{"id":5904,"date":"2025-11-21T11:46:59","date_gmt":"2025-11-21T11:46:59","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5904"},"modified":"2025-11-21T11:46:59","modified_gmt":"2025-11-21T11:46:59","slug":"ransomware-gangs-seize-a-new-hostage-your-aws-s3-buckets","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5904","title":{"rendered":"Ransomware gangs seize a new hostage: your AWS S3 buckets"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Ransomware operators are shifting their focus from traditional on-premises targets to cloud storage services, especially S3 buckets used by Amazon Web Services (AWS), cybersecurity researchers have warned.<\/p>\n<p>A recent Trend Micro report outlined a new wave of attacks, where attackers integrate with cloud-native encryption and key management services rather than merely stealing or deleting data.<\/p>\n<p>\u201cMalicious activity targeting S3 buckets isn\u2019t new, although the techniques continue to evolve as organizations harden their cloud environments,\u201d said Crystal Morin, senior cybersecurity strategist at Sysdig. \u201cAs defenders adopt stronger perimeter protections, these attackers are starting to abuse built-in capabilities, such as encryption management and key rotation, to make data unrecoverable.\u201d<\/p>\n<p>According to Trend Micro, attackers are probing a range of S3 setups, from buckets with AWS-managed KMS keys to customer-provided keys, imported key material, and even entirely external key stores.<\/p>\n<h2 class=\"wp-block-heading\">Why S3 is the new ransomware battleground<\/h2>\n<p>On-premise ransomware traditionally involved dropping malware, encrypting desktops or servers, and threatening payment. 
But as organizations have migrated critical workloads and backups to cloud services, researchers noted, attackers are <a href=\"https:\/\/www.csoonline.com\/article\/4033018\/ransomware-goes-cloud-native-to-target-your-backup-infrastructure.html\">following the data<\/a>.<\/p>\n<p>The Trend Micro report lists several prime cloud targets, including compute snapshots, static storage (S3) buckets, databases, containers\/registries, and backup vaults. Among these, S3 is especially valuable because it often holds backups, logs, configuration data, and static assets\u2013things an organization most wants back.<\/p>\n<p>To succeed, attackers typically look for S3 buckets that have versioning disabled (so old versions can\u2019t be restored), object-lock disabled (so files can be overwritten or deleted), and wide write permissions (via misconfigured IAM policies or leaked credentials), and that hold high-value data (backup files, production config dumps).<\/p>\n<p>Once inside, the attackers try to impose a \u201ccomplete and irreversible lockout\u201d of data, which may involve encrypting objects with keys inaccessible to the victim, deleting backups, and scheduling key deletion so that neither AWS nor the customer can recover the data.<\/p>\n<p>\u201cThis research is a systematic and theoretical threat modelling exercise on how an attacker might encrypt and ransom an AWS environment within an account boundary\u2013something we\u2019ve talked about over the last 10 years,\u201d said Trey Ford, chief strategy and trust officer at Bugcrowd.<\/p>\n<h2 class=\"wp-block-heading\">Weaponizing cloud encryption and key management<\/h2>\n<p>Trend Micro has <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/k\/s3-ransomware.html\" target=\"_blank\" rel=\"noopener\">identified<\/a> five S3 ransomware variants that increasingly exploit AWS\u2019s built-in encryption paths. 
One abuses default AWS-managed KMS keys (SSE-KMS) by encrypting data with an attacker-created key and scheduling that key for deletion. Another uses customer-provided keys (SSE-C), where AWS has no copy, making recovery impossible. The third one exfiltrates S3 bucket data (with no versioning) and deletes the originals.<\/p>\n<p>The final two variants go deeper into key management infrastructure. One relies on imported key material (<a href=\"https:\/\/aws.amazon.com\/blogs\/security\/how-to-byok-bring-your-own-key-to-aws-kms-for-less-than-15-00-a-year-using-aws-cloudhsm\/\" target=\"_blank\" rel=\"noopener\">BYOK<\/a>), letting attackers encrypt data and then destroy or expire the imported keys. The other abuses AWS\u2019s External Key Store (XKS), where key operations happen outside AWS, which means that if attackers control the external key source, neither the customer nor AWS can restore access. Together, the techniques reveal that attackers are using AWS itself as the encryption mechanism.<\/p>\n<p>\u201cI can\u2019t recall having seen this done in the wild,\u201d Ford added. \u201cThis specifically targets the use of external or customer-provided keys (SSE-C or XKS, respectively) to assert control over key management for the cryptography used in storage.\u201d <\/p>\n<p>Researchers urge customers to harden their <a href=\"https:\/\/www.csoonline.com\/article\/3816939\/abandoned-aws-s3-buckets-open-door-to-remote-code-execution-and-supply-chain-compromises.html\">S3 environments<\/a> by enforcing least privilege access, enabling protective controls like versioning and Object Lock, and closely regulating the use of customer-provided or external key sources that can undermine recovery. 
Isolating backups in separate accounts and continuously monitoring cloud audit logs for signs of suspicious key activity, mass encryption, or large-scale object deletions was also recommended.<\/p>\n<p>\u201cAn \u2018assume breach\u2019 mindset is essential in the cloud: runtime environments should be immutable, identities must have tightly scoped permissions and short-lived credentials, networks need meaningful segmentation, and critical datasets must have backups,\u201d Morin added. \u201cModern operations depend on complex supply chains, and ransomware affecting a key partner can disrupt your business just as completely as a direct compromise.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Ransomware operators are shifting their focus from traditional on-premises targets to cloud storage services, especially S3 buckets used by Amazon Web Services (AWS), cybersecurity researchers have warned. A recent Trend Micro report outlined a new wave of attacks, where attackers integrate with cloud-native encryption and key management services rather than merely stealing or deleting data. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5905,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5904","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5904"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5904"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5904\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5905"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5904"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5904"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5904"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}