New Codefinger Ransomware Exploits AWS to Encrypt S3 Buckets
The Halcyon RISE Team has identified a new Codefinger ransomware campaign targeting Amazon S3 buckets. This attack leverages AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data, demanding ransom payments for the symmetric AES-256 keys required to decrypt it.
The Halcyon RISE Team has uncovered a novel ransomware campaign targeting Amazon S3 buckets, marking a significant escalation in sophistication. This campaign leverages AWS’s own Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt victim data, turning a powerful security feature into a weapon against its intended users.
Unlike traditional ransomware that encrypts files locally, this attack operates directly within the AWS environment, exploiting the inherent security of SSE-C to render data irretrievable without the attacker’s decryption keys.
According to Halcyon’s investigation, shared with Hackread.com, this campaign is attributed to a threat actor dubbed “Codefinger.” The attack begins by acquiring AWS credentials, either through social engineering ...
Copyright of this story solely belongs to hackread.com.