Summary: A new ransomware campaign has emerged that encrypts Amazon S3 buckets using AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C), demanding ransoms for the decryption keys. The threat actor, known as “Codefinger,” has already targeted at least two victims, raising concerns about the potential for wider adoption of this tactic by other malicious actors.
Threat Actor: Codefinger
Victim: Unknown | Amazon S3 bucket victims
Key Points:
- The ransomware campaign uses compromised AWS credentials to access and encrypt S3 bucket data.
- Victims are left with no means of recovery without the attacker’s decryption key, as AWS does not store these keys.
- Attackers threaten to terminate negotiations if victims attempt to alter account permissions or files.
- Halcyon recommends AWS customers implement strict security measures to mitigate risks.
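
One control that addresses the SSE-C write path described above is a bucket policy that denies any `s3:PutObject` request carrying the SSE-C algorithm header. The checker below is an added example, not taken from this page or from Halcyon's report; it audits a policy document for such a statement. The condition key is AWS's documented one; the function names, sample policies and the `example-bucket` name are constructed for illustration.

```python
import fnmatch
import json

SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

def _as_list(value):
    """Policy fields may be a single value or a list."""
    return value if isinstance(value, list) else [value]

def _covers_put_object(stmt):
    """Action matches s3:PutObject; IAM actions are case-insensitive, allow * and ?."""
    actions = _as_list(stmt.get("Action", []))
    return any(fnmatch.fnmatchcase("s3:putobject", str(a).lower()) for a in actions)

def _applies_to_everyone(stmt):
    principal = stmt.get("Principal")
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def _fires_on_any_sse_c_request(stmt):
    """The only condition is Null=false on the SSE-C header key (header present)."""
    cond = stmt.get("Condition", {})
    if list(cond) != ["Null"] or len(cond["Null"]) != 1:
        return False  # extra conditions narrow the deny, so do not count it
    (key, val), = cond["Null"].items()
    return key.lower() == SSE_C_KEY and str(_as_list(val)[0]).lower() == "false"

def denies_sse_c_writes(policy_json):
    """True if some Deny statement blocks SSE-C PutObject for all principals.
    Resource scope is not evaluated here (assumption: it covers the bucket's objects)."""
    policy = json.loads(policy_json)
    return any(
        stmt.get("Effect") == "Deny" and _covers_put_object(stmt)
        and _applies_to_everyone(stmt) and _fires_on_any_sse_c_request(stmt)
        for stmt in _as_list(policy.get("Statement", [])))

# Constructed sample policies; "example-bucket" is a placeholder name.
BLOCKS_SSE_C = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenySSEC", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Null": {SSE_C_KEY: "false"}}}]})
TLS_ONLY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "DenyPlainHttp", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]})

if __name__ == "__main__":
    print(denies_sse_c_writes(BLOCKS_SSE_C), denies_sse_c_writes(TLS_ONLY))
```

A statement that adds further conditions, or that uses `NotAction` or a specific principal, is reported as not blocking SSE-C, since it leaves some write path open.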