Researchers discovered a ransomware campaign leveraging AWS Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data in Amazon S3 buckets. The attack, attributed to the threat actor "Codefinger," uses compromised AWS credentials to re-encrypt objects with keys that only the attacker holds. Victims are forced to pay a ransom to obtain the AES-256 keys needed for decryption. The method does not exploit a vulnerability in AWS; it abuses a documented, legitimate feature with stolen credentials.
The campaign begins with the threat actor acquiring exposed or stolen AWS access keys that carry permissions to read and write S3 objects. The attacker generates an AES-256 key locally and supplies it in the SSE-C request headers when overwriting each object; S3 performs the encryption and then discards the key. Critically, AWS never stores a customer-provided key, and the only trace it keeps, an HMAC of the key written to CloudTrail, cannot be reversed to recover it, so neither the victim nor AWS can decrypt the data without the attacker's cooperation. To pressure victims into paying, the attacker applies S3 lifecycle policies that schedule the encrypted objects for deletion within seven days, and places ransom notes in the affected prefixes detailing payment instructions and warning against modifying permissions. Because the attack is a burst of SSE-C writes followed by a lifecycle change, both are visible in CloudTrail, and a bucket policy that denies SSE-C uploads closes the technique for buckets that do not legitimately use it.
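The following is an added example, not code from the article, from Halcyon, or from AWS: it runs the detection logic implied by the description above over a constructed set of CloudTrail-style events (a burst of SSE-C object writes from one access key, followed by a seven-day lifecycle expiry), and emits the bucket-policy statement that refuses SSE-C uploads. The event field paths (`additionalEventData.SSEApplied`, `requestParameters.LifecycleConfiguration`) and the `s3:x-amz-server-side-encryption-customer-algorithm` condition key are assumptions based on CloudTrail and IAM conventions; verify them against your own logs and the current AWS documentation before deploying.

```python
"""Flag Codefinger-style SSE-C abuse in CloudTrail events (added example).

Not code from the original article or from AWS. Event field names follow
CloudTrail conventions as the author understands them; treat the exact
paths as assumptions. The sample events below are constructed.
"""
from collections import defaultdict
from typing import Any, Dict, Iterable, List, Optional

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject", "UploadPart", "CompleteMultipartUpload"}

# Constructed sample log: one access key rewrites 12 objects with SSE-C, drops a
# ransom note, and sets a 7-day expiry; a second key does an ordinary SSE-KMS write.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
     "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-ATTACKER"},
     "requestParameters": {"bucketName": "victim-data", "key": f"reports/{i}.pdf",
                           SSEC_HEADER: "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}}
    for i in range(12)
] + [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-ATTACKER"},
     "requestParameters": {"bucketName": "victim-data", "key": "reports/README.txt"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-ATTACKER"},
     "requestParameters": {"bucketName": "victim-data", "LifecycleConfiguration": {
         "Rule": {"Status": "Enabled", "Expiration": {"Days": 7}}}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIA-EXAMPLE-APPSERVER"},
     "requestParameters": {"bucketName": "victim-data", "key": "uploads/a.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]


def is_ssec_write(ev: Dict[str, Any]) -> bool:
    """True if this S3 data event wrote an object under SSE-C (assumed field names)."""
    if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in WRITE_EVENTS:
        return False
    sse_applied = (ev.get("additionalEventData") or {}).get("SSEApplied")
    header_present = SSEC_HEADER in (ev.get("requestParameters") or {})
    return sse_applied == "SSE_C" or header_present


def lifecycle_expiry_days(ev: Dict[str, Any]) -> Optional[int]:
    """Shortest Expiration.Days set by a PutBucketLifecycle event, else None.

    Walks the request parameters generically so a single Rule or a list of
    Rules both work; exact nesting is an assumption about CloudTrail's shape."""
    if ev.get("eventName") != "PutBucketLifecycle":
        return None
    found: List[int] = []

    def walk(node: Any) -> None:
        if isinstance(node, dict):
            exp = node.get("Expiration")
            if isinstance(exp, dict) and isinstance(exp.get("Days"), int):
                found.append(exp["Days"])
            for child in node.values():
                walk(child)
        elif isinstance(node, list):
            for child in node:
                walk(child)

    walk(ev.get("requestParameters") or {})
    return min(found) if found else None


def find_codefinger_patterns(events: Iterable[Dict[str, Any]], min_ssec_writes: int = 10,
                             max_expiry_days: int = 7) -> List[Dict[str, Any]]:
    """Group by (accessKeyId, bucket); flag bulk SSE-C writes and short expiries."""
    ssec_counts: Dict[tuple, int] = defaultdict(int)
    expiries: Dict[tuple, int] = {}
    for ev in events:
        key = ((ev.get("userIdentity") or {}).get("accessKeyId"),
               (ev.get("requestParameters") or {}).get("bucketName"))
        if is_ssec_write(ev):
            ssec_counts[key] += 1
        days = lifecycle_expiry_days(ev)
        if days is not None and days <= max_expiry_days:
            expiries[key] = min(days, expiries.get(key, days))
    findings = []
    for key in set(ssec_counts) | set(expiries):
        reasons = []
        if ssec_counts[key] >= min_ssec_writes:
            reasons.append(f"{ssec_counts[key]} SSE-C object writes")
        if key in expiries:
            reasons.append(f"lifecycle expiry in {expiries[key]} days")
        if reasons:
            findings.append({"accessKeyId": key[0], "bucket": key[1],
                             "ssec_writes": ssec_counts[key], "reasons": reasons})
    return sorted(findings, key=lambda f: f["ssec_writes"], reverse=True)


def deny_ssec_statement(bucket: str) -> Dict[str, Any]:
    """Bucket-policy statement denying any PutObject that carries an SSE-C header.

    'Null: false' means 'the condition key is present'; condition key name is
    an assumption to verify against current AWS documentation."""
    return {"Sid": "DenySSECustomerKeyEncryption", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {f"s3:{SSEC_HEADER}": "false"}}}


if __name__ == "__main__":
    for finding in find_codefinger_patterns(SAMPLE_EVENTS):
        print(finding)
    print(deny_ssec_statement("victim-data"))
```

The thresholds are deliberately loose: a single SSE-C write is not evidence of anything, but a burst from one access key against one bucket, especially paired with a new lifecycle expiry of a few days, is the shape of this campaign. Enabling S3 data events in CloudTrail is a prerequisite, since object-level PutObject and CopyObject are not logged by default; the deny statement should only be applied to buckets whose workloads do not legitimately use SSE-C.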