Article

Ransomware Alert: How attackers sneak into your SAP system

How the cloud becomes a lifeline

Imagine it's Saturday evening, 10:30 p.m. Most of your employees are enjoying their well-deserved weekend. But in the digital bowels of your company network, trouble is brewing. Unnoticed, cybercriminals have taken up residence and are preparing their final blow.

Their goal: to paralyze your critical systems, the heart of your business, your SAP, and extort a ransom from you. A nightmare? For many companies, it's a bitter reality. But there are ways to protect yourself – and the cloud is playing an increasingly central role.

This article takes you on an attacker's journey through your IT systems and reveals how a well-thought-out cloud strategy and innovative protection mechanisms such as ALPACA SAP DR Ransomware Protection can mean the difference between disaster and a quick recovery.

The anatomy of an attack: The silent intrusion into the on-premise paradise

The attack outlined here is not a theoretical construct, but is based on real incidents. It illustrates how attackers proceed when systems are still operated on-premise in the traditional manner and which vulnerabilities they exploit mercilessly.

Phase 1: Reconnaissance – digital traces on the network

It all starts with gathering information. Ransomware attackers are patient. They use specialized search engines such as Shodan to search for externally exposed systems and software that have known vulnerabilities (CVEs – Common Vulnerabilities and Exposures). Any system that communicates directly with the internet is a potential gateway. In our case study, the attackers came across time tracking software. This software, integrated into the company network, offered an external HTTP endpoint – a necessity for remote access by employees, but also an open window for malicious actors if not adequately secured.

Cloud concept: If this service had already been obtained as a SaaS solution from the cloud or connected via a secure cloud access security broker (CASB), the cloud provider would have borne much of the responsibility for securing the underlying infrastructure and quickly fixing known vulnerabilities. The attack surface of the company's own network would have been smaller.

Phase 2: Getting a foot in the door – thanks to code injection

The research was successful: The identified time tracking software had a known security vulnerability for code injection. Using the publicly accessible HTTP endpoint, the attackers were able to inject malicious code and gain initial access to the server running the software. Although this server was not located in the core zone of the data center, it was part of the internal network. The first hurdle had been cleared.

Cloud concept: Modern cloud platforms offer web application firewalls (WAFs) and advanced intrusion detection/prevention systems (IDS/IPS) that can often nip such attack attempts in the bud before they reach the actual server. Regular automated vulnerability scans are standard here.

Phase 3: In the network – The art of lateral movement and reconnaissance

Once inside the network, the attackers' real work begins. They initially behave inconspicuously, like a digital submarine. Their goal: to understand the infrastructure, gain administrator rights, and identify the crown jewels.

Through careful network mapping and exploiting other, often internal, vulnerabilities or misconfigured permissions, they moved laterally through the network. They discovered that this company relies on an extensive SAP landscape running on SAP HANA databases. The underlying infrastructure consisted of NetApp storage systems and a VMware virtualization layer. This information is worth its weight in gold to the attackers, as they now know exactly where the most sensitive data and critical systems are located.

Cloud concept: In a well-segmented cloud environment, for example with virtual private clouds (VPCs) and strict network security groups (NSGs) or firewalls, lateral movement would be much more difficult. SAP systems in the cloud can be operated in highly isolated environments where access paths can be granularly controlled and monitored. Cloud-native SIEM (security information and event management) solutions can detect suspicious activity that indicates lateral movement more quickly.
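The segmentation point above can be checked rather than assumed. The following Python example is added here and is not code from the original article, PCG or ALPACA: it models network zones and the firewall rules between them as a directed graph, then asks whether an internet-exposed zone (the time-tracking server's zone in the case study) can reach the SAP and storage/hypervisor management zones without passing through a monitored chokepoint such as an MFA-protected jump host. The zone names, rules and ports are constructed sample data.

```python
"""Zone reachability check for a segmented network (added example, not from the article).

A flat topology and a segmented one are compared: in the flat case the DMZ host
can hop through the office zone straight to the SAP and management zones, which is
exactly the lateral movement described in Phase 3.
"""
from collections import deque

# Constructed sample rules: (source zone, destination zone, allowed service).
# "dmz" hosts the internet-facing time-tracking server from the case study.
FLAT_NETWORK_RULES = [
    ("internet", "dmz", "tcp/443"),
    ("dmz", "office", "any"),       # DMZ allowed to talk to the whole office LAN
    ("office", "sap", "any"),       # office LAN allowed to reach SAP HANA hosts
    ("office", "mgmt", "any"),      # ... and the NetApp / VMware management zone
]

SEGMENTED_RULES = [
    ("internet", "dmz", "tcp/443"),
    ("dmz", "office", "tcp/8443"),  # only the application port, nothing else
    ("office", "jump", "tcp/22"),   # admins go through an MFA-protected jump host
    ("jump", "sap", "tcp/3200"),    # sample SAP dispatcher port
    ("jump", "mgmt", "tcp/443"),    # storage / hypervisor management UIs
]

CROWN_JEWELS = {"sap", "mgmt"}      # zones the attackers needed in Phases 3 and 4


def build_graph(rules):
    """Adjacency sets from the rule list; every zone mentioned gets a node."""
    graph = {}
    for src, dst, _service in rules:
        graph.setdefault(src, set()).add(dst)
        graph.setdefault(dst, set())
    return graph


def reachable_paths(rules, start):
    """Breadth-first search: returns {zone: shortest path as list} from start."""
    graph = build_graph(rules)
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def exposed_crown_jewels(rules, entry="internet", jewels=CROWN_JEWELS, chokepoints=("jump",)):
    """Crown-jewel zones reachable from `entry` without touching any chokepoint zone.

    Chokepoint zones are removed from the graph first, so a path that exists only
    via the jump host is not reported; a path around it is a segmentation gap.
    """
    filtered = [(s, d, p) for s, d, p in rules
                if s not in chokepoints and d not in chokepoints]
    paths = reachable_paths(filtered, entry)
    return {zone: " -> ".join(paths[zone]) for zone in sorted(jewels) if zone in paths}


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_NETWORK_RULES), ("segmented", SEGMENTED_RULES)):
        gaps = exposed_crown_jewels(rules)
        print(f"{label}: {gaps if gaps else 'no unmonitored path to crown jewels'}")
```

Running the block reports both lateral paths for the flat network and none for the segmented one. The same function can be fed rules exported from a real firewall or cloud security-group configuration once they are reduced to zone-to-zone tuples; the value is in re-running it after every rule change, not in the one-off answer.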

Phase 4: Preparing the final blow – sabotaging the defense

Before the actual encryption begins, attackers attempt to sabotage their victims' recovery options. In this case, they focused on two critical points:

  1. NetApp Snapshots: The company used NetApp Snapshots as its primary backup method. This was a fatal mistake, as snapshots are not true backups because they are stored on the same system. The attackers managed to access the NetApp systems and delete the snapshot backups. The result: data loss.
  2. VMware compromise: At the same time, they compromised the VMware environment. They manipulated the systems so that the virtual machines (VMs) of the SAP systems and other critical applications could no longer be easily restarted.

These steps are insidious: even if the victim notices the encryption, the most obvious recovery options have already been destroyed.

Cloud concept: Genuine backup strategies in the cloud rely on geo-redundant, versioned, and often immutable storage in separate availability zones or even regions. Services such as Azure Backup, AWS Backup, or Google Cloud Backup offer robust solutions that are isolated from compromise of the primary on-premises environment or even the primary cloud workload environment. Restoring VMs in the cloud is often standardized and less susceptible to manipulation of the underlying hypervisor layer, as this is managed by the cloud provider.

Phase 5: The strike – Saturday, 10:30 p.m.

The timing is strategic: late on a Saturday evening is when the likelihood of rapid discovery and response is lowest. The attackers activated their ransomware. All databases, especially the SAP HANA databases, were encrypted. Critical business processes came to a standstill. They left a message on the systems: a ransom demand with instructions on how to pay for the decryption code. The worst-case scenario had occurred.

The turning point: ALPACA Ransomware Protection and the power of the cloud

For many companies, this would be the start of a race against time, often accompanied by panic, massive financial losses, and damage to their reputation. But our affected customer had taken precautions with an SAP disaster recovery (DR) plan – a decision that now paid off.

Rescue from the cloud thanks to ALPACA:

  • Regular data mirroring: By using ALPACA Ransomware Protection, the customer had regularly and automatically mirrored its critical data, including the SAP HANA databases, to the cloud. These backups were isolated from the on-premise environment and therefore inaccessible to the attackers.
  • Minimal data loss: Because mirroring ran at short intervals (minutes to hours, which defines the Recovery Point Objective, RPO), the amount of data lost between the last mirror run and the attack was extremely small.
  • Tried and tested emergency concepts: The emergency concepts established with ALPACA were not just theory. Regular recovery tests (disaster recovery tests) ensured that the processes would work in an emergency. Everyone knew what to do.
  • Fast restart in the cloud: Within half a day (the Recovery Time Objective, RTO), the company was able to start its SAP systems and other critical workloads directly in the cloud and resume operations from there. The on-premise environment was immediately isolated and subjected to forensic investigation.
  • Orderly return: After about a month of intensive cleanup, reinstallation, and hardening of the on-premises infrastructure, the data accumulated in the cloud since the attack was automatically and securely migrated back to the company's own data center.

This case impressively demonstrates that a disaster was averted thanks to a DR plan with proactive measures and the intelligent use of cloud resources.


Why the cloud (especially for SAP) makes the difference:

Moving workloads such as SAP to the cloud is not just a trend, but a strategic necessity for improved security and resilience:

  1. Reduced attack surface: Cloud providers invest heavily in the physical and digital security of their data centers. They intercept many standard attack vectors targeting the underlying infrastructure.
  2. Advanced security services: Hyperscalers (AWS, Azure, Google Cloud) offer a wealth of native security tools, from intelligent firewalls and threat detection to identity and access management solutions that are often only feasible on-premises at great expense.
  3. Scalability and flexibility for disaster recovery (DR): In an emergency, systems in the cloud can be quickly scaled up to the required capacity. A “cold” or “warm” DR setup in the cloud is often more cost-effective than setting up a second, identical on-premises infrastructure.
  4. Robust backup and archiving solutions: Cloud storage offers inherent advantages such as geo-redundancy, versioning, and immutability – crucial for ransomware-proof backups.
  5. Specialized SAP solutions: The major cloud providers offer certified and optimized solutions for operating SAP systems, including HANA. These take performance, security, and compliance requirements into account.

Shared responsibility model: The cloud provider is responsible for the security of the cloud, while the customer is responsible for security in the cloud. When properly understood and implemented, this model relieves companies of many basic tasks and allows them to focus on application security.

Protective measures – What you should do now:

The threat is real, but you are not defenseless against it. Here are essential measures to protect your company and your SAP systems:

1. Harden on-premise (if still available):

  • Vulnerability management: Regularly scan all systems, especially those with Internet contact, and patch them promptly.
  • Network segmentation: Isolate critical systems (such as SAP) in separate network zones. Make lateral movements more difficult.
  • Least privilege principle: Only grant the absolutely necessary permissions.
  • Multi-factor authentication (MFA): Wherever possible, for all access, especially administrative access.

2. Rethink your backup strategy – the cloud is a must:

  • 3-2-1 rule (modified): At least 3 copies of your data, on 2 different media, including 1 copy off-site (cloud!) and ideally 1 copy immutable or air-gapped.
  • Snapshots are not backups: Do not rely solely on local snapshots.
  • Regular testing: Test your recovery processes regularly and without prior notice. A backup that cannot be restored is worthless.
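The three backup rules above, and the Phase 4 lesson that snapshots on the compromised array vanished, can be turned into a repeatable check. The following Python example is added here and is not code from the original article, PCG or ALPACA: it describes each backup copy by a handful of attributes, evaluates the inventory against the modified 3-2-1 rule, simulates an attacker who controls the primary environment deleting every copy that is reachable from it, and derives the effective RPO from the copies that survive. The `BackupCopy` attributes, the inventory and the thresholds are constructed assumptions.

```python
"""Backup inventory check: modified 3-2-1 rule plus a "what survives Phase 4" simulation.

Added example, not from the article or ALPACA. All inventory data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str                 # e.g. "netapp-array", "object-storage", "tape"
    location: str               # "primary-site" or "offsite"
    same_system: bool           # lives on the system it protects (a snapshot)
    immutable: bool             # versioned / locked / air-gapped; cannot be deleted in place
    admin_from_primary: bool    # manageable with credentials held in the primary environment
    last_copy: datetime         # when the copy was last refreshed
    last_restore_test: Optional[datetime]


# Constructed point in time matching the article's "Saturday, 10:30 p.m."
NOW = datetime(2025, 6, 14, 22, 30)

# Constructed inventory. The snapshot is what the company in the case study relied on.
SNAPSHOT = BackupCopy("netapp-hourly-snapshot", "netapp-array", "primary-site",
                      same_system=True, immutable=False, admin_from_primary=True,
                      last_copy=NOW - timedelta(hours=1),
                      last_restore_test=NOW - timedelta(days=400))
CLOUD_MIRROR = BackupCopy("cloud-mirror", "object-storage", "offsite",
                          same_system=False, immutable=True, admin_from_primary=False,
                          last_copy=NOW - timedelta(minutes=15),
                          last_restore_test=NOW - timedelta(days=20))
# A cloud copy that is NOT isolated: deletable with the same admin credentials the
# attackers harvested on-premise, and not immutable. The cloud alone is no lifeline.
SHARED_CREDS_MIRROR = BackupCopy("cloud-mirror-shared-creds", "object-storage", "offsite",
                                 same_system=False, immutable=False, admin_from_primary=True,
                                 last_copy=NOW - timedelta(minutes=15),
                                 last_restore_test=NOW - timedelta(days=20))


def survives_compromise(copy: BackupCopy) -> bool:
    """Would this copy survive an attacker who fully controls the primary environment?"""
    if copy.same_system:
        return False        # destroyed together with the array (the NetApp snapshots of Phase 4)
    if copy.admin_from_primary and not copy.immutable:
        return False        # deletable with stolen credentials, wherever it is stored
    return True


def evaluate(backups: List[BackupCopy], now: datetime = NOW,
             primary_medium: str = "netapp-array",
             max_test_age: timedelta = timedelta(days=90)) -> dict:
    """Findings for the modified 3-2-1 rule and the post-compromise recovery position.

    The production data counts as one of the three copies, as in the usual 3-2-1 reading.
    """
    survivors = [c for c in backups if survives_compromise(c)]
    media = {primary_medium} | {c.medium for c in backups}
    findings = {
        "copies": len(backups) + 1,
        "media": len(media),
        "offsite": sum(c.location == "offsite" for c in backups),
        "immutable": sum(c.immutable for c in backups),
        "survivors": [c.name for c in survivors],
        # Data loss bound after the attack: age of the freshest surviving copy.
        "rpo_minutes": None,
        # Copies whose restore has not been exercised recently ("a backup that cannot
        # be restored is worthless").
        "untested": [c.name for c in backups
                     if c.last_restore_test is None or now - c.last_restore_test > max_test_age],
    }
    if survivors:
        freshest = min(now - c.last_copy for c in survivors)
        findings["rpo_minutes"] = int(freshest.total_seconds() // 60)
    findings["rule_3_2_1_ok"] = (findings["copies"] >= 3 and findings["media"] >= 2
                                 and findings["offsite"] >= 1 and findings["immutable"] >= 1)
    return findings


if __name__ == "__main__":
    print("snapshots only:", evaluate([SNAPSHOT]))
    print("snapshots + isolated cloud mirror:", evaluate([SNAPSHOT, CLOUD_MIRROR]))
    print("shared-credential mirror survives?", survives_compromise(SHARED_CREDS_MIRROR))
```

With only the snapshot, the check fails every part of the rule, nothing survives and no RPO can be stated; with the isolated cloud mirror added, one copy survives and the data-loss bound is fifteen minutes. The third copy shows the caveat a practitioner should look for: an offsite copy that the primary environment's administrators can delete is as reachable to an attacker as the snapshots were.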

3. Take a strategic approach to cloud migration:

  • Check which workloads, especially SAP, could benefit from migration to the cloud (resilience, scalability, security).
  • Make active use of the security services offered by cloud providers.
  • Consider specialized solutions such as ALPACA Ransomware Protection, which bridge the gap between on-premises and the cloud and enable a robust DR strategy.

4. Awareness and emergency plans:

  • Employee training: Raise awareness among your employees about phishing and other social engineering tactics.
  • Incident response plan: Have a detailed plan in place for what to do in the event of an attack. Who is responsible? How will communication take place?

Act before it's too late!

Ransomware attacks are not a question of “if,” but “when.” Attackers are rapidly becoming more professional and targeting business-critical systems such as SAP. The traditional on-premise world often no longer offers the agility and robust defense mechanisms that are necessary today.

The cloud, used intelligently and supplemented by innovative solutions such as ALPACA, offers a powerful response to these threats. It not only enables more secure operations, but above all the ability to quickly resume operations after a successful attack – often the decisive factor for the survival of the company.

Don't wait until your name hits the headlines. Review your security strategy, evaluate the potential of the cloud for your SAP systems, and ensure that your emergency plans are more than just paper. Your data, your reputation, and your business success depend on it.



Author

Raphael Schiller

Head of ALPACA

Services Used

Continue Reading

Article
Backup and Disaster Recovery
What most people forget in their SAP disaster recovery plan

A disaster recovery plan is essential. But in times of increasing cyber threats and ransomware attacks, the question arises: Is a plan alone enough? The answer is a resounding no. The key to a truly robust DR strategy lies not only in the plan itself, but also in the smart management of your backup data.

Learn more
Article
Backup and Disaster Recovery
5 advantages of sap disaster recovery in the cloud

How multi-cloud strategies complete your SAP disaster recovery plan

Learn more
Article
Backup and Disaster Recovery
Why your company needs a SAP disaster recovery plan

In today's business world, the availability and security of your SAP systems are critical to your success. But what happens when unexpected events such as natural disasters, cyberattacks, or technical failures occur? An effective disaster recovery plan (DRP) makes the difference between quickly resuming operations and facing business-threatening outages.

Learn more
Case Study
Software
One of Europe's most advanced SAP Cloud data centers

Together with PCG, ZEISS has successfully migrated around 80 SAP systems to the Azure cloud, creating the most modern SAP cloud data center in Europe.

Learn more
See all

Let's work together

United Kingdom
Arrow Down