
AWS Creds Stolen by Codefinger in Extortion Attacks

Attacker 'Codefinger' gains AWS credentials and removes access, seeking payment for the keys.

A ransomware campaign which targets Amazon S3 buckets and locks out users has been detected.

According to Halcyon, the attack leverages AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data, then demands ransom payments for the symmetric AES-256 keys required to decrypt it.

The company claimed that the attack does not require the exploitation of any AWS vulnerability, but relies on the threat actor first obtaining an AWS customer’s account credentials. “With no known method to recover the data without paying the ransom, this tactic represents a significant evolution in ransomware capabilities,” it said.

The attacker behind this tactic has been named ‘Codefinger’. After obtaining AWS account credentials and their encryption keys, the attacker removes targeted organisations' access to the accounts and seeks payment for the keys.

Halcyon researchers noted that ransom payment is the only means to facilitate data recovery following the intrusion.

AWS has said that it immediately notifies customers whose keys are exposed; those customers have been urged to examine reported key exposures and implement quarantine policies.
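For defenders, the SSE-C usage described above can be hunted for in S3 audit logs. The following is an added example, not code from the article, Halcyon or AWS: it flags principals that make repeated successful SSE-C writes to a bucket. It assumes CloudTrail S3 data events are enabled and that the SSE-C request header appears under `requestParameters`; the account ID, principals, buckets and records are constructed.

```python
from collections import defaultdict

# Request header that marks an SSE-C operation (assumed to appear in requestParameters).
SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}

def _ev(name, arn, bucket, key, sse_c=False, error=None):
    """Build one constructed record shaped like a CloudTrail S3 data event."""
    params = {"bucketName": bucket, "key": key}
    if sse_c:
        params[SSE_C_HEADER] = "AES256"
    ev = {"eventSource": "s3.amazonaws.com", "eventName": name,
          "userIdentity": {"arn": arn}, "requestParameters": params}
    if error:
        ev["errorCode"] = error
    return ev

CI = "arn:aws:iam::111122223333:user/ci-deploy"      # constructed principals
ANALYST = "arn:aws:iam::111122223333:user/analyst"
SAMPLE_EVENTS = [  # constructed sample data, not real logs
    _ev("PutObject", CI, "example-backups", "db/a.dump", sse_c=True),
    _ev("CopyObject", CI, "example-backups", "db/b.dump", sse_c=True),
    _ev("PutObject", CI, "example-backups", "db/c.dump", sse_c=True, error="AccessDenied"),
    _ev("GetObject", CI, "example-backups", "db/a.dump", sse_c=True),
    _ev("PutObject", ANALYST, "example-backups", "logs/app.log"),
    _ev("PutObject", ANALYST, "example-reports", "q1.csv", sse_c=True),
]

def find_sse_c_writes(events, threshold=2):
    """Return {(principal_arn, bucket): [keys]} where successful SSE-C writes >= threshold."""
    hits = defaultdict(list)
    for ev in events:
        params = ev.get("requestParameters") or {}
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") not in WRITE_EVENTS:
            continue  # reads with a customer key do not change stored data
        if ev.get("errorCode") or SSE_C_HEADER not in params:
            continue  # skip failed requests and writes that did not use SSE-C
        arn = (ev.get("userIdentity") or {}).get("arn", "unknown")
        hits[(arn, params.get("bucketName"))].append(params.get("key"))
    return {k: v for k, v in hits.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (arn, bucket), keys in find_sse_c_writes(SAMPLE_EVENTS).items():
        print(f"ALERT {arn} wrote {len(keys)} SSE-C objects to {bucket}: {keys}")
```

In an environment that never uses SSE-C legitimately, a threshold of 1 is reasonable, since any successful SSE-C write is then unexpected.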

Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
