AWS S3 feature exploited by ransomware hackers to encrypt storage buckets

Posted by: David Wilson, Thu, 16 Jan

Cybercriminals have found a new way to target AWS users: they use exposed AWS keys to access storage buckets. The group, known as Codefinger, encrypts the files using AWS server-side encryption and then schedules them for deletion within a week, a tactic that sets it apart from traditional ransomware attacks.

Halcyon researchers observed this attack targeting AWS native software developers and emphasized the risks organizations face when relying on AWS S3 for critical data storage. Tim West of the Halcyon RISE Team expressed concern over the systemic risk this method poses and highlighted the significance of securing AWS S3 buckets.

Unlike typical ransomware attacks that involve data theft or extortion, Codefinger’s approach focuses on data destruction, putting pressure on victims to pay the ransom. The strategy underlines the importance of cybersecurity measures, and AWS customers are urged to restrict the use of AWS server-side encryption with customer-provided keys (SSE-C).
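One way to check whether a bucket policy enforces the SSE-C restriction mentioned above, as an added example that is not from Halcyon, AWS or the original article. It assumes the bucket has no legitimate SSE-C use; the function name, the bucket name `example-bucket` and both sample policies are constructed, while the condition key is the one S3 documents for the SSE-C algorithm header.

```python
import fnmatch

SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def blocks_sse_c(policy, bucket):
    """True if a Deny statement rejects every PutObject to `bucket` that carries an SSE-C header."""
    objects_arn = f"arn:aws:s3:::{bucket}/*"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        if stmt.get("Principal") not in ("*", {"AWS": "*"}):
            continue  # a deny scoped to some principals leaves the others free to use SSE-C
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if not any(fnmatch.fnmatchcase("s3:putobject", a) for a in actions):
            continue
        # Conservative: only the exact "all objects in this bucket" ARN is accepted.
        if objects_arn not in _as_list(stmt.get("Resource", [])):
            continue
        # Any extra condition would narrow the deny, so accept only a lone Null test.
        cond = {op.lower(): keys for op, keys in stmt.get("Condition", {}).items()}
        if list(cond) != ["null"] or len(cond["null"]) != 1:
            continue
        key, val = next(iter(cond["null"].items()))
        # Null = "false" matches when the SSE-C header IS present in the request.
        if key.lower() == SSE_C_KEY and all(str(v).lower() == "false" for v in _as_list(val)):
            return True
    return False

# Constructed sample policies for a placeholder bucket name.
WEAK = {"Version": "2012-10-17", "Statement": [{
    "Sid": "TlsOnly", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}

HARDENED = {"Version": "2012-10-17", "Statement": WEAK["Statement"] + [{
    "Sid": "DenySseC", "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Null": {SSE_C_KEY: "false"}}}]}

if __name__ == "__main__":
    for name, pol in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "blocks SSE-C writes:", blocks_sse_c(pol, "example-bucket"))
```

The check is deliberately strict, so a policy that blocks SSE-C through a broader resource pattern or a combined condition is reported as not blocking and should be reviewed by hand.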

While Halcyon did not disclose the victims, they advised caution and vigilance. Amazon emphasized the importance of following cybersecurity best practices and monitoring for exposed keys to mitigate risks. This incident underscores the evolving tactics used by cybercriminals and the critical need for organizations to enhance their security measures to protect sensitive data on cloud storage platforms.
