Research from the Halcyon RISE Team has revealed that a ransomware actor dubbed “Codefinger” has launched a new campaign against Amazon S3 buckets, leveraging AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data and render victims powerless to recover it without paying the ransom.
New Technique a Systemic Threat
Halcyon says this tactic “represents a significant evolution in ransomware capabilities” and that its widespread use could “pose a systemic threat to organizations using Amazon S3 for critical data storage.”
Unlike traditional ransomware that encrypts files locally or in transit, this attack integrates directly with AWS’s secure encryption infrastructure, meaning recovery is impossible without the attacker’s symmetric AES-256 key. Moreover, as AWS CloudTrail logs only the encryption key’s hash-based message authentication code (HMAC), log evidence is limited, and recovery and forensic analysis are impossible.
Understanding the Attacker’s Workflow
According to Halcyon, Codefinger attacks in four stages:
- Identifying Vulnerable AWS Keys: Attackers use publicly exposed or compromised AWS keys, looking for ones whose permissions allow s3:GetObject and s3:PutObject requests.
- Encrypting Files with SSE-C: Attackers encrypt data using their own AES-256 keys. AWS encrypts the data but doesn’t store the keys. Only an HMAC is logged, making key recovery and data decryption impossible.
- Setting Lifecycle Policies for File Deletion: Attackers add urgency to the ransomware demand by marking files for deletion within seven days using the S3 Object Lifecycle Management API.
- Issuing Ransom Demand: Attackers deposit ransom notes in each impacted directory, providing a Bitcoin address and client ID associated with encrypted data and warning that changes to account permissions or files will end negotiations.
This workflow highlights the attacker’s advanced technical abilities.
How Organizations Can Defend Themselves
To protect themselves from this evolving threat, Halcyon recommends organizations proactively harden AWS environments by restricting SSE-C usage, monitoring and auditing AWS keys, implementing AWS logging, and engaging with AWS support to identify potential vulnerabilities and implement tailored security measures.
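The two controls that map most directly onto the four-stage workflow above are a preventive one (refuse SSE-C uploads at the bucket) and a detective one (flag SSE-C PutObject events and short-fuse lifecycle rules in CloudTrail). The following is an added example written for this page; it is not Halcyon's or AWS's code. It assumes the documented S3 IAM condition key `s3:x-amz-server-side-encryption-customer-algorithm` identifies SSE-C requests, and it assumes a CloudTrail record layout in which S3 data events carry `additionalEventData.SSEApplied` with the value `"SSE_C"`; the sample records are constructed, not taken from a real account.

```python
"""Defender-side checks for the SSE-C ransomware pattern described in the article.

Added example, not code from Halcyon or AWS. Assumptions:
  * the S3 IAM condition key s3:x-amz-server-side-encryption-customer-algorithm
    is present on requests that use SSE-C (AWS documents this key);
  * CloudTrail S3 data events report the encryption mode in
    additionalEventData.SSEApplied, with "SSE_C" for customer-provided keys
    (assumed field layout; the records below are constructed samples).
"""
import json

SSE_C_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"
RANSOM_EXPIRY_THRESHOLD_DAYS = 7  # the article reports a seven-day deletion window


def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy that rejects PutObject calls carrying an SSE-C algorithm header.

    "Null": {key: "false"} matches when the condition key IS present, so the Deny
    fires only for SSE-C uploads; SSE-S3 and SSE-KMS uploads are unaffected.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSE_C_CONDITION_KEY: "false"}},
        }],
    }


def is_sse_c_put(event: dict) -> bool:
    """True for an S3 PutObject data event whose object was encrypted with SSE-C."""
    return (
        event.get("eventSource") == "s3.amazonaws.com"
        and event.get("eventName") == "PutObject"
        and event.get("additionalEventData", {}).get("SSEApplied") == "SSE_C"
    )


def short_expiration_rules(event: dict, max_days: int = RANSOM_EXPIRY_THRESHOLD_DAYS) -> list:
    """Enabled lifecycle rules in a PutBucketLifecycle event that expire objects within max_days."""
    if event.get("eventName") not in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
        return []
    rules = event.get("requestParameters", {}).get("LifecycleConfiguration", {}).get("Rule", [])
    if isinstance(rules, dict):  # a single rule is serialised as an object, not a list
        rules = [rules]
    flagged = []
    for rule in rules:
        days = rule.get("Expiration", {}).get("Days")
        if rule.get("Status") == "Enabled" and days is not None and int(days) <= max_days:
            flagged.append(rule)
    return flagged


def triage(events: list) -> list:
    """Run both checks over CloudTrail records and return structured findings."""
    findings = []
    for ev in events:
        who = ev.get("userIdentity", {}).get("arn", "<unknown>")
        params = ev.get("requestParameters", {})
        bucket = params.get("bucketName", "<unknown>")
        if is_sse_c_put(ev):
            findings.append({"type": "sse_c_put", "bucket": bucket, "key": params.get("key"),
                             "principal": who, "time": ev.get("eventTime")})
        for rule in short_expiration_rules(ev):
            findings.append({"type": "short_expiration_lifecycle", "bucket": bucket,
                             "days": int(rule["Expiration"]["Days"]),
                             "principal": who, "time": ev.get("eventTime")})
    return findings


# Constructed sample records; every value here is illustrative, not from a real account.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-13T09:00:00Z", "eventSource": "s3.amazonaws.com",  # KMS upload: benign
     "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app-writer"},
     "requestParameters": {"bucketName": "example-data", "key": "reports/jan.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-01-13T09:05:12Z", "eventSource": "s3.amazonaws.com",  # SSE-C upload: flag
     "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "example-data", "key": "reports/jan.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-13T09:06:40Z", "eventSource": "s3.amazonaws.com",  # 7-day expiry: flag
     "eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "example-data",
                           "LifecycleConfiguration": {"Rule": {"ID": "expire-all", "Status": "Enabled",
                                                               "Filter": {"Prefix": ""},
                                                               "Expiration": {"Days": 7}}}}},
]

if __name__ == "__main__":
    print(json.dumps(deny_sse_c_policy("example-data"), indent=2))
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The policy is a blunt instrument: it blocks every SSE-C upload to the bucket, so it only fits workloads that do not legitimately use customer-provided keys. The triage function is the shape of a rule you would run over CloudTrail data events; correlating the SSE-C upload and the lifecycle change to the same principal within minutes, as the sample does, is the signal worth alerting on.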
Amazon Web Services’ Response
AWS has acknowledged the report, emphasizing the importance of the shared responsibility model for cloud security, encouraging customers to follow security best practices, and highlighting resources for those who suspect their credentials may have been exposed.
AWS also highlighted capabilities designed to eliminate the need to store credentials in source code or configuration files, including IAM Roles, Roles Anywhere, and Identity Center, and emphasized the use of AWS Secrets Manager to securely manage and rotate non-AWS credentials.
You can read the full statement here.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.