Code created by a third party to infiltrate your systems to hijack, encrypt, andsteal data is referred to asransomware. To help you mitigate ransomwareattacks, Google Cloud provides you with controls for identifying,protecting, detecting, responding, and recovering from attacks. These controlshelp you accomplish the following:

• Assess your risk.
• Protect your business from threats.
• Maintain continuous operations.
• Enable rapid response and recovery.

This document is intended for security architects and administrators. Itdescribes the ransomware attack sequence and how Google Cloud can helpyour organization mitigate the effects of ransomware attacks.

Ransomware attack sequence

Ransomware attacks can start as mass campaigns looking for potentialvulnerabilities or as directed campaigns. A directed campaign starts withidentification and reconnaissance, where an attacker determines whichorganizations are vulnerable and what attack vector to use.

There are many ransomware attack vectors. The most common vectors are phishingemails with malicious URLs or exploiting an exposed software vulnerability. Thissoftware vulnerability can be in the software that your organization uses, or avulnerability that exists in your software supply chain. Ransomware attackerstarget organizations, their supply chain, and their customers.

When the initial attack is successful, the ransomware installs itself andcontacts the command and control server to retrieve the encryption keys. Asransomware spreads throughout the network, it can infect resources, encrypt datausing the keys that it retrieved, and exfiltrate data. Attackers demand aransom, typically in cryptocoins, from the organization so that they can get thedecryption key.

The following diagram summarizes the typical ransomware attack sequenceexplained in the previous paragraphs, from identification and reconnaissance todata exfiltration and ransom demand.

Ransomware is often difficult to detect. It's critical, therefore, that you putin place prevention, monitoring, and detection capabilities, and that yourorganization is ready to respond swiftly when someone discovers an attack.

Security and resiliency controls in Google Cloud

Google Cloud includes built-in security and resiliency controls to helpprotect customers against ransomware attacks. These controls include thefollowing:

• Global infrastructure designed with security throughout theinformation-processing lifecycle.
• Built-in detective features for Google Cloud products and services,such as monitoring, threat detection, data loss prevention, and accesscontrols.
• Built-in preventive controls, such as Assured Workloads
• High availability with regional clusters and global load balancers.
• Built-in backup, with scalable services.
• Automation capabilities using Infrastructure as Code and configurationguardrails.

Google Threat Intelligence,VirusTotal, andMandiant Digital ThreatMonitoring track and respond tomany types of malware, including ransomware, across Google infrastructure andproducts. Google Threat Intelligence is a team of threat researchers thatdevelop threat intelligence for Google Cloud products. VirusTotal is a malwaredatabase and visualization solution that provides you with a betterunderstanding of how malware operates within your enterprise. MandiantDigital Threat Monitoring and other Mandiant services providethreat research, consultation, and incident response support.

For more information about built-in security controls, see theGoogle securityoverview andGoogle infrastructure securitydesign overview.

Security and resiliency controls in Google Workspace, Chrome browser, and Chromebooks

In addition to the controls within Google Cloud, other Google productslike Google Workspace, Google Chrome browser, andChromebooks include securitycontrols that can help protect your organization against ransomware attacks. Forexample, Google products provide security controls that allow remote workers toaccess resources from anywhere, based on their identity and context (such aslocation or IP address).

As described in theRansomware attack sequencesection, email is a key vector for many ransomware attacks. It can be exploitedto phish credentials for fraudulent network access and to distribute ransomwarebinaries directly.Advanced phishing and malwareprotection in Gmailprovides controls to quarantine emails, defends against dangerous attachmenttypes, and helps protect users from inbound spoofing emails.SecuritySandbox isdesigned to detect the presence of previously unknown malware in attachments.

Chrome browser includesGoogle SafeBrowsing, which is designed to providewarnings to users when they attempt to access an infected or malicious site.Sandboxes andsiteisolation helpprotect against the spread of malicious code within different processes on thesame tab.Passwordprotectionis designed to provide alerts when a corporate password is being used on apersonal account, and checks whether any of the user's saved passwords have beencompromised in an online breach. In this scenario, the browser prompts the userto change their password.

The followingChromebookfeatures help toprotect against phishing and ransomware attacks:

• Read-only operating system (ChromeOS). This system is designed to update constantlyand invisibly. Chrome OS helps protect against the mostrecent vulnerabilities and includes controls that ensure that applicationsand extensions can't modify it.
• Sandboxing. Each application runs in an isolated environment, so one harmfulapplication can't easily infect other applications.
• Verified boot. While the Chromebook is booting, it is designed to check thatthe system hasn't been modified.
• Safe Browsing.Chrome periodically downloads the most recent Safe Browsinglist of unsafe sites. It is designed to check the URLs of each site that auser visits and checks each file that a user downloads against this list.
• Google security chips. These chips help protect the operating system frommalicious tampering.

To help reduce your organization's attack surface, consider Chromebooks forusers who work primarily in a browser.

Best practices for mitigating ransomware attacks on Google Cloud

To protect your enterprise resources and data from ransomware attacks, you mustput multi-layered controls in place across your on-premises and cloudenvironments.

The following sections describe best practices to help your organizationidentify, prevent, detect, and respond to ransomware attacks on Google Cloud.

Identify your risks and assets

Consider the following best practices to identify your risks and assets inGoogle Cloud:

• Use Cloud Asset Inventory to maintain a five-week inventory of your resources inGoogle Cloud. To analyze changes,export your asset metadata toBigQuery.
• UseAudit Manager andattack pathsimulations inSecurity Command Center to and risk assessment to assess your current riskprofile. Consider cyber insurance options available through theRiskProtection Program.
• UseSensitive Data Protectionto discover and classify your sensitive data.

Control access to your resources and data

Consider the following best practices to limit access to Google Cloudresources and data:

• Use Identity and Access Management (IAM) to set up fine-grained access. You cananalyze your permissions regularly usingrolerecommender,Policy Analyzer, andCloud Infrastructure Entitlement Management(CIEM).
• Treat service accounts as highly privileged identities. Consider keylessauthentication usingWorkload Identity Federation and scopeyour permissions appropriately. For best practices on protecting serviceaccounts, seeBest practices for using serviceaccounts.
• Mandatemulti-factorauthentication forall users through Cloud Identity and use phishing-resistantTitan Security Key.

Protect critical data

Consider the following best practices to help protect your sensitive data:

• Configure redundancy (N+2) on the cloud storage option that you use to storeyour data. If you use Cloud Storage, you can enableObjectVersioning or theBucket Lockfeature.
• Implement and regularly test backups for databases (for example,Cloud SQL) and filestores(for example,Filestore), storing copiesin isolated locations. ConsiderBackup and DR Service for comprehensive workloadbackup. Verify recovery capabilities frequently.
• Rotate your keys regularly andmonitorkey-related activities. If using customer-suppliedkeys (CSEK) or Cloud External Key Manager (Cloud EKM), ensure robust external backup androtation processes.

Secure network and infrastructure

Consider the following best practices to secure your network and infrastructure:

• Use Infrastructure as Code (such as Terraform) with theenterprisefoundations blueprint as a securebaseline to ensure known-good states and enable rapid, consistentdeployments.
• EnableVPC Service Controls to create aperimeter isolating your resources and data. UseCloud Load Balancing withfirewall rules, and secure connectivity (usingCloud VPN orCloud Interconnect)for hybrid environments.

• Implementrestrictive organizationpoliciessuch as the following:

  • Restrict public IP access on new Vertex AI Workbench notebooks andinstances
  • Restrict Public IP access on Cloud SQL instances
  • Disable VM serial port access
  • Shielded VMs

Protect your workloads

Consider the following best practices to help protect your workloads:

• Integrate security into every phase of your software development lifecycle.For GKE workloads, implementsoftware supply chainsecurity, including trustedbuilds, application isolation, and pod isolation.
• UseCloud Build to track your build stepsandArtifact Registry to completevulnerability scanning onyour container images. UseBinary Authorization to verify that yourimages meet your standards.
• UseGoogle Cloud Armor for Layer 7 filteringand protection against common web attacks.
• Use GKE auto-upgrades andmaintenancewindows.Automate builds inCloud Build to include vulnerability scanning upon code commits.

Detect attacks

Consider the following best practices to help you detect attacks:

• UseCloud Logging to manage and analyze thelogs from your services in Google Cloud andCloud Monitoring to measure theperformance of your service and resources.
• Use Security Command Center todetect potential attacksand analyze alerts.
• For deep security analysis and threat hunting,integrate withGoogle Security Operations.

Plan for incidents

• Completebusiness continuityanddisaster recovery plans.

• Create a ransomware incident response playbook, and perform tabletopexercises. Regularly practice recovery procedures to ensure readiness andidentify gaps.

• Understand your obligations for reporting attacks to authorities and includerelevant contact information in your playbook.

For more security best practices, seeWell-Architected Framework: Security, privacy,and compliance pillar.

Respond to and recover from attacks

When you detect a ransomware attack, activate your incident response plan. Afteryou confirm that the incident isn't a false positive and that it affects yourGoogle Cloud services, open aP1 supportcase.Cloud Customer Care responds as documentedin theGoogle Cloud: Technical Support ServicesGuidelines.

After you activate your plan, gather the team within your organization thatneeds to be involved in your incident coordination and resolution processes.Ensure that these tools and processes are in place to investigate and resolvethe incident.

Follow your incident response plan to remove the ransomware and restore yourenvironment to a healthy state. Depending on the severity of the attack and thesecurity controls that you have enabled, your plan can include activities suchas the following:

• Quarantining infected systems.
• Restoring from healthy backups.
• Restoring your infrastructure to a previously known good state using yourCI/CD pipeline.
• Verifying that the vulnerability was removed.
• Patching all systems that might be vulnerable to a similar attack.
• Implementing the controls that you require to avoid a similar attack.

As you progress through your response process, continue to monitor your Googlesupport ticket. Cloud Customer Care takes appropriate actions withinGoogle Cloud to contain, eradicate, and (if possible) recover yourenvironment.

Inform Cloud Customer Care when your incident is resolved and your environment isrestored. If one is scheduled, participate in a joint retrospective with yourGoogle representative.

Ensure that you capture any lessons learned from the incident, and set in placethe controls that you require to avoid a similar attack. Depending on the natureof the attack, you could consider the following actions:

• Write detection rules and alerts that would automatically trigger should theattack occur again.
• Update your incident response playbook to include any lessons learned.
• Improve your security posture based on your retrospective findings.

What's next

• Help ensure continuity and protect your business against adverse cyberevents using theSecurity and resilienceframework.
• ContactMandiant consultants for a ransomware defenseassessment.
• Review theGoogle Cloud Well-Architected Framework for additional bestpractices.
• For information on how Google manages incidents, seeData incident responseprocess.