Researchers from Halcyon's RISE Team identified a new ransomware technique targeting Amazon Web Services (AWS) S3 storage. The attack, attributed to a threat actor known as Codefinger, leverages AWS's built-in Server-Side Encryption with Customer Provided Keys (SSE-C) feature to encrypt victims' data.
Unlike traditional ransomware that encrypts files locally, this novel approach abuses AWS's native encryption infrastructure. The attack doesn't exploit any AWS vulnerability but instead relies on compromised AWS account credentials with permissions to read and write S3 objects.
The attack workflow begins when Codefinger identifies AWS keys with necessary S3 bucket permissions. Using these credentials, the attacker initiates encryption through the SSE-C feature, generating AES-256 encryption keys that are retained only by the attacker.
AWS performs the encryption but records only a hash-based message authentication code (HMAC) in CloudTrail logs, which cannot be used to reconstruct the key, so data recovery is impossible without the attacker's key.
“This ransomware campaign is particularly dangerous because of SSE-C’s design,” the Halcyon researchers warned, “by integrating directly with AWS’s secure encryption infrastructure and encrypting the data, recovery is impossible without the attacker’s key.”
To increase pressure on victims, the attackers implement S3 Object Lifecycle policies that mark files for deletion within seven days. They also leave ransom notes containing Bitcoin payment details and warnings against modifying account permissions.
Halcyon researchers have identified two victims in recent weeks, suggesting this technique could gain broader adoption among cybercriminals. The attack is particularly concerning because it exploits legitimate AWS features and leaves minimal forensic evidence.
AWS has responded to these findings by emphasizing its shared responsibility model for security. It recommends customers implement security best practices, including restricting SSE-C usage through IAM policies, regularly auditing AWS keys, and enabling detailed logging for S3 operations.
Last week, Rhino Security Labs also uncovered a related vulnerability in AWS S3 storage systems, demonstrating how attackers could encrypt S3 bucket contents using AWS Key Management Service (KMS). Their research showed attackers could encrypt approximately 900 MB of data per second, potentially affecting massive amounts of corporate data in minutes.
Organizations can protect themselves by implementing IAM conditions to prevent unauthorized SSE-C usage, monitoring AWS credentials, and maintaining comprehensive logging of S3 activities.
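The two controls recommended above, a policy condition that blocks SSE-C writes and monitoring of S3 activity, as an added example that is not code from the article, from Halcyon or from AWS. The bucket policy uses the documented S3 condition key `s3:x-amz-server-side-encryption-customer-algorithm`; the CloudTrail scan assumes that S3 data events carry `additionalEventData.SSEApplied` with the value `SSE_C` for customer-key writes and that `PutBucketLifecycle` events carry their rules under `requestParameters.LifecycleConfiguration.Rule` (both labelled as assumptions in the code). The log records, bucket name, ARNs and access key IDs are constructed sample data.

```python
"""
Added example (not from the Halcyon article or AWS): preventing SSE-C writes
with a bucket policy, and flagging the two actions this campaign relies on
(SSE-C object writes and short lifecycle expirations) in CloudTrail records.
"""
import json
from typing import Iterable

# --- 1. Prevention: bucket policy that refuses any write requesting SSE-C ---
# s3:x-amz-server-side-encryption-customer-algorithm is the S3 condition key
# that mirrors the SSE-C request header. "Null": "false" means "the key is
# present", i.e. the caller asked for SSE-C. Plain, SSE-S3 and SSE-KMS writes
# do not set it, so this Deny statement never matches them.
def deny_sse_c_policy(bucket: str) -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyServerSideEncryptionWithCustomerKeys",
            "Effect": "Deny",
            "Principal": "*",
            # CopyObject is authorised as s3:PutObject on the destination object
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
            },
        }],
    }

# Applying it is a network call, shown here only as a comment:
#   boto3.client("s3").put_bucket_policy(
#       Bucket=bucket, Policy=json.dumps(deny_sse_c_policy(bucket)))

# --- 2. Detection: scan CloudTrail S3 data and management events -----------
# Assumption: S3 data events carry additionalEventData.SSEApplied == "SSE_C"
# for customer-key writes, and PutBucketLifecycle events carry the rule set
# under requestParameters.LifecycleConfiguration.Rule (a dict or list of dicts).
WRITE_EVENTS = {"PutObject", "CopyObject"}
EXPIRY_THRESHOLD_DAYS = 30  # short expirations are the pressure tactic described above

def _lifecycle_rules(event: dict) -> list[dict]:
    cfg = (event.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    rules = cfg.get("Rule", [])
    return rules if isinstance(rules, list) else [rules]

def scan_cloudtrail(records: Iterable[dict]) -> list[dict]:
    """Return one finding per suspicious record; ordinary writes produce none."""
    findings = []
    for ev in records:
        identity = ev.get("userIdentity") or {}
        params = ev.get("requestParameters") or {}
        extra = ev.get("additionalEventData") or {}
        base = {"time": ev.get("eventTime"), "actor": identity.get("arn", "unknown"),
                "access_key": identity.get("accessKeyId", "unknown"),
                "bucket": params.get("bucketName")}
        name = ev.get("eventName")
        if name in WRITE_EVENTS and extra.get("SSEApplied") == "SSE_C":
            findings.append({"type": "sse_c_write", "key": params.get("key"), **base})
        elif name == "PutBucketLifecycle":
            days = [r.get("Expiration", {}).get("Days")
                    for r in _lifecycle_rules(ev) if r.get("Status") == "Enabled"]
            short = [d for d in days if isinstance(d, int) and d <= EXPIRY_THRESHOLD_DAYS]
            if short:
                findings.append({"type": "short_expiration_lifecycle",
                                 "expire_days": min(short), **base})
    return findings

# Constructed sample records (not real logs), in the shape CloudTrail uses.
_IDENTITY = {"arn": "arn:aws:iam::123456789012:user/app-deploy", "accessKeyId": "AKIAEXAMPLE1"}
SAMPLE_RECORDS = [
    {"eventTime": "2025-01-10T09:12:01Z", "eventName": "PutObject", "userIdentity": _IDENTITY,
     "requestParameters": {"bucketName": "corp-data", "key": "reports/q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_S3"}},          # benign write
    {"eventTime": "2025-01-10T09:15:44Z", "eventName": "PutObject", "userIdentity": _IDENTITY,
     "requestParameters": {"bucketName": "corp-data", "key": "reports/q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},           # re-encrypted with attacker key
    {"eventTime": "2025-01-10T09:16:02Z", "eventName": "PutBucketLifecycle", "userIdentity": _IDENTITY,
     "requestParameters": {"bucketName": "corp-data",
                           "LifecycleConfiguration": {"Rule": {"Status": "Enabled",
                                                               "Expiration": {"Days": 7}}}}},
]

if __name__ == "__main__":
    print(json.dumps(deny_sse_c_policy("corp-data"), indent=2))
    for finding in scan_cloudtrail(SAMPLE_RECORDS):
        print(finding)
```

The scan deliberately keys on the access key ID as well as the principal ARN: the article's point is that the attacker holds a legitimate key, so a burst of SSE-C writes from a key that has never used SSE-C before, followed minutes later by a lifecycle change on the same bucket, is the pattern worth alerting on.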
Halcyon warns that similar encryption features in other cloud platforms could be vulnerable to comparable attacks, highlighting the need for robust cloud security measures.