Particle.news

Ransomware Exploits AWS Encryption to Lock S3 Buckets

The Codefinger ransomware campaign uses AWS's SSE-C feature to encrypt cloud data, making recovery impossible without paying for the attacker's decryption key.

  • A new ransomware group, Codefinger, targets Amazon Web Services (AWS) S3 buckets by leveraging the platform's Server-Side Encryption with Customer-Provided Keys (SSE-C).
  • Attackers use compromised or publicly exposed AWS credentials to encrypt data with locally generated AES-256 keys, which are not stored by AWS, rendering recovery impossible without the attacker's cooperation.
  • Codefinger sets a seven-day file deletion timer using AWS's S3 Object Lifecycle Management API, adding urgency to ransom demands payable in Bitcoin.
  • Victims are warned in ransom notes that any changes to account permissions or files will terminate negotiations, leaving the data permanently inaccessible.
  • Security researchers and AWS advise users to restrict SSE-C usage through IAM policies, frequently rotate and monitor keys, and follow best practices to minimize exposure to such attacks.
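The mitigation in the last bullet, restricting SSE-C through policy, and the two account actions the earlier bullets describe (SSE-C writes and a lifecycle expiration rule) can both be expressed concretely. The block below is an added example, not code from Particle.news, Codefinger or AWS: it builds a bucket policy that denies `PutObject` requests carrying the SSE-C algorithm header (using the documented AWS condition key `s3:x-amz-server-side-encryption-customer-algorithm`), and it scans CloudTrail-style records for the two moves the campaign relies on. The CloudTrail records are constructed samples; the assumption that the SSE-C request header is mirrored by name into `requestParameters`, and that `PutBucketLifecycle` carries the rule's `Expiration.Days`, is noted in the comments.

```python
"""Defensive checks for the SSE-C ransomware pattern.

Added example (not the page's or AWS's own code). Two parts:
  1. sse_c_deny_policy(): bucket policy that denies any PutObject using a
     customer-provided key, so a stolen credential cannot re-encrypt
     objects with a key AWS never holds.
  2. flag_suspicious_events(): scans CloudTrail-style records for SSE-C
     writes and for lifecycle rules that expire objects after a few days.
"""
import json

# AWS-documented condition key for the SSE-C algorithm request header.
SSE_C_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"
# HTTP header sent on SSE-C requests; assumed here to appear by this name
# inside CloudTrail requestParameters for S3 data events.
SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"
# Expiration shorter than this (days) is flagged as ransom-timer-like.
SHORT_EXPIRY_DAYS = 30


def sse_c_deny_policy(bucket: str) -> dict:
    """Return a bucket policy denying PutObject when SSE-C is requested.

    "Null": false means "the condition key is present", so SSE-S3 and
    SSE-KMS writes, which do not send this header, are unaffected.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSE_C_CONDITION_KEY: "false"}},
        }],
    }


def is_sse_c_put(record: dict) -> bool:
    params = record.get("requestParameters") or {}
    return record.get("eventName") == "PutObject" and SSE_C_HEADER in params


def short_expiry_days(record: dict):
    """Return the smallest Expiration.Days in a PutBucketLifecycle record
    if it is below SHORT_EXPIRY_DAYS, else None. Rule shape is assumed."""
    if record.get("eventName") != "PutBucketLifecycle":
        return None
    params = record.get("requestParameters") or {}
    rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
    if isinstance(rules, dict):
        rules = [rules]
    days = [r.get("Expiration", {}).get("Days") for r in rules]
    days = [d for d in days if isinstance(d, int) and d < SHORT_EXPIRY_DAYS]
    return min(days) if days else None


def flag_suspicious_events(records):
    """Return (kind, bucket, detail) tuples for records worth an alert."""
    findings = []
    for r in records:
        params = r.get("requestParameters") or {}
        bucket = params.get("bucketName")
        if is_sse_c_put(r):
            findings.append(("sse-c-put", bucket, params.get("key")))
            continue
        days = short_expiry_days(r)
        if days is not None:
            findings.append(("short-lifecycle-expiry", bucket, days))
    return findings


# Constructed sample records (not real CloudTrail output).
SAMPLE_RECORDS = [
    {"eventName": "PutObject",
     "requestParameters": {"bucketName": "corp-data", "key": "q1.csv",
                           "x-amz-server-side-encryption": "AES256"}},
    {"eventName": "PutObject",
     "requestParameters": {"bucketName": "corp-data", "key": "q2.csv",
                           SSE_C_HEADER: "AES256"}},
    {"eventName": "PutBucketLifecycle",
     "requestParameters": {"bucketName": "corp-data",
                           "LifecycleConfiguration": {"Rule": [
                               {"ID": "x", "Status": "Enabled",
                                "Expiration": {"Days": 7}}]}}},
]

if __name__ == "__main__":
    print(json.dumps(sse_c_deny_policy("corp-data"), indent=2))
    for finding in flag_suspicious_events(SAMPLE_RECORDS):
        print("ALERT", finding)
```

The first sample record is an ordinary SSE-S3 write and produces no finding; only the SSE-C write and the seven-day expiration rule are reported. Apply the policy with `put-bucket-policy` before an incident, since once objects are already encrypted under an attacker's key the policy no longer helps.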