Hackers Weaponize AWS Encryption to Hold S3 Buckets for Ransom

AWS S3 Buckets Targeted in New Ransomware Campaign

A sophisticated ransomware operation targeting Amazon S3 buckets has been uncovered by cybersecurity firm Halcyon. The threat actor, known as “Codefinger,” exploits AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt victims’ cloud storage.

Attack Methodology
The attackers gain access through compromised AWS credentials with specific permissions (‘s3:GetObject’ and ‘s3:PutObject’). They generate a custom AES-256 encryption key locally and use AWS’s native SSE-C feature to encrypt victims’ data. Since AWS doesn’t store these encryption keys, data recovery becomes impossible without the attacker’s cooperation.

Impact and Tactics
– Implementation of seven-day file deletion policies
– Placement of ransom notes demanding Bitcoin payment
– Threats to terminate negotiations if victims attempt to modify permissions
– At least two confirmed victims, with potential for escalation

Security Recommendations
1. Implement restrictive policies preventing SSE-C usage on S3 buckets
2. Disable unused AWS keys
3. Rotate active keys regularly
4. Maintain minimal required account permissions
5. Monitor for unauthorized AWS account activity
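To make recommendations 1 and 5 concrete, here is an added example (not from the article, Halcyon, or AWS) in Python. The first part builds the bucket policy that refuses any `PutObject` carrying an SSE-C header, using AWS's documented condition key `s3:x-amz-server-side-encryption-customer-algorithm`, and a deliberately minimal evaluator that shows which requests it blocks. The second part scans CloudTrail-style S3 data-event records for the two observable actions described above: object writes that carry the SSE-C header, and lifecycle rules that expire objects within a short window. The records, bucket names and access key ids are constructed for the example, and the exact `requestParameters` field names are an assumption that should be checked against real CloudTrail output before use.

```python
"""Defender-side helpers for the SSE-C ransomware pattern described above.

Added example, not from the article or Halcyon. Field names in the sample
CloudTrail-style records are constructed to resemble S3 data-event logs;
verify them against your own CloudTrail output before deploying.
"""
import json
from typing import Any, Iterable

# --- 1. Bucket policy that refuses SSE-C writes -----------------------------
SSE_C_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy denying any PutObject that carries an SSE-C header.
    "Null": {key: "false"} means 'the key is NOT null', i.e. header present.
    An explicit Deny in the bucket policy wins over an IAM Allow, so a stolen
    key holding s3:PutObject still cannot re-encrypt objects with SSE-C."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSE_C_CONDITION_KEY: "false"}},
        }],
    }


def policy_denies(policy: dict, action: str, request_keys: dict) -> bool:
    """Minimal evaluator for Deny statements with a Null condition, enough to
    illustrate the policy above. Not a full IAM engine."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if action not in actions:
            continue
        null_cond = st.get("Condition", {}).get("Null", {})
        # "false" matches when the key is present, "true" when it is absent.
        if all((key in request_keys) == (want == "false") for key, want in null_cond.items()):
            return True
    return False


# --- 2. CloudTrail scan for the campaign's observable actions -----------------
SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"  # assumed log field name
OBJECT_WRITES = {"PutObject", "CopyObject"}


def _expiration_days(node: Any) -> Iterable[int]:
    """Yield every Expiration.Days value found anywhere in a lifecycle config."""
    if isinstance(node, dict):
        exp = node.get("Expiration")
        if isinstance(exp, dict) and isinstance(exp.get("Days"), int):
            yield exp["Days"]
        for value in node.values():
            yield from _expiration_days(value)
    elif isinstance(node, list):
        for value in node:
            yield from _expiration_days(value)


def flag_events(records: Iterable[dict], max_expiry_days: int = 14) -> list[dict]:
    """Return findings for SSE-C object writes and short-fuse lifecycle rules."""
    findings = []
    for rec in records:
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        who = rec.get("userIdentity", {}).get("accessKeyId", "?")
        bucket = params.get("bucketName", "?")
        if name in OBJECT_WRITES and SSE_C_HEADER in params:
            findings.append({"kind": "sse-c-write", "event": name, "bucket": bucket,
                             "key": params.get("key"), "accessKeyId": who})
        elif name == "PutBucketLifecycle":
            short = [d for d in _expiration_days(params) if d <= max_expiry_days]
            if short:
                findings.append({"kind": "short-expiry-lifecycle", "bucket": bucket,
                                 "days": min(short), "accessKeyId": who})
    return findings


# Constructed sample records; not real log data.
SAMPLE_RECORDS = [
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLEBACKUPJOB"},
     "requestParameters": {"bucketName": "example-bucket", "key": "backups/2025-01.tar",
                           "x-amz-server-side-encryption": "AES256"}},   # SSE-S3: benign
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLESTOLENKEY"},
     "requestParameters": {"bucketName": "example-bucket", "key": "finance/q1.xlsx",
                           SSE_C_HEADER: "AES256"}},                      # SSE-C write: flag
    {"eventName": "CopyObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLESTOLENKEY"},
     "requestParameters": {"bucketName": "example-bucket", "key": "finance/q1.xlsx",
                           SSE_C_HEADER: "AES256"}},                      # SSE-C copy-in-place: flag
    {"eventName": "PutBucketLifecycle", "userIdentity": {"accessKeyId": "AKIAEXAMPLESTOLENKEY"},
     "requestParameters": {"bucketName": "example-bucket", "LifecycleConfiguration": {
         "Rule": [{"ID": "purge", "Status": "Enabled", "Expiration": {"Days": 7}}]}}},  # flag
    {"eventName": "GetObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLESTOLENKEY"},
     "requestParameters": {"bucketName": "example-bucket", "key": "finance/q1.xlsx"}},  # read only
]

if __name__ == "__main__":
    print(json.dumps(deny_sse_c_policy("example-bucket"), indent=2))
    for finding in flag_events(SAMPLE_RECORDS):
        print(finding)
```

The deny policy only blocks new SSE-C writes; it does not recover objects that were already overwritten, so it belongs alongside the credential hygiene and monitoring items rather than replacing them. Tune `max_expiry_days` to what legitimate lifecycle rules in your account look like, and treat any SSE-C write from a key that has never used SSE-C before as a high-priority alert.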

Amazon has committed to promptly notifying affected customers and encourages implementation of strict security protocols. The incident highlights the growing sophistication of ransomware attacks targeting cloud storage infrastructure.