Mass Ransomware Campaign Hits S3 Buckets Using Stolen AWS Keys

Researchers reveal a large-scale ransomware campaign leveraging over 1,200 stolen AWS access keys to encrypt S3 buckets. Learn how attackers used SSE-C silently and the key takeaways for cloud security.
Researchers have uncovered a security incident concerning Amazon Web Services (AWS). According to Cybernews’ report, shared with Hackread.com, ransomware attacks are being launched using 1,200 unique AWS access keys. Administrators using AWS S3 buckets (a type of cloud storage offered by AWS) find their files locked with a ransom note left behind.
Researchers reportedly discovered a database with over 158 million AWS secret key records, including 1,229 unique login credentials with “an Access Key ID and corresponding Secret Access Key” after removing duplicate entries. Some were no longer active, but others allowed attackers to view S3 bucket contents and demand a ransom of 0.3 BTC (approximately $25,000).
What’s worse, data owners were not aware of the encryption incident because attackers used AWS S3’s feature called Server-Side Encryption with Customer-Provided Keys (SSE-C). This method allows users to provide their own encryption keys to encrypt data at rest. In this case, the attackers generated their own strong encryption keys using a standard called AES-256 to lock the data.
This “silent compromise” technique, documented by the Halcyon RISE Team, did not trigger typical warnings or file deletion logs, and the storage bucket structure remained unchanged. Unlike double extortion attacks, the attackers did not steal data, but they may have set automatic deletion schedules within AWS to pressure victims to pay quickly. Some affected accounts were found to be running normally, suggesting some victims may not realise their data has been encrypted, researchers assessed.
According to the Cybernews report, cybersecurity researcher Bob Diachenko identified a coordinated extortion campaign that is both unprecedented and dangerous, as it relies solely on stolen keys rather than complex hacking techniques. This means that even newly created, empty backups could be at risk in future projects.
So, how could attackers gather such a large number of AWS keys?
Researchers believe several common mistakes could be responsible: committing secret login details to public code repositories such as GitHub, weaknesses in CI/CD tools like Jenkins, misconfigured private files in web applications, data breaches of developer tools or password managers, and old, unmonitored IAM user accounts with outdated credentials. Attackers may also have found hardcoded secrets in mobile applications.
Nevertheless, the attackers’ identities are still unclear, and the entire operation appears to be automated. The ransom notes are found in a file titled “warning.txt.” Interestingly, each affected S3 bucket has its own unique note with a specific Bitcoin address for payment and an email address, awsdecrypttechie.com, for victims to contact them.
Cybernews has reported this security issue to AWS and is awaiting their response for further information. Meanwhile, to secure AWS storage, researchers advise that organisations immediately audit and update IAM credentials, implement AWS security services, scan for exposed secrets, enforce short-lived tokens and least privilege, and restrict SSE-C usage with detailed logging.
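Two of the recommendations above, restricting SSE-C usage and logging it in detail, can be put into practice with a bucket policy and a CloudTrail detector. The following is an added example written for this article; it is not code from the Cybernews, Halcyon or Hackread reports. The `s3:x-amz-server-side-encryption-customer-algorithm` condition key is the one AWS documents for S3 policies; the CloudTrail field names (`eventSource`, `eventName`, `requestParameters`, `userIdentity.accessKeyId`) follow the CloudTrail record format, and the sample records, access key IDs and bucket names are constructed for the demonstration. The burst threshold is an assumed tuning value.

```python
"""Defensive controls for SSE-C abuse on S3 (added example, not from the article's sources).

1. deny_sse_c_policy(): a bucket policy that denies any PutObject carrying a
   customer-provided key, so stolen credentials cannot re-encrypt objects with SSE-C.
2. find_sse_c_events(): a detector over CloudTrail S3 data events that groups
   SSE-C writes by access key and flags bursts, the pattern a mass encryption run leaves.
"""
import json
from collections import defaultdict

# IAM condition key AWS documents for the SSE-C algorithm header on S3 requests.
SSE_C_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"
# Request header CloudTrail records in requestParameters for SSE-C PutObject/CopyObject
# (field name assumed to match the HTTP header; verify against your own trail).
SSE_C_HEADER = "x-amz-server-side-encryption-customer-algorithm"


def deny_sse_c_policy(bucket_name: str) -> dict:
    """Return a bucket policy document that denies SSE-C writes to every object.

    The "Null" condition evaluates to "false" when the SSE-C header is present,
    so the Deny fires only for requests that supply a customer key. Writes using
    SSE-S3 or SSE-KMS (no such header) are unaffected.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCustomerProvidedEncryptionKeys",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
                "Condition": {"Null": {SSE_C_CONDITION_KEY: "false"}},
            }
        ],
    }


def find_sse_c_events(records: list, burst_threshold: int = 3) -> list:
    """Scan CloudTrail records and return one alert per access key that used SSE-C.

    Each alert carries the object count, the distinct buckets touched and a
    "burst" flag set when the count reaches burst_threshold (assumed tuning value).
    """
    hits = defaultdict(list)
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("eventName") not in ("PutObject", "CopyObject"):
            continue
        params = rec.get("requestParameters") or {}
        if SSE_C_HEADER not in params:
            continue  # normal write (SSE-S3/SSE-KMS/none); not a customer-key write
        key_id = rec.get("userIdentity", {}).get("accessKeyId", "unknown")
        hits[key_id].append((params.get("bucketName"), params.get("key")))

    alerts = []
    for key_id, objects in hits.items():
        alerts.append(
            {
                "accessKeyId": key_id,
                "objects": len(objects),
                "buckets": sorted({bucket for bucket, _ in objects}),
                "burst": len(objects) >= burst_threshold,
            }
        )
    return alerts


def _s3_event(name, key_id, bucket, obj_key, extra=None):
    """Build a constructed CloudTrail-style S3 data event record."""
    params = {"bucketName": bucket, "key": obj_key}
    params.update(extra or {})
    return {
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key_id},
        "requestParameters": params,
    }


# Constructed sample trail: one key rewriting three objects with SSE-C (including a
# ransom note), one key doing a single SSE-C write, and benign SSE-S3 and read traffic.
SSE_C = {SSE_C_HEADER: "AES256"}
SAMPLE_RECORDS = [
    _s3_event("CopyObject", "AKIAEXAMPLEKEY0001", "finance-backups", "ledger-2024.csv", SSE_C),
    _s3_event("CopyObject", "AKIAEXAMPLEKEY0001", "finance-backups", "ledger-2025.csv", SSE_C),
    _s3_event("PutObject", "AKIAEXAMPLEKEY0001", "finance-backups", "warning.txt", SSE_C),
    _s3_event("PutObject", "AKIAEXAMPLEKEY0002", "dev-assets", "logo.png", SSE_C),
    _s3_event("PutObject", "AKIAEXAMPLEKEY0003", "dev-assets", "index.html",
              {"x-amz-server-side-encryption": "AES256"}),  # SSE-S3, not SSE-C
    _s3_event("GetObject", "AKIAEXAMPLEKEY0001", "finance-backups", "ledger-2024.csv"),
]

if __name__ == "__main__":
    print(json.dumps(deny_sse_c_policy("finance-backups"), indent=2))
    for alert in find_sse_c_events(SAMPLE_RECORDS):
        print(alert)
```

The policy belongs on every bucket that has no legitimate SSE-C workload; the detector is meant to run over S3 data events, which CloudTrail only records if data event logging is enabled for the buckets in question, so check that setting before relying on it.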
HackRead