Attackers Are Encrypting AWS S3 Data Without Using Ransomware – Help Net Security
Summary: A ransomware gang named Codefinger is targeting organizations by encrypting data in their AWS S3 buckets using server-side encryption with customer-provided keys, demanding ransom for the decryption key. The attackers leverage previously compromised AWS keys, adding urgency by threatening to delete the encrypted files within seven days if the ransom is not paid.

Threat Actor: Codefinger
Victim: Organizations using AWS S3

Key Points:

  • Codefinger encrypts data in AWS S3 buckets without exfiltration, using compromised AWS keys.
  • The attackers threaten to delete encrypted files within seven days to pressure victims into paying the ransom.
  • Organizations are advised to implement IAM policies to restrict SSE-C usage and regularly review AWS key permissions.
  • Enabling detailed logging for S3 operations can help detect unusual activity quickly.
  • AWS provides capabilities to avoid storing long-term credentials, enhancing security against such attacks.
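
One way to audit the SSE-C restriction recommended above, as an added example that is not from the original article: a Python check that a policy document denies `s3:PutObject` whenever the SSE-C header is present. The function name, the sample policies and the bucket name `example-bucket` are constructed for illustration; the condition key is the documented AWS one.

```python
import fnmatch

# AWS condition key that carries the SSE-C algorithm request header.
SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def blocks_ssec_uploads(policy):
    """Return True if a Deny statement rejects s3:PutObject whenever the
    SSE-C header is present. Resource scope and NotAction are not evaluated."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("s3:putobject", a) for a in actions):
            continue
        # A deny limited to named principals leaves everyone else able to use SSE-C.
        if stmt.get("Principal", "*") not in ("*", {"AWS": "*"}):
            continue
        cond = stmt.get("Condition", {})
        null = {k.lower(): str(v).lower() for k, v in cond.get("Null", {}).items()}
        # Null = "false" matches requests where the key exists, i.e. SSE-C was requested.
        # Any additional condition would narrow the deny, so only the bare form counts.
        if len(cond) == 1 and null == {SSEC_KEY: "false"}:
            return True
    return False

# Constructed sample policies; "example-bucket" is a placeholder name.
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Sid": "TlsOnly", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

HARDENED = {"Version": "2012-10-17", "Statement": WEAK["Statement"] + [{
    "Sid": "DenySSEC", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Null": {SSEC_KEY: "false"}}}]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "blocks SSE-C uploads:", blocks_ssec_uploads(pol))
```

Run it over exported bucket policies or service control policies; a `False` result means a holder of write-capable keys can still upload objects encrypted with a key only they possess.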

Source: https://www.helpnetsecurity.com/2025/01/13/codefinger-encrypting-aws-s3-data-without-ransomware-sse-c/