Recent investigations have uncovered a sophisticated new attack vector targeting AWS S3 storage, where threat actors are exploiting Amazon's Server-Side Encryption with Customer-Provided Keys (SSE-C) feature to conduct ransomware attacks. Unlike traditional ransomware that requires malware deployment, these attacks leverage AWS's native functionality to hold data hostage. The innovation of this approach lies in its simplicity - attackers encrypt data using legitimate AWS features (e.g., AWS KMS), making detection particularly challenging.
In this blog, we explore the mechanics of these attacks, provide statistical context for the threat landscape, outline prevention strategies, and explain how cloud security tools can help organizations protect their cloud assets.
The Alarming State of Cloud Storage Security
Recent research reveals concerning statistics about cloud storage security, highlighting why SSE-C attacks have become an attractive vector for threat actors:
66% of cloud storage buckets contain sensitive data, making them prime targets for ransomware attacks.
AWS S3 misconfigurations account for 16% of cloud security breaches, demonstrating how configuration errors can create security vulnerabilities.
Approximately 31% of S3 buckets are currently open to the public, exposing them to various security vulnerabilities and potential attacks.
According to GrayHatWarfare, more than 325,000 Amazon S3 buckets are publicly exposed. Elastic Security Labs' 2024 Global Threat Report further highlights the risk, revealing that 30% of failed AWS security posture checks were related to S3 misconfigurations.
These figures underscore why S3 buckets have become attractive targets for threat actors. They often contain valuable data and frequently suffer from security misconfigurations.
Anatomy of an SSE-C Ransomware Attack
SSE-C ransomware attacks represent a sophisticated evolution in cloud-targeting tactics, exploiting legitimate AWS encryption functionality rather than deploying traditional malware. Here's how these attacks typically unfold:
Initial Access
The attack begins when threat actors gain access to compromised AWS credentials or locate publicly exposed AWS account keys with sufficient permissions to interact with S3 buckets. This typically requires credentials with at least s3:GetObject and s3:PutObject permissions.
A leading cybersecurity consultant warns that "In just the past few months, we have witnessed two different methods for executing a ransomware attack using nothing but legitimate cloud security features."
Exploitation Mechanism
Once attackers have valid credentials, they execute a multi-step attack:
Discovery: They enumerate accessible S3 buckets and objects with the ListObjectsV2 API (granted by the s3:ListBucket permission) and other discovery calls.
Encryption: For each object, they generate an AES-256 key that only they possess and rewrite the object with SSE-C, so that S3 encrypts it under that key.
Pressure Tactics: Apply a 7-day deletion lifecycle policy to the encrypted objects using s3:PutLifecycleConfiguration, creating urgency for payment.
Ransom Demand: Upload ransom notes to the bucket detailing payment instructions, typically demanding cryptocurrency payment.
What makes this attack particularly insidious is that AWS processes the encryption request using the attacker's key but does not retain the key itself. Instead, it logs only a hash-based message authentication code (HMAC) in AWS CloudTrail, which is insufficient for recovery or forensic analysis.
Real-World SSE-C Attack Examples
The Codefinger Ransomware Campaign
A recently identified ransomware group, dubbed "Codefinger", has successfully targeted at least two organizations using the SSE-C encryption technique. This group specifically warns victims not to alter account permissions or attempt countermeasures during ransom negotiations, as any changes could result in the attackers cutting off communications, leaving victims with permanently encrypted data.
Industry experts have also observed that the operation has already impacted multiple organizations, and they have warned of copycat attacks given the effectiveness of this approach.
Industry Observations
A leading cybersecurity consultant reported multiple methods of cloud ransomware attacks that leverage legitimate cloud security features. Beyond the SSE-C technique, the team demonstrated a similar attack using AWS KMS keys with external key material, using scripts that could be easily generated by large language models like ChatGPT.
This diversification of attack methods indicates that cloud-native ransomware is evolving rapidly, with the experts noting that "this topic is top-of-mind for both threat actors and researchers alike."
Best Practices to Prevent SSE-C Attacks
Organizations can implement several key defenses to mitigate the risk of SSE-C ransomware attacks:
Restrict SSE-C Usage
Implement S3 bucket policies that explicitly deny the use of SSE-C when not required for legitimate business purposes
Use resource control policies (RCPs) at the organization level in AWS Organizations to enforce this restriction across all accounts
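The following is an added example, not code from the original post: it builds the bucket policy that denies SSE-C writes (and the same statement shaped as an organization-level RCP), and pairs it with a small evaluator for the IAM "Null" condition operator so the policy's effect can be checked offline. The condition key s3:x-amz-server-side-encryption-customer-algorithm is AWS's documented one; the bucket name, the evaluator and its handling of actions and resources are this example's own simplifications of IAM, not an AWS library.

```python
"""Added example (not from the original post): a Deny-SSE-C bucket policy /
RCP and a minimal evaluator for the IAM "Null" condition it relies on."""
import json
from fnmatch import fnmatchcase

# Condition key derived from the request header that selects SSE-C.
# It is present only on SSE-C requests, which is what the Null test exploits.
SSE_C_ALGO_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_sse_c_policy(bucket: str = "", scope: str = "bucket") -> dict:
    """Return a policy with one explicit Deny on s3:PutObject whenever the
    SSE-C algorithm key is present ("Null": "false" means "key IS present").
    CopyObject is covered too, because the destination write is authorised
    as s3:PutObject. scope="bucket" targets one bucket (hypothetical name);
    scope="rcp" uses Resource "*" so an AWS Organizations resource control
    policy applies it to every bucket in the organization."""
    statement = {
        "Sid": "DenySSECWrites",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*" if scope == "bucket" else "*",
        "Condition": {"Null": {SSE_C_ALGO_KEY: "false"}},
    }
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _null_condition(wanted: dict, ctx: dict) -> bool:
    # "true" matches when the key is absent from the request, "false" when present.
    return all((key not in ctx) == (flag == "true") for key, flag in wanted.items())


def request_denied(policy: dict, action: str, resource: str, ctx: dict) -> bool:
    """True if an explicit Deny statement in `policy` matches the request.
    `ctx` holds the condition keys derived from the request headers.
    Teaching simplification: only the Null operator is evaluated."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        conds = stmt.get("Condition", {})
        if all(op == "Null" and _null_condition(kv, ctx) for op, kv in conds.items()):
            return True
    return False


if __name__ == "__main__":
    policy = deny_sse_c_policy("example-bucket")  # constructed bucket name
    print(json.dumps(policy, indent=2))
    obj = "arn:aws:s3:::example-bucket/q4/ledger.csv"
    sse_c_upload = {SSE_C_ALGO_KEY: "AES256"}
    kms_upload = {"s3:x-amz-server-side-encryption": "aws:kms"}
    print(request_denied(policy, "s3:PutObject", obj, sse_c_upload))  # True
    print(request_denied(policy, "s3:PutObject", obj, kms_upload))    # False
```

The Deny is scoped to writes only, so objects that were legitimately stored with SSE-C before the policy was applied can still be read; reads are not what the attack needs. Attach the RCP variant at the organization or OU level when no account has a business reason to use SSE-C, and use a bucket policy where only specific buckets must be protected.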
Strengthen Identity and Access Management
Implement the principle of least privilege for all IAM users and roles accessing S3 resources
Regularly audit and rotate AWS access keys to limit the impact of credential compromise
Prefer short-term credentials (IAM roles with temporary security tokens) over long-term access keys
Use AWS Identity Center and Secrets Manager to minimize credential exposure
Enable Comprehensive Logging and Monitoring
Configure detailed CloudTrail logging for all S3 operations, particularly focusing on encryption-related activities
Implement monitoring for unusual patterns, such as:
Bulk object encryption operations
Unexpected SSE-C usage in buckets that typically use AWS-managed encryption
Lifecycle policy changes that set short expiration timeframes
The presence of suspicious files like ransom notes
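As an added example that is not part of the original post, the detector below runs the first three of those checks over CloudTrail-style S3 data events: unexpected SSE-C writes in a bucket whose baseline is SSE-KMS, a burst of SSE-C writes by one identity, and a lifecycle rule with a short expiration. The event records are constructed; the field names (eventName, requestParameters.bucketName, additionalEventData.SSEApplied, and the LifecycleConfiguration shape under requestParameters) follow CloudTrail's S3 event format as this example assumes it, and the bucket inventory, thresholds and identity ARN are assumptions.

```python
"""Added example (not from the original post): flag SSE-C ransomware
indicators in CloudTrail-style S3 events. Records and thresholds are
constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory: the encryption each bucket is expected to use.
EXPECTED_SSE = {"finance-reports": "SSE_KMS"}
BULK_THRESHOLD = 3                  # SSE-C writes per identity+bucket ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this window trigger an alert
SHORT_EXPIRY_DAYS = 7                # lifecycle expirations at or below this are suspicious


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def detect(records):
    """Return a list of (kind, identity, bucket, detail) alerts."""
    alerts = []
    sse_c_writes = defaultdict(list)  # (identity, bucket) -> timestamps
    for rec in sorted(records, key=_ts):
        name = rec["eventName"]
        params = rec.get("requestParameters", {})
        bucket = params.get("bucketName")
        who = rec["userIdentity"]["arn"]
        if name in ("PutObject", "CopyObject"):
            sse = rec.get("additionalEventData", {}).get("SSEApplied")
            if sse != "SSE_C":
                continue
            # Check 1: SSE-C in a bucket that should be using AWS-managed keys.
            if EXPECTED_SSE.get(bucket) not in (None, "SSE_C"):
                alerts.append(("UNEXPECTED_SSE_C", who, bucket, params.get("key")))
            # Check 2: bulk SSE-C writes by one identity (alert once at the threshold).
            now = _ts(rec)
            history = sse_c_writes[(who, bucket)]
            history.append(now)
            recent = [t for t in history if t >= now - BULK_WINDOW]
            if len(recent) == BULK_THRESHOLD:
                alerts.append(("BULK_SSE_C_WRITES", who, bucket, len(recent)))
        elif name == "PutBucketLifecycle":
            # Check 3: lifecycle rule that expires objects on a short fuse.
            rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
            for rule in rules if isinstance(rules, list) else [rules]:
                days = rule.get("Expiration", {}).get("Days")
                if days is not None and days <= SHORT_EXPIRY_DAYS:
                    alerts.append(("SHORT_EXPIRY_LIFECYCLE", who, bucket, days))
    return alerts


def _rec(name, when, key=None, sse=None, bucket="finance-reports", extra=None):
    """Build a constructed CloudTrail-like record (assumed field layout)."""
    rec = {
        "eventTime": when,
        "eventName": name,
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},  # constructed
        "requestParameters": {"bucketName": bucket},
    }
    if key:
        rec["requestParameters"]["key"] = key
    if sse:
        rec["additionalEventData"] = {"SSEApplied": sse}
    if extra:
        rec["requestParameters"].update(extra)
    return rec


# Constructed sample: one normal write, then a burst of SSE-C rewrites and a 7-day expiry rule.
SAMPLE_EVENTS = [
    _rec("PutObject", "2025-01-15T10:00:05Z", "q4/ledger.csv", "SSE_KMS"),
    _rec("PutObject", "2025-01-15T10:01:10Z", "q4/ledger.csv", "SSE_C"),
    _rec("PutObject", "2025-01-15T10:01:12Z", "q4/payroll.xlsx", "SSE_C"),
    _rec("CopyObject", "2025-01-15T10:01:15Z", "q4/budget.pdf", "SSE_C"),
    _rec("PutBucketLifecycle", "2025-01-15T10:02:00Z", extra={
        "LifecycleConfiguration": {"Rule": [
            {"ID": "purge", "Status": "Enabled", "Filter": {"Prefix": ""},
             "Expiration": {"Days": 7}}]}}),
    _rec("GetObject", "2025-01-15T10:03:00Z", "q4/ledger.csv", "SSE_KMS"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

S3 data events are not recorded by CloudTrail unless data-event logging is enabled for the bucket or trail, so the first two checks only have input when that logging is on; the lifecycle check relies on management events, which are logged by default. Tune BULK_THRESHOLD to the bucket's normal write rate before alerting on it.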
Implement S3-Specific Security Controls
Enable S3 Block Public Access at both the account and bucket levels
Enforce server-side encryption using AWS-managed keys (SSE-S3 or SSE-KMS) as the default
Require secure transport (HTTPS) for all S3 operations using the aws:SecureTransport condition
Enable S3 Versioning with MFA Delete protection to preserve previous versions of objects
Consider implementing S3 Object Lock with WORM (Write Once Read Many) protection for critical data
Prepare Incident Response Procedures
If an SSE-C attack is suspected, immediately restrict SSE-C usage through emergency policy changes
Have procedures in place to promptly engage AWS Support during security incidents
Maintain offline backups of critical data using proper key management practices
Conclusion: Staying Ahead of Cloud-Native Ransomware
SSE-C ransomware attacks represent a sophisticated evolution in threat actor tactics, leveraging legitimate cloud functionality to achieve malicious objectives. As cloud adoption continues to accelerate, we can expect to see more threat actors exploiting native cloud features for financial gain.
The effectiveness of these attacks stems from their simplicity—they don't require traditional malware, exploit zero-day vulnerabilities, or exfiltrate data. Instead, they leverage the intended functionality of cloud services to harm organizations through data unavailability.
By implementing comprehensive security controls, restricting unnecessary encryption methods, maintaining strong identity management practices, and leveraging advanced security tools, organizations can significantly reduce their risk of falling victim to these emerging cloud-native ransomware techniques.
As cloud ransomware tactics are evolving rapidly, it is essential for security teams to stay informed about these new attack vectors and implement appropriate preventive measures before they become victims of an attack.