A new wave of ransomware attacks is targeting cloud storage environments, specifically focusing on Amazon Simple Storage Service (S3) buckets that contain critical business data.
Unlike traditional ransomware that encrypts files using malicious software, these attacks exploit weak access controls and configuration mistakes in cloud environments to lock organizations out of their own data.
As more businesses move their operations to the cloud, attackers are adapting their methods, shifting away from on-premises systems to cloud-based resources where valuable information is stored.
These attacks can result in complete data loss, operational disruptions, and significant financial damage if organizations lack proper backup and recovery systems.
The threat actors behind these campaigns gain unauthorized access through stolen credentials, leaked access keys found in public code repositories, or compromised AWS accounts with excessive permissions.
Once inside, they identify vulnerable S3 buckets by checking for specific weaknesses such as disabled versioning, missing object lock protection, and improper write permissions.
The attackers then proceed to encrypt data using various encryption techniques, delete original files, or exfiltrate sensitive information before demanding ransom payments.
What makes these attacks particularly dangerous is their ability to use native cloud features to conduct malicious activities while remaining hidden from traditional security monitoring tools.
Trend Micro security researchers identified five distinct ransomware variants that specifically target S3 storage environments, each using different attack methods to achieve data encryption or deletion.
These variants range from using customer-managed encryption keys with scheduled deletion timelines to leveraging server-side encryption with customer-provided keys that AWS cannot recover.
The researchers documented both observed attack techniques used in real-world incidents and potential future attack vectors that organizations should prepare to defend against.
Their analysis provides detailed technical breakdowns of how each variant operates and what security measures can prevent these attacks.
Attack Mechanism and Technical Execution
The Server-Side Encryption with Customer-Provided Keys (SSE-C) variant represents one of the most dangerous attack methods because it creates permanently unrecoverable encrypted data.
In this approach, threat actors first gain write-level access to victim S3 buckets through compromised credentials or IAM access keys leaked in public GitHub repositories.
After identifying target buckets without proper protections, attackers initiate encryption by supplying their own, locally stored AES-256 key in the SSE-C request headers of each write, either directly over HTTP or through the AWS command-line tools.
The critical aspect of this technique is that AWS uses the attacker’s encryption key to secure the data but never stores the actual key in its systems.
AWS only records a Hash-based Message Authentication Code (HMAC) of the encryption key in CloudTrail; the HMAC cannot be reversed to recover the key and cannot be used to decrypt the protected data.
This means neither the victim organization nor AWS support teams can recover the encrypted information once the attacker completes the encryption process.
After encrypting all target files, the attackers deposit ransom notes in the affected buckets, typically naming them “ransom-note.txt” or similar variations, which contain instructions for payment and communication.
The entire attack can be executed rapidly, and because the encryption key exists only on the attacker’s systems, victims face a permanent lockout unless they pay the ransom or have separate backup copies stored securely.
Organizations can protect against this variant by implementing specific policy controls that block SSE-C encryption requests at the bucket level or through organization-wide resource control policies.
Security teams should monitor CloudTrail logs for unusual SSE-C encryption activity and enforce policies that deny PutObject requests carrying the customer-provided encryption algorithm header (x-amz-server-side-encryption-customer-algorithm), which removes this attack vector from their cloud environments.
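As an added example (not code from the article or from Trend Micro's research), the following Python builds a bucket policy of the kind described above, shows how its Null condition rejects an SSE-C write while leaving KMS-encrypted writes alone, and hunts a handful of CloudTrail records for SSE-C writes. The `s3:x-amz-server-side-encryption-customer-algorithm` condition key is AWS's documented key for that header; the bucket name, the `additionalEventData.SSEApplied` field and the log records are constructed assumptions for the demonstration.

```python
# Added example; bucket name and log records below are constructed placeholders.
BUCKET = "example-bucket"
SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject", "UploadPart", "CreateMultipartUpload"}

def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy denying object writes that carry the SSE-C algorithm header.
    Null:"false" matches requests in which the condition key IS present."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECWrites",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {"s3:" + SSEC_HEADER: "false"}},
        }],
    }

def request_denied(policy: dict, action: str, headers: dict) -> bool:
    """Minimal evaluator for Deny statements with a Null condition, to show the
    policy rejecting an SSE-C write while leaving other writes alone."""
    present = {"s3:" + k.lower() for k in headers}
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny" or stmt["Action"] != action:
            continue
        for key, want in stmt["Condition"]["Null"].items():
            # Null "true" = key absent, "false" = key present; deny when matched.
            if (key not in present) == (want == "true"):
                return True
    return False

def find_sse_c_writes(records: list) -> list:
    """Flag CloudTrail S3 data events that wrote with SSE-C. The
    additionalEventData.SSEApplied field is an assumed record layout."""
    return [(r["userIdentity"]["arn"], r["requestParameters"]["key"])
            for r in records
            if r.get("eventName") in WRITE_EVENTS
            and r.get("additionalEventData", {}).get("SSEApplied") == "SSE_C"]

def _ev(user: str, sse: str) -> dict:  # constructed CloudTrail-like record
    return {"eventName": "PutObject", "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"},
            "requestParameters": {"bucketName": BUCKET, "key": "reports/q1.csv"},
            "additionalEventData": {"SSEApplied": sse}}

# Constructed sample records: a normal KMS-encrypted write and an SSE-C write.
SAMPLE_EVENTS = [_ev("ci", "SSE_KMS"), _ev("leaked", "SSE_C")]
```

The same Deny statement can be placed in an organization-wide resource control policy to cover every bucket at once.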