A new ransomware campaign, Codefinger, is targeting Amazon Web Services (AWS) users by using a relatively novel method.
The attacks do not exploit any vulnerabilities in AWS itself. Instead, they rely on obtaining user credentials, potentially including credentials found in marketplaces on the dark web.
The compromised credentials are used to create S3 buckets, a scalable object storage service offered through AWS. S3 buckets often contain mission-critical data, so they’re prime targets for bad actors.
Codefinger Ransomware: Attack Flow and Key Considerations
The Codefinger campaign was first identified by Halcylon AI, a ransomware prevention service. According to a threat review published on the company’s website, Codefinger follows this general attack workflow:
- Identify vulnerable AWS keys: The attackers search for AWS keys that have been publicly disclosed or previously compromised. For the attack to progress, those credentials must have the necessary permissions to execute certain S3 requests.
- Encrypt files using SSE-C: Attackers use server-side encryption with customer-provided keys (SSE-C) to encrypt the victim’s files with an AES-256 encryption key. This key is generated and stored locally by the attackers.
- Set lifecycle policies: To increase the pressure on the victim, the attackers set a 7-day lifecycle policy for the encrypted files. The files will be automatically deleted after 7 days if not recovered.
- Deposit a ransom note: A ransom note is placed in each affected directory, warning the victim not to alter account permissions or files, or “negotiations will be terminated.”
Notably, the attackers are using SSE-C to encrypt the victim’s data with keys that only they control. AWS doesn’t store the key used for encryption and description processes — so if that key is lost, the data is irretrievable.
Codefinger’s attackers generate and hold onto the encryption keys, making it impossible for the victim to decrypt their data without paying the ransom. This is a departure from traditional ransomware that encrypts files locally on a victim’s machine. By leveraging SSE-C, the attackers are essentially taking advantage of a legitimate security feature to make their attack more potent.
Are There Data Recovery Options for Codefinger Ransomware Attacks?
Unfortunately, there’s no known effective recovery strategy for the current wave of attacks. Amazon can’t resolve the issue — that’s fundamental to the shared responsibility model of AWS. While Amazon has pledged to investigate any reports of stolen keys, they can’t take many additional actions.
Businesses can prevent these types of targeted attacks by limiting access to S3 buckets to essential users. Detailed logging may also help businesses detect unusual activities and quarantine systems when attacks occur.
And since the Codefinger threat group seems especially active at the moment, now would be a great time to review your organization’s credential policies.
Is Codefinger a “new evolution” in ransomware?
While the Codefinger attacks have already attracted some headlines — as any major ransomware operation targeting AWS users would tend to do — its methodology isn’t particularly frightening (though we’ll admit that it’s a new take on an old idea).
What it is, however, is effective: For victims, there’s virtually no way to regain access to the target data without paying the ransom. And since paying for ransoms is often illegal, Codefinger victims don’t have many good options.
Get Help with Ransomware Recovery and Prevention
Datarecovery.com offers comprehensive ransomware recovery services., including expert analysis, decryption attempts, secure data restoration, and proactive threat mitigation. Our “no data, no charge” guarantee ensures you only pay for successful file recovery.
To learn more, call 1-800-237-4200 to speak with a ransomware expert or submit a case online.
