
A sophisticated ransomware operation targeting Amazon S3 buckets has been uncovered by cybersecurity firm Halcyon. The threat actor, known as “Codefinger,” exploits AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt victims’ cloud storage.
Attack Methodology
The attackers gain access through compromised AWS credentials that carry the s3:GetObject and s3:PutObject permissions. They generate a custom AES-256 encryption key locally and use AWS's native SSE-C feature to re-encrypt the victims' objects with it. Because AWS does not store customer-provided keys, the data cannot be recovered without the attacker's cooperation.
Impact and Tactics
– Implementation of seven-day file deletion policies
– Placement of ransom notes demanding Bitcoin payment
– Threats to terminate negotiations if victims attempt to modify permissions
– At least two confirmed victims, with potential for escalation
Security Recommendations
1. Implement restrictive policies preventing SSE-C usage on S3 buckets
2. Disable unused AWS keys
3. Rotate active keys regularly
4. Maintain minimal required account permissions
5. Monitor for unauthorized AWS account activity
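As an added example (not from Halcyon's report or from AWS), recommendations 1 and 5 can be combined: a bucket policy that denies object uploads carrying an SSE-C header, and a small scan over CloudTrail S3 data events that flags writes where the encryption applied was SSE-C. The bucket name and the event records below are constructed; the s3:x-amz-server-side-encryption-customer-algorithm condition key and the SSEApplied field in CloudTrail are assumed from AWS documentation.

```python
import json

def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy that denies PutObject requests carrying an SSE-C header.
    "Null": "false" matches when the condition key IS present in the request,
    i.e. whenever the caller supplies a customer-provided key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        }],
    }

# Constructed, simplified CloudTrail S3 data-event records (not real logs).
SAMPLE_EVENTS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"},
     "additionalEventData": {"SSEApplied": "SSE_S3"}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q2.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv"},
     "additionalEventData": {"SSEApplied": "SSE_S3"}},
]

def find_sse_c_writes(events):
    """Return (principal, bucket, key) for every object write that used SSE-C.
    A sudden run of such writes from one principal is the signal to act on."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in ("PutObject", "CopyObject"):
            continue
        if ev.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        p = ev["requestParameters"]
        hits.append((ev["userIdentity"]["arn"], p["bucketName"], p["key"]))
    return hits

if __name__ == "__main__":
    print(json.dumps(deny_sse_c_policy("example-bucket"), indent=2))
    for hit in find_sse_c_writes(SAMPLE_EVENTS):
        print("SSE-C write:", hit)
```

The deny statement stops new SSE-C uploads; it does not undo objects already re-encrypted, so the scan is what tells you how far an incident has progressed.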
Amazon has committed to promptly notifying affected customers and encourages implementation of strict security protocols. The incident highlights the growing sophistication of ransomware attacks targeting cloud storage infrastructure.