A newly identified ransomware group, “Codefinger,” has begun targeting AWS S3 buckets with alarming precision. Using AWS’s server-side encryption with customer-provided keys (SSE-C), the attackers encrypt data and hold it hostage, demanding payment for decryption keys. This approach represents a novel and potentially devastating tactic in the cloud security landscape.
According to Halcyon’s cybersecurity team, Codefinger executed two confirmed attacks on AWS-native software developers. The group first gains access to cloud storage by exploiting publicly exposed or compromised AWS keys.
Once inside, they employ the “x-amz-server-side-encryption-customer-algorithm” header to lock data using AES-256 encryption. Since AWS processes these encryption keys but does not store them, victims are unable to decrypt the files without the attackers’ cooperation.
Moreover, Codefinger escalates the threat by marking encrypted files for deletion within seven days using AWS’s S3 Object Lifecycle Management API. This strategy adds significant pressure, as organizations face the dual risk of losing access to their data and of its permanent deletion. Unlike traditional ransomware groups, Codefinger does not threaten to leak or sell data but instead focuses on destruction as leverage.
The attackers leave behind ransom notes in each directory, providing a Bitcoin address and a client ID linked to the encrypted data. They explicitly warn against altering permissions or files, emphasizing that such actions could terminate negotiations.
Tim West, VP at Halcyon, highlighted the systemic risks of this technique. He noted that leveraging AWS’s native encryption infrastructure could encourage broader adoption of similar methods. Consequently, he urged AWS users to enforce stricter IAM policies and limit SSE-C use to authorized applications. Additionally, he recommended frequent audits of AWS keys and regular rotation to reduce exposure.
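One way to act on the recommendation to limit SSE-C to authorized applications is a bucket policy that denies `s3:PutObject` whenever the `x-amz-server-side-encryption-customer-algorithm` header is present, unless the caller is an allow-listed principal. The script below, an added illustration rather than code from Halcyon or AWS, builds that policy and audits an existing policy document for such a statement; the bucket name and role ARN are constructed placeholders.

```python
import json

# S3 condition key that is set whenever a request carries the SSE-C algorithm header.
SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def ssec_deny_policy(bucket, allowed_principal_arns=()):
    """Return a bucket policy that denies SSE-C uploads except from approved principals."""
    # "Null": false means "the header is present"; the statement only applies then.
    condition = {"Null": {SSEC_KEY: "false"}}
    if allowed_principal_arns:
        # Exempt approved applications (e.g. a backup role) from the Deny.
        condition["ArnNotLike"] = {"aws:PrincipalArn": list(allowed_principal_arns)}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnapprovedSSEC",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",  # CopyObject also needs PutObject on the destination
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": condition,
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_blocks_ssec(policy):
    """True if the policy contains a Deny on PutObject conditioned on the SSE-C header."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("s3:PutObject", "s3:*", "*") for a in actions):
            continue
        null_cond = stmt.get("Condition", {}).get("Null", {})
        if str(null_cond.get(SSEC_KEY, "")).lower() == "false":
            return True
    return False


if __name__ == "__main__":
    # Constructed example: one approved backup role may still use SSE-C.
    policy = ssec_deny_policy("example-bucket", ["arn:aws:iam::123456789012:role/backup-writer"])
    print(json.dumps(policy, indent=2))
    print("blocks SSE-C:", policy_blocks_ssec(policy))
```

The audit function is deliberately conservative: it only recognizes the `Null` form of the condition, so a policy expressed differently should be reviewed by hand.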
In response, AWS detailed its proactive measures to mitigate such risks. These include identifying exposed keys, applying quarantine policies, and encouraging best practices like short-term credentials, multi-factor authentication, and secure API requests. AWS’s tools, such as Identity Center and Security Token Service, further reduce the likelihood of long-term key misuse.
The Codefinger attacks highlight the escalating sophistication of ransomware operations. They also underscore the critical importance of proactive cloud security measures. By addressing these vulnerabilities, organizations can better defend against increasingly complex threats.