{
	"id": "cf488a2d-22c1-413c-ac6f-8926e2b401a7",
	"created_at": "2026-04-06T00:17:31.604196Z",
	"updated_at": "2026-04-10T13:12:32.699946Z",
	"deleted_at": null,
	"sha1_hash": "84bc0c20f0da4f106b06a5fbb54d4a33ed00e31c",
	"title": "Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 82054,
	"plain_text": "Abusing AWS Native Services: Ransomware Encrypting S3\r\nBuckets with SSE-C\r\nBy Halcyon RISE Team\r\nPublished: 2025-01-13 · Archived: 2026-04-05 12:51:19 UTC\r\nThe Halcyon RISE Team has identified a concerning new ransomware campaign targeting Amazon S3 buckets.\r\nThis attack leverages AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data,\r\ndemanding ransom payments for the symmetric AES-256 keys required to decrypt it.\r\nIt is important to note that this attack does not require the exploitation of any AWS vulnerability but instead relies\r\non the threat actor first obtaining an AWS customer’s account credentials.\r\nWith no known method to recover the data without paying the ransom, this tactic represents a significant evolution\r\nin ransomware capabilities.\r\nExecutive Summary:\r\nNative Resource Abuse: Threat actor dubbed Codefinger uses compromised AWS keys to encrypt S3\r\nbucket data via SSE-C, leveraging AWS’s secure encryption infrastructure in a way that prevents recovery\r\nwithout their generated key.\r\nIrrecoverable Data Loss: AWS CloudTrail logs only an HMAC of the encryption key, which is\r\ninsufficient to reconstruct the key or recover the data.\r\nUrgent Ransom Tactics: Files are marked for deletion within seven days to pressure victims, with ransom\r\nnotes providing payment details and warnings against altering account permissions.\r\nCampaign Overview\r\nThreat actor Codefinger abuses publicly disclosed AWS keys with permissions to write and read S3 objects. By\r\nutilizing AWS native services, they achieve encryption in a way that is both secure and unrecoverable without\r\ntheir cooperation.\r\nWhile SSE-C has been available since 2014, this appears to be a novel use of the feature by ransomware\r\noperators. 
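The executive summary and campaign overview above give a defender three concrete handles: object writes that CloudTrail marks as SSE-C, a lifecycle rule that expires objects within days, and the IAM Condition on the s3:x-amz-server-side-encryption-customer-algorithm key that the mitigation section of the post recommends. The Python below is an added example written for this corpus; it is not code from the Halcyon post or from AWS. It runs a small correlation over constructed CloudTrail-style records (the field names eventName, userIdentity.accessKeyId, requestParameters and additionalEventData.SSEApplied, the SSE_C value, and the PutBucketLifecycle event name are the ones CloudTrail uses; the access key IDs, bucket names and object keys are invented) and then evaluates a Deny-on-SSE-C policy against an attacker-style PutObject with a minimal IAM evaluator that implements only the Null operator. All function and variable names are this example's own.

```python
# Added example for this corpus, not code from the Halcyon post or from AWS.
# Part 1 flags the two CloudTrail signals the post describes (objects written
# with SSE-C and a lifecycle rule that expires objects within days).
# Part 2 shows how an IAM Deny on the SSE-C condition key refuses that write.
from collections import defaultdict
from fnmatch import fnmatchcase


def _rec(event, key_id, bucket, obj=None, sse=None, lifecycle=None):
    # Builds a constructed CloudTrail-like record (field names per CloudTrail).
    params = {'bucketName': bucket}
    if obj is not None:
        params['key'] = obj
    if lifecycle is not None:
        params['LifecycleConfiguration'] = lifecycle
    rec = {'eventName': event, 'userIdentity': {'accessKeyId': key_id},
           'requestParameters': params}
    if sse is not None:
        rec['additionalEventData'] = {'SSEApplied': sse}
    return rec


ATTACKER_KEY = 'AKIAEXAMPLEKEY00001'    # invented access key ID
VICTIM_BUCKET = 'acme-finance-backups'  # invented bucket name
SAMPLE_EVENTS = [  # constructed sample trail, in time order
    _rec('GetObject', ATTACKER_KEY, VICTIM_BUCKET, 'ledger/2024-q4.parquet', 'Default_SSE_S3'),
    _rec('PutObject', ATTACKER_KEY, VICTIM_BUCKET, 'ledger/2024-q4.parquet', 'SSE_C'),
    _rec('PutObject', ATTACKER_KEY, VICTIM_BUCKET, 'ledger/2025-q1.parquet', 'SSE_C'),
    _rec('PutObject', ATTACKER_KEY, VICTIM_BUCKET, 'ledger/HOW_TO_DECRYPT.txt', 'Default_SSE_S3'),
    _rec('PutBucketLifecycle', ATTACKER_KEY, VICTIM_BUCKET, lifecycle={
        'Rule': {'ID': 'cleanup', 'Status': 'Enabled', 'Filter': {'Prefix': ''},
                 'Expiration': {'Days': 7}}}),
    _rec('PutObject', 'AKIAEXAMPLEKEY00002', 'acme-web-assets', 'img/logo.png', 'SSE_KMS'),
]


def sse_c_writes(events):
    # Every object write that CloudTrail marks as encrypted with a customer key.
    return [(e['userIdentity']['accessKeyId'], e['requestParameters']['bucketName'],
             e['requestParameters']['key'])
            for e in events if e['eventName'] in ('PutObject', 'CopyObject')
            and e.get('additionalEventData', {}).get('SSEApplied') == 'SSE_C']


def short_expiry_rules(events, max_days=7):
    # Enabled lifecycle rules whose Expiration is at most max_days.
    # Rule may arrive as one dict or a list of rules; both are handled.
    found = []
    for e in events:
        if e['eventName'] != 'PutBucketLifecycle':
            continue
        rules = e['requestParameters']['LifecycleConfiguration'].get('Rule', [])
        for rule in (rules if isinstance(rules, list) else [rules]):
            days = rule.get('Expiration', {}).get('Days')
            if rule.get('Status') == 'Enabled' and days is not None and days <= max_days:
                found.append((e['userIdentity']['accessKeyId'],
                              e['requestParameters']['bucketName'], days))
    return found


def detect_sse_c_ransom_pattern(events, max_days=7, min_writes=2):
    # Correlate per (access key, bucket): SSE-C writes plus a short-fuse
    # lifecycle rule from the same credential is the pattern to alert on.
    per_pair = defaultdict(lambda: {'sse_c_writes': 0, 'expiry_days': None})
    for key_id, bucket, _obj in sse_c_writes(events):
        per_pair[(key_id, bucket)]['sse_c_writes'] += 1
    for key_id, bucket, days in short_expiry_rules(events, max_days):
        per_pair[(key_id, bucket)]['expiry_days'] = days
    return [{'accessKeyId': k, 'bucket': b, **stats}
            for (k, b), stats in sorted(per_pair.items())
            if stats['sse_c_writes'] >= min_writes or stats['expiry_days'] is not None]


# Deny any PutObject that carries the SSE-C algorithm header. Null set to
# false means the condition key must be PRESENT for the Deny to match.
SSE_C_DENY_POLICY = {
    'Version': '2012-10-17',
    'Statement': [{
        'Sid': 'DenySSECWrites', 'Effect': 'Deny', 'Action': 's3:PutObject',
        'Resource': 'arn:aws:s3:::' + VICTIM_BUCKET + '/*',
        'Condition': {'Null': {'s3:x-amz-server-side-encryption-customer-algorithm': 'false'}},
    }],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(stmt, action, resource, request_keys):
    # Minimal evaluator: Action, Resource globbing and the Null operator only.
    # Real IAM has many more operators; this covers the Deny statement above.
    if action not in _as_list(stmt['Action']):
        return False
    if not any(fnmatchcase(resource, r) for r in _as_list(stmt['Resource'])):
        return False
    for key, want in stmt.get('Condition', {}).get('Null', {}).items():
        present = key in request_keys
        if (want == 'true' and present) or (want == 'false' and not present):
            return False
    return True


def is_denied(policy, action, resource, request_keys):
    return any(s['Effect'] == 'Deny' and statement_matches(s, action, resource, request_keys)
               for s in policy['Statement'])


if __name__ == '__main__':
    for alert in detect_sse_c_ransom_pattern(SAMPLE_EVENTS):
        print('ALERT', alert)
    sse_c_put = {'s3:x-amz-server-side-encryption-customer-algorithm': 'AES256'}
    print('SSE-C write denied:', is_denied(SSE_C_DENY_POLICY, 's3:PutObject',
          'arn:aws:s3:::' + VICTIM_BUCKET + '/ledger/2024-q4.parquet', sse_c_put))
```

The Deny statement is the shape the S3 condition-key documentation supports for refusing SSE-C: because the key is only present on requests that ask for SSE-C, a Null/false test matches exactly those writes and leaves SSE-S3 and SSE-KMS uploads untouched. In production the detector would read CloudTrail data events (object-level logging must be enabled for PutObject records to exist at all), and the policy would normally be attached as a bucket policy or resource control policy rather than evaluated by hand.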
Halcyon has identified two victims in recent weeks (neither were Halcyon customers at the time of the\r\nattacks) who were impacted by this attack, underscoring its severity and the need for immediate action by\r\norganizations utilizing Amazon S3.\r\nHow the Attack Works\r\nThe threat actor’s workflow highlights their technical capabilities:\r\nhttps://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c\r\nPage 1 of 4\n\nIdentify Vulnerable AWS Keys:\r\nUsing publicly disclosed or compromised AWS keys, the threat actor locates keys with permissions to\r\nexecute s3:GetObject and s3:PutObject requests.\r\nEncrypt Files Using SSE-C:\r\nThe attacker overwrites the objects with SSE-C-encrypted copies: each PutObject request sets the\r\nx-amz-server-side-encryption-customer-algorithm header to AES256 and supplies an AES-256 key that the\r\nattacker generates and stores locally.\r\nAWS uses the key for the encryption operation but does not store it. Only an HMAC\r\n(hash-based message authentication code) of the key is logged in AWS CloudTrail, and that HMAC is not sufficient to\r\nreconstruct the key or decrypt the data.\r\nSet Lifecycle Policies for File Deletion:\r\nFiles are marked for deletion within seven days using the S3 Object Lifecycle Management API, adding\r\nurgency to the ransom demand.\r\nRansom Note:\r\nA ransom note is deposited in each affected directory, providing the attacker’s Bitcoin address and a client\r\nID associated with the encrypted data. The note warns that changes to account permissions or files will end\r\nnegotiations.\r\nWhy This Matters\r\nThis ransomware campaign is particularly dangerous because of SSE-C’s design:\r\nData Loss is Permanent Without the Key: Unlike traditional ransomware that encrypts files locally or in\r\ntransit, this attack integrates directly with AWS’s secure encryption infrastructure. 
Once encrypted,\r\nrecovery is impossible without the attacker’s key.\r\nLog Evidence is Limited: AWS CloudTrail logs only the HMAC of the encryption key, which is\r\nenough to show that SSE-C was applied but not to recover the key or the data.\r\nScope for Escalation: If this method becomes widespread, it could pose a systemic threat to organizations\r\nusing Amazon S3 for critical data storage.\r\nMitigating the Threat\r\nOrganizations can protect themselves by proactively hardening their AWS environments:\r\nRestrict SSE-C Usage:\r\nUse the Condition element in IAM and bucket policies to deny SSE-C writes to S3 buckets, for example by\r\ndenying s3:PutObject whenever the s3:x-amz-server-side-encryption-customer-algorithm condition key is present\r\nin the request. Policies can be scoped so that only authorized principals and buckets may use the feature.\r\nMonitor and Audit AWS Keys:\r\nRegularly review the permissions attached to every IAM user and access key to ensure they have the minimum\r\nrequired access. Disable unused keys and rotate active ones frequently.\r\nImplement Advanced Logging:\r\nEnable CloudTrail data events (object-level logging) for S3 to detect unusual activity, such as bulk\r\nre-uploads with SSE-C or lifecycle rule changes that expire objects within days.\r\nEngage AWS Support:\r\nWork with AWS support to identify potential vulnerabilities and implement tailored security measures.\r\nStatement from Amazon Web Services:\r\nHalcyon provided AWS with advance notice of the findings in this report, and they provided the following\r\nstatement and guidance:\r\nAWS helps customers secure their cloud resources through a shared responsibility model. Anytime AWS\r\nis aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of\r\nexposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize\r\nrisks for customers without disrupting their IT environment.\r\nWe encourage all customers to follow security, identity, and compliance best practices. 
In the event a\r\ncustomer suspects they may have exposed their credentials, they can start by following the steps listed\r\nin this post. As always, customers can contact AWS Support with any questions or concerns about the\r\nsecurity of their account.\r\nAWS provides a rich set of capabilities that eliminate the need to ever store credentials in source code\r\nor in configuration files. IAM Roles enable applications to securely make signed API requests from EC2\r\ninstances, ECS or EKS containers, or Lambda functions using short-term credentials that are\r\nautomatically deployed, frequently rotated, requiring zero customer management. Even compute nodes\r\noutside the AWS cloud can make authenticated calls without long-term AWS credentials using the Roles\r\nAnywhere feature. Developer workstations use Identity Center to obtain short-term credentials backed\r\nby their longer-term user identities protected by MFA tokens. All these technologies rely on the AWS\r\nSecurity Token Service (AWS STS) to issue temporary security credentials that can control access to\r\ntheir AWS resources without distributing or embedding long-term AWS security credentials within an\r\napplication, whether in code or configuration files. Even secure access to non-AWS technologies can be\r\nprotected using the AWS Secrets Manager service. 
The purpose of that service is to create, manage,\r\nretrieve, and automatically rotate non-AWS credentials like database usernames and passwords, non-AWS API keys, and other such secrets throughout their lifecycles.\r\nJanuary 16, 2025: AWS published more guidance in response to our report\r\nFor more information:\r\nhttps://docs.aws.amazon.com/AmazonS3/latest/userguide/security_iam_service-with-iam.html#security_iam_service-with-iam-id-based-policies-conditionkeys\r\nAdditional Resources:\r\nUsing server-side encryption with customer-provided keys (SSE-C) - Amazon Simple Storage Service\r\nProtecting data with server-side encryption - Amazon Simple Storage Service\r\nGetObject - Amazon Simple Storage Service\r\nTakeaway\r\nHalcyon intelligence indicates that while this attack is currently targeted, the technique may soon gain traction\r\namong other threat actors. This campaign highlights the need to secure AWS keys and access tokens at\r\norganizations relying on Amazon S3 for data storage. Immediate mitigation measures include restricting SSE-C\r\nusage, auditing AWS keys, implementing advanced logging, and engaging AWS support to bolster defenses.\r\nHalcyon urges organizations to act swiftly, as this attack method could gain broader adoption, posing a systemic\r\nthreat to cloud data security. All major cloud service providers offer similar customer-supplied-key encryption\r\nfunctionality that could be abused in the same way.\r\nStay vigilant and ensure your environment is resilient against emerging ransomware techniques. The Halcyon\r\nRISE Team will continue to monitor and provide updates as this campaign develops.\r\nHalcyon.ai eliminates the business impact of ransomware. 
Modern enterprises rely on Halcyon to prevent\r\nransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies –\r\ntalk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon\r\nalso publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious\r\nQuartile.\r\nSource: https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c"
	],
	"report_names": [
		"abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c"
	],
	"threat_actors": [
		{
			"id": "5db75358-a99f-4023-b081-6fdc33996906",
			"created_at": "2025-01-21T02:00:03.595641Z",
			"updated_at": "2026-04-10T02:00:03.803086Z",
			"deleted_at": null,
			"main_name": "Codefinger",
			"aliases": [],
			"source_name": "MISPGALAXY:Codefinger",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434651,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84bc0c20f0da4f106b06a5fbb54d4a33ed00e31c.pdf",
		"text": "https://archive.orkl.eu/84bc0c20f0da4f106b06a5fbb54d4a33ed00e31c.txt",
		"img": "https://archive.orkl.eu/84bc0c20f0da4f106b06a5fbb54d4a33ed00e31c.jpg"
	}
}