Trend Micro researchers are warning that bad actors are exploiting the weakest points in S3 environments: misconfigurations, leaked access keys, and relaxed encryption controls.
Their latest analysis tracks five emerging ransomware variants built specifically to break, lock, or wipe cloud storage.
The playbook is different from traditional ransomware. Rather than dropping malware and encrypting files on a machine, attackers are weaponizing AWS’s features. Several variants use the Key Management Service or Server-Side Encryption to encrypt S3 objects at scale.
One strain employs default AWS KMS keys to secure bucket data and then schedules the key for deletion, providing victims with a narrow recovery window. Another relies on SSE-C, where encryption keys are supplied by the attacker and never stored by AWS. Once the data is encrypted, even AWS can’t reverse it.
Trend Micro also highlights cases where groups such as Bling Libra used stolen AWS credentials to access, exfiltrate, and delete S3 data before dropping ransom notes or threatening public leaks.
Two newer tactics take things further: attacks using external key material and AWS’s External Key Store (XKS). These allow adversaries to manage encryption keys outside AWS’s visibility and destroy them at will. If that happens, the data inside S3 is effectively gone.
The research tracks a broader trend: ransomware operators are moving away from on-premises smash-and-grab tactics and toward cloud-native attacks that blend seamlessly into normal operations.
S3 is an attractive target because it holds everything from backups to application data to logs: core business assets organizations can’t afford to lose.
Trend Micro’s guidance is to lock down access, strengthen KMS governance, enforce object immutability and MFA Delete, and block public access by default. It also says to monitor CloudTrail for unexpected encryption or deletion events, test recovery processes instead of assuming they work, and automate the response wherever possible.
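The CloudTrail monitoring the guidance calls for can be tested against synthetic records before it is wired into a SIEM. The triage below is an added example written for this page, not Trend Micro's code: it flags the four patterns the article describes (a KMS key scheduled for deletion, SSE-C encryption of objects, external key material or External Key Store activity, and bulk deletes by one caller). The sample records are constructed, with placeholder ARNs, bucket names and key IDs, and the example assumes the SSE-C algorithm header shows up in `requestParameters` the way it does in S3 data events.

```python
"""Triage CloudTrail records for the S3 ransomware patterns described above.

Constructed example for this page. The SAMPLE_EVENTS below are made up
(placeholder account 111111111111, bucket and key IDs), but follow the real
CloudTrail record layout: eventSource, eventName, userIdentity, requestParameters.
"""
import json
from collections import Counter

# KMS calls that destroy a key or move key custody outside AWS.
KMS_DESTRUCTIVE = {"ScheduleKeyDeletion"}
KMS_EXTERNAL = {"ImportKeyMaterial", "CreateCustomKeyStore", "UpdateCustomKeyStore"}
# S3 calls that write (and therefore re-encrypt) or delete objects.
S3_WRITE = {"PutObject", "CopyObject"}
S3_DELETE = {"DeleteObject", "DeleteObjects", "DeleteObjectVersion"}
# Header recorded in requestParameters when a caller supplies its own key (SSE-C).
SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"


def actor(record):
    """Return the caller's ARN, falling back to the identity type."""
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("type", "unknown")


def classify(record):
    """Return (kind, detail) for one record, or None when it looks benign."""
    src = record.get("eventSource", "")
    name = record.get("eventName", "")
    params = record.get("requestParameters") or {}
    if src == "kms.amazonaws.com":
        if name in KMS_DESTRUCTIVE:
            return ("kms_key_deletion_scheduled",
                    f"{params.get('keyId')} pending {params.get('pendingWindowInDays')} days")
        if name in KMS_EXTERNAL:
            return ("external_key_material",
                    f"{name} {params.get('customKeyStoreName') or params.get('keyId')}")
    if src == "s3.amazonaws.com" and name in S3_WRITE and SSE_C_HEADER in params:
        return ("sse_c_encryption", f"s3://{params.get('bucketName')}/{params.get('key')}")
    return None


def triage(lines, delete_threshold=3):
    """Parse JSON-lines CloudTrail records and return a list of findings.

    Per-record findings come from classify(); delete calls are counted per
    caller and reported once when they reach delete_threshold.
    """
    findings, deletes = [], Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        who = actor(rec)
        found = classify(rec)
        if found:
            findings.append({"kind": found[0], "actor": who, "detail": found[1]})
        if rec.get("eventSource") == "s3.amazonaws.com" and rec.get("eventName") in S3_DELETE:
            deletes[who] += 1
    for who, n in deletes.items():
        if n >= delete_threshold:
            findings.append({"kind": "mass_deletion", "actor": who, "detail": f"{n} delete calls"})
    return findings


# Constructed log: one compromised IAM user runs the whole playbook, while an
# application role performs ordinary SSE-KMS writes and reads.
_BAD = {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ci-deploy"}
_APP = {"type": "AssumedRole", "arn": "arn:aws:sts::111111111111:assumed-role/app/i-0abc"}
SAMPLE_EVENTS = [json.dumps(r) for r in [
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion", "userIdentity": _BAD,
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-ID",
                           "pendingWindowInDays": 7}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject", "userIdentity": _BAD,
     "requestParameters": {"bucketName": "prod-backups", "key": "db/2025-01-01.dump",
                           SSE_C_HEADER: "AES256"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ImportKeyMaterial", "userIdentity": _BAD,
     "requestParameters": {"keyId": "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-ID-2"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObjectVersion", "userIdentity": _BAD,
     "requestParameters": {"bucketName": "prod-backups", "key": "db/2024-12-31.dump"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": _APP,
     "requestParameters": {"bucketName": "app-data", "key": "report.csv",
                           "x-amz-server-side-encryption": "aws:kms"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObjectVersion", "userIdentity": _BAD,
     "requestParameters": {"bucketName": "prod-backups", "key": "db/2024-12-30.dump"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "userIdentity": _APP,
     "requestParameters": {"bucketName": "app-data", "key": "report.csv"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObjectVersion", "userIdentity": _BAD,
     "requestParameters": {"bucketName": "prod-backups", "key": "db/2024-12-29.dump"}},
]]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['kind']:28} {f['actor']:55} {f['detail']}")
```

In production the records would come from the CloudTrail S3 delivery prefix or a Lake query rather than an in-memory list, and the delete threshold should be scoped to a time window; the point of the example is that each of the article's techniques leaves a distinct, cheap-to-match event, and that SSE-C and external key material show up before any data is lost.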
Cloud ransomware is becoming more sophisticated, faster, and harder to spot. The organizations that avoid irreversible data loss will be the ones that treat S3 not as cheap storage, but as critical infrastructure that demands real security discipline.
Weaponizing Cloud Services Themselves
Crystal Morin, Senior Cybersecurity Strategist at Sysdig, says: “Malicious activity targeting S3 buckets isn’t new, although the techniques continue to evolve as organizations harden their cloud environments. We’ve seen S3-focused attacks for years — even before the well-publicized incident in 2019, when a Capital One misconfiguration was exploited — and the economics still incentivize attackers to move toward whatever gives them access. Whether that’s exposed keys, misconfigurations, or abusing cloud features, their motivation remains the same.”
What is changing, she says, is how ransomware groups are weaponizing cloud services themselves. “As defenders adopt stronger perimeter protections, these attackers are turning to abusing built-in capabilities, such as encryption management and key rotation, to make data unrecoverable. This follows a long-running trend of cloud attacks and threat actors following the data wherever it lives.”
Morin adds that this is why prevention alone is no longer enough. “An ‘assume breach’ mindset is essential in the cloud: runtime environments should be immutable, identities must have tightly scoped permissions and short-lived credentials, networks need meaningful segmentation, and critical datasets must have backups. We’re firmly in an era of compounding risk, and resiliency is what separates organizations that withstand incidents from those that don’t. It’s also important to understand that resilience extends beyond your own infrastructure. Modern operations depend on complex supply chains, and a ransomware event affecting a key partner can disrupt your business just as completely as a direct compromise.
“The Change Healthcare incident made that painfully clear. If a critical provider goes offline, how quickly can you shift workflows, maintain cash flow, and support customers?”
Investing in Cloud-specific Tradecraft
Jason Soroko, Senior Fellow at Sectigo, says the shift by ransomware actors toward cloud environments is more of an evolution than a sudden break with the past. “Attackers have been abusing exposed S3 buckets, stolen AWS keys, and misconfigurations for years, often for data theft, cryptomining, or simple extortion. What kept the spotlight on on-premises ransomware was the sheer volume of legacy infrastructure and the ease of dropping traditional malware on desktops and servers. As cloud adoption has matured and more critical data has moved from local file servers into services like S3, it is natural that financially motivated groups would follow the data and invest in cloud-specific tradecraft rather than rely only on endpoint-based encryption.”
The part that Soroko feels is newer in this Trend Micro research is not that S3 is being attacked at all, but how deeply the attackers are now integrating with AWS native encryption features.
“Using default KMS-backed encryption, scheduling key deletion, abusing SSE with customer-supplied keys, and experimenting with external key material and External Key Store turns the cloud platform itself into the ransomware mechanism. That represents a step up from simply stealing or deleting data in S3 buckets and it narrows recovery options even for organizations that think they have good backups. So the overall trend has been emerging for quite a while, yet this wave of S3-focused techniques shows that attackers are starting to treat AWS services as their toolkit instead of just their target, which is why this research deserves attention.”
A Systematic and Theoretical Threat Modeling Exercise
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, calls this research “a systematic and theoretical threat modeling exercise on how an attacker might encrypt and ransom an AWS environment within an account boundary”.
“This is something we’ve talked about over the last 10 years. I can’t recall having seen this done in the wild. This specifically targets the use of external or customer-provided keys (SSE-C or XKS, respectively) to assert control over key management for the cryptography used in storage.”
Ford says the classical backup guidance of three copies (one hot, one cold, and one offsite) needs to be adapted slightly for hyperscaler deployments in the cloud (AWS, GCP, Azure, OCS, and so forth).
“Enterprises will want a cross-account write-only relationship where those backups are not readily accessible from the production environment except to export backups, requiring SRE/operations to facilitate BCP operations and restoral of the cold storage protected by account or cloud boundaries.”
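A bucket policy along the lines Ford describes, as an added example that is not from the article or any of its contributors: a backup bucket in a separate account where the production role may only append objects (and only under Object Lock compliance retention), cannot read, list or delete anything, and where version deletes are denied to everyone. Account IDs, role names and the bucket name are placeholders; the `allowed` helper is a deliberately simplified evaluator (no resource or condition matching) used only to check the policy's intent against a few principal/action pairs.

```python
"""Cross-account, write-only backup bucket policy plus a minimal intent check.

Constructed example; 111111111111 (production) and 222222222222 (backup
account) are placeholder account IDs and the role and bucket names are made up.
"""
import json

BACKUP_BUCKET = "example-org-backups"
PROD_WRITER = "arn:aws:iam::111111111111:role/backup-writer"   # production account
RESTORE_ROLE = "arn:aws:iam::222222222222:role/sre-restore"    # backup account, restores only


def build_backup_policy(bucket=BACKUP_BUCKET, writer=PROD_WRITER, restorer=RESTORE_ROLE):
    """Return the bucket policy document as a dict (json.dumps it to apply)."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Production may append objects, and only with compliance-mode retention.
                "Sid": "ProdWriteOnly",
                "Effect": "Allow",
                "Principal": {"AWS": writer},
                "Action": ["s3:PutObject"],
                "Resource": f"{arn}/*",
                "Condition": {"StringEquals": {"s3:object-lock-mode": "COMPLIANCE"}},
            },
            {   # Production can never read, list or delete what it wrote.
                "Sid": "ProdNoReadNoDelete",
                "Effect": "Deny",
                "Principal": {"AWS": writer},
                "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket",
                           "s3:DeleteObject", "s3:DeleteObjectVersion"],
                "Resource": [arn, f"{arn}/*"],
            },
            {   # Restores are driven from the backup account's SRE role only.
                "Sid": "RestoreRead",
                "Effect": "Allow",
                "Principal": {"AWS": restorer},
                "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
                "Resource": [arn, f"{arn}/*"],
            },
            {   # No principal may delete object versions through the bucket.
                "Sid": "NoVersionDeletes",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:DeleteObjectVersion"],
                "Resource": f"{arn}/*",
            },
        ],
    }


def allowed(policy, principal, action):
    """Simplified policy evaluation: an explicit Deny wins, otherwise an Allow is required.

    Only principal and action are matched (Principal "*" matches anyone);
    resources and conditions are not modelled, which is enough to check the
    intent of the statements above.
    """
    decision = False
    for st in policy["Statement"]:
        p = st["Principal"]
        if not (p == "*" or p.get("AWS") == principal) or action not in st["Action"]:
            continue
        if st["Effect"] == "Deny":
            return False
        decision = True
    return decision


if __name__ == "__main__":
    print(json.dumps(build_backup_policy(), indent=2))
```

The policy only does its job on a bucket created with versioning and Object Lock enabled and with object ownership set to bucket-owner-enforced, so that objects written by the production account belong to the backup account; IAM policies inside the backup account still decide what its own principals can do, which is why restores are tied to one tightly scoped role.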
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.