
Mass Ransomware Attack Targets S3 Buckets with AWS Keys Obtained Illicitly


Researchers have disclosed a large-scale ransomware campaign against Amazon Web Services (AWS) customers in which the attackers used more than 1,200 stolen AWS access keys to encrypt the contents of S3 buckets, AWS's object storage service. After encrypting the victims' objects, the attackers left a ransom note in each bucket demanding 0.3 BTC (roughly $25,000 at the time).

Investigating further, the researchers found an exposed database holding more than 158 million AWS secret key records, 1,229 of which were unique credential pairs, each an Access Key ID with its corresponding Secret Access Key. Some of these credentials had already been revoked, but others were still valid and gave the attackers enough access to read and overwrite bucket contents.

Of particular concern was the attackers' use of S3's Server-Side Encryption with Customer-Provided Keys (SSE-C). With SSE-C the client supplies its own AES-256 key in the request headers; S3 encrypts the object with that key, retains only a randomly salted HMAC of the key to validate later requests, and discards the key itself, so neither AWS nor the bucket owner can recover the data without it. The attackers rewrote objects in place with SSE-C using keys that only they held. Nothing was deleted and the bucket listing looked unchanged, and because object-level PutObject and CopyObject calls are S3 data events, which CloudTrail does not record unless data-event logging has been switched on, the rewrites left no trace in the default audit trail.

Unlike a typical ransomware operation, which exfiltrates data and threatens to leak it, this campaign relied on a "silent compromise" strategy. The attackers encrypted the data with strong keys they generated themselves and then configured S3 lifecycle rules to delete the objects automatically after a short period, pressuring victims to pay quickly. Some affected accounts appeared to be operating normally, which led the researchers to suspect that some victims did not yet know their data had been encrypted.

Cybersecurity researcher Bob Diachenko described the coordinated campaign as unprecedented and dangerous, emphasizing that it relied on stolen AWS keys rather than on sophisticated hacking techniques. Stolen keys pose a lasting threat: as long as they remain valid, even newly created and still-empty backup buckets can be targeted in future attacks.

How the attackers obtained so many AWS keys remains unclear, but the researchers point to common mistakes that could have supplied them: secrets committed to public repositories, misconfigured CI/CD tools, earlier data breaches, and long-lived access keys on old, unmonitored IAM users. The attackers' identities are still unknown, and the operation appears to be largely automated, with a ransom note left in each affected S3 bucket giving payment details and contact information.
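The leak vectors listed above (secrets committed to repositories and CI/CD configuration) are the kind of thing a secret scan is meant to catch. The following added example, which is not code from the article or from the researchers it cites, scans text for AWS access key IDs and maps each to the account it belongs to, which tells a responder which account to rotate first. The key ID formats are AWS-documented (AKIA for long-term IAM user keys, ASIA for temporary STS keys, 20 characters). The account-ID derivation follows the encoding worked out by third-party researchers, which AWS itself does not document: the 16 characters after the prefix are base32, and the account ID is bits 1..40 of the first six decoded bytes. The scanned text, the helper that builds a key for a given account, and the key ID for account 123456789012 are constructed for the example.

```python
"""Find AWS access key IDs leaked into files (repositories, CI configs,
READMEs) and map each to the account it belongs to, for triage.

Added example, not code from the article or from the researchers it cites.
The account-ID derivation follows the encoding described by third-party
researchers (AWS does not document it); the scanned text is constructed.
"""
import base64
import re

# 20-character key ID: documented prefix plus a 16-character base32 body.
KEY_ID_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z2-7]{16})\b")
# A 40-character secret assigned next to its key ID makes the pair usable.
SECRET_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})")


def account_id_from_key_id(key_id):
    """Return the 12-digit AWS account ID encoded in an access key ID,
    or None if the body is not valid base32."""
    try:
        raw = base64.b32decode(key_id[4:])        # 16 base32 chars -> 10 bytes
    except ValueError:                            # binascii.Error is a ValueError
        return None
    head = int.from_bytes(raw[:6], "big")         # first 48 bits
    return (head & 0x7FFFFFFFFF80) >> 7           # drop top bit, keep next 40


def key_id_for_account(account_id, tail=b"\x00\x00\x00\x00", prefix="AKIA"):
    """Inverse of the above; used here only to build constructed sample keys."""
    head = (account_id << 7).to_bytes(6, "big")
    return prefix + base64.b32encode(head + tail).decode("ascii")


def find_leaked_keys(text):
    """Return (line_no, key_id, account_id) for every key ID found in text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_ID_RE.finditer(line):
            key_id = match.group(1)
            hits.append((line_no, key_id, account_id_from_key_id(key_id)))
    return hits


def has_secret_key(text):
    """True if a 40-character secret access key is assigned anywhere in text."""
    return SECRET_RE.search(text) is not None


# Constructed file contents: a CI config plus a stale README comment.
# AKIAIOSFODNN7EXAMPLE and the secret are AWS documentation placeholders.
SAMPLE_TEXT = f"""# constructed CI config for the example, not a real leak
env:
  AWS_ACCESS_KEY_ID: {key_id_for_account(123456789012)}
  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# stale note left in a README
# aws configure --profile old  (key AKIAIOSFODNN7EXAMPLE)
"""

if __name__ == "__main__":
    for line_no, key_id, account_id in find_leaked_keys(SAMPLE_TEXT):
        print(f"line {line_no}: {key_id} -> account {account_id}")
    print("secret present:", has_secret_key(SAMPLE_TEXT))
```

Run over a checkout or a CI log, the scan yields the key IDs plus the owning account, which is enough to open the right account, check the key's last-used time in IAM, and deactivate it; the secret itself never needs to be handled by the scanner beyond noting that one is present.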

In response, the researchers recommend that organizations audit their IAM credentials now, rotating or deleting long-lived access keys; turn on AWS's own monitoring, such as CloudTrail data events for S3 and GuardDuty; scan repositories and CI/CD configuration for exposed secrets; move to short-lived STS credentials under least-privilege policies; and restrict SSE-C to the buckets that genuinely need it, with detailed logging wherever it remains allowed. A bucket policy can deny PutObject and CopyObject requests that carry the s3:x-amz-server-side-encryption-customer-algorithm condition key, and S3 Versioning (ideally with Object Lock, so the attacker cannot delete prior versions) keeps the original version of an object available after an SSE-C overwrite. The matter has been reported to AWS, and further information from the provider is awaited.
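The SSE-C rewrite described earlier, followed by a lifecycle rule that schedules deletion, is visible in CloudTrail once S3 data events are logged. The following added example, which is not code from the article or from the researchers it cites, triages a batch of CloudTrail records for exactly that pairing: it counts SSE-C object writes per access key ID, records lifecycle changes per key, and reports keys that did both on the same bucket. It assumes data-event logging is enabled for the buckets concerned and that records follow the CloudTrail S3 layout, with the SSE-C request header under requestParameters and additionalEventData.SSEApplied naming the encryption mode. The records, buckets, IP addresses and key IDs (AWS documentation placeholders) are constructed sample data.

```python
"""Triage S3 CloudTrail records for the stolen-key SSE-C ransomware pattern:
objects rewritten with customer-provided keys, then a lifecycle rule that
schedules their deletion.

Added example, not code from the article or from the researchers it cites.
Assumes CloudTrail S3 data events are enabled (PutObject/CopyObject are data
events and are not logged by default). All records below are constructed.
"""
from collections import defaultdict

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
OBJECT_WRITES = {"PutObject", "CopyObject"}
LIFECYCLE_WRITES = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def uses_ssec(record):
    """True when an object write supplied a customer-provided key (SSE-C)."""
    params = record.get("requestParameters") or {}
    extra = record.get("additionalEventData") or {}
    return SSEC_HEADER in params or extra.get("SSEApplied") == "SSE_C"


def triage(records):
    """Summarise SSE-C rewrites and lifecycle changes per access key ID."""
    per_key = defaultdict(lambda: {
        "ssec_writes": 0,
        "ssec_buckets": set(),
        "lifecycle_buckets": set(),
        "source_ips": set(),
    })
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        name = rec.get("eventName")
        key_id = (rec.get("userIdentity") or {}).get("accessKeyId", "<none>")
        bucket = (rec.get("requestParameters") or {}).get("bucketName", "<none>")
        if name in OBJECT_WRITES and uses_ssec(rec):
            entry = per_key[key_id]
            entry["ssec_writes"] += 1
            entry["ssec_buckets"].add(bucket)
        elif name in LIFECYCLE_WRITES:
            entry = per_key[key_id]
            entry["lifecycle_buckets"].add(bucket)
        else:
            continue                      # ordinary traffic is not retained
        entry["source_ips"].add(rec.get("sourceIPAddress", "<none>"))
    return dict(per_key)


def ransomware_indicators(summary):
    """Keys that both rewrote objects with SSE-C and changed the lifecycle
    configuration of one of the same buckets, mapped to those buckets.
    Either half alone can be legitimate; the pair on one bucket from one
    key is the encrypt-then-schedule-deletion pattern."""
    hits = {}
    for key_id, entry in summary.items():
        overlap = entry["ssec_buckets"] & entry["lifecycle_buckets"]
        if overlap:
            hits[key_id] = sorted(overlap)
    return hits


def make_record(event, key_id, bucket, ip, obj=None, sse=None):
    """Build a constructed CloudTrail-style record (sample data, not a real log)."""
    params = {"bucketName": bucket, "Host": f"{bucket}.s3.amazonaws.com"}
    extra = {"SignatureVersion": "SigV4"}
    if obj is not None:
        params["key"] = obj
    if sse == "SSE_C":
        params[SSEC_HEADER] = "AES256"    # the header the attacker must send
    if sse is not None:
        extra["SSEApplied"] = sse
    return {
        "eventVersion": "1.09",
        "eventSource": "s3.amazonaws.com",
        "eventName": event,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key_id},
        "requestParameters": params,
        "additionalEventData": extra,
    }


STOLEN = "AKIAIOSFODNN7EXAMPLE"   # AWS documentation placeholder key IDs
NORMAL = "AKIAI44QH8DHBEXAMPLE"

SAMPLE_RECORDS = [
    make_record("PutObject", NORMAL, "corp-backups", "203.0.113.10", "db/2025-01-01.sql.gz", "SSE_KMS"),
    make_record("CopyObject", STOLEN, "corp-backups", "198.51.100.7", "db/2025-01-01.sql.gz", "SSE_C"),
    make_record("CopyObject", STOLEN, "corp-backups", "198.51.100.7", "db/2025-01-02.sql.gz", "SSE_C"),
    make_record("PutObject", STOLEN, "corp-backups", "198.51.100.7", "warning.txt"),  # ransom note, plain
    make_record("PutBucketLifecycle", STOLEN, "corp-backups", "198.51.100.7"),
    make_record("PutBucketLifecycle", NORMAL, "corp-logs", "203.0.113.10"),  # routine retention change
]

if __name__ == "__main__":
    summary = triage(SAMPLE_RECORDS)
    for key_id, buckets in ransomware_indicators(summary).items():
        entry = summary[key_id]
        print(f"{key_id}: {entry['ssec_writes']} SSE-C rewrites, lifecycle changed on "
              f"{buckets}, from {sorted(entry['source_ips'])}")
```

The lifecycle change is a management event and is logged by default, so it is the one signal available even where data events were never enabled; the SSE-C writes only appear once data-event logging is on, which is the practical reason the recommendations above pair a restriction on SSE-C with detailed logging.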
