Ransomware Crews Set Their Sights on the Cloud Control Plane

Varonis warns that attackers are moving beyond servers and endpoints—and into the heart of enterprise cloud management.


For years, ransomware crews followed a predictable playbook: steal data, encrypt what’s left, and demand a payout. Their targets were usually on-premises infrastructure or virtual servers. But that familiar landscape is shifting. According to new research from Varonis, threat actors are increasingly probing the cloud control plane—the layer that governs how organizations provision, manage, and scale their cloud environments.


Such control-plane targeting, once reserved for advanced actors like nation-states or high-sophistication groups such as Scattered Spider, signals a troubling new phase for defenders. By striking at the control plane itself, ransomware operators can leapfrog traditional defenses and gain sweeping access to the very systems companies rely on to run critical workloads.


AWS Keys as the Golden Ticket


At the center of these attacks are AWS access keys—machine-to-machine credentials that allow automation and interaction with Amazon’s APIs. Unlike user passwords, keys can operate independently, meaning a compromised set doesn’t necessarily indicate an account has been fully breached. But in the wrong hands, they can be devastating.


“Targeting your cloud management layer exposes a whole new attack surface, where monitoring and detection may not be as mature,” warned Varonis researchers in their analysis. “Any post-breach ransomware investigation now needs to include the cloud environment.”


A Real-World Incident: Pacu in the Wild


Varonis detailed one AWS incident in which its Data Security Platform detected the use of Pacu, a legitimate open-source exploitation framework for cloud penetration testing. While designed for red teams, Pacu’s modules offer ransomware actors an arsenal:


  • Exfiltration of S3 buckets, RDS databases, and EBS snapshots
  • Exploitation tools for remote code execution and API gateway abuse
  • Persistence techniques through IAM misconfigurations and Lambda backdoors
  • Evasion features to tamper with CloudTrail and CloudWatch logging


In this case, investigators tied the malicious activity back to compromised AWS keys linked to a Veeam Backup Server that had also been struck by on-prem ransomware. The cross-environment intrusion underscored how quickly cloud management layers can become collateral damage in hybrid attacks.


Why It Matters


Unlike traditional endpoint compromises, control plane intrusions can alter how cloud infrastructure itself is created, scaled, and destroyed. That means attackers could exfiltrate enormous volumes of data, disable critical services, or saddle victims with runaway compute costs—damage far beyond a single encrypted server.


Perhaps more concerning, legacy tooling like endpoint detection and response (EDR) software often can’t even see this activity. That leaves defenders blind unless they’ve invested in cloud-native telemetry and anomaly detection.


Recommendations for Defenders


Varonis stresses that organizations must re-examine their defenses with the cloud in mind:


  • Identify: Turn on comprehensive logging across all cloud services and monitor those feeds for anomalies.
  • Prevent: Avoid static programmatic keys when possible; enforce MFA; restrict API access to trusted IP ranges.
  • Mitigate: Minimize key permissions, and use frameworks like Pacu yourself to test for exploitable gaps before adversaries do.
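As an added illustration of the "Identify" and "Prevent" advice above (example code written for this page, not code from Varonis or its report), the following triage runs over constructed CloudTrail records and flags the logging-tamper calls the article lists under Pacu's evasion features, plus any use of an access key from outside a trusted IP range. The trusted range, the API names in the watch list and the key id are assumptions.

```python
import ipaddress

# API calls an automation key should almost never make: each one degrades
# CloudTrail/CloudWatch visibility, the evasion step described in the article.
LOG_TAMPERING = {
    ("cloudtrail.amazonaws.com", "StopLogging"),
    ("cloudtrail.amazonaws.com", "DeleteTrail"),
    ("cloudtrail.amazonaws.com", "UpdateTrail"),
    ("logs.amazonaws.com", "DeleteLogGroup"),
}
# Hypothetical allow-list: the only network this tenant's backup key should call AWS from.
TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def from_trusted_net(ip, trusted_nets=TRUSTED_NETS):
    """True if the caller IP lies in a trusted range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # service-principal callers such as 'ec2.amazonaws.com' carry no IP
        return True
    return any(addr in net for net in trusted_nets)

def triage(events, trusted_nets=TRUSTED_NETS):
    """Return (severity, accessKeyId, reason) tuples, one per suspicious record."""
    alerts = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "?")
        if (ev["eventSource"], ev["eventName"]) in LOG_TAMPERING:
            alerts.append(("high", key, f"log tampering: {ev['eventName']}"))
        if not from_trusted_net(ev["sourceIPAddress"], trusted_nets):
            alerts.append(("medium", key, f"{ev['eventName']} from untrusted IP {ev['sourceIPAddress']}"))
    return alerts

def keys_to_rotate(alerts):
    """Access keys named in any high-severity alert: candidates for immediate deactivation."""
    return {key for sev, key, _ in alerts if sev == "high"}

# Constructed sample records (not from the Varonis incident), trimmed to the fields used above.
def rec(source, name, ip, key="AKIA_PLACEHOLDER_BACKUP"):
    return {"eventSource": source, "eventName": name, "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}}
SAMPLE_EVENTS = [
    rec("s3.amazonaws.com", "ListBuckets", "203.0.113.10"),          # routine call from the trusted range
    rec("cloudtrail.amazonaws.com", "StopLogging", "198.51.100.7"),  # logging disabled from outside it
    rec("ec2.amazonaws.com", "CreateSnapshot", "198.51.100.7"),      # same key, same outside address
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(*alert)
```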


As the report concludes, the trend is clear: ransomware groups no longer see cloud management layers as out of reach. “This case could have been much more impactful had the threat actor remained in the environment longer,” Varonis warned.


The message is stark: the control plane is now fair game, and security teams must prepare for a world where cloud keys—not just endpoints—are the first target.