A ransomware operation tracked as “Codefinger” is abusing Amazon S3’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to lock data in S3 buckets. The attackers do not exploit a flaw in AWS; using stolen credentials, they encrypt objects with keys known only to them and then demand a ransom for the key needed to decrypt.
Halcyon, a cybersecurity firm, discovered the campaign. It reports that, although the technique has so far been seen in only a few incidents, other criminals could adopt it more broadly, widening the scope of the threat.
How Does the Attack Work?
The attackers use compromised AWS credentials that have read and write access to the victim’s buckets. With SSE-C, the client supplies its own AES-256 key in the request headers and S3 encrypts the object with it; S3 does not store the key, only a salted HMAC of it used to validate later requests. Because SSE-C is applied at upload time, the attackers generate a key locally and write the victim’s objects back to the bucket encrypted with it, leaving no way to recover the data without that exact key.
The attackers then use the S3 Object Lifecycle Management API to set a rule that expires the encrypted objects after seven days, giving the victim a hard deadline to respond to the ransom demand.
In the ransom notes left in every affected directory, the attackers demand payment in Bitcoin and warn that any attempt to modify account permissions or files could lead to the permanent loss of the data.
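The behaviour described above leaves two traces in CloudTrail S3 data events: object writes whose `additionalEventData.SSEApplied` is `SSE_C`, and a `PutBucketLifecycle` call with a short `Expiration.Days`. The following detection script is an added example written for this article, not code from Halcyon or AWS. The log records it runs over are constructed for illustration; their field names follow CloudTrail’s S3 record layout, but real records carry many more fields, and the seven-day threshold is taken from the article rather than from any AWS default.

```python
"""Detect the Codefinger pattern in CloudTrail S3 data events.

Added example for this article, not code from Halcyon or AWS. It correlates
objects written with SSE-C (additionalEventData.SSEApplied == "SSE_C") with
a lifecycle rule that expires objects within a few days, per access key and
bucket. The records below are constructed, not real logs.
"""
import json
from collections import defaultdict

# Constructed CloudTrail records, one JSON object per line (not real logs).
SAMPLE_EVENTS = r'''
{"eventTime":"2025-01-10T03:12:07Z","eventName":"CopyObject","userIdentity":{"accessKeyId":"AKIAEXAMPLE000000001","arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"acme-finance-backups","key":"2024/q4/ledger.csv"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2025-01-10T03:12:08Z","eventName":"CopyObject","userIdentity":{"accessKeyId":"AKIAEXAMPLE000000001","arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"acme-finance-backups","key":"2024/q4/payroll.csv"},"additionalEventData":{"SSEApplied":"SSE_C"}}
{"eventTime":"2025-01-10T03:14:30Z","eventName":"PutBucketLifecycle","userIdentity":{"accessKeyId":"AKIAEXAMPLE000000001","arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"acme-finance-backups","LifecycleConfiguration":{"Rule":{"ID":"cleanup","Status":"Enabled","Filter":{"Prefix":""},"Expiration":{"Days":7}}}}}
{"eventTime":"2025-01-10T03:15:01Z","eventName":"PutObject","userIdentity":{"accessKeyId":"AKIAEXAMPLE000000001","arn":"arn:aws:iam::111122223333:user/ci-deploy"},"requestParameters":{"bucketName":"acme-finance-backups","key":"2024/q4/warning.txt"},"additionalEventData":{"SSEApplied":"SSE_S3"}}
{"eventTime":"2025-01-10T09:00:00Z","eventName":"PutObject","userIdentity":{"accessKeyId":"AKIAEXAMPLE000000002","arn":"arn:aws:iam::111122223333:role/app-writer"},"requestParameters":{"bucketName":"acme-web-assets","key":"img/logo.png"},"additionalEventData":{"SSEApplied":"Default_SSE_S3"}}
'''

SHORT_EXPIRY_DAYS = 7  # the deadline the article reports; tune for your estate

WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload"}
# CloudTrail records lifecycle changes as PutBucketLifecycle; the newer API
# name is accepted too in case a record carries it (assumption).
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def parse_events(text):
    """Parse newline-delimited CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def lifecycle_min_expiry_days(request_params):
    """Shortest Expiration.Days among enabled rules in a lifecycle request, or None.

    CloudTrail flattens the XML body: a single <Rule> appears as a dict and
    several rules as a list, so both shapes are handled.
    """
    rules = (request_params.get("LifecycleConfiguration") or {}).get("Rule")
    if rules is None:
        return None
    if isinstance(rules, dict):
        rules = [rules]
    days = [(r.get("Expiration") or {}).get("Days")
            for r in rules if r.get("Status") == "Enabled"]
    days = [d for d in days if isinstance(d, int)]
    return min(days) if days else None


def detect(events, max_expiry_days=SHORT_EXPIRY_DAYS):
    """Correlate SSE-C writes and short-expiry lifecycle rules per (access key, bucket)."""
    sse_c_writes = defaultdict(list)  # (accessKeyId, bucket) -> object keys
    short_lifecycle = {}              # (accessKeyId, bucket) -> expiry days
    principal_arns = {}
    for ev in events:
        ident = ev.get("userIdentity") or {}
        akid = ident.get("accessKeyId", "unknown")
        principal_arns[akid] = ident.get("arn", "unknown")
        params = ev.get("requestParameters") or {}
        bucket = params.get("bucketName", "unknown")
        name = ev.get("eventName")
        if name in WRITE_EVENTS:
            if (ev.get("additionalEventData") or {}).get("SSEApplied") == "SSE_C":
                sse_c_writes[(akid, bucket)].append(params.get("key"))
        elif name in LIFECYCLE_EVENTS:
            days = lifecycle_min_expiry_days(params)
            if days is not None and days <= max_expiry_days:
                short_lifecycle[(akid, bucket)] = days

    findings = []
    for akid, bucket in sorted(set(sse_c_writes) | set(short_lifecycle)):
        objects = sse_c_writes.get((akid, bucket), [])
        days = short_lifecycle.get((akid, bucket))
        # Both signals from one identity on one bucket is the ransomware pattern;
        # either alone still deserves a look in an estate that never uses SSE-C.
        if objects and days is not None:
            severity = "critical"
        elif objects:
            severity = "high"
        else:
            severity = "medium"
        findings.append({
            "severity": severity,
            "access_key_id": akid,
            "principal_arn": principal_arns.get(akid, "unknown"),
            "bucket": bucket,
            "sse_c_objects": objects,
            "expiry_days": days,
        })
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(finding, indent=2))
```

Run against the constructed sample, the script raises one critical finding: access key `AKIAEXAMPLE000000001` wrote two objects to `acme-finance-backups` with SSE-C and then set a seven-day expiry on the same bucket, while the ordinary `SSE_S3` and `Default_SSE_S3` writes are ignored. In production the same logic belongs in whatever consumes your CloudTrail S3 data events (Athena, a SIEM rule, or an EventBridge target); object-level data events must be enabled on the buckets for the `SSE_C` records to exist at all.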
Recommended Protective Measures
After discovering the campaign, Halcyon alerted Amazon. Amazon has been notifying customers whose keys may have been exposed so they can act quickly to limit the damage, urges customers to adopt rigorous security measures, and publishes guidance on responding to unauthorized activity in an AWS account.
To further protect against these attacks, users are advised to:
- Implement restrictive IAM or bucket policies that deny the use of SSE-C on S3 buckets unless it is genuinely required.
- Rotate AWS access keys regularly, keep an inventory of where they are used, and disable any that are unused.
- Grant users and roles only the minimum permissions they need, so that a compromised credential cannot rewrite or expire an entire bucket.
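The first recommendation can be enforced with a bucket policy that denies `s3:PutObject` whenever the request carries SSE-C headers. The code below is an added example written for this article, not a policy from Halcyon, AWS or the Codefinger write-up: it builds that policy, optionally exempting a named role for the “absolutely necessary” case, and includes a small evaluator that shows how IAM’s `Null` condition operator behaves on a few requests. The condition key `s3:x-amz-server-side-encryption-customer-algorithm` is the one S3 populates for SSE-C requests and `aws:PrincipalArn` is the standard global key; the bucket name and role ARN are placeholders, and the evaluator models only the two operators this policy uses.

```python
"""Bucket policy that blocks SSE-C uploads, with a check of how it evaluates.

Added example for this article, not code from Halcyon or AWS. The bucket name
and exempted role are placeholders. The evaluator implements only the Null
and StringNotEquals operators used by this policy and assumes the Resource
matches, so it is a teaching aid, not an IAM simulator.
"""
import json

BUCKET = "acme-finance-backups"                                # placeholder
EXEMPT_ROLE = "arn:aws:iam::111122223333:role/sse-c-archiver"  # placeholder
SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_sse_c_policy(bucket, exempt_principal_arns=()):
    """Deny any PutObject that carries SSE-C headers, except from listed principals.

    Null: {key: "false"} is true when the key IS present in the request
    context, i.e. when the client supplied its own encryption key.
    """
    condition = {"Null": {SSE_C_KEY: "false"}}
    if exempt_principal_arns:
        condition["StringNotEquals"] = {"aws:PrincipalArn": list(exempt_principal_arns)}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": condition,
        }],
    }


def _condition_matches(operator, key_values, ctx):
    """Evaluate one condition block; every key in the block must match."""
    for key, expected in key_values.items():
        if operator == "Null":
            present = key in ctx
            # "true" matches an absent key, "false" matches a present one
            if present == (expected == "true"):
                return False
        elif operator == "StringNotEquals":
            values = expected if isinstance(expected, list) else [expected]
            # A missing key makes a negated string operator evaluate to true
            if key in ctx and ctx[key] in values:
                return False
        else:
            raise NotImplementedError(f"operator {operator} not modelled here")
    return True


def request_denied(policy, principal_arn, action, headers):
    """Return True if any Deny statement in `policy` matches the request.

    `headers` are the HTTP headers of the S3 request; only the SSE-C algorithm
    header feeds the condition context here.
    """
    ctx = {"aws:PrincipalArn": principal_arn}
    algorithm = headers.get("x-amz-server-side-encryption-customer-algorithm")
    if algorithm is not None:
        ctx[SSE_C_KEY] = algorithm
    for statement in policy["Statement"]:
        if statement["Effect"] != "Deny":
            continue
        actions = statement["Action"]
        if action not in (actions if isinstance(actions, list) else [actions]):
            continue
        conditions = statement.get("Condition", {})
        if all(_condition_matches(op, kv, ctx) for op, kv in conditions.items()):
            return True
    return False


if __name__ == "__main__":
    # Save the output and apply it with:
    #   aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json
    print(json.dumps(deny_sse_c_policy(BUCKET, [EXEMPT_ROLE]), indent=2))
```

With this policy in place, a PutObject or CopyObject carrying `x-amz-server-side-encryption-customer-algorithm: AES256` is rejected with AccessDenied regardless of the caller’s IAM permissions, while uploads using SSE-S3 or SSE-KMS are unaffected, because only SSE-C requests populate that condition key. An explicit Deny in the bucket policy beats any Allow the stolen credentials might hold, which is why it is a stronger control than trimming individual IAM users. If no role legitimately needs SSE-C, omit the exemption list entirely.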
AWS users should understand how this attack works and put these controls in place to safeguard their data.