Bucket / storage ransomware

Tags

CloudRansomware

ATT&CK Tactic

Impact (TA0040)

Incidents

BlackCat Azure Storage Account RansomOp Codefinger Ransomware Campaign Targeting S3 Buckets

References

https://ermetic.com/blog/aws/new-research-the-urgent-threat-of-ransomware-to-s3-buckets/https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/

Last edited

Mar 27, 2025 1:04 PM

Status

Stub

Defenses

Data Backups Data Replication

An attacker gains access to a S3 bucket and lists its objects (list-objects), downloads all the bucket’s objects (get-object) and finally uploads them back to the bucket with the same name to overwrite the old files - encrypted with his own KMS key (cross-account key) (put-object).

Related sequence of CT events: s3:ListObjects, s3:GetObject, s3:PutObject

It’s enough to just take 1 single object and analyze the s3:GetObject and s3:PutObject events (with KMS key in the request/response field).