Imagine this: you log into your cloud storage account only to find that all your files are encrypted, and a ransom note demands payment to get them back. This is the reality for some Amazon Web Services (AWS) users who have fallen victim to a new ransomware group known as “Codefinger” [1]. What makes this attack particularly concerning is that Codefinger isn’t exploiting a weakness in AWS’s systems. Instead, they are abusing a legitimate feature — Server-Side Encryption with Customer-Provided Keys (SSE-C) — to hold your data hostage. This highlights a critical aspect of cloud security: even with robust security measures in place, the way users manage their accounts and features can create vulnerabilities [1].
The Details
But how does this attack work?
First, Codefinger needs valid AWS credentials for your account. They might find these exposed publicly or obtain them through other malicious means [4]. They then seek out credentials with permission to both read and write objects in your S3 storage buckets. Think of it like this: they need the keys to both your house and your safe. Once they have those keys, they use SSE-C, a feature designed to let you encrypt your data with your own keys, to re-encrypt your files with keys that only they control. It’s like them changing the lock on your safe and keeping the only key. Since Amazon doesn’t store the customer-provided keys used in SSE-C, you’re locked out of your own data [5]. To make matters worse, Codefinger uses the S3 Object Lifecycle Management API to schedule your files for deletion within seven days, adding immense pressure to pay the ransom [1].
Protect Yourself
Before we discuss the devastating impact of this attack, let’s talk about how you can protect yourself.
The good news is that there are steps you can take to significantly reduce your risk.
- First, secure your AWS login information by using strong, unique passwords and enabling multi-factor authentication. Think of this as having both a strong front door lock and a security system for your house.
- Next, review the permissions for all your AWS logins and make sure they have the minimum necessary access. Don’t give anyone the keys to your safe unless they absolutely need them. Regularly rotate your AWS keys and disable any unused ones, just like you might change the locks on your house periodically [2]. Amazon also recommends restricting or even blocking the use of SSE-C if it’s not essential for your applications [7].
By taking these proactive steps, you can make it much harder for attackers like Codefinger to gain access to your data.
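One concrete way to follow Amazon’s advice to block SSE-C is a bucket policy that denies any `PutObject` request carrying the SSE-C algorithm header. The example below is added here and is not code from the article or from AWS; it builds such a policy for a placeholder bucket and includes a small evaluator (assumed to mirror only the IAM `Null` condition operator, not the full policy engine) so you can see which uploads it blocks.

```python
"""Deny SSE-C uploads with an S3 bucket policy and check it against sample requests."""
import json

BUCKET = "example-bucket"  # placeholder bucket name, not from the article

# The Null condition with value "false" matches requests where the key IS present,
# so this statement denies any PutObject that supplies a customer-provided key.
DENY_SSEC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenySSECustomerKeys",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
        "Condition": {
            "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
        },
    }],
}

def null_condition_matches(condition, request_keys):
    """IAM 'Null' operator: "true" matches an absent key, "false" matches a present key."""
    for key, expected in condition.items():
        present = key in request_keys
        if (expected == "false") != present:
            return False
    return True

def is_denied(policy, action, request_keys):
    """Return True if any Deny statement in the policy matches the action and request keys."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        if null_condition_matches(stmt.get("Condition", {}).get("Null", {}), request_keys):
            return True
    return False

# Constructed sample requests, expressed as the condition keys each request carries.
SSEC_UPLOAD = {"s3:x-amz-server-side-encryption-customer-algorithm": "AES256"}
KMS_UPLOAD = {"s3:x-amz-server-side-encryption": "aws:kms"}

if __name__ == "__main__":
    print(json.dumps(DENY_SSEC_POLICY, indent=2))
    print("SSE-C upload denied:", is_denied(DENY_SSEC_POLICY, "s3:PutObject", SSEC_UPLOAD))
    print("KMS upload denied:  ", is_denied(DENY_SSEC_POLICY, "s3:PutObject", KMS_UPLOAD))
```

Attach the printed policy to the bucket (after replacing the placeholder name); existing objects are unaffected, so the policy prevents new SSE-C re-encryption rather than undoing any that already happened.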
The Danger
Now, let’s talk about why this attack is so dangerous.
The impact of losing access to your data can be severe, both for businesses and individuals. For businesses, imagine losing all your customer records, financial data, or intellectual property. This could disrupt operations, damage your reputation, and lead to significant financial losses. For example, a healthcare provider losing access to patient data could face legal repercussions and jeopardize patient care. Financial institutions could lose transaction records, leading to chaos and distrust. Individuals could lose precious photos, videos, and important documents, causing irreparable personal loss [5]. Without the decryption keys, this data is effectively lost forever [1].
Response
In response to this threat, AWS has taken steps to mitigate these attacks.
They have implemented automatic mitigations that help prevent unauthorized activity in many cases [8]. However, because the attackers use valid credentials, it’s difficult for AWS to always distinguish between legitimate and malicious use. This is why it’s crucial for users to follow security best practices and take responsibility for their own data protection. Amazon is also urging customers to deploy additional security measures to further secure their S3 buckets [7].
Conclusion
This incident underscores the importance of continuous vigilance when it comes to cloud security. While cloud providers like AWS work hard to secure their infrastructure, users also have a critical role to play. Think of it as a partnership: AWS provides the secure building, but you’re responsible for locking the doors and windows. Continuous monitoring of your cloud environment is essential to detect and respond to potential threats quickly [9]. Implementing security information and event management (SIEM) tools can help you track activity in your AWS account and identify any suspicious behavior [10]. By staying informed about emerging threats like the Codefinger attack and taking proactive steps to secure your data, you can ensure that your valuable information remains safe in the cloud.
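The two actions described above, an SSE-C write and a short lifecycle expiration, are the signals a SIEM rule for this campaign would look for in CloudTrail. The script below is an added example, not from the article or AWS: it scans constructed records laid out like CloudTrail S3 events (the `SSEApplied` field under `additionalEventData` and the `LifecycleConfiguration` request parameter are assumed field names; confirm them against your own trail before relying on this).

```python
"""Flag SSE-C object writes and short lifecycle expirations in CloudTrail-style records."""

# Constructed sample records trimmed to the fields used here. Account ID, user
# and bucket names are made up for this example.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "example-data", "key": "reports/q1.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "example-data", "key": "reports/q2.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutBucketLifecycle", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
     "requestParameters": {"bucketName": "example-data",
                           "LifecycleConfiguration": {"Rule": {"Expiration": {"Days": 7}, "Status": "Enabled"}}}},
]

MAX_EXPIRATION_DAYS = 30  # expirations at or below this are short enough to review; tune for your data

def classify(event):
    """Return a finding string if the event matches one of the two indicators, else None."""
    name = event.get("eventName")
    who = event.get("userIdentity", {}).get("arn", "unknown")
    params = event.get("requestParameters", {})
    bucket = params.get("bucketName", "?")
    # Indicator 1: an object written with a customer-provided key (SSE-C).
    if name == "PutObject" and event.get("additionalEventData", {}).get("SSEApplied") == "SSE_C":
        return f"SSE-C write by {who} to s3://{bucket}/{params.get('key')}"
    # Indicator 2: a lifecycle rule that expires objects after only a few days.
    if name == "PutBucketLifecycle":
        rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
        rules = rules if isinstance(rules, list) else [rules]  # one rule may arrive as a dict
        for rule in rules:
            days = rule.get("Expiration", {}).get("Days")
            if days is not None and days <= MAX_EXPIRATION_DAYS:
                return f"Lifecycle expiration of {days} days set by {who} on s3://{bucket}"
    return None

def scan(events):
    """Return the findings for every suspicious event in the list."""
    return [finding for finding in map(classify, events) if finding]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Either finding alone can be legitimate; the same principal producing both within a short window is the pattern worth paging on.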
by Thomas Whang, Feb 7, 2025
Works cited
1. Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C – Halcyon.ai, accessed January 20, 2025, https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c
2. Ransomware Campaign Encrypting Amazon S3 Buckets using SSE-C – Arctic Wolf, accessed January 20, 2025, https://arcticwolf.com/resources/blog/ransomware-campaign-encrypting-amazon-s3-buckets-using-sse-c/
3. Ransomware crew abuses AWS native encryption – The Register, accessed January 20, 2025, https://www.theregister.com/2025/01/13/ransomware_crew_abuses_compromised_aws/
4. AWS S3 Buckets Under Siege: New Ransomware Exploits SSE-C – Information Security Buzz, accessed January 20, 2025, https://informationsecuritybuzz.com/aws-s3-buckets-ransomware-exploits/
5. Compromised AWS Keys Abused in Codefinger Ransomware Attacks – SecurityWeek, accessed January 20, 2025, https://www.securityweek.com/compromised-aws-keys-abused-in-codefinger-ransomware-attacks/
6. Ransomware Campaign Targets Amazon S3 Buckets – BankInfoSecurity, accessed January 20, 2025, https://www.bankinfosecurity.com/ransomware-campaign-targets-amazon-s3-buckets-a-27294
7. Amazon Details Measures to Counter S3 Encryption Hacks – GovInfoSecurity, accessed January 20, 2025, https://www.govinfosecurity.com/amazon-details-measures-to-counter-s3-encryption-hacks-a-27339
8. Preventing unintended encryption of Amazon S3 objects – AWS Security Blog, accessed January 20, 2025, https://aws.amazon.com/blogs/security/preventing-unintended-encryption-of-amazon-s3-objects/
9. What is Cloud Security Monitoring? Benefits & Challenges – SentinelOne, accessed January 20, 2025, https://www.sentinelone.com/cybersecurity-101/cloud-security/cloud-security-monitoring/
10. What is Cloud Security Monitoring? Benefits, Challenges, and Best Practices – Wiz, accessed January 20, 2025, https://www.wiz.io/academy/cloud-security-monitoring