Ransomware Exploits AWS S3 Buckets to Encrypt Data: Here Is What to Know (A Quick Look)
A new ransomware campaign has emerged, targeting Amazon Web Services (AWS) S3 buckets. This campaign, identified by Halcyon, uses AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data. The attackers, known as “Codefinger,” demand ransoms to provide the decryption key.

How the Attack Works
The attackers first obtain compromised AWS credentials. With these credentials, they gain access to S3 buckets and use the `s3:GetObject` and `s3:PutObject` permissions to read and rewrite the data. They generate an AES-256 encryption key locally and supply it on each upload as a customer-provided key, so S3 itself performs the encryption. Since AWS does not store SSE-C keys (it retains only an HMAC of the key, used to validate later requests), the data cannot be decrypted without the attacker’s key.
Ransom Notes and Data Deletion
After encrypting the data, Codefinger leaves ransom notes in each affected directory. These notes include the attacker’s Bitcoin address and a client ID associated with the encrypted data. The notes also warn victims not to change account permissions or modify files, as this will end negotiations. Additionally, the attackers set a seven-day file deletion policy using the S3 Object Lifecycle Management API, adding urgency to the ransom demand.
Impact and Recommendations
This attack represents a significant evolution in ransomware capabilities. AWS customers are advised to restrict the use of SSE-C and implement strict security protocols. Unused keys should be disabled, active keys should be rotated frequently, and account permissions should be kept at the minimum level required.
Halcyon has reported its findings to Amazon, and the cloud services provider has encouraged customers to take immediate action to resolve unauthorized AWS account activity. By following these recommendations, organizations can better protect their data from such attacks.
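The recommendation above to restrict SSE-C can be enforced with a bucket policy such as the following. This is an added example, not code from Halcyon or from the original article; the bucket name EXAMPLE-BUCKET is a placeholder. The `s3:x-amz-server-side-encryption-customer-algorithm` condition key is only present on requests that supply a customer-provided key, so the `Null: false` test matches exactly those uploads and denies them, which stops objects from being rewritten under a key AWS does not hold.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenySSECUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-BUCKET/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption-customer-algorithm": "false"
        }
      }
    }
  ]
}
```

Attach it to every bucket with no legitimate SSE-C use; the same condition can be placed in an IAM policy or service control policy to block SSE-C account-wide, and an explicit Deny wins even if a compromised identity holds broad `s3:PutObject` rights.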
Conclusion
The Codefinger ransomware campaign highlights the importance of robust security measures for cloud storage. As ransomware tactics continue to evolve, it is crucial for organizations to stay vigilant and implement best practices to safeguard their data.