
AWS Creds Stolen by Codefinger in Extortion Attacks

Attacker 'Codefinger' gains AWS credentials and removes access, seeking payment for the keys.

A ransomware campaign that targets Amazon S3 buckets and locks out users has been detected.

This attack leverages AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data, then demands ransom payments for the symmetric AES-256 keys required to decrypt it, Halcyon reported.

The company claimed that the attack does not require the exploitation of any AWS vulnerability, but relies on the threat actor first obtaining an AWS customer’s account credentials. “With no known method to recover the data without paying the ransom, this tactic represents a significant evolution in ransomware capabilities,” it said.

The attacker behind this tactic has been named ‘Codefinger’. After obtaining AWS account credentials and their encryption keys, the attacker proceeds to remove targeted organisations' access to the accounts and seek payment for the keys.

Halcyon researchers noted that ransom payment is the only means to facilitate data recovery following the intrusion.

AWS has said that it immediately notifies customers with exposed keys, who have been urged to examine reported key exposures and implement quarantine policies.
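Because the campaign depends on SSE-C writes made with valid credentials, defenders can look for that pattern in CloudTrail S3 data events. The sketch below is an added example, not code from Halcyon or AWS; it assumes data-event logging is enabled and that the SSE-C request header is recorded under `requestParameters`, and the ARNs, bucket names and threshold are constructed.

```python
import json
from collections import Counter

# Real S3 request header that selects SSE-C; assumed here to be recorded
# under requestParameters in CloudTrail S3 data events.
SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject"}

# Constructed sample records (not real logs), one JSON document per line.
SAMPLE_LOG = """
{"eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/backup-svc"},"requestParameters":{"bucketName":"example-reports","key":"q1.csv"}}
{"eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"example-finance","key":"a.db","x-amz-server-side-encryption-customer-algorithm":"AES256"}}
{"eventName":"CopyObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"example-finance","key":"b.db","x-amz-server-side-encryption-customer-algorithm":"AES256"}}
{"eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"example-finance","key":"c.db","x-amz-server-side-encryption-customer-algorithm":"AES256"}}
{"eventName":"GetObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/analyst"},"requestParameters":{"bucketName":"example-finance","key":"a.db","x-amz-server-side-encryption-customer-algorithm":"AES256"}}
{"eventName":"PutObject","userIdentity":{"arn":"arn:aws:iam::111122223333:user/analyst"},"requestParameters":{"bucketName":"example-reports","key":"n.txt","x-amz-server-side-encryption-customer-algorithm":"AES256"}}
{"eventName":"PutObject","userIdentity"
"""

def sse_c_writes(lines):
    """Count SSE-C object writes per (principal ARN, bucket)."""
    counts = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or malformed record
        if not isinstance(event, dict) or event.get("eventName") not in WRITE_EVENTS:
            continue  # reads with SSE-C do not change stored data
        params = event.get("requestParameters") or {}
        if SSE_C_HEADER not in {k.lower() for k in params}:
            continue
        arn = (event.get("userIdentity") or {}).get("arn", "unknown")
        counts[(arn, params.get("bucketName", "unknown"))] += 1
    return counts

def flag(counts, threshold=2):
    """Return (principal, bucket) pairs at or above the threshold, sorted."""
    return sorted(pair for pair, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for arn, bucket in flag(sse_c_writes(SAMPLE_LOG.splitlines())):
        print(f"review SSE-C writes by {arn} to {bucket}")
```

In an account that never uses SSE-C legitimately, any non-zero count is worth reviewing, so the threshold can be set to 1.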

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
