January 17, 2025
By Cybervergent Team

Ransomware Reinvented: How “Codefinger” Hijacks AWS Encryption to Hold Data Hostage

There’s a new ransomware gang on the block, and they’ve got a bold new playbook. Meet Codefinger, a group of cybercriminals who’ve figured out how to weaponize Amazon Web Services (AWS) encryption tools against their victims. They’re locking up valuable data stored in AWS’s S3 buckets by exploiting server-side encryption with customer-provided keys (SSE-C), the S3 feature that encrypts an object with a key the caller supplies on each request instead of one AWS manages.

The catch? Codefinger uses their own keys, leaving victims locked out unless they pay up.

The Codefinger Playbook: A Step-by-Step Heist

1. Stealing the Keys to the Kingdom

· Codefinger sneaks into AWS accounts by abusing leaked or stolen credentials, often grabbed from poorly secured websites or apps.

· Once inside, they look for S3 buckets with the right permissions to read and write files.

2. Locking Down the Data

· Using AWS’s SSE-C feature, the attackers encrypt files with their own secret AES-256 encryption keys.

· AWS doesn’t keep these keys (it stores only a salted HMAC of each key to validate later requests; that’s the point of SSE-C), so the data is locked tight without Codefinger’s key, and AWS itself cannot recover it.

3. Ticking Time Bomb

· The gang adds S3 lifecycle rules (automatic deletion rules) to the bucket, threatening to wipe everything within seven days if the ransom isn’t paid.

· Interestingly, they don’t bother with leaking or selling data. Their goal is simple: make the data unusable.

4. Pay Up or Lose It

· Victims find a ransom note in their S3 directories, complete with a Bitcoin address and a unique ID tied to their encrypted data.

· The note warns them not to mess with permissions or files, or negotiations could end badly.

Staying One Step Ahead: How to Protect Your Data

You don’t have to be a tech wiz to keep ransomware like Codefinger at bay. Here are practical steps to fortify your AWS setup:

1. Limit SSE-C Permissions

· Only let trusted users or apps apply SSE-C encryption. Use IAM policies (the rules AWS uses to control access) to block unauthorized use.
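As an added example (written for this post, not taken from it or from AWS), the Python below builds a bucket policy that denies any PutObject request carrying the SSE-C algorithm header, using the s3:x-amz-server-side-encryption-customer-algorithm condition key inside a Null condition. It also includes a small local evaluator of that Null condition, to show why the value is "false": the key being present in the request is what triggers the deny. The evaluator is a simplified stand-in for IAM’s real engine and only understands Null conditions; the bucket name payroll-archive and the object key are made up.

```python
"""Build a bucket policy that refuses SSE-C uploads, and sanity-check its
Null condition locally (toy evaluator, not the real IAM engine)."""
import fnmatch
import json

# Condition key S3 populates when a request asks for SSE-C.
SSE_C_ALGORITHM_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_sse_c_policy(bucket: str) -> dict:
    """Return a bucket policy denying PutObject whenever the SSE-C key is present."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCustomerProvidedKeyUploads",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                # Null = "false" means "the condition key IS present", i.e. the
                # caller asked for SSE-C. Requests without the header do not match.
                "Condition": {"Null": {SSE_C_ALGORITHM_KEY: "false"}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _null_condition_matches(request_keys: dict, key: str, expected: str) -> bool:
    """IAM semantics: Null "true" matches a missing key, Null "false" a present key."""
    key_present = key in request_keys
    return key_present if expected == "false" else not key_present


def request_denied(policy: dict, action: str, resource: str, request_keys: dict) -> bool:
    """Toy evaluation: does any Deny statement (Null conditions only) match this request?
    request_keys maps condition keys present in the request to their values."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if action not in _as_list(stmt["Action"]):
            continue
        # IAM resource patterns use * and ?; fnmatch covers both.
        if not any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt["Resource"])):
            continue
        null_conds = stmt.get("Condition", {}).get("Null", {})
        if all(_null_condition_matches(request_keys, k, v) for k, v in null_conds.items()):
            return True
    return False


if __name__ == "__main__":
    policy = deny_sse_c_policy("payroll-archive")  # made-up bucket name
    print(json.dumps(policy, indent=2))
    obj = "arn:aws:s3:::payroll-archive/2024/q4.csv"
    sse_c = {SSE_C_ALGORITHM_KEY: "AES256"}
    sse_kms = {"s3:x-amz-server-side-encryption": "aws:kms"}
    print("SSE-C upload denied:  ", request_denied(policy, "s3:PutObject", obj, sse_c))
    print("SSE-KMS upload denied:", request_denied(policy, "s3:PutObject", obj, sse_kms))
```

Save the printed JSON and apply it with `aws s3api put-bucket-policy --bucket payroll-archive --policy file://policy.json`, ideally on a non-production bucket first. Two caveats: a Deny with Principal "*" also blocks legitimate SSE-C use, so a workload that genuinely needs it must be carved out with a condition on its principal; and the policy prevents new SSE-C writes only, it does not help with objects that have already been overwritten under an attacker’s key.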

2. Keep an Eye on Your Keys

· Regularly check who has access to your AWS keys and trim permissions down to the bare minimum.

· Rotate your keys often and disable any you’re not actively using.

3. Better Credential Management

· Never leave credentials lying around in code or config files. Use AWS tools like IAM Roles and AWS Identity Center instead.

· Add an extra layer of protection with multi-factor authentication (MFA).

4. Act Fast if You’re Hit

· If you notice unusual activity, follow AWS’s incident response guide to secure your data.

· Use AWS Security Token Service (STS) to issue temporary credentials and shut down long-term access.
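"Unusual activity" for this playbook has a concrete shape in CloudTrail: objects being rewritten with SSE-C (step 2 above) followed by a lifecycle rule with a short expiration on the same bucket (step 3). As an added example (constructed for this post, not from the original or from AWS), the Python below runs that detection logic over three embedded CloudTrail-style records: it flags PutObject/CopyObject events whose additionalEventData.SSEApplied is SSE_C, flags lifecycle events that enable an expiration of 30 days or fewer, and escalates to high severity when the same identity did both on the same bucket. The sample records, identities, bucket names and IP addresses are made up, the exact layout of the lifecycle requestParameters is assumed, and the 30-day threshold is a placeholder to tune to your own retention rules.

```python
"""Flag the two S3 actions a Codefinger-style intrusion chains together:
SSE-C writes and short lifecycle expirations. Runs offline over the
constructed CloudTrail-style records below; no AWS access required."""
import json

MAX_EXPIRATION_DAYS = 30  # assumption: adjust to what your lifecycle rules normally use
WRITE_EVENTS = {"PutObject", "CopyObject"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}

# Constructed sample records (not real telemetry). Field names follow CloudTrail
# S3 events; the LifecycleConfiguration layout under requestParameters is assumed.
SAMPLE_RECORDS = [
    {"eventTime": "2025-01-10T03:12:44Z", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "payroll-archive", "key": "2024/q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T03:12:45Z", "eventName": "PutObject",
     "userIdentity": {"type": "AssumedRole", "userName": "ci-pipeline"},
     "sourceIPAddress": "10.0.4.22",
     "requestParameters": {"bucketName": "build-artifacts", "key": "app.tar.gz"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventTime": "2025-01-10T03:15:02Z", "eventName": "PutBucketLifecycle",
     "userIdentity": {"type": "IAMUser", "userName": "deploy-bot"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "payroll-archive",
                           "LifecycleConfiguration": {"Rule": {
                               "ID": "expire-all", "Status": "Enabled",
                               "Filter": {"Prefix": ""}, "Expiration": {"Days": 7}}}}},
]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def actor(record: dict) -> str:
    """Best-effort identity label: IAM user name, else the ARN."""
    ident = record.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def sse_c_writes(records):
    """Object writes that S3 recorded as encrypted with a customer-provided key."""
    return [r for r in records
            if r.get("eventName") in WRITE_EVENTS
            and r.get("additionalEventData", {}).get("SSEApplied") == "SSE_C"]


def short_expirations(records, max_days=MAX_EXPIRATION_DAYS):
    """(record, days) pairs for enabled lifecycle rules expiring objects within max_days."""
    hits = []
    for r in records:
        if r.get("eventName") not in LIFECYCLE_EVENTS:
            continue
        cfg = r.get("requestParameters", {}).get("LifecycleConfiguration", {})
        for rule in _as_list(cfg.get("Rule", [])):
            days = rule.get("Expiration", {}).get("Days")
            if rule.get("Status") == "Enabled" and days is not None and days <= max_days:
                hits.append((r, days))
    return hits


def triage(records, max_days=MAX_EXPIRATION_DAYS):
    """Return alerts sorted by time; escalate when one identity both wrote SSE-C
    objects and set a short expiration on the same bucket."""
    alerts = []
    for r in sse_c_writes(records):
        alerts.append({"time": r["eventTime"], "rule": "sse-c-write", "severity": "medium",
                       "actor": actor(r), "bucket": r["requestParameters"]["bucketName"],
                       "source_ip": r.get("sourceIPAddress")})
    for r, days in short_expirations(records, max_days):
        alerts.append({"time": r["eventTime"], "rule": "short-lifecycle-expiration",
                       "severity": "medium", "actor": actor(r),
                       "bucket": r["requestParameters"]["bucketName"],
                       "source_ip": r.get("sourceIPAddress"), "days": days})
    sse_c_pairs = {(a["actor"], a["bucket"]) for a in alerts if a["rule"] == "sse-c-write"}
    for a in alerts:
        if a["rule"] == "short-lifecycle-expiration" and (a["actor"], a["bucket"]) in sse_c_pairs:
            a["severity"] = "high"
            a["note"] = "same identity applied SSE-C and a short expiration to this bucket"
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in triage(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

In practice the records come from the CloudTrail log files in your trail bucket or from a CloudWatch Logs subscription, and S3 data events must be enabled on the trail for PutObject to appear at all. The single "medium" SSE-C alert is worth a look on its own in an environment that never uses customer-provided keys; the "high" correlation is the point at which the response steps above (revoke the identity, issue fresh STS credentials, check the bucket’s lifecycle configuration) should start immediately.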

AWS to the Rescue

AWS reminds users that security is a shared responsibility: AWS provides the tools, and it’s up to you to use them wisely. Here’s what AWS recommends:

· Use IAM Roles for API requests instead of hard-coding credentials.

· Leverage Roles Anywhere to authenticate external calls securely.

· Stick to short-term credentials managed by AWS Identity Center.

To help catch issues early, AWS also promises to alert customers about exposed keys and apply protective measures to reduce risks without interrupting services.