Ransomware Operators Continue to Hone Techniques to Encrypt Data on the Cloud

Published on January 13, 2025

The Halcyon RISE Team has uncovered a novel ransomware campaign targeting Amazon S3 buckets. This attack, orchestrated by a threat actor named Codefinger, exploits AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C).

By using compromised AWS account credentials, Codefinger encrypts S3 bucket data with AES-256 keys generated and stored locally, demanding ransom for these keys to decrypt the data.

Notably, this tactic does not exploit AWS vulnerabilities but leverages legitimate AWS encryption infrastructure, making recovery without payment impossible, the report notes.

Key Findings:

  • Native Resource Abuse: Codefinger uses compromised AWS keys with permissions to read and write S3 objects, encrypting data via SSE-C in a secure but unrecoverable manner.
  • Irrecoverable Data Loss: AWS CloudTrail logs only an HMAC of the encryption key, which is insufficient for recovery or forensic analysis.
  • Urgent Ransom Tactics: Files are marked for deletion within seven days, accompanied by ransom notes detailing payment instructions and warnings against altering permissions.

This campaign represents a critical evolution in ransomware strategies, utilizing AWS-native features to render data permanently inaccessible. To mitigate risks, organizations should restrict SSE-C usage through IAM policies, audit AWS key permissions regularly, and engage AWS support to strengthen security measures.  

Takeaway: The Halcyon RISE Team first identified the threat actor behind this campaign in December 2024, naming them Codefinger. Currently, intelligence on Codefinger remains limited; they have only been observed in the two attacks detailed in this report. Their origin, operating region, and typical targets are unknown. Both victims identified so far were AWS-native software developers.

Codefinger employs a unique approach to ransomware by encrypting S3 bucket data and scheduling it for deletion if the ransom is not paid within seven days. Unlike most ransomware operators who rely on double extortion—threatening to leak or sell stolen data—Codefinger’s tactic focuses on permanent data destruction, significantly raising the stakes for victims and adding a new dimension of risk for targeted organizations.

While techniques for encrypting S3 buckets have been documented before, this is the first known instance of threat actors leveraging AWS’s native encryption infrastructure, specifically Server-Side Encryption with Customer-Provided Keys (SSE-C), in real-world attacks. Historically, leaked AWS Identity and Access Management (IAM) keys have been exploited for data theft; widespread adoption of this encryption method, however, could pose a systemic risk to organizations relying on AWS S3 for critical data storage.

To mitigate the risks associated with this ransomware campaign, organizations should take several proactive measures. First, restricting the use of Server-Side Encryption with Customer-Provided Keys (SSE-C) is critical; this can be achieved by leveraging the Condition element in IAM policies to ensure that only authorized users and data can apply SSE-C.  

Additionally, regular auditing and rotation of AWS keys are essential to maintain security. Permissions should be reviewed frequently to adhere to the principle of least privilege, unused keys should be disabled, and active keys rotated to reduce exposure. Advanced logging should also be enabled to monitor S3 operations for anomalies, such as bulk encryption activities or unexpected lifecycle policy changes, which could indicate malicious activity.  

Finally, organizations should engage with AWS support to receive tailored guidance on hardening S3 environments, addressing vulnerabilities, and mitigating risks stemming from IAM key leaks and misuse of SSE-C.
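Detection logic for the anomalies named above, written as an added example (not Halcyon's code, nor a tool the report describes): it walks constructed CloudTrail S3 data-event records and flags bulk SSE-C writes from a single access key as well as bucket lifecycle changes. Field names follow CloudTrail's S3 event schema; the `SSEApplied` value `SSE_C`, the lifecycle event names, the sample access key IDs and the threshold are assumptions.

```python
from collections import defaultdict

# Constructed CloudTrail-style S3 data events: 12 SSE-C CopyObject calls from one
# access key, one lifecycle change, and a normal SSE-KMS PutObject from another key.
SAMPLE_EVENTS = [
    {"eventName": "CopyObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIASUSPECTKEY00"},   # placeholder key id
     "requestParameters": {"bucketName": "prod-data", "key": f"db/part-{i}.gz"},
     "additionalEventData": {"SSEApplied": "SSE_C"}}
    for i in range(12)
] + [
    {"eventName": "PutBucketLifecycle", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIASUSPECTKEY00"},
     "requestParameters": {"bucketName": "prod-data"}},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"accessKeyId": "AKIANORMALKEY000"},   # placeholder key id
     "requestParameters": {"bucketName": "prod-data", "key": "logs/app.log"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]

WRITE_EVENTS = {"PutObject", "CopyObject"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}  # assumed names

def is_sse_c_write(event):
    """True when an S3 object write was encrypted with a customer-provided key."""
    return (event.get("eventSource") == "s3.amazonaws.com"
            and event.get("eventName") in WRITE_EVENTS
            and event.get("additionalEventData", {}).get("SSEApplied") == "SSE_C")

def detect(events, threshold=10):
    """Return findings: bulk SSE-C writes per access key, plus lifecycle changes.
    threshold is a constructed baseline; accounts that never use SSE-C can set it to 1."""
    sse_c_by_key = defaultdict(set)   # access key id -> {(bucket, object key)}
    findings = []
    for e in events:
        key_id = e.get("userIdentity", {}).get("accessKeyId", "unknown")
        params = e.get("requestParameters", {})
        if is_sse_c_write(e):
            sse_c_by_key[key_id].add((params.get("bucketName"), params.get("key")))
        elif e.get("eventSource") == "s3.amazonaws.com" and e.get("eventName") in LIFECYCLE_EVENTS:
            findings.append({"type": "lifecycle_change", "accessKeyId": key_id,
                             "bucket": params.get("bucketName")})
    for key_id, objects in sse_c_by_key.items():
        if len(objects) >= threshold:   # many objects re-encrypted under one key: ransomware pattern
            findings.append({"type": "bulk_sse_c", "accessKeyId": key_id, "objects": len(objects),
                             "buckets": sorted({b for b, _ in objects})})
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

In production the records would come from a CloudTrail trail with S3 data events enabled, grouped per access key over a short window, since a ransomware run re-encrypts many objects in minutes.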


Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
