Cloud Forensics and Ransomware: Key Insights from the SANS Stay Ahead of Ransomware Livestream

Many practitioners attempt to apply traditional endpoint forensics concepts directly to the cloud, but this approach quickly falls short.

Authored by Megan Roddie-Fonseca

On the November 2025 episode of the SANS Stay Ahead of Ransomware livestream, special guest Megan Roddie-Fonseca joined host Mari DeGrazia and guest host Eric Taylor to discuss how ransomware and cyber extortion operations are manifesting in the cloud. 

The Critical Mindset Shift for Cloud Investigations 

One of the most significant challenges organizations face when performing digital forensics in the cloud is the fundamental mindset shift required. Many practitioners attempt to apply traditional endpoint forensics concepts directly to the cloud, but this approach quickly falls short. When it comes down to it, cloud forensics focuses less on traditional methods and more on log analysis. 

The cloud fundamentally changes how we approach investigations. Unlike traditional forensics, where we have direct access to systems and artifacts, in the cloud we work with the visibility and tools provided by various cloud providers. This requires understanding that different cloud providers (e.g., AWS, Microsoft Azure, Google Cloud) each have their own terminology, tools, and logging capabilities that investigators must master. 

Logging: The Foundation of Cloud Incident Response 

Throughout the discussion, I emphasized that understanding cloud-based logging is critical to the success of cloud-based incident response. Unfortunately, many organizations discover far too late that essential logs weren't enabled or that log retention wasn't configured for long enough. Based on my experience teaching SANS FOR509, most incident responders come into the course not knowing what their organization is actually logging in their cloud environments, let alone how long those logs are retained.

Key cloud-based logging considerations include: 

  • Default vs. Non-Default Logs: Many crucial logs for investigations are not enabled by default. For example, storage access logs are not enabled by default. 
  • Retention Times: Default retention periods (often 30-90 days) may be insufficient for detecting long-dwelling threats. 
  • Lag Times: Some providers have delays for certain logs, which, if not considered, could lead to responders missing critical events when a threat actor is active in an environment. For example, Google Workspace login logs can take up to 24 hours to appear. 

The Evolution of Cloud Ransomware Tactics 

Cloud ransomware and cyber extortion have evolved significantly in recent years. While early attacks were primarily data theft and extortion, threat actors have now developed sophisticated techniques for encryption-based attacks in cloud environments.  

Current attack techniques include: 

  • Storage Encryption: Threat actors (TAs) may use their own encryption keys to encrypt data in storage buckets. 
  • Lifecycle Policy Manipulation: TAs set policies to delete data after a specific timeframe, often shortening log data retention times to remove evidence. 
  • Permission-Based Attacks: TAs creatively manipulate over-permissioned accounts to achieve maximum impact. 

The primary entry point for cloud-based ransomware and cyber extortion remains Identity and Access Management (IAM), with leaked long-term access keys and over-permissioned roles being common vulnerabilities. Initial Access Brokers (IABs) are also active in cloud environments, gaining access and then eventually selling access to multiple threat actors simultaneously. 

Preparing Your Organization for Cloud Incidents 

Based on my experience, the following are essential steps organizations should take to prepare for cloud-based incident response:

  1. Enable Critical Logging Now: Don't wait for an incident to discover that you lack necessary logs. Review and enable logging for all sensitive resources, especially storage accounts. 
  2. Centralize Log Management: Implement a SIEM or use cloud-native tools like AWS Athena, Azure Sentinel, or Google Log Explorer to aggregate and retain logs beyond default periods. 
  3. Establish Incident Response Procedures: Ensure your incident response team has preconfigured, least-privilege access to investigate across all cloud accounts without delay. Also, establish contacts and procedures that may be required when responding to save critical time. 
  4. Build Cloud Competency: While not everyone needs to be a cloud expert, all team members should have basic cloud log triage competency. Identify and develop cloud specialists within your team for each provider you use (multiple people – do not rely on a single contact, since that person may not be available when an incident occurs).
  5. Understand Your Environment: Know what's normal in your cloud infrastructure. For example, if your organization doesn't use certain services, their sudden appearance should trigger immediate investigation. 
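The triage logic below is an added example, not code from the livestream or from SANS: it walks a handful of constructed CloudTrail-style records and flags the three precursors discussed above (lifecycle policies that shorten retention, logging being disrupted, and a service appearing that the organization does not use). The record shapes are simplified, and the `KNOWN_SERVICES` baseline and 90-day retention floor are assumptions for the example.

```python
"""Triage constructed CloudTrail-style events for cloud ransomware precursors.
Record shapes are simplified; the baseline and thresholds are assumptions."""

# Assumption: services this (hypothetical) organization actually uses.
KNOWN_SERVICES = {"s3.amazonaws.com", "iam.amazonaws.com",
                  "ec2.amazonaws.com", "cloudtrail.amazonaws.com"}
MIN_RETENTION_DAYS = 90  # assumed policy floor for storage/log buckets

# Event names that reduce or stop audit logging (subset, for the example).
LOGGING_DISRUPTION = {"StopLogging", "DeleteTrail", "UpdateTrail"}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"eventTime": "2025-11-04T10:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketLifecycle",
     "requestParameters": {"bucketName": "audit-logs", "LifecycleConfiguration": {
         "Rule": [{"Status": "Enabled", "Expiration": {"Days": 1}}]}}},
    {"eventTime": "2025-11-04T10:02:00Z", "eventSource": "cloudtrail.amazonaws.com",
     "eventName": "StopLogging", "requestParameters": {"name": "org-trail"}},
    {"eventTime": "2025-11-04T10:05:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "CreateKey", "requestParameters": {}},
    {"eventTime": "2025-11-04T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "requestParameters": {"bucketName": "payroll"}},
]


def triage(events, known_services=KNOWN_SERVICES, min_retention=MIN_RETENTION_DAYS):
    """Return (eventTime, finding_type, detail) tuples for suspicious events."""
    findings = []
    for e in events:
        name, src = e["eventName"], e["eventSource"]
        params = e.get("requestParameters") or {}
        # 1. Lifecycle rule that expires objects sooner than the retention floor.
        if name in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
            rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
            for rule in (rules if isinstance(rules, list) else [rules]):
                days = rule.get("Expiration", {}).get("Days")
                if rule.get("Status") == "Enabled" and days is not None and days < min_retention:
                    findings.append((e["eventTime"], "lifecycle_shortened",
                                     f"{params.get('bucketName')}: expire after {days} days"))
        # 2. Trail stopped, deleted or modified: evidence stream at risk.
        if name in LOGGING_DISRUPTION:
            findings.append((e["eventTime"], "logging_disrupted",
                             f"{name} on {params.get('name')}"))
        # 3. A service outside the known baseline shows up for the first time.
        if src not in known_services:
            findings.append((e["eventTime"], "unexpected_service",
                             f"{src} seen via {name}"))
    return findings
```

Running `triage(SAMPLE_EVENTS)` yields one finding each for the shortened lifecycle rule, the stopped trail, and the unexpected KMS activity, while the ordinary `GetObject` produces nothing.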

The Importance of Continuous Learning 

The cloud security landscape evolves rapidly, and staying current is essential. Whether it involves attending conferences, reading technical blogs and newsletters, or taking courses, it's important to stay educated when it comes to the cloud. Don't wait for an incident to start learning – even examining sample CloudTrail or Azure Activity logs and exploring cloud admin portals can provide valuable familiarity. 

For those interested in deepening their cloud forensics expertise, FOR509: Enterprise Cloud Forensics and Incident Response provides instructor-led training and hands-on labs that teach how to run investigations across AWS, Azure, and Google Cloud. 

Looking Forward 

As organizations continue their cloud journey, the intersection of traditional forensics knowledge and cloud-specific expertise becomes increasingly valuable. While the tools and artifacts may differ, the investigative mindset and problem-solving skills remain fundamental. The key is adapting these skills to the unique challenges and opportunities the cloud presents. 

To learn more, watch the November 2025 episode of the SANS Stay Ahead of Ransomware livestream. You can also review the SANS Stay Ahead of Ransomware livestream playlist on YouTube. 

Join us on the first Tuesday of each month at 1:00 PM Eastern | 10:00 AM Pacific to take part in the SANS Stay Ahead of Ransomware show. 

To learn more about preventing, detecting, and responding to ransomware, check out SANS FOR528: Ransomware and Cyber Extortion.