Cloud Threat Landscape

Bucket / storage ransomware

Tags
CloudRansomware
ATT&CK Tactic
Impact (TA0040)
Incidents
BlackCat Azure Storage Account RansomOp
Codefinger Ransomware Campaign Targeting S3 Buckets
References
https://ermetic.com/blog/aws/new-research-the-urgent-threat-of-ransomware-to-s3-buckets/
https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
Last edited
Mar 27, 2025 1:04 PM
Status
Stub
Defenses
Data Backups
Data Replication

An attacker gains access to an S3 bucket, lists its objects (list-objects), downloads all of the bucket’s objects (get-object), and finally uploads them back to the bucket under the same names (put-object), overwriting the original files with copies encrypted with the attacker’s own KMS key (a cross-account key).

Related sequence of CloudTrail (CT) events: s3:ListObjects, s3:GetObject, s3:PutObject

For detection, it is enough to take a single object and analyze its s3:GetObject and s3:PutObject events (the KMS key appears in the request/response field).
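The check described above, as an added example that is not part of the original page: it pairs a GetObject with a later PutObject on the same object by the same principal and flags the write when the KMS key ARN belongs to a different account than the bucket's. It assumes S3 data events are logged, that the key ARN is recorded under `x-amz-server-side-encryption-aws-kms-key-id`, and that `recipientAccountId` is the bucket owner's account; all sample events, account IDs and names are constructed.

```python
import re

KMS_HEADER = "x-amz-server-side-encryption-aws-kms-key-id"
KMS_ARN = re.compile(r"^arn:aws[\w-]*:kms:[^:]*:(\d{12}):(?:key|alias)/")

def kms_account(event):
    """Account ID owning the KMS key named in a PutObject event, or None."""
    for field in ("responseElements", "requestParameters"):
        value = (event.get(field) or {}).get(KMS_HEADER, "")
        match = KMS_ARN.match(value)
        if match:
            return match.group(1)
    return None  # no SSE-KMS header, or the key was not given as a full ARN

def find_reencrypted_objects(events):
    """Flag objects read, then overwritten under a KMS key from another account."""
    seen_reads, findings = set(), []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        params = ev.get("requestParameters") or {}
        obj = (ev["userIdentity"]["arn"], params.get("bucketName"), params.get("key"))
        if ev["eventName"] == "GetObject":
            seen_reads.add(obj)
        elif ev["eventName"] == "PutObject" and obj in seen_reads:
            owner = kms_account(ev)
            if owner and owner != ev["recipientAccountId"]:
                findings.append({"principal": obj[0], "bucket": obj[1],
                                 "key": obj[2], "kms_account": owner})
    return findings

def make_event(time, name, key, kms_arn=None):
    """Build a constructed CloudTrail-style S3 data event for the sample below."""
    params = {"bucketName": "example-bucket", "key": key}
    if kms_arn:
        params[KMS_HEADER] = kms_arn
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "recipientAccountId": "111111111111",
            "userIdentity": {"arn": "arn:aws:iam::111111111111:user/example-user"},
            "requestParameters": params, "responseElements": None}

# Constructed sample: 111111111111 owns the bucket, 999999999999 is a foreign account.
OWN_KEY = "arn:aws:kms:us-east-1:111111111111:key/00000000-0000-0000-0000-000000000001"
FOREIGN_KEY = "arn:aws:kms:us-east-1:999999999999:key/00000000-0000-0000-0000-000000000002"
SAMPLE_EVENTS = [
    make_event("2025-01-01T10:00:00Z", "GetObject", "report.csv"),
    make_event("2025-01-01T10:00:05Z", "PutObject", "report.csv", FOREIGN_KEY),
    make_event("2025-01-01T10:01:00Z", "GetObject", "notes.txt"),
    make_event("2025-01-01T10:01:05Z", "PutObject", "notes.txt", OWN_KEY),
]

if __name__ == "__main__":
    print(find_reencrypted_objects(SAMPLE_EVENTS))
```
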

Last Updated: April 3, 2025