Published on: January 21, 2025
A new ransomware campaign is targeting Amazon Web Services (AWS) S3 buckets, encrypting objects with keys that only the attacker holds, so the data cannot be recovered without that key or an independent copy. Dubbed “Codefinger,” the attack leverages AWS’s own Server-Side Encryption with Customer-Provided Keys (SSE-C) to lock sensitive files.
Security researchers have confirmed that the attack does not exploit an AWS vulnerability. Instead, it hinges on attackers obtaining valid AWS credentials with permission to write to the target buckets. Once inside, they rewrite the stored objects using SSE-C, supplying their own AES-256 keys. With SSE-C, S3 encrypts each object with the key the caller provides and retains only a salted HMAC of that key to validate later requests, never the key itself, so neither the victim nor AWS can decrypt the data once the attacker withholds the key.
“This is a great example of where password reuse or sticking with easy-to-guess passwords, along with no two-factor authentication, will come back to bite admins,” says Darren James, Senior Product Manager at Specops Software.
Once the data is encrypted, Codefinger raises the stakes by scheduling it for deletion within seven days. Victims receive a ransom note warning against any attempts to modify account permissions. Many organizations, facing potential data loss and operational chaos, feel pressured to pay.
The debate around ransomware payments continues to divide experts.
“The topic of ransomware payments is one which is fiercely debated,” said Javvad Malik, Lead Security Awareness Advocate at KnowBe4.
Dr. Darren Williams, CEO of BlackFog, warns against trusting cybercriminals.
“At the end of the day, you are negotiating with criminals who are unlikely to uphold their end of the deal, and in many cases, they go further than leaking stolen data by targeting the same victim a short time later,” he said.
Some experts are pushing for a complete ban on ransomware payments, especially for critical infrastructure.
“Ransom payments should be banned: increasing payouts mean a corresponding rise in malicious activity,” said Mike Kiser, Director of Strategy and Standards at SailPoint.
However, critics argue that banning payments may lead to under-the-table dealings, making things even more complicated.
Security professionals emphasize that Codefinger’s success is largely due to compromised AWS credentials.
“This latest ransomware attack could have been avoided,” James said. “On the upside, at least SSE-C is a strong encryption method, but it is not good to see it used against the good guys rather than for them.”
Experts recommend enforcing strong passwords, rotating IAM access keys regularly, and making MFA mandatory. Monitoring AWS CloudTrail for unusual activity, such as a burst of object writes encrypted with SSE-C from a single principal, can also aid in detection. Note that S3 object-level operations are CloudTrail data events, which are not recorded unless data event logging is enabled on the trail.
While SSE-C is a valuable tool for enhancing data security, experts suggest that its use should be strictly controlled. Where a workload does not need it, a bucket policy or IAM policy can deny PutObject requests that carry the SSE-C header (exposed as the s3:x-amz-server-side-encryption-customer-algorithm condition key), and any remaining SSE-C use should be watched for in CloudTrail. Because SSE-C keys are supplied by the caller and never stored by AWS, there is no key inventory to audit after the fact; the trail is the only record.
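The two controls above, detection in CloudTrail and a policy that blocks SSE-C writes, as an added example that is not code from the article, AWS or the Codefinger reports. The sample records are constructed rather than real CloudTrail output; the field names used (eventName, eventTime, userIdentity.arn, requestParameters.bucketName, additionalEventData.SSEApplied) follow CloudTrail's S3 data-event schema as I understand it and should be verified against your own trail. The account ID, ARNs and bucket name are invented.

```python
"""Flag bulk SSE-C writes in CloudTrail S3 data events and build the bucket
policy that denies SSE-C uploads. Added example; sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# S3 operations that write object bytes and therefore carry an SSE header.
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}


def _ts(s: str) -> datetime:
    """Parse CloudTrail's ISO-8601 eventTime, e.g. 2025-01-20T09:15:01Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sse_c_writes(events):
    """Return the write events whose object was encrypted with SSE-C.
    (SSEApplied == "SSE_C" is the assumed CloudTrail marker.)"""
    return [
        e for e in events
        if e.get("eventName") in WRITE_EVENTS
        and e.get("additionalEventData", {}).get("SSEApplied") == "SSE_C"
    ]


def bulk_sse_c_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Return {principal_arn: peak_count} for principals that issue at least
    `threshold` SSE-C writes inside any interval of length `window`.
    A sliding window over sorted timestamps catches a short burst that a
    per-day count would dilute."""
    by_principal = defaultdict(list)
    for e in sse_c_writes(events):
        by_principal[e["userIdentity"]["arn"]].append(_ts(e["eventTime"]))

    alerts = {}
    for arn, times in by_principal.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink window from the left
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[arn] = peak
    return alerts


def sse_c_deny_policy(bucket: str) -> dict:
    """Bucket policy denying PutObject (CopyObject and multipart uploads are
    authorized as PutObject on the destination) whenever the request carries
    the SSE-C algorithm header. "Null": "false" means the key IS present."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {
                "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}
            },
        }],
    }


def _event(name, arn, when, bucket, key, sse):
    """Build one constructed CloudTrail-style S3 data event."""
    return {
        "eventName": name,
        "eventTime": when,
        "userIdentity": {"arn": arn},
        "requestParameters": {"bucketName": bucket, "key": key},
        "additionalEventData": {"SSEApplied": sse},
    }


ATTACKER = "arn:aws:iam::111122223333:user/leaked-deploy-key"  # constructed
APP = "arn:aws:iam::111122223333:role/app-writer"              # constructed

# Constructed sample: the leaked key re-encrypts six objects with SSE-C in
# 100 seconds, while the application role keeps writing with SSE-KMS.
SAMPLE_EVENTS = [
    _event("CopyObject", ATTACKER, f"2025-01-20T09:{15 + i // 60:02d}:{i % 60:02d}Z",
           "finance-reports", f"q4/report-{i}.pdf", "SSE_C")
    for i in range(0, 120, 20)
] + [
    _event("PutObject", APP, f"2025-01-20T09:{m:02d}:00Z",
           "finance-reports", f"uploads/file-{m}.csv", "SSE_KMS")
    for m in range(0, 60, 5)
]

if __name__ == "__main__":
    import json
    print("SSE-C writes seen:", len(sse_c_writes(SAMPLE_EVENTS)))
    print("Bulk SSE-C alerts:", bulk_sse_c_alerts(SAMPLE_EVENTS))
    print(json.dumps(sse_c_deny_policy("finance-reports"), indent=2))
```

Run against a real trail, feed the JSON records from your S3 data events into bulk_sse_c_alerts and tune the threshold to the normal write volume of each principal; any SSE-C write at all is worth an alert in an account that does not use the feature. The deny policy should be applied per bucket only after confirming no legitimate workload depends on SSE-C, since it rejects every PutObject that names a customer-provided key algorithm.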
The rise of attacks like Codefinger highlights an evolving threat landscape in which even trusted security features can become tools of extortion. Under AWS’s shared responsibility model, safeguarding credentials and managing access is the customer’s job, not AWS’s.
Regular security audits, disabling unused IAM access keys, and keeping versioned or independently stored backups, so that an object overwritten with an SSE-C copy can be restored without the attacker’s key, go a long way in defending against threats like Codefinger. Ultimately, staying ahead of ransomware requires proactive measures and strong cyber hygiene. Whether or not to pay a ransom remains a tough ethical and legal decision, but sound security practices remain the best defense against such attacks.