Ransomware Attack Utilizes AWS Server-Side Encryption to Demand Ransom Payments
New Use of SSE-C by Ransomware Operators
The attacker leverages AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt the victim’s data, then demands a ransom payment in exchange for the symmetric AES-256 keys required for decryption. With SSE-C the caller supplies the key on each request and S3 does not retain it, so neither the victim nor AWS can recover the plaintext without the attacker’s key. According to the researchers, SSE-C has been available since 2014, but this appears to be a novel use of the feature by ransomware operators.
Encryption and Threats
The encrypted files are marked for deletion within seven days, adding pressure on the victims to pay the ransom.
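The two behaviours just described, an object written with a customer-supplied key and a lifecycle rule that expires objects within days, both leave traces in CloudTrail. As an added illustration (not code from the report or from Halcyon), the following Python scans CloudTrail-style S3 records for both and groups the results by access key, so one identity doing both against the same bucket stands out. The sample events are constructed by hand; the field names (`additionalEventData.SSEApplied`, the `x-amz-server-side-encryption-customer-algorithm` request parameter, `LifecycleConfiguration.Rule`) follow CloudTrail's S3 event format as I understand it and are an assumption, and the seven-day threshold is the figure from the article.

```python
"""Flag CloudTrail-style S3 events for two behaviours: objects written with
SSE-C (customer-supplied key) and lifecycle rules that expire objects within a
short window. Added illustration; all records below are constructed samples."""
import json

SHORT_EXPIRY_DAYS = 7  # threshold from the article: files marked for deletion within seven days

# Constructed CloudTrail-style records. Field names follow CloudTrail's S3 data and
# management events (assumption), but these are hand-written, not captured telemetry.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"bucketName": "finance-archive", "key": "ledger.xlsx",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"},
     "requestParameters": {"bucketName": "finance-archive", "key": "report.pdf"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"},
     "requestParameters": {"bucketName": "finance-archive",
                           "LifecycleConfiguration": {"Rule": [
                               {"ID": "purge", "Status": "Enabled",
                                "Expiration": {"Days": 7}}]}}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketLifecycle",
     "userIdentity": {"accessKeyId": "AKIAI44QH8DHBEXAMPLE"},
     "requestParameters": {"bucketName": "app-logs",
                           "LifecycleConfiguration": {"Rule": {
                               "ID": "rotate", "Status": "Enabled",
                               "Expiration": {"Days": 365}}}}},
]

WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def is_sse_c_write(event):
    """True when an S3 write carried a customer-provided key (SSE-C)."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") not in WRITE_EVENTS:
        return False
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return ("x-amz-server-side-encryption-customer-algorithm" in params
            or extra.get("SSEApplied") == "SSE_C")


def short_expiry_rules(event, max_days=SHORT_EXPIRY_DAYS):
    """Enabled lifecycle rules in a PutBucketLifecycle event that expire objects
    in max_days or fewer. CloudTrail may render 'Rule' as a dict or a list."""
    if event.get("eventName") not in LIFECYCLE_EVENTS:
        return []
    cfg = (event.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    rules = cfg.get("Rule") or cfg.get("Rules") or []
    if isinstance(rules, dict):
        rules = [rules]
    hits = []
    for rule in rules:
        days = (rule.get("Expiration") or {}).get("Days")
        if rule.get("Status", "Enabled") == "Enabled" and isinstance(days, int) and days <= max_days:
            hits.append(rule)
    return hits


def triage(events):
    """Group findings per access key so that one identity writing SSE-C objects
    and shortening retention on the same bucket stands out."""
    findings = {}
    for ev in events:
        key_id = (ev.get("userIdentity") or {}).get("accessKeyId", "unknown")
        params = ev.get("requestParameters") or {}
        bucket = params.get("bucketName", "?")
        entry = findings.setdefault(key_id, {"sse_c_writes": [], "short_expiry_buckets": []})
        if is_sse_c_write(ev):
            entry["sse_c_writes"].append(f"{bucket}/{params.get('key', '')}")
        for rule in short_expiry_rules(ev):
            entry["short_expiry_buckets"].append((bucket, rule["Expiration"]["Days"]))
    return findings


def high_severity_keys(findings):
    """Access keys that show both behaviours against at least one common bucket."""
    out = []
    for key_id, f in findings.items():
        written = {path.split("/", 1)[0] for path in f["sse_c_writes"]}
        expiring = {bucket for bucket, _ in f["short_expiry_buckets"]}
        if written & expiring:
            out.append(key_id)
    return sorted(out)


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    print(json.dumps(result, indent=2))
    print("high severity:", high_severity_keys(result))
```

Detection of this kind needs S3 data events enabled in CloudTrail, since `PutObject` is not logged by default. On the prevention side, a bucket policy can deny writes that carry the `s3:x-amz-server-side-encryption-customer-algorithm` condition key for buckets where SSE-C is never legitimately used, which removes the technique rather than just alerting on it.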
How Stolen AWS Keys are Obtained
The report doesn’t detail how the stolen AWS keys are obtained. However, in response to emailed questions, Halcyon said keys can be exposed in a variety of ways, including through compromised IT networks and phishing. Keys are also often leaked publicly by developers or employees who embed them in code repositories such as GitHub or GitLab.
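Keys embedded in source are the exposure path a defender can check for mechanically, in pre-commit hooks or CI, before the code reaches a public repository. The Python below is an added illustration of that check, not code from the report or from Halcyon: it matches the fixed shape of an AWS access key ID, looks for a high-entropy 40-character token nearby as the sign of an accompanying secret key, and offers a redaction helper for logs. The sample source and log line are constructed and use AWS's documented placeholder credentials; the entropy threshold is a heuristic assumption.

```python
"""Scan text (source files, diffs, config, chat exports) for embedded AWS
credentials so a leak is caught before it reaches a public repository.
Added illustration; the samples below are constructed."""
import math
import re

# Access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term IAM user
# keys, ASIA for temporary STS keys) followed by 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64 alphabet. That pattern alone
# over-matches (hashes, other tokens), so candidates are also scored by entropy.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
MIN_SECRET_ENTROPY = 4.0  # bits per character; heuristic threshold (assumption)

# Constructed sample input using AWS's documented placeholder credentials.
SAMPLE_SOURCE = """\
import boto3
# TODO: move to environment variables before release
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID,
                  aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
"""
# Constructed log line: a key ID on its own, with no secret in reach.
SAMPLE_LOG = "2025-01-14T10:02:11Z AccessDenied for AKIAI44QH8DHBEXAMPLE on s3://finance-archive"


def shannon_entropy(s):
    """Bits of entropy per character; random 40-char secrets score well above 4."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_aws_credentials(text, window=5):
    """Return one finding per access key ID: its line number and whether a
    high-entropy 40-character token (a likely secret key) sits within
    `window` lines of it. A key ID alone is a lead to investigate; a key ID
    plus its secret is a live credential that should be rotated at once."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_RE.finditer(line):
            lo, hi = max(0, i - window), min(len(lines), i + window + 1)
            secret_found = any(
                shannon_entropy(tok.group(0)) >= MIN_SECRET_ENTROPY
                for j in range(lo, hi)
                for tok in SECRET_RE.finditer(lines[j]))
            findings.append({"line": i + 1, "access_key_id": m.group(0),
                             "secret_found": secret_found})
    return findings


def redact(text):
    """Mask key IDs and secret-looking tokens before text is logged or shared."""
    text = ACCESS_KEY_RE.sub(lambda m: m.group(1) + "****************", text)
    return SECRET_RE.sub("<redacted-40-char-token>", text)


if __name__ == "__main__":
    for name, sample in (("source", SAMPLE_SOURCE), ("log", SAMPLE_LOG)):
        for finding in find_aws_credentials(sample):
            print(name, finding)
    print(redact(SAMPLE_SOURCE))
```

The key-ID pattern is exact and cheap, so it is the primary signal; the entropy score only decides how urgent the finding is. A match in a public repository should be treated as compromised regardless of whether the secret was found beside it, since the attacker may have obtained the secret through another channel.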
Conclusion
The use of AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) by ransomware operators is a new and significant trend in the world of cyber attacks. The pressure to pay the ransom is further amplified by the threat of data deletion, making it essential for organizations to take immediate action to protect themselves against such attacks.
FAQs
- What is AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C)? SSE-C is a feature available on AWS since 2014 that allows customers to encrypt their data using their own encryption keys.
- How do attackers obtain the stolen AWS keys? The report does not detail the exact methods used by attackers to obtain the stolen AWS keys, but Halcyon suggests that they can be exposed through compromised IT networks, phishing, and publicly leaked keys.
- What is the impact of the ransomware attack? The ransomware attack encrypts the victim’s files and demands a ransom payment in exchange for the decryption keys. The files are marked for deletion within seven days, adding pressure on the victims to pay the ransom.
- What can organizations do to protect themselves against such attacks? Organizations should act promptly by implementing robust security controls, including encryption, access controls, and monitoring of their AWS environment.