New Codefinger ransomware poses high danger to data.
Ransomware is a cybersecurity threat that just won’t go away. Be it from groups such as those behind the ongoing Play attacks, or kingpins such as LockBit returning from the dead, the consequences of falling victim to an attack are laid bare in reports exposing the reach of ransomware across 2024. A new ransomware threat, known as Codefinger, targeting users of Amazon Web Services S3 buckets, has now been confirmed. Here’s what you need to know.
Ongoing Codefinger Ransomware Attacks Target Amazon Cloud Users
A new ransomware campaign targeting Amazon Web Services users by a threat actor known as Codefinger has been confirmed in a Jan. 13 threat intelligence report from Halcyon’s threat research and intelligence team. The Codefinger attack leverages AWS’s server-side encryption with customer-provided keys, thankfully usually shortened to SSE-C, in order to encrypt data and then demand payment for the symmetric AES-256 keys that are required for it to be successfully decrypted. “This ransomware campaign is particularly dangerous because of SSE-C’s design,” the Halcyon researchers warned, “by integrating directly with AWS’s secure encryption infrastructure and encrypting the data, recovery is impossible without the attacker’s key.”
Halcyon has gone as far as suggesting that Codefinger represents a significant evolution in ransomware capabilities, adding that: “If this spreads quickly, it could pose a systemic threat to organizations using AWS S3 for critical data storage.” I’m not sure I can quite agree that not being able to decrypt data without paying for a key is evolutionary, it’s the basis upon which all ransomware operates, after all, but the use of SSE-C is certainly a novel approach. “Unlike traditional ransomware that encrypts files locally or in transit, this attack integrates directly with AWS’s secure encryption infrastructure,” the researchers said, “once encrypted, recovery is impossible without the attacker’s key.”
All of that said, the attack campaign doesn’t exploit any AWS vulnerability, instead relying upon the age-old tactic of obtaining an AWS customer’s account credentials by hook or by crook.
Amazon Cloud Codefinger Ransomware Attack Flow
The Halcyon report states that the attack flow used by Codefinger is as follows:
- Identify vulnerable AWS keys using publicly disclosed, or previously compromised, keys.
- Encrypt files using SSE-C utilizing an AES-256 encryption key that is generated and stored locally.
- Set lifecycle policies for file deletion, marking these at 7 days using the S3 Object Lifecycle Management application programming interface to add urgency to the ransom demand.
- Deposit a ransom note in each affected directory, warning that any changes to account permissions or files will end negotiations.
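The two steps a defender can see in their own telemetry are the SSE-C writes and the short-lived lifecycle rule. As an added example (not code from the Halcyon report or this article), the following Python scans CloudTrail-style records for both and correlates them per bucket. The records are constructed, and the field names used (SSEApplied, LifecycleConfiguration.Rule.Expiration.Days) follow the CloudTrail S3 event schema as assumed here, so check them against your own logs before relying on the rule.

```python
# Constructed sample CloudTrail records (not real telemetry). Field layout is an
# assumption about CloudTrail's S3 data/management events; verify against real logs.
SAMPLE_EVENTS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "corp-data", "key": "reports/q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "corp-data", "key": "reports/q3.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},   # normal KMS write, ignored
    {"eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "corp-data",
                           "LifecycleConfiguration": {"Rule": {"ID": "expire",
                                                               "Status": "Enabled",
                                                               "Expiration": {"Days": 7}}}}},
]

MAX_EXPIRATION_DAYS = 7  # the deletion window reported for this campaign


def lifecycle_rules(params):
    """CloudTrail renders a single <Rule> as an object and several as a list."""
    rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
    return rules if isinstance(rules, list) else [rules]


def find_codefinger_indicators(events, max_days=MAX_EXPIRATION_DAYS):
    """Return (kind, bucket, detail, actor_arn) tuples for suspicious events.
    Legitimate SSE-C users exist, so allowlist known principals before alerting."""
    findings = []
    for ev in events:
        params = ev.get("requestParameters", {})
        bucket = params.get("bucketName")
        actor = ev.get("userIdentity", {}).get("arn")
        if ev.get("eventName") == "PutObject" and \
                ev.get("additionalEventData", {}).get("SSEApplied") == "SSE_C":
            findings.append(("sse_c_write", bucket, params.get("key"), actor))
        elif ev.get("eventName") == "PutBucketLifecycle":
            for rule in lifecycle_rules(params):
                days = rule.get("Expiration", {}).get("Days")
                if rule.get("Status") == "Enabled" and days is not None and days <= max_days:
                    findings.append(("short_expiration", bucket, days, actor))
    return findings


def buckets_with_both(findings):
    """Buckets showing SSE-C writes AND a short expiration rule: the strongest signal."""
    sse = {f[1] for f in findings if f[0] == "sse_c_write"}
    exp = {f[1] for f in findings if f[0] == "short_expiration"}
    return sorted(sse & exp)
```

Feeding the function a real CloudTrail export (the `Records` array of each log file) rather than the sample list is the only change needed to run it against production data.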
Amazon Statement Regarding The Codefinger Ransomware Attacks
An Amazon Web Services spokesperson provided the following statement: “AWS helps customers secure their cloud resources through a shared responsibility model. Anytime AWS is aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment. We encourage all customers to follow security, identity, and compliance best practices. In the event a customer suspects they may have exposed their credentials, they can start by following the steps listed in this post. As always, customers can contact AWS Support with any questions or concerns about the security of their account.”