Ransomware operators are shifting their focus from traditional on-premises targets to cloud storage services, especially Amazon Web Services (AWS) S3 buckets, cybersecurity researchers have warned.
A recent Trend Micro report outlined a new wave of attacks in which attackers abuse cloud-native encryption and key management services rather than merely stealing or deleting data.
“Malicious activity targeting S3 buckets isn’t new, although the techniques continue to evolve as organizations harden their cloud environments,” said Crystal Morin, senior cybersecurity strategist at Sysdig. “As defenders adopt stronger perimeter protections, these attackers are starting to abuse built-in capabilities, such as encryption management and key rotation, to make data unrecoverable.”
According to Trend Micro, attackers are probing a range of S3 setups, from buckets with AWS-managed KMS keys to customer-provided keys, imported key material, and even entirely external key stores.
Why S3 is the new ransomware battleground
On-premises ransomware traditionally involved dropping malware, encrypting desktops or servers, and demanding payment. But as organizations have migrated critical workloads and backups to cloud services, researchers noted, attackers are following the data.
The Trend Micro report lists several prime cloud targets, including compute snapshots, static storage (S3) buckets, databases, containers/registries, and backup vaults. Among these, S3 is especially valuable because it often holds backups, logs, configuration data, and static assets: the things an organization most wants back.
To succeed, attackers typically look for S3 buckets that have versioning disabled (so old versions can't be restored), Object Lock disabled (so files can be overwritten or deleted), and wide write permissions (via misconfigured IAM policies or leaked credentials), and that hold high-value data (backup files, production config dumps).
Once inside, the attackers try to impose a “complete and irreversible lockout” of data, which may involve encrypting objects with keys inaccessible to the victim, deleting backups, and scheduling key deletion so that neither AWS nor the customer can recover the data.
“This research is a systematic and theoretical threat modelling exercise on how an attacker might encrypt and ransom an AWS environment within an account boundary, something we’ve talked about over the last 10 years,” said Trey Ford, chief strategy and trust officer at Bugcrowd.
Weaponizing cloud encryption and key management
Trend Micro has identified five S3 ransomware variants that increasingly exploit AWS’s built-in encryption paths. One abuses default AWS-managed KMS keys (SSE-KMS) by encrypting data with an attacker-created key and scheduling that key for deletion. Another uses customer-provided keys (SSE-C), where AWS has no copy, making recovery impossible. The third one exfiltrates S3 bucket data (with no versioning) and deletes the originals.
The final two variants go deeper into key management infrastructure. One relies on imported key material (BYOK), letting attackers encrypt data and then destroy or expire the imported keys. The other abuses AWS’s External Key Store (XKS), where key operations happen outside AWS, which means that if attackers control the external key source, neither the customer nor AWS can restore access. Together, the techniques reveal that attackers are using AWS itself as the encryption mechanism.
“I can’t recall having seen this done in the wild,” Ford added. “This specifically targets the use of external or customer-provided keys (SSE-C or XKS, respectively) to assert control over key management for the cryptography used in storage.”
Researchers urge customers to harden their S3 environments by enforcing least-privilege access, enabling protective controls like versioning and Object Lock, and closely regulating the use of customer-provided or external key sources that can undermine recovery. Isolating backups in separate accounts and continuously monitoring cloud audit logs for signs of suspicious key activity, mass encryption, or large-scale object deletions were also recommended.
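The audit-log monitoring recommended above, as an added example that is not from the Trend Micro report or any AWS tool: it scans CloudTrail-style records for the three behaviours the article describes (KMS key destruction, bulk re-encryption under customer-provided SSE-C keys, and mass object deletion). Field names follow the CloudTrail record format; the burst threshold, bucket names, key ID and principal ARN are constructed.

```python
# Added example (not Trend Micro's or AWS's code): scan CloudTrail-style records
# for the three behaviours the article says to monitor. Field names follow the
# CloudTrail record format; every value below is constructed.
from collections import Counter

BURST_THRESHOLD = 3  # assumption for the sample; tune per environment
KEY_DESTRUCTION = {"ScheduleKeyDeletion", "DeleteImportedKeyMaterial"}
SSE_C_PARAM = "x-amz-server-side-encryption-customer-algorithm"

def analyze(records, threshold=BURST_THRESHOLD):
    """Return finding strings for key destruction, SSE-C rewrites, mass deletes."""
    findings, ssec_writes, deletes = [], Counter(), Counter()
    for rec in records:
        name, src = rec["eventName"], rec["eventSource"]
        params = rec.get("requestParameters") or {}
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        if src == "kms.amazonaws.com" and name in KEY_DESTRUCTION:
            # Key scheduled for deletion or imported material removed: data
            # encrypted under it becomes unrecoverable once the window lapses.
            findings.append(f"KEY_DESTRUCTION {name} {params.get('keyId')} by {who}")
        elif src == "s3.amazonaws.com":
            bucket = params.get("bucketName", "?")
            if name in ("PutObject", "CopyObject") and SSE_C_PARAM in params:
                ssec_writes[bucket] += 1  # rewritten under a caller-held key
            elif name == "DeleteObject":
                deletes[bucket] += 1
    for bucket, n in ssec_writes.items():
        if n >= threshold:
            findings.append(f"SSE_C_REENCRYPTION {n} objects in {bucket}")
    for bucket, n in deletes.items():
        if n >= threshold:
            findings.append(f"MASS_DELETE {n} objects in {bucket}")
    return findings

def _s3_event(name, bucket, key, sse_c=False):
    """Build a constructed S3 data-event record."""
    params = {"bucketName": bucket, "key": key}
    if sse_c:
        params[SSE_C_PARAM] = "AES256"
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "requestParameters": params,
            "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}}

# Constructed sample: three SSE-C copies, two deletes (below threshold), one key deletion.
SAMPLE = [_s3_event("CopyObject", "prod-backups", f"db-{i}.dump", sse_c=True) for i in range(3)]
SAMPLE += [_s3_event("DeleteObject", "prod-backups", f"db-{i}.dump") for i in range(2)]
SAMPLE.append({"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
               "requestParameters": {"keyId": "EXAMPLE-KEY-ID", "pendingWindowInDays": 7},
               "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}})
```

Running `analyze(SAMPLE)` reports the key deletion and the SSE-C rewrite burst but not the two deletes, which stay under the threshold; in production the same logic would be fed from CloudTrail S3 data events and KMS management events.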
“An ‘assume breach’ mindset is essential in the cloud: runtime environments should be immutable, identities must have tightly scoped permissions and short-lived credentials, networks need meaningful segmentation, and critical datasets must have backups,” Morin added. “Modern operations depend on complex supply chains, and ransomware affecting a key partner can disrupt your business just as completely as a direct compromise.”