Concise Cyber

Sophos Uncovers Ransomware Campaign Targeting AWS S3 Buckets

New Ransomware Variant Hits AWS Cloud Storage

Security researchers at Sophos X-Ops have identified a ransomware attack that directly targets Amazon Web Services (AWS) S3 buckets. The campaign uses a double-extortion tactic: the threat actors exfiltrate the data stored in the cloud before encrypting it, and then threaten to publish it if the ransom is not paid. Sophos made the discovery during an incident response investigation for a small software company that fell victim to the attack.

Attack Methodology and Execution

The initial point of compromise was a leaked pair of AWS access and secret keys that had been exposed in a public GitHub repository. The attackers located the credentials with a tool named Mimic and then validated them with an open-source tool called GO-AWS-Auth.

With working keys in hand, the attackers used the AWS Command Line Interface (CLI) to list all of the victim's S3 buckets, exfiltrate the contents of one bucket to infrastructure they controlled, and then encrypt the data in all of the buckets. The ransomware used for the encryption step was written in Go. Once encryption was complete, they left a ransom note named RECOVER-YOUR-FILES.txt in the compromised buckets, stating their payment demands.
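The sequence above (ListBuckets, bulk reads, overwrites, then a ransom note dropped into each bucket) leaves a recognisable trail in CloudTrail. The script below is an added example, not code from the Sophos report or from this article: it groups S3 events by the access key that issued them and scores each key against that chain. The CloudTrail records are constructed for the example (only the field layout follows CloudTrail's S3 event format, and the access key IDs are the placeholder IDs from AWS documentation); the ransom-note filename is the one reported above; the thresholds are assumptions to be tuned per environment.

```python
"""Heuristic detection of the S3 ransomware chain described above.

Added example, not from the Sophos report or the Concise Cyber article.
The CloudTrail records below are constructed sample data; the thresholds
are assumptions, not values from the incident.
"""
import json
from collections import defaultdict
from posixpath import basename

RANSOM_NOTE = "RECOVER-YOUR-FILES.txt"   # filename reported in the write-up
BULK_READ_THRESHOLD = 3     # assumption: GetObject calls from one key that look like staging for exfiltration
BULK_WRITE_THRESHOLD = 3    # assumption: PutObject/DeleteObject calls that look like encrypt-in-place

ATTACKER = "AKIAIOSFODNN7EXAMPLE"    # AWS documentation placeholder key ID (constructed attacker)
CI_RUNNER = "AKIAI44QH8DHBEXAMPLE"   # AWS documentation placeholder key ID (constructed benign automation)


def _record(time, key_id, ip, name, bucket=None, key=None):
    """Build one CloudTrail-shaped S3 record as a JSON line (constructed sample data)."""
    params = {}
    if bucket:
        params["bucketName"] = bucket
    if key:
        params["key"] = key
    return json.dumps({
        "eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key_id},
        "requestParameters": params or None,
    })


# Constructed log lines: a benign CI job interleaved with the attack chain.
SAMPLE_EVENTS = [
    _record("2025-01-10T10:00:01Z", CI_RUNNER, "198.51.100.5", "GetObject", "acme-artifacts", "build-122.zip"),
    _record("2025-01-10T10:00:09Z", ATTACKER, "203.0.113.10", "ListBuckets"),
    _record("2025-01-10T10:00:15Z", ATTACKER, "203.0.113.10", "GetObject", "acme-prod-data", "customers.csv"),
    _record("2025-01-10T10:00:16Z", ATTACKER, "203.0.113.10", "GetObject", "acme-prod-data", "invoices.db"),
    _record("2025-01-10T10:00:17Z", ATTACKER, "203.0.113.10", "GetObject", "acme-prod-data", "backups/2025-01.tar"),
    _record("2025-01-10T10:00:30Z", CI_RUNNER, "198.51.100.5", "PutObject", "acme-artifacts", "build-123.zip"),
    _record("2025-01-10T10:02:01Z", ATTACKER, "203.0.113.10", "PutObject", "acme-prod-data", "customers.csv.enc"),
    _record("2025-01-10T10:02:02Z", ATTACKER, "203.0.113.10", "DeleteObject", "acme-prod-data", "customers.csv"),
    _record("2025-01-10T10:02:03Z", ATTACKER, "203.0.113.10", "PutObject", "acme-prod-data", "invoices.db.enc"),
    _record("2025-01-10T10:02:04Z", ATTACKER, "203.0.113.10", "DeleteObject", "acme-prod-data", "invoices.db"),
    _record("2025-01-10T10:02:10Z", ATTACKER, "203.0.113.10", "PutObject", "acme-prod-data", RANSOM_NOTE),
    _record("2025-01-10T10:02:11Z", ATTACKER, "203.0.113.10", "PutObject", "acme-logs", RANSOM_NOTE),
]


def _params(event):
    return event.get("requestParameters") or {}


def load_events(lines):
    """Parse one JSON record per line, keep S3 events, and order them by time."""
    events = [json.loads(line) for line in lines]
    s3_only = (e for e in events if e.get("eventSource") == "s3.amazonaws.com")
    return sorted(s3_only, key=lambda e: e["eventTime"])  # ISO 8601 'Z' timestamps sort lexically


def flag_suspicious(events, read_threshold=BULK_READ_THRESHOLD, write_threshold=BULK_WRITE_THRESHOLD):
    """Group S3 events per access key and report keys whose activity matches the chain."""
    per_key = defaultdict(list)
    for e in events:
        per_key[e["userIdentity"]["accessKeyId"]].append(e)

    findings = []
    for key_id, evs in per_key.items():
        names = [e["eventName"] for e in evs]
        reads = [e for e in evs if e["eventName"] == "GetObject"]
        writes = [e for e in evs if e["eventName"] in ("PutObject", "DeleteObject")]
        notes = [e for e in writes
                 if e["eventName"] == "PutObject" and basename(_params(e).get("key", "")) == RANSOM_NOTE]
        indicators = {
            "enumerated_buckets": "ListBuckets" in names,
            "bulk_read": len(reads) >= read_threshold,
            # Writes that start only after the reads: overwrite-in-place, not a normal upload job.
            "bulk_write_after_read": (len(writes) >= write_threshold and bool(reads)
                                      and writes[0]["eventTime"] > reads[0]["eventTime"]),
            "ransom_note_written": bool(notes),
        }
        full_chain = (indicators["enumerated_buckets"] and indicators["bulk_read"]
                      and indicators["bulk_write_after_read"])
        if indicators["ransom_note_written"] or full_chain:
            findings.append({
                "access_key_id": key_id,
                "first_seen": evs[0]["eventTime"],
                "source_ips": sorted({e["sourceIPAddress"] for e in evs}),
                "buckets": sorted({_params(e)["bucketName"] for e in evs if _params(e).get("bucketName")}),
                "indicators": indicators,
            })
    return findings


if __name__ == "__main__":
    print(json.dumps(flag_suspicious(load_events(SAMPLE_EVENTS)), indent=2))
```

One caveat before wiring this to a real trail: CloudTrail records ListBuckets as a management event by default, but GetObject, PutObject and DeleteObject are S3 data events and appear only if data event logging is enabled for the buckets in question. Without it, the only part of this chain that is visible is the enumeration step.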