Tags
CloudRansomware
ATT&CK Tactic
Impact (TA0040)
Incidents
BlackCat Azure Storage Account RansomOpCodefinger Ransomware Campaign Targeting S3 Buckets
References
https://ermetic.com/blog/aws/new-research-the-urgent-threat-of-ransomware-to-s3-buckets/https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/
Last edited
Mar 27, 2025 1:04 PM
Status
Stub
Defenses
Data BackupsData Replication
An attacker gains access to a S3 bucket and lists its objects (list-objects), downloads all the bucket’s objects (get-object) and finally uploads them back to the bucket with the same name to overwrite the old files - encrypted with his own KMS key (cross-account key) (put-object).
Related sequence of CT events: s3:ListObjects, s3:GetObject, s3:PutObject
It’s enough to just take 1 single object and analyze the s3:GetObject and s3:PutObject events (with KMS key in the request/response field).