Description
A ransomware campaign run by the Codefinger group is actively targeting Amazon S3 buckets. According to Halcyon's research, the attacks use AWS Server-Side Encryption with customer-provided keys (SSE-C) to encrypt data, and the attackers then demand a ransom for the symmetric AES-256 keys needed to decrypt it. Recovery is impossible without the key, because AWS does not store customer-provided keys.
The threat actors use compromised AWS credentials to issue s3:GetObject and s3:PutObject requests. They trigger encryption by setting the x-amz-server-side-encryption-customer-algorithm header on the PutObject request, supplying an AES-256 key that they generate and keep locally. They also mark the files for deletion within seven days using the S3 Object Lifecycle Management API.
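The two steps described above, bulk PutObject calls with SSE-C and a short-expiry lifecycle rule, both leave CloudTrail records. The following is an added example, not part of the advisory or Halcyon's research, that triages a constructed batch of CloudTrail events for exactly those two patterns. The field names it reads (additionalEventData.SSEApplied, requestParameters.LifecycleConfiguration.Rule, the PutBucketLifecycle event name) are assumed from CloudTrail's S3 event format, and the threshold of five SSE-C writes by one principal within ten minutes is a constructed tuning value.

```python
"""
Added example (not from the advisory): triage CloudTrail S3 events for
(1) bulk SSE-C PutObject activity by a single principal and
(2) lifecycle rules that expire objects within a few days.

Assumed field names (from CloudTrail's S3 data-event format, not the page):
  additionalEventData.SSEApplied == "SSE_C" marks an SSE-C write
  requestParameters.LifecycleConfiguration.Rule holds lifecycle rules
"""
from collections import defaultdict
from datetime import datetime, timedelta

BULK_THRESHOLD = 5               # constructed tuning value
WINDOW = timedelta(minutes=10)   # constructed tuning value
SHORT_EXPIRY_DAYS = 7            # matches the seven-day deletion in the advisory


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def find_bulk_ssec_writes(events, threshold=BULK_THRESHOLD, window=WINDOW):
    """Return {principal_arn: max_writes_in_window} for principals whose
    SSE-C PutObject calls reach `threshold` inside any sliding `window`."""
    by_principal = defaultdict(list)
    for e in events:
        if e.get("eventName") != "PutObject":
            continue
        if e.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        by_principal[e["userIdentity"]["arn"]].append(_ts(e))

    hits = {}
    for arn, times in by_principal.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[arn] = best
    return hits


def find_short_expiry_rules(events, max_days=SHORT_EXPIRY_DAYS):
    """Return (bucket, principal_arn, days) for lifecycle rules that expire
    objects within `max_days` days."""
    findings = []
    for e in events:
        if e.get("eventName") not in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
            continue
        rules = e["requestParameters"]["LifecycleConfiguration"]["Rule"]
        if isinstance(rules, dict):      # single rule is not wrapped in a list
            rules = [rules]
        for rule in rules:
            days = rule.get("Expiration", {}).get("Days")
            if days is not None and int(days) <= max_days:
                findings.append((e["requestParameters"]["bucketName"],
                                 e["userIdentity"]["arn"], int(days)))
    return findings


# Constructed sample events (placeholder account id, bucket and ARNs).
ATTACKER = "arn:aws:iam::111122223333:user/compromised-ci"
LEGIT = "arn:aws:iam::111122223333:role/backup-job"


def _put(minute, arn, sse):
    return {"eventName": "PutObject", "eventTime": f"2025-01-10T12:{minute:02d}:00Z",
            "userIdentity": {"arn": arn}, "additionalEventData": {"SSEApplied": sse},
            "requestParameters": {"bucketName": "example-bucket"}}


SAMPLE_EVENTS = (
    [_put(m, ATTACKER, "SSE_C") for m in range(6)]          # six SSE-C writes in 5 min
    + [_put(30, LEGIT, "SSE_KMS"), _put(45, LEGIT, "SSE_KMS")]  # normal KMS writes
    + [{"eventName": "PutBucketLifecycle", "eventTime": "2025-01-10T12:07:00Z",
        "userIdentity": {"arn": ATTACKER},
        "requestParameters": {"bucketName": "example-bucket",
                              "LifecycleConfiguration": {"Rule": {"ID": "expire",
                                                                   "Status": "Enabled",
                                                                   "Expiration": {"Days": "7"}}}}}]
)

if __name__ == "__main__":
    print("bulk SSE-C writers:", find_bulk_ssec_writes(SAMPLE_EVENTS))
    print("short-expiry rules:", find_short_expiry_rules(SAMPLE_EVENTS))
```

On real data, feed the functions the parsed `Records` array from CloudTrail log files (S3 data events must be enabled for the bucket for PutObject to appear at all), and alert on either finding; a principal that shows up in both is the strongest signal.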
Impact
- Data encrypted using SSE-C cannot be recovered without the attackers’ decryption keys.
- Compromised credentials enable attackers to gain access, encrypt data, and render it inaccessible.
- AWS CloudTrail logs only an HMAC for the encryption process, not the key itself, so the logs cannot be used to reconstruct the key or recover the data.
Recommendations
To mitigate the risk, organizations using Amazon S3 buckets should:
- Secure AWS accounts:
  - Implement strict security controls following AWS best practices.
  - Restrict SSE-C usage with a policy Condition element that denies requests specifying a customer-provided key.
- Review AWS permissions:
  - Limit permissions to the minimum required and rotate active access keys regularly.
  - Disable unused keys.
- Enable detailed logging:
  - Monitor S3 operations for suspicious activity such as bulk encryption or policy changes.
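One way to apply the "restrict SSE-C" recommendation is a bucket policy whose Deny statement matches any PutObject request that carries the customer-algorithm header. The block below is an added example, not the advisory's or AWS's own code: it builds that policy and includes a small local model of how the Null condition operator is evaluated, so the statement can be sanity-checked against sample requests before it is applied. The condition key s3:x-amz-server-side-encryption-customer-algorithm is an AWS-documented S3 condition key; the bucket name is a placeholder, and the evaluator is a simplification that handles only Deny statements with Null conditions.

```python
"""
Added example (not from the advisory): a bucket policy that denies SSE-C
uploads, plus a minimal local model of the Null condition operator used to
sanity-check it. Apply the real policy with
`aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`.
"""
import json

BUCKET = "example-bucket"   # placeholder, not from the page

DENY_SSE_C_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyServerSideEncryptionWithCustomerKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                # Null: "false" means the condition key IS present in the request,
                # i.e. the caller supplied x-amz-server-side-encryption-customer-algorithm.
                "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
            },
        }
    ],
}


def policy_json():
    """Serialize the policy as the JSON document put-bucket-policy expects."""
    return json.dumps(DENY_SSE_C_POLICY, indent=2)


def request_context(headers):
    """Map the encryption-related request headers onto S3 condition keys.
    Only the two keys relevant here are modelled."""
    ctx = {}
    alg = headers.get("x-amz-server-side-encryption-customer-algorithm")
    if alg is not None:
        ctx["s3:x-amz-server-side-encryption-customer-algorithm"] = alg
    sse = headers.get("x-amz-server-side-encryption")
    if sse is not None:
        ctx["s3:x-amz-server-side-encryption"] = sse
    return ctx


def _null_condition_matches(cond, ctx):
    """Null operator semantics: "true" matches when the key is absent from
    the request context, "false" matches when it is present."""
    for key, want in cond.items():
        present = key in ctx
        if (want == "true") != (not present):
            return False
    return True


def is_denied(policy, action, headers):
    """Simplified evaluation: a request is denied if any Deny statement
    names the action and its Null condition matches. Allow statements,
    Principal and Resource matching are out of scope for this model."""
    ctx = request_context(headers)
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if action not in actions:
            continue
        null_conds = [v for op, v in st.get("Condition", {}).items() if op == "Null"]
        if all(_null_condition_matches(c, ctx) for c in null_conds):
            return True
    return False


if __name__ == "__main__":
    print(policy_json())
    # Constructed sample requests: an SSE-C upload and an SSE-KMS upload.
    print("SSE-C upload denied:",
          is_denied(DENY_SSE_C_POLICY, "s3:PutObject",
                    {"x-amz-server-side-encryption-customer-algorithm": "AES256"}))
    print("SSE-KMS upload denied:",
          is_denied(DENY_SSE_C_POLICY, "s3:PutObject",
                    {"x-amz-server-side-encryption": "aws:kms"}))
```

With `Principal` set to `*` the statement blocks SSE-C for every caller, which is the right default for buckets that never use customer-provided keys; where a workload legitimately needs SSE-C, narrow the statement to the principals that should not use it rather than dropping it, and keep the CloudTrail monitoring in place either way.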
References
New Amazon Ransomware Attack— ‘Recovery Impossible’ Without Payment
For further assistance, contact us at info@accorian.com or schedule an appointment via our Calendly link.
Threat Advisory
Team Accorian