Ransomware and cloud servers



  • Can a ransomware attack on a user's local machine affect the server of the company he works for, even if that server is in the cloud (VPS) and can only be accessed via SSH (with a key file, no password)?

    Team environment for remote administration: The only software that allows access to the server with the website files is Termius (SSH), Transmit (SFTP) and TablePlus (for direct connection to a database, which is on another server and has no access to configuration files). All with IP restriction for access.

    Server environment: Servers will only allow writing, deleting and modifying files if the user is root. For the user who connected via SSH to run sudo, a password always has to be entered.

    With these settings is there any risk?



  • If the user's public ssh key is stored in the cloud server's authorized_keys, then the user's local machine has unfettered access to any files that the user has been granted permissions to access on the cloud server. In that case, once the ransomware has infected the user's local machine, there is nothing to stop it from accessing these files on the cloud server. It's just a matter of whether or not the ransomware has been programmed to look for this possibility and exploit it.


    Edit - I see that you added the following to your question after I posted the answer above:

    Server environment: Servers will only allow writing, deleting and modifying files if the user is root. To run sudo by the user who connected via SSH, it is always necessary to enter a password.

    If that's the case, then the ransomware would need the root password to delete or modify files. Having said that, the fact that the user's local machine has been compromised means that the attacker is only limited by the user's privileges in terms of what they can do on the machine. Therefore, the ransomware or the attacker could easily install a keylogger, and pick up the root password that way. Again, it's a matter of whether or not the ransomware was programmed to look for this possibility and exploit it.
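The answer's point is that a key in `authorized_keys` is only as safe as the laptop holding the private half. One server-side control that limits what a stolen key can do is the options field of `authorized_keys`: `from="..."` pins the key to source addresses and `restrict` (OpenSSH 7.2 and later) turns off forwarding, PTY allocation and similar extras. The script below is an added example, not code from the original post or from any of the tools it names; it audits an `authorized_keys` file and lists the entries that carry no `from=` restriction, using a constructed sample file. The option parsing is a heuristic: it treats everything before the key-type field as options and assumes a quoted option value contains no spaces.

```shell
#!/bin/sh
# Added example: report authorized_keys entries that lack a from= source restriction.

# Print the comment field of every key entry in FILE that has no from= option.
# Usage: unrestricted_keys FILE
unrestricted_keys() {
  awk '
    /^[[:space:]]*(#|$)/ { next }            # skip comment and blank lines
    {
      restricted = 0
      for (i = 1; i <= NF; i++) {
        # the first field that looks like a key type ends the options section
        if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
        if ($i ~ /(^|,)from=/) restricted = 1
      }
      if (!restricted) print $NF             # last field is the key comment
    }' "$1"
}

# Count the unrestricted entries in FILE (prints a bare integer, never fails).
# Usage: count_unrestricted FILE
count_unrestricted() {
  unrestricted_keys "$1" | awk 'END { print NR }'
}

# Constructed sample authorized_keys file (key material is a placeholder, not real keys).
SAMPLE_KEYS=$(mktemp)
printf '%s\n' \
  '# constructed sample for the audit above' \
  'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYONE alice@laptop' \
  'from="203.0.113.0/24",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYTWO bob@laptop' \
  'restrict,command="/usr/local/bin/backup" ssh-rsa AAAAB3NzaC1yc2EEXAMPLEKEYTHREE backup@ci' \
  > "$SAMPLE_KEYS"

# Stand-alone run: prints alice@laptop and backup@ci, the two keys without from=.
echo "Keys with no from= restriction in $SAMPLE_KEYS:"
unrestricted_keys "$SAMPLE_KEYS"
```

Run it against a real `~/.ssh/authorized_keys` by replacing `$SAMPLE_KEYS` with that path. A `from=` restriction does not help when the ransomware runs on the very laptop that is already allowed in, which is the scenario the answer describes; it does stop a copied key from being used from anywhere else, and `restrict` keeps a compromised client from turning the key into a port-forwarding pivot.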

