Summary
Halcyon has identified a threat actor in the wild demanding a ransom payment after encrypting AWS S3 buckets using AWS native services. Specifically, the threat actor abuses publicly disclosed AWS access keys to apply Server-Side Encryption with Customer-Provided Keys (SSE-C). This attack has no known path to recovery without paying the threat actor for the symmetric AES-256 key. While SSE-C has been available since 2014, Halcyon believes that ransomware threat actors have only recently figured out how to leverage it. In the past two weeks, Halcyon's Ransomware Detection and Recovery Team has obtained intelligence confirming two victims of this campaign. Neither was a Halcyon customer.
Halcyon is reporting this to all Halcyon customers on December 18, 2024 and will publicly post it to our company blog on Dec 26, 2024 (one week later). We are delaying wider notice to give our customers time, since such notifications can lead to more threat actors using the disclosed information. Given the nature of the mitigations, we believe organizations at risk have enough time to remediate before this technique becomes well known to threat actors. We understand that the holidays are a difficult time to respond to threat advisories, but given the ease of the attack, we believe this best balances our goal of protecting our customers with contributing to the security community before this becomes a larger attack trend.
Breakdown of threat actor behavior:
- Threat actor identifies AWS access keys that are permitted to make s3:GetObject and s3:PutObject requests against objects in S3 buckets.
- Threat actor rewrites the objects with SSE-C: each write request sets the x-amz-server-side-encryption-customer-algorithm header to AES256 and supplies a threat-actor-provided AES-256 key. The threat actor generates and stores the key locally on their own system, keeps it secret, and associates it with a client ID in the ransom note. AWS does not retain the key once the request is processed, so the data is unrecoverable without it. Only an HMAC of the key is stored in the AWS CloudTrail logs for the encrypting operation, and that value is of no use in recovering the encrypted S3 data. From AWS:
- Threat actor marks all affected objects for deletion after 7 days using the S3 object lifecycle management REST API (an expiration rule on the bucket).
- Threat actor writes a ransom note into the directory of every affected object, requesting bitcoin to a provided address.
- Threat actor warns that any change to account or object permissions will end the threat actor's willingness to negotiate.
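The behavior above leaves a recognizable trail in CloudTrail S3 data events: object writes recorded with SSEApplied set to SSE_C, followed by a lifecycle change that expires objects in days. The following detection logic is an added example, not part of the Halcyon advisory; the event records are constructed to mimic the CloudTrail S3 data-event shape (only the fields the detection reads are present), and the access key IDs and bucket names are fictitious.

```python
"""Flag the SSE-C ransom pattern in CloudTrail S3 data events (added example).

The records below are constructed, not real CloudTrail output. Access key
AKIAEXAMPLE1 shows the attacker pattern from the advisory; AKIAEXAMPLE2 is
ordinary SSE-S3 traffic and must not be reported.
"""
from collections import defaultdict

# Object-write operations that can store an object under SSE-C.
SSEC_WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload"}

SAMPLE_EVENTS = [
    {"eventName": "GetObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"},
     "requestParameters": {"bucketName": "payroll-archive", "key": "2024/q3.parquet"},
     "additionalEventData": {"SSEApplied": "SSE_S3"}},
    # The same object written back under a customer-provided key.
    {"eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"},
     "requestParameters": {"bucketName": "payroll-archive", "key": "2024/q3.parquet"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "CopyObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"},
     "requestParameters": {"bucketName": "payroll-archive", "key": "2024/q4.parquet"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    # Seven-day expiration rule, as described in the advisory.
    {"eventName": "PutBucketLifecycle",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE1"},
     "requestParameters": {"bucketName": "payroll-archive",
                           "LifecycleConfiguration": {"Rule": {
                               "Status": "Enabled", "Expiration": {"Days": 7}}}}},
    {"eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE2"},
     "requestParameters": {"bucketName": "web-assets", "key": "img/logo.png"},
     "additionalEventData": {"SSEApplied": "SSE_S3"}},
]


def is_ssec_write(event):
    """True when an object write was stored with SSE-C (SSEApplied == SSE_C)."""
    if event.get("eventName") not in SSEC_WRITE_EVENTS:
        return False
    extra = event.get("additionalEventData") or {}
    return extra.get("SSEApplied") == "SSE_C"


def lifecycle_expiration_days(event):
    """Smallest enabled Expiration.Days set by a lifecycle write event, else None."""
    if event.get("eventName") not in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
        return None
    params = event.get("requestParameters") or {}
    rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
    if isinstance(rules, dict):  # a single rule is serialised as an object, not a list
        rules = [rules]
    days = [r["Expiration"]["Days"] for r in rules
            if r.get("Status") == "Enabled" and "Days" in (r.get("Expiration") or {})]
    return min(days) if days else None


def analyze(events):
    """Group events by access key; report keys that wrote SSE-C objects.

    A key that also shortened object lifetimes is rated critical, since that is
    the delete-after-N-days step of the ransom pattern.
    """
    per_key = defaultdict(lambda: {"ssec_writes": 0, "buckets": set(), "lifecycle_days": None})
    for ev in events:
        key_id = (ev.get("userIdentity") or {}).get("accessKeyId", "unknown")
        bucket = (ev.get("requestParameters") or {}).get("bucketName")
        rec = per_key[key_id]
        if is_ssec_write(ev):
            rec["ssec_writes"] += 1
            rec["buckets"].add(bucket)
        days = lifecycle_expiration_days(ev)
        if days is not None and (rec["lifecycle_days"] is None or days < rec["lifecycle_days"]):
            rec["lifecycle_days"] = days
            rec["buckets"].add(bucket)
    findings = {}
    for key_id, rec in per_key.items():
        if rec["ssec_writes"] == 0:
            continue  # keys that never wrote SSE-C objects are not reported
        rec["severity"] = "critical" if rec["lifecycle_days"] is not None else "high"
        rec["buckets"] = sorted(b for b in rec["buckets"] if b)
        findings[key_id] = rec
    return findings


if __name__ == "__main__":
    for key_id, f in analyze(SAMPLE_EVENTS).items():
        print(key_id, f["severity"], f["ssec_writes"], "SSE-C writes;",
              "expiration days:", f["lifecycle_days"], "buckets:", f["buckets"])
```

This only works if CloudTrail S3 data events are enabled for the buckets in question; management events alone do not record PutObject or CopyObject. Treat any SSE-C write from a key that has never used SSE-C before as worth a look on its own, and the pairing with a short expiration rule as an incident.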
Recommendations for Hardening Your Environment
AWS makes it fairly simple to block SSE-C in your environment with a policy on the S3 buckets you own. The Condition element of an IAM or bucket policy, keyed on s3:x-amz-server-side-encryption-customer-algorithm, can deny any object write that requests SSE-C on the data you manage.
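As an added example (not code from the advisory), the following generates such a bucket policy and includes a deliberately minimal checker for the Null condition it relies on. The checker understands only Deny statements with a Null condition and is not IAM's evaluation logic; the bucket name is a placeholder.

```python
"""Bucket policy that refuses SSE-C writes, plus a tiny Null-condition checker.

Added example, not the advisory's own code. ssec_deny_policy() emits the policy
document; denied_by_policy() exists only to show which requests the policy
stops, it is not a general IAM evaluator.
"""
import json

SSEC_ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"
SSEC_ALGO_CONDITION_KEY = "s3:" + SSEC_ALGO_HEADER


def ssec_deny_policy(bucket):
    """Deny any s3:PutObject to the bucket that carries the SSE-C algorithm header."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Null/false matches when the key IS present in the request context,
            # so the Deny fires only for requests that ask for SSE-C.
            "Condition": {"Null": {SSEC_ALGO_CONDITION_KEY: "false"}},
        }],
    }


def denied_by_policy(policy, action, headers):
    """True if a Deny statement whose Null condition matches the request exists.

    headers: the request's x-amz-* headers; only the SSE-C algorithm header is
    mapped onto an IAM condition key here.
    """
    present = set()
    if any(h.lower() == SSEC_ALGO_HEADER for h in headers):
        present.add(SSEC_ALGO_CONDITION_KEY)
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        null_cond = stmt.get("Condition", {}).get("Null", {})
        # "true" means "key absent", "false" means "key present"; every entry must match.
        if all((key in present) == (want == "false") for key, want in null_cond.items()):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(ssec_deny_policy("payroll-archive"), indent=2))
```

Apply the generated document with `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json`; the same Condition can be placed in an identity policy or a service control policy. Note that the Deny only stops new SSE-C writes: objects an attacker has already re-encrypted stay unreadable without the attacker's key, and exposed access keys still have to be found and rotated.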
Contact your AWS support team for further assistance.
Additional Resources:
Using server-side encryption with customer-provided keys (SSE-C) - Amazon Simple Storage Service
Protecting data with server-side encryption - Amazon Simple Storage Service