3 days ago
Ransomware Goes Cloud-Native
Ransomware has evolved from encrypting endpoints to abusing cloud features at API speed. Instead of binaries, attackers hijack identities, keys, and control planes to re-encrypt storage, delete snapshots, and lock out admins—often across hybrid and multi-cloud setups (e.g., Storm-0501). Classic detection misses this because “normal” admin calls hide intent. The new defense playbook: treat identity as perimeter, monitor behavioral anomalies in API activity, make backups truly immutable and isolated, automate clean-slate recovery with IaC, and continuously drill resilience. In short—detect by intent, not files; design for containment; and test recovery like production.
Source: HackerNoon
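
One way to "detect by intent" over API activity, as an added example that is not from the original article: each call below is a normal admin action on its own, so the check correlates them per identity and flags an identity that combines several destructive categories within a short window. The AWS CloudTrail event names, the category grouping, the 15-minute window and the sample events are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: AWS CloudTrail event names stand in for "admin calls"; the
# grouping into intent categories is this example's, not the article's.
INTENT = {
    "re_encrypt": {"PutBucketEncryption", "PutKeyPolicy", "ScheduleKeyDeletion", "DisableKey"},
    "destroy_backups": {"DeleteSnapshot", "DeleteDBSnapshot", "DeleteRecoveryPoint"},
    "lock_out_admins": {"DeleteLoginProfile", "DeleteAccessKey", "DetachUserPolicy"},
}
CATEGORY = {name: cat for cat, names in INTENT.items() for name in names}

def find_intent_chains(events, window=timedelta(minutes=15), min_categories=2):
    """Return {identity: sorted categories} for identities that touch at least
    min_categories intent categories inside one sliding time window."""
    by_identity = defaultdict(list)
    for e in events:
        cat = CATEGORY.get(e["eventName"])
        if cat:  # calls outside the watched categories are ignored
            by_identity[e["identity"]].append((datetime.fromisoformat(e["eventTime"]), cat))
    alerts = {}
    for identity, hits in by_identity.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # shrink the window from the left
            cats = {c for _, c in hits[start:end + 1]}
            # keep the widest combination seen for this identity
            if len(cats) >= min_categories and len(cats) > len(alerts.get(identity, ())):
                alerts[identity] = sorted(cats)
    return alerts

def ev(identity, time, name):
    return {"identity": identity, "eventTime": "2024-05-01T" + time, "eventName": name}

# Constructed sample events (not real logs).
SAMPLE = [
    ev("ops-backup-role", "02:00:00", "DeleteSnapshot"),   # routine retention job
    ev("admin-alice", "09:00:00", "DisableKey"),           # two categories, hours apart
    ev("admin-alice", "14:00:00", "DeleteAccessKey"),
    ev("svc-sync", "10:00:05", "PutBucketEncryption"),     # burst across all three
    ev("svc-sync", "10:01:00", "DeleteSnapshot"),
    ev("svc-sync", "10:02:00", "DeleteRecoveryPoint"),
    ev("svc-sync", "10:04:00", "DeleteLoginProfile"),
    ev("svc-sync", "10:05:00", "DescribeInstances"),       # unrelated read call
]

if __name__ == "__main__":
    for identity, cats in find_intent_chains(SAMPLE).items():
        print(identity, "->", ", ".join(cats))
```

Widening `window` trades fewer missed slow-moving chains for more alerts on administrators who legitimately touch keys and credentials on the same day.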