On January 13, 2025, Halcyon released a research blog about the Codefinger group conducting a ransomware campaign targeting Amazon S3 buckets. The attacks leverage AWS's Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data, and the threat actors then demand ransom payments for the symmetric AES-256 keys required to decrypt it. Because the encryption is performed by Amazon's own server-side encryption infrastructure, once data is encrypted, recovery is impossible without the threat actor's key.
Halcyon notes that the attack does not require exploitation of any AWS vulnerability; instead it relies on the threat actors obtaining an AWS customer's account credentials. The threat actor uses publicly disclosed or compromised AWS keys with permissions to execute s3:GetObject and s3:PutObject requests. The threat actor initiates the encryption process by setting the x-amz-server-side-encryption-customer-algorithm header on the request and supplying an AES-256 encryption key that they generate and store locally. AWS uses the key during the encryption process but does not store it; only an HMAC (hash-based message authentication code) is logged in AWS CloudTrail, which is not sufficient to reconstruct the key or decrypt the data.
Using the S3 Object Lifecycle Management API, the threat actors mark the files for deletion within seven days.
Recommendations
Secure AWS Accounts by Following AWS Best Practices
Amazon encourages customers to implement strict security protocols and follow these steps to quickly resolve unauthorized AWS account activity issues.
- Restrict SSE-C by using the Condition element in IAM policies to prevent the application of SSE-C to S3 buckets. Policies can be configured to restrict this feature to authorized data and users.
- Review permissions for all AWS keys to ensure they have the minimum required access.
- Rotate active keys frequently and disable unused ones.
- Enable detailed logging for S3 operations to identify suspicious activity such as bulk encryption or lifecycle policy changes.
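The logging recommendation above, together with the seven-day lifecycle deletion described earlier, suggests two CloudTrail signals worth alerting on: many PutObject calls by one identity where S3 reports SSE-C, and a lifecycle change that expires objects on a short timer. The following detection logic is an added example (not code from Halcyon or AWS); the record layout mirrors CloudTrail's S3 data and management events, but the records themselves, the bucket name and the IAM ARNs are constructed for illustration.

```python
from collections import Counter

# Constructed CloudTrail-style records for illustration; not real log data.
ACTOR_A = "arn:aws:iam::111122223333:user/ci-deploy"
ACTOR_B = "arn:aws:iam::111122223333:user/app"
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"arn": ACTOR_A},
     "requestParameters": {"bucketName": "example-bucket", "key": f"data/{i}.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}} for i in range(3)
] + [
    {"eventName": "PutObject", "userIdentity": {"arn": ACTOR_B},
     "requestParameters": {"bucketName": "example-bucket", "key": "ok.txt"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "PutBucketLifecycle", "userIdentity": {"arn": ACTOR_A},
     "requestParameters": {"bucketName": "example-bucket", "LifecycleConfiguration": {
         "Rule": {"Status": "Enabled", "Expiration": {"Days": 7}}}}},
    {"eventName": "GetObject", "userIdentity": {"arn": ACTOR_B},
     "requestParameters": {"bucketName": "example-bucket", "key": "ok.txt"}},
]

def sse_c_puts(events):
    """PutObject records where S3 reports encryption with a customer-provided key."""
    return [e for e in events if e.get("eventName") == "PutObject"
            and e.get("additionalEventData", {}).get("SSEApplied") == "SSE_C"]

def short_expirations(events, max_days=30):
    """Lifecycle changes that expire objects within max_days (a deletion countdown)."""
    hits = []
    for e in events:
        if e.get("eventName") not in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
            continue
        params = e.get("requestParameters", {})
        rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
        for rule in (rules if isinstance(rules, list) else [rules]):  # one rule or a list
            days = rule.get("Expiration", {}).get("Days")
            if days is not None and days <= max_days:
                hits.append((e["userIdentity"]["arn"], params.get("bucketName"), days))
    return hits

def find_indicators(events, bulk_threshold=3):
    """Return (alert_type, actor_arn, detail) tuples for both signals."""
    alerts = []
    for arn, count in Counter(e["userIdentity"]["arn"] for e in sse_c_puts(events)).items():
        if count >= bulk_threshold:  # many SSE-C writes by one identity: possible bulk encryption
            alerts.append(("bulk-sse-c-writes", arn, count))
    for arn, bucket, days in short_expirations(events):
        alerts.append(("short-lifecycle-expiration", arn, f"{bucket}:{days}d"))
    return alerts
```

The threshold of three writes is only to keep the sample small; in practice it should be tuned to the bucket's normal write volume, and any SSE-C use at all is notable where the organisation has no legitimate SSE-C workflow.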
Additionally, AWS provided the following statement and guidance for customers:
AWS helps customers secure their cloud resources through a shared responsibility model. Anytime AWS is aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment.
We encourage all customers to follow security, identity, and compliance best practices. In the event a customer suspects they may have exposed their credentials, they can start by following the steps listed in this post. As always, customers can contact AWS Support with any questions or concerns about the security of their account.
AWS provides a rich set of capabilities that eliminate the need to ever store credentials in source code or in configuration files.