
Article

AWS Falls Victim to Ransomware


An emerging ransomware group dubbed Codefinger has been observed encrypting objects held in Amazon Web Services (AWS) Simple Storage Service (S3) buckets. Exposed or over-permissioned buckets have long been a target of extortionists looking for a payday through data theft, but this is the first known campaign in which the objects themselves are encrypted using a native AWS feature rather than copied out and ransomed. The threat actor achieves this with SSE-C (server-side encryption with customer-provided keys), a built-in S3 option under which the caller supplies its own AES-256 key on each request: the attacker re-writes the victim's objects with a key only the attacker holds, leaving the data in place but unreadable to its owner.


What’s Notable and Unique

  • SSE-C lets AWS users encrypt their objects with a key they generate and manage themselves. S3 does not store that key; it keeps only a salted HMAC of it to validate later requests, so neither AWS nor the bucket owner can decrypt an SSE-C object without the original key. That design is exactly what the attackers abuse. The threat actors associated with Codefinger first obtained compromised AWS credentials with read and write access to the victim's buckets, then re-encrypted the data with SSE-C under a key of their own, leaving victims to pay for the key or lose access to the encrypted data.
  • In previous Arete engagements involving data exfiltration from S3 buckets, the ransom demands have been nominal. That, coupled with the fact that victims are less likely to pay when no data has been encrypted, has kept the overall impact on the threat landscape low. With the encryption method now showcased by Codefinger, both the size of ransom demands and the likelihood of payment may increase.
  • Native encryption capabilities exist in a variety of software and operating systems and have been abused before; the most commonly abused is BitLocker, the Windows full-disk encryption feature.
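The two points above, what an SSE-C request actually carries and how a defender spots and blocks bulk SSE-C writes made with a compromised identity, are demonstrated in the following Python example. It is added here and is not code from the Arete article or the underlying Halcyon report. It assumes CloudTrail S3 data events that carry `additionalEventData.SSEApplied` (values such as `SSE_C`, `SSE_KMS`, `SSE_S3`), which should be verified against your own CloudTrail output; every bucket name, principal ARN, IP address, object key and the 32-byte key are constructed sample data. The bucket policy uses the documented `s3:x-amz-server-side-encryption-customer-algorithm` condition key; `s3:PutObject` covers PutObject, CopyObject to a destination and multipart uploads.

```python
import base64
import hashlib
import json
from collections import Counter

# --- 1. What an SSE-C request carries --------------------------------------
# The client sends the raw 256-bit key on every request, base64-encoded, plus
# a base64 MD5 of that key which S3 uses only to verify the key arrived
# intact. S3 keeps no copy of the key, so an object written this way can be
# read again only by a caller who presents the same key.

SAMPLE_KEY = bytes(range(32))  # constructed 32-byte key, not from any incident


def sse_c_headers(key: bytes) -> dict:
    """Return the SSE-C request headers for a 256-bit customer key."""
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        "x-amz-server-side-encryption-customer-algorithm": "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def key_md5_matches(headers: dict, key: bytes) -> bool:
    """Mimic S3's integrity check: the MD5 header must match the supplied key.
    Passing the check proves nothing about the key's origin; it is not a
    recovery path for the bucket owner."""
    expected = base64.b64encode(hashlib.md5(key).digest()).decode()
    return headers.get("x-amz-server-side-encryption-customer-key-MD5") == expected


# --- 2. Detecting SSE-C writes in CloudTrail S3 data events ----------------
# Assumption: each record carries additionalEventData.SSEApplied.
WRITE_EVENTS = {"PutObject", "CopyObject", "UploadPart", "CompleteMultipartUpload"}


def _event(name, principal, ip, bucket, key, sse, when):
    """Build an abridged, constructed CloudTrail S3 data-event record."""
    return {
        "eventTime": when, "eventSource": "s3.amazonaws.com", "eventName": name,
        "userIdentity": {"arn": principal}, "sourceIPAddress": ip,
        "requestParameters": {"bucketName": bucket, "key": key},
        "additionalEventData": {"SSEApplied": sse},
    }


SVC = "arn:aws:iam::111122223333:user/backup-svc"   # constructed principal
APP = "arn:aws:iam::111122223333:role/app-writer"   # constructed principal
SAMPLE_EVENTS = [  # constructed sample log, not real victim data
    _event("PutObject", APP, "10.0.4.12", "acme-prod-data", "exports/orders.csv", "SSE_KMS", "2025-01-10T02:14:07Z"),
    _event("GetObject", SVC, "10.0.4.20", "acme-prod-data", "exports/orders.csv", "SSE_KMS", "2025-01-10T02:50:00Z"),
    _event("CopyObject", SVC, "198.51.100.7", "acme-prod-data", "exports/orders.csv", "SSE_C", "2025-01-10T03:01:12Z"),
    _event("CopyObject", SVC, "198.51.100.7", "acme-prod-data", "exports/invoices.csv", "SSE_C", "2025-01-10T03:01:13Z"),
    _event("CopyObject", SVC, "198.51.100.7", "acme-prod-data", "db/backup.sql.gz", "SSE_C", "2025-01-10T03:01:15Z"),
]


def is_sse_c_write(event: dict) -> bool:
    """True for object writes that applied a customer-provided key."""
    return (event.get("eventName") in WRITE_EVENTS
            and event.get("additionalEventData", {}).get("SSEApplied") == "SSE_C")


def find_sse_c_writes(events) -> list:
    """One finding per SSE-C write: who, from where, and which object."""
    out = []
    for ev in events:
        if is_sse_c_write(ev):
            rp = ev.get("requestParameters", {})
            out.append({"time": ev["eventTime"], "event": ev["eventName"],
                        "principal": ev.get("userIdentity", {}).get("arn"),
                        "source_ip": ev.get("sourceIPAddress"),
                        "object": f'{rp.get("bucketName")}/{rp.get("key")}'})
    return out


def principals_over_threshold(findings, threshold: int = 2) -> dict:
    """Principals with at least `threshold` SSE-C writes. A burst of SSE-C
    CopyObject calls from one identity, in a bucket whose normal encryption
    is SSE-S3 or SSE-KMS, is the pattern to page on."""
    counts = Counter(f["principal"] for f in findings)
    return {p: n for p, n in counts.items() if n >= threshold}


# --- 3. Preventive bucket policy -------------------------------------------
def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy denying any object write that presents an SSE-C key.
    The Null condition evaluates to false when the header is present, so the
    Deny matches only SSE-C requests; SSE-S3 and SSE-KMS writes still work."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECObjectWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        }],
    }


if __name__ == "__main__":
    findings = find_sse_c_writes(SAMPLE_EVENTS)
    for f in findings:
        print(f)
    print("page on:", principals_over_threshold(findings))
    print(json.dumps(deny_sse_c_policy("acme-prod-data"), indent=2))
```

Two practical notes. The detection only works if S3 data events are actually being logged for the buckets in question; management events alone never show PutObject or CopyObject. And on a versioning-enabled bucket an in-place CopyObject with SSE-C creates a new object version while the earlier version remains readable until someone deletes or expires it, so versioning combined with tight control over `s3:DeleteObjectVersion` and lifecycle configuration limits what a stolen credential can destroy; the policy above blocks the SSE-C write itself and is the simpler control to apply first on buckets that never legitimately use customer-provided keys.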


Analyst Comments

The encryption of data held in the cloud is notable because it opens a new playing field for cybercriminals, one in which many organizations operate under a false sense of security, assuming that data stored with a cloud provider is beyond the reach of ransomware. It is still too early to say with high confidence whether other threat groups will adopt this encryption method, or whether Codefinger will become a prolific cybercrime group. Should the tactic be widely adopted, however, it would significantly expand the threat landscape available to cybercriminals.


Sources

Halcyon, "Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C"