nothing left to restore.

Common Missteps Organisations Make

  • Reusing the same credentials for production and backup cloud automation.
  • Forgetting to audit and rotate IAM roles linked to backups for years.
  • Over-relying on built-in cloud restore features without proper segmentation.
  • Missing alerts of snapshot deletions or credential changes (or failing to log them at all).

Re-Thinking Cloud Backup Security

So, what can businesses and IT leaders do to defend against this new wave of ransomware?

1. Segment Your Backup Infrastructure

Apply the principle of zero trust. Your backup resources should exist in different accounts, projects or environments, with access tightly controlled and strictly limited.

  • Never use production credentials for backup access.
  • Create dedicated IAM roles for backup jobs, restricted by least privilege.
  • Routinely audit permissions and revoke what is not needed.

2. Offline and Immutable Backups

  • Keep at least one copy of critical backups air-gapped, or in a cloud bucket/object storage with immutability and “write once, read many” (WORM) retention enforced.
  • Use cross-region or cross-cloud replication to protect against an attacker who gains a foothold in one cloud provider.
  • Enforce retention policies that cannot be altered, and lock these configuration settings.
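As an added example (not EJN Labs' code) covering the least-privilege roles of section 1 and the locked retention settings of section 2: a small Python check that reports whether a backup role's IAM policy effectively allows any action that deletes recovery points or loosens retention or Object Lock, with a wide "weak" policy beside a least-privilege one. The action names are real IAM actions; the two policies, the placeholder bucket name and the simplified evaluation (no Condition, NotAction or Resource handling) are assumptions.

```python
import fnmatch

# Real IAM action names that let a caller destroy recovery points or weaken retention.
# A dedicated backup-writer role should hold none of these.
DESTRUCTIVE_ACTIONS = {
    "ec2:DeleteSnapshot", "ec2:ModifySnapshotAttribute",
    "backup:DeleteRecoveryPoint", "backup:DeleteBackupVaultLockConfiguration",
    "s3:DeleteObjectVersion", "s3:BypassGovernanceRetention",
    "s3:PutBucketObjectLockConfiguration", "s3:PutLifecycleConfiguration",
}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def grants(policy, action):
    """True if an Allow statement matches `action` and no Deny does.
    Mirrors IAM's case-insensitive '*'/'?' wildcard matching on Action; ignores
    Resource scoping, Condition blocks and NotAction (a deliberate simplification)."""
    allowed = denied = False
    for st in _as_list(policy["Statement"]):
        patterns = [p.lower() for p in _as_list(st.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if st["Effect"] == "Deny":
                denied = True
            else:
                allowed = True
    return allowed and not denied

def risky_grants(policy):
    """Destructive actions the policy effectively allows, sorted for stable output."""
    return sorted(a for a in DESTRUCTIVE_ACTIONS if grants(policy, a))

# Constructed example policies. The bucket name is a placeholder.
WEAK_BACKUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}]}

LEAST_PRIVILEGE_BACKUP_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:CreateSnapshot", "ec2:DescribeSnapshots", "ec2:CreateTags"]},
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backup-bucket", "arn:aws:s3:::example-backup-bucket/*"]},
    # Explicit Deny so the lock settings survive even if a broader policy is attached later.
    {"Effect": "Deny", "Resource": "*",
     "Action": ["s3:BypassGovernanceRetention", "s3:PutBucketObjectLockConfiguration"]}]}

if __name__ == "__main__":
    print("weak policy allows:", risky_grants(WEAK_BACKUP_POLICY))
    print("least-privilege policy allows:", risky_grants(LEAST_PRIVILEGE_BACKUP_POLICY))
```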


3. Monitor Cloud Backups Like High-Value Assets

  • Treat routine backup operations, including failed, deleted, or altered snapshots, as vital security events.
  • Set up real-time alerts for:
      • Any mass deletion of snapshots.
      • Disabled backup agents or sudden policy changes.
      • Access from unfamiliar locations or accounts.
  • Leverage cloud-native behavioural analytics tools to spot unusual backup-related activity quickly.
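An added example (not part of the original post) of this section's alerting written as detection logic: it runs over constructed CloudTrail-style events and raises alerts for mass snapshot deletion by one principal inside a sliding time window, for retention or vault-lock changes, and for any backup-affecting call from a principal outside an assumed dedicated backup role. The account id, role ARNs and timestamps are constructed; the eventName values are real CloudTrail event names.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CloudTrail-style events (illustrative, not real logs). The account id,
# role names and timestamps are made up; the eventName values are real CloudTrail names.
CI_ROLE = "arn:aws:sts::111122223333:assumed-role/ci-deploy/run-77"
BACKUP_ROLE_PREFIX = "arn:aws:sts::111122223333:assumed-role/backup-job/"  # assumed dedicated role
SAMPLE_EVENTS = [
    {"eventTime": "2025-03-01T02:00:05Z", "eventName": "CreateSnapshot",
     "userIdentity": {"arn": BACKUP_ROLE_PREFIX + "nightly"}},
    {"eventTime": "2025-03-01T03:14:01Z", "eventName": "DeleteSnapshot", "userIdentity": {"arn": CI_ROLE}},
    {"eventTime": "2025-03-01T03:14:03Z", "eventName": "DeleteSnapshot", "userIdentity": {"arn": CI_ROLE}},
    {"eventTime": "2025-03-01T03:14:06Z", "eventName": "DeleteSnapshot", "userIdentity": {"arn": CI_ROLE}},
    {"eventTime": "2025-03-01T03:15:40Z", "eventName": "DeleteBackupVaultLockConfiguration",
     "userIdentity": {"arn": CI_ROLE}},
]

# Calls that destroy recovery points, and calls that weaken retention or locks.
DESTRUCTIVE = {"DeleteSnapshot", "DeleteRecoveryPoint", "DeleteBackupVault"}
RETENTION_CHANGE = {"DeleteBackupVaultLockConfiguration", "PutBucketLifecycle",
                    "PutObjectRetention", "UpdateBackupPlan", "ModifySnapshotAttribute"}

def detect(events, mass_threshold=3, window=timedelta(minutes=5)):
    """Return the set of (rule, principal_arn) alerts raised over `events`."""
    alerts = set()
    recent_deletes = defaultdict(list)  # principal -> deletion times inside the sliding window
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name, who = ev["eventName"], ev["userIdentity"]["arn"]
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if name in DESTRUCTIVE | RETENTION_CHANGE and not who.startswith(BACKUP_ROLE_PREFIX):
            # Any backup-affecting call from outside the dedicated backup role is suspect.
            alerts.add(("UNEXPECTED_PRINCIPAL", who))
        if name in RETENTION_CHANGE:
            alerts.add(("RETENTION_CHANGE", who))
        if name in DESTRUCTIVE:
            hits = recent_deletes[who]
            hits.append(ts)
            while ts - hits[0] > window:      # slide the window forward
                hits.pop(0)
            if len(hits) >= mass_threshold:   # N deletions inside `window` = mass deletion
                alerts.add(("MASS_DELETION", who))
    return alerts

if __name__ == "__main__":
    for rule, who in sorted(detect(SAMPLE_EVENTS)):
        print(f"{rule:20} {who}")
```

The thresholds and the dedicated-role prefix are the tunable parts; in a real deployment they would come from your own account layout rather than the constants shown here.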

4. Credential Hygiene and Secrets Management

  • Rotate backup automation credentials frequently.
  • Ensure all secrets are encrypted, stored centrally, and never hardcoded into scripts or shared documents.
  • Scan your public repositories for leaked tokens and respond immediately if any are found.
  • Adopt short-lived credentials and avoid human-managed service accounts wherever possible.

5. Test Your Recovery, Don’t Assume It Works

  • Run regular, realistic restoration drills, not only for cloud production systems but for backup restoration as well.
  • Simulate ransomware events: Can your team recover if all current cloud resources are locked or encrypted?


6. Defensive Design: Think Like an Attacker

Approach cloud backup defence as a game of chess. Assume an adversary will bypass standard controls and see if your system can withstand sabotage or compromise.

  • Review backup access paths and lock down unused ones.
  • Enforce multi-factor authentication on all backup and admin interfaces.
  • Set up alarms for any configuration drift, such as changes to backup schedules or permissions.

The Bigger Picture: Security is Shared, But the Responsibility is Yours

Remember: all major cloud providers operate on a ‘shared responsibility model’, but the configuration, resilience, and monitoring of your backups are firmly on your side of the fence.

If you’re not hardening every link in the backup chain, you risk losing your critical safety net. For those serious about safeguarding their cloud environments, a proactive review of your backup security strategy is far more urgent now than even two years ago.

Final Thoughts from EJN Labs

Cloud-driven innovation brings transformative power, but it’s time to face facts: as the landscape shifts, so do the threats. By viewing backups and their security not as afterthoughts but as core to your cyber resilience, you’re already ahead of most.

Curious about how your organisation’s cloud defences and backup strategy stack up? Start with a modern pentest: nowadays it's not just about the perimeter, but about full-spectrum, cloud-aware assessments. To get started, check our guide: Why Do You Need a Pentest?

Stay vigilant. Ransomware isn’t standing still, and neither should you.
