{
	"id": "3a4cdd19-72d7-4dc9-a211-5b8b69585b02",
	"created_at": "2026-04-06T00:13:01.119073Z",
	"updated_at": "2026-04-10T03:36:48.183034Z",
	"deleted_at": null,
	"sha1_hash": "ff6f0637f1ae4c54d166949b729ac693a84f2ac5",
	"title": "Fake LockBit Real Damage Ransomware Samples Abuse Amazon S3 to Steal Data",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1477309,
	"plain_text": "Fake LockBit, Real Damage: Ransomware Samples Abuse Amazon S3 to Steal Data\r\nBy: Jaromir Horejsi, Nitesh Surana Oct 16, 2024 Read time: 8 min (2112 words)\r\nPublished: 2024-10-16 · Archived: 2026-04-05 18:04:12 UTC\r\nRansomware\r\nThis article uncovers a Golang ransomware abusing Amazon S3 for data theft and masquerading as LockBit to further pressure victims. The discovery of hard-coded AWS credentials in these samples led to AWS account suspensions.\r\nKey Takeaways\r\nWe found Golang ransomware samples that abuse the Amazon S3 (Simple Storage Service) Transfer Acceleration feature to exfiltrate the victim’s files and upload them to attacker-controlled S3 buckets.\r\nAmazon Web Services (AWS) credentials hard-coded in the samples were used to track the associated AWS Account IDs linked to malicious activities, serving as valuable Indicators of Compromise (IOCs).\r\nAttempts were made to disguise the Golang ransomware as the notorious LockBit ransomware, presumably to use the ransomware family’s notoriety to further pressure victims.\r\nWe shared our findings with the AWS Security team. It is important to note that our finding is not a vulnerability in any AWS service. We confirmed with AWS the behavior we identified for this threat actor's activity, and it was found to violate the AWS acceptable use policy (https://aws.amazon.com/aup/). The reported AWS access keys and account have been suspended.\r\nIntroduction\r\nFrom infostealer development to data exfiltration, cloud service providers are increasingly being abused by threat actors for malicious schemes. While in this case the ransomware samples we examined contained hard-coded AWS credentials, this is specific to this single threat actor; in general, ransomware developers leverage other online services as part of their tactics. In line with this, we examined ransomware samples written in the Go language (aka Golang), targeting Windows and macOS environments. Most of the samples contained hard-coded AWS credentials, and the stolen data were uploaded to an Amazon S3 bucket controlled by the threat actor.\r\nBy the tail end of the attack, the device’s wallpaper is changed to an image mentioning LockBit. This might lead affected users to think that LockBit is to blame for the incident, especially since this ransomware family has been active in recent years and even had the highest file detections during the first half of this year. However, such is not the case, and the attacker only seems to be capitalizing on LockBit’s notoriety to further tighten the noose on their victims.\r\nhttps://www.trendmicro.com/en_in/research/24/j/fake-lockbit-real-damage-ransomware-samples-abuse-aws-s3-to-stea.html\r\nPage 1 of 10\r\nWe suspect the ransomware author to be either using their own AWS account or a compromised AWS account. We came across more than thirty samples possibly from the same author, signaling that this ransomware is being actively developed and tested prior to AWS taking action to suspend the access keys and the AWS account. Furthermore, using the hard-coded credential consisting of the AWS Access Key ID, one can find the associated AWS Account ID. This finding offers an alternative perspective of considering malicious or compromised AWS Account IDs as possible IOCs in case of cross-account activities.\r\nThis blog describes the samples, their capabilities, and how they abuse Amazon S3 features in their attack.\r\nTechnical Analysis\r\nGolang provides developers with a single code base that can be compiled together with its dependencies for multiple platforms. This creates a binary for each platform, making the project multiplatform and dependency-free. Threat actors capitalize on these benefits by creating malicious files with Golang, such as the Agenda ransomware as well as the newly discovered KTLVdoor backdoor used by Earth Lusca.\r\nFor the ransomware samples we analyzed, most have the AWS Access Key IDs and Secret Access Keys hard-coded. While examining the inner workings of the sample, we found that it abuses a feature of Amazon S3 known as S3 Transfer Acceleration (S3TA).\r\nOur analysis is based mainly on the following samples:\r\n1. 14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31\r\n2. 0c54e79e8317e73714f6e88df01bda2c569ec84893a7a33bb6e8e4cf96980430\r\nFigure 1. The sample’s attack flow\r\nWhen executed on the infected machine, the ransomware first performs initialization through the following steps:\r\n1. Get the host machine universally unique identifier (UUID)\r\n2. Import the hard-coded public key\r\nThe public key is encoded in Privacy Enhanced Mail (PEM) format.\r\nFigure 2. Hard-coded public key in PEM format\r\nDecoding the values of the public key reveals RSA encryption with a modulus size of 2048 bits.\r\n3. A random master key is generated and encrypted using the previously imported RSA public key. (This means that only the threat actor who owns the private key can decrypt the master key.)\r\n4. Write the encrypted master key to the readme text file (README.txt).\r\n5. Use the AWS SDK for Go v2 library’s StaticCredentialsProvider to load static credentials. Static credentials include the hard-coded AccessKeyID, SecretAccessKey, and AWS_REGION.\r\nFigure 3. Hard-coded AWS credentials\r\nAfter the initialization, the ransomware starts enumerating all files available in / (the root directory, for the macOS variant) by calling the filepath.Walk function. Each enumerated file is checked to confirm whether it is in an exclusion folder. If so, the file will not be encrypted.\r\nFigure 4. Exclusion folders, macOS variant\r\nThe ransomware contains a list of file extensions (usually for documents, photos, and data files) that will be encrypted.\r\nFigure 5. Targeted file extensions\r\nThe README.txt file name is excluded from encryption.\r\nExfiltration\r\nBased on the acquired host machine UUID, the sample creates an Amazon S3 bucket on the attacker-controlled AWS account using the hard-coded pair of credentials.\r\nFigure 6. Creation of Amazon S3 bucket based on host machine UUID\r\nOnce the bucket has been created, the S3TA feature is enabled by modifying the bucket configuration.\r\nFigure 7. S3TA is enabled\r\nFiles are then uploaded from the victim’s machine to the attacker-controlled AWS account.\r\nS3TA enables users to achieve faster data transfer over long distances. It leverages the globally distributed edge locations in Amazon CloudFront. To use this feature, it must be enabled on the bucket. The bucket name should be Domain Name System (DNS) compliant and must not have periods. An S3 bucket with S3TA enabled can be accessed by the following endpoints, depending on the type of AWS environment:\r\n1. bucketname[.]s3-accelerate.amazonaws.com\r\n2. bucketname[.]s3-accelerate.dualstack.amazonaws.com\r\nEach file that passed the previous file extension checks and is smaller than 100 mebibytes (MiB) is uploaded to AWS by calling the Uploader.Upload function. This saves AWS storage space and funds, as uploading big files would cost the attackers more money.\r\nFigure 8. Uploading only files smaller than 100MiB\r\nThe last step is encryption of the file from beginning to end. The encryption algorithm is AES-CTR, with the password being the MD5 hash of the file name concatenated with the master key.\r\nThe ransomware generates a random 16-byte master key (for example 63 20 60 A3 EA 54 84 C9 27 57 76 1E CC 1F FC 12). The name of the encrypted file is text.txt.\r\nFigure 9. Ransomware generates a master key\r\nCorrespondingly, the concatenated byte sequence is 74 65 78 74 2E 74 78 74 63 20 60 A3 EA 54 84 C9 27 57 76 1E CC 1F FC 12 and its MD5 hash is 23 a3 ec c5 58 2d 97 41 07 3c 3b dc 31 7d 49 30. This is shown in the screenshot below (generated via CyberChef, used here for visualization purposes only).\r\nFigure 10. Process of generating an AES key\r\nThe resulting hash is used as the AES key parameter of the crypto.AES.NewCipher function. The initialization vector is a randomly generated 16 bytes and is passed into the crypto.cipher.NewCTR function.\r\nAfter the encryption, the file is renamed according to the following format: \u003coriginal file name\u003e.\u003cinitialization vector\u003e.abcd. For instance, the file text.txt was renamed to text.txt.e5c331611dd7462f42a5e9776d2281d3.abcd.\r\nFigure 11. Appending an .abcd extension to the encrypted files\r\nWe ran the ransomware sample in a debugger and dumped the master key. We then verified that we could correctly decrypt the previously encrypted file by choosing the proper cipher and passing the correct parameters, as shown in the screenshot below (generated via CyberChef, used here for visualization purposes only).\r\nFigure 12. Verification of decryption when the cipher and its parameters are known\r\nThe README.txt file contains base64-encoded content. Decoding it reveals the master key encrypted by crypto.rsa.EncryptPKCS1v15 with the hard-coded public key as its parameter, then encoded with base64. This base64-encoded blob is followed by the hostname, OS version, and infected machine identifier. To decrypt the master key, we would need the ransomware developer’s private key, which we do not have.\r\nFigure 13. Content of the README.txt file\r\nFigure 14. Decoded README.txt file\r\nAfter all files are processed, the ransomware changes the device’s wallpaper. We observed two different wallpapers in use, and both have been stolen or copied either from LockBit attacks or from a security blog mentioning the ransomware family. It should be noted, however, that 2.0 is not the latest LockBit version. Furthermore, key figures behind the ransomware operations were apprehended earlier this year.\r\nFigure 15. Wallpaper changed into a photo stolen or copied from LockBit ransomware\r\nFigure 16. Wallpaper changed into a photo stolen from a security blog\r\nFigure xx: Code for deleting backups\r\nConclusion\r\nAttackers are increasingly leveraging cloud services and features to further their malicious activities. In this blog, we analyzed a Golang ransomware that abuses Amazon S3's Transfer Acceleration feature to upload victim files to attacker-controlled S3 buckets. Such advanced capabilities enable attackers to efficiently exfiltrate data as they take advantage of cloud service providers.\r\nFurthermore, account identifiers of cloud providers, such as AWS Account IDs linked to malicious activities, can serve as valuable IOCs. By tracking these IDs, defenders can better identify and mitigate threats within their cloud environments, underscoring the need for vigilant monitoring of cloud resources.\r\nThreat actors might also disguise their ransomware sample as another, more publicly known variant, and it is not difficult to see why: the infamy of high-profile ransomware attacks further pressures victims into doing the attacker’s bidding.\r\nTo further boost security, organizations can also employ security solutions such as Vision One to detect and stop threats early, no matter where they are in the system.\r\nAWS Security Feedback\r\nWe contacted AWS about this incident and received the following comment:\r\nTrend Micro Vision One Threat Intelligence\r\nTo stay ahead of evolving threats, Trend Micro customers can access a range of Intelligence Reports and Threat Insights within Trend Micro Vision One. Threat Insights helps customers stay ahead of cyber threats before they happen and be better prepared for emerging threats. It offers comprehensive information on threat actors, their malicious activities, and the techniques they use. By leveraging this intelligence, customers can take proactive steps to protect their environments, mitigate risks, and respond effectively to threats.\r\nTrend Micro Vision One Intelligence Reports App [IOC Sweeping]\r\nFake LockBit, Real Damage: Ransomware Samples Abuse Amazon S3 to Steal Data\r\nTrend Micro Vision One Threat Insights App\r\nEmerging Threats: Fake Lockbit Ransomware Abuses Amazon S3 For Data Exfiltration\r\nHunting Queries\r\nTrend Micro Vision One Search App\r\nTrend Micro Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\r\nDetection for BOCKLIT Malware Presence\r\nmalName:*BOCKLIT* AND eventName: MALWARE_DETECTION\r\nMore hunting queries are available for Vision One customers with Threat Insights Entitlement enabled.\r\nIndicators of Compromise\r\nDuring our monitoring, we have seen different versions of this ransomware. All had encryption features, but only some had upload functionality and valid tokens. This, along with other differences among variants, suggests that the ransomware is still in development.\r\nThe full list of IOCs can be found here.\r\nTags\r\nSource: https://www.trendmicro.com/en_in/research/24/j/fake-lockbit-real-damage-ransomware-samples-abuse-aws-s3-to-stea.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_in/research/24/j/fake-lockbit-real-damage-ransomware-samples-abuse-aws-s3-to-stea.html"
	],
	"report_names": [
		"fake-lockbit-real-damage-ransomware-samples-abuse-aws-s3-to-stea.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434381,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff6f0637f1ae4c54d166949b729ac693a84f2ac5.pdf",
		"text": "https://archive.orkl.eu/ff6f0637f1ae4c54d166949b729ac693a84f2ac5.txt",
		"img": "https://archive.orkl.eu/ff6f0637f1ae4c54d166949b729ac693a84f2ac5.jpg"
	}
}