Cybercriminals have begun leveraging Amazon Web Services (AWS) cloud storage tools to lock companies out of their data, researchers with the cybersecurity firm Halcyon have warned.
The firm spotted a series of attacks in which hackers, tracked as the Codefinger group, have used AWS's own encryption features to encrypt data stored in S3 buckets.
The attacks, which began surfacing in early December, rely on AWS's Server-Side Encryption with Customer-Provided Keys (SSE-C) feature, which lets attackers lock victims out of their own cloud-stored files by encrypting them with encryption keys stolen from the targeted organizations.
The hackers begin by gaining access to a victim's AWS account, typically through stolen credentials or by exploiting compromised AWS keys. Once inside, they obtain the necessary encryption keys and initiate the encryption process on the victim’s S3 bucket data.
By making use of the SSE-C protocol, attackers encrypt the data using AES-256 encryption keys, which are generated and stored locally by the attackers. These encryption keys are not stored in AWS’s infrastructure, making it impossible for victims to retrieve the data without access to the keys.
Once the encryption process is complete, the attackers leave a ransom note in each affected directory, providing their Bitcoin payment address and a unique client ID tied to the victim's encrypted data. The hackers also mark the files for deletion within seven days using AWS’s S3 Object Lifecycle Management API, placing additional pressure on victims to comply with their demands.
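The two steps just described leave distinct traces in CloudTrail S3 logging: object writes that S3 reports as encrypted with a caller-supplied key, followed by a lifecycle rule that expires the objects. The following detector is an added example (not code from Halcyon or the article); it assumes S3 data events are enabled in CloudTrail, relies on the `SSEApplied` field of `additionalEventData`, and the `requestParameters` layout for `PutBucketLifecycle` is an assumption to verify against your own records.

```python
"""Defender-side triage for the SSE-C ransomware pattern described above (added example).
Flags CloudTrail S3 records where S3 reports SSEApplied == "SSE_C" (caller-supplied key that
AWS never stores) and PutBucketLifecycle calls expiring objects within a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

SSEC_WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload"}
MAX_EXPIRY_DAYS = 7          # the seven-day deletion window named in the article
WINDOW = timedelta(hours=24)  # how close the two actions must be to correlate

def _principal(ev):
    return ev.get("userIdentity", {}).get("arn", "unknown")

def _ts(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_ssec_ransomware_pattern(events):
    """Return {principal: {"ssec_writes": n, "lifecycle_buckets": [...]}} for principals
    that both wrote SSE-C objects and set a short-expiry lifecycle rule within WINDOW."""
    ssec, short_lifecycle = defaultdict(list), defaultdict(list)
    for ev in events:
        name, params = ev.get("eventName"), ev.get("requestParameters", {})
        if name in SSEC_WRITE_EVENTS and ev.get("additionalEventData", {}).get("SSEApplied") == "SSE_C":
            ssec[_principal(ev)].append(_ts(ev))
        elif name == "PutBucketLifecycle":
            # requestParameters layout is an assumption; check it against your own trail records
            rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
            for rule in [rules] if isinstance(rules, dict) else rules:
                if int(rule.get("Expiration", {}).get("Days", 10**9)) <= MAX_EXPIRY_DAYS:
                    short_lifecycle[_principal(ev)].append((_ts(ev), params.get("bucketName")))
    hits = {}
    for principal, writes in ssec.items():
        buckets = {b for t, b in short_lifecycle.get(principal, [])
                   if any(abs(t - w) <= WINDOW for w in writes)}
        if buckets:
            hits[principal] = {"ssec_writes": len(writes), "lifecycle_buckets": sorted(buckets)}
    return hits

# Constructed sample records (not real CloudTrail output); only the fields the checks read.
ATTACKER = {"arn": "arn:aws:iam::111111111111:user/ci-deploy"}
SAMPLE_EVENTS = [
    {"eventTime": "2024-12-03T01:10:00Z", "eventName": "PutObject", "userIdentity": ATTACKER,
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2024-12-03T01:12:00Z", "eventName": "CopyObject", "userIdentity": ATTACKER,
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2024-12-03T02:00:00Z", "eventName": "PutBucketLifecycle", "userIdentity": ATTACKER,
     "requestParameters": {"bucketName": "corp-backups",
                           "LifecycleConfiguration": {"Rule": {"Expiration": {"Days": 7}}}}},
    {"eventTime": "2024-12-03T03:00:00Z", "eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111111111111:user/app"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},   # ordinary KMS-encrypted write, not flagged
]
```

Without S3 data events enabled, `PutObject` and `CopyObject` never reach the trail, so the first check has nothing to read; the lifecycle change is a management event and is logged by default.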
Halcyon researchers described the Codefinger attack as a "significant evolution in ransomware capabilities," noting that the encryption process is irreversible without the encryption keys, and there is no known method of recovery for the encrypted data other than paying the ransom. The ransom notes warn victims that any attempts to alter AWS account permissions or files will end the negotiations.
“While SSE-C has been available since 2014, this appears to be a novel use of the feature by ransomware operators,” the researchers said.