The new Codefinger ransomware poses a high risk to your data.
Update 15 January 2025: This article, originally published on 13 January, has been updated with news of UK government plans to make ransomware payments illegal as the nature of the Amazon threat becomes fully clear. It now also contains analysis from security experts on how such a ban could affect victims, along with further mitigation advice for victims of these attacks.
Ransomware is a cybersecurity threat that will never go away. Whether the attacker is a group such as the one behind the ongoing Play attacks or a major player such as LockBit, which has returned from the dead, falling victim to ransomware was likely the biggest threat of 2024, as a report reveals. Now Codefinger has been observed targeting users of Amazon Web Services S3 buckets. Here’s what you need to know:
Ongoing Codefinger ransomware attack targeting Amazon Cloud users
A new ransomware campaign targeting Amazon Web Services users by an attacker known as Codefinger was confirmed in a January 13 threat intelligence report by the Halcyon Threat Research and Intelligence team. The Codefinger attack takes advantage of AWS’s server-side encryption with customer-provided keys (thankfully abbreviated to SSE-C) to encrypt data, then demands payment for the symmetric AES-256 key required for decryption. “This ransomware campaign is particularly dangerous due to the design of SSE-C, which integrates directly with AWS’s secure cryptographic infrastructure and encrypts data, making recovery impossible without the attacker’s keys,” warned Halcyon researchers.
Halcyon went so far as to suggest that Codefinger represents a significant evolution in ransomware capabilities, saying, “If it spreads rapidly, it could pose a systemic threat to organizations that use AWS S3 for critical data storage.” I’m not sure I fully agree that the inability to decrypt data without paying for the key amounts to an evolution; after all, that is the foundation on which all ransomware operates. But using SSE-C is certainly a new approach. “Unlike traditional ransomware, which encrypts files locally or in transit, this attack integrates directly with AWS’s secure encryption infrastructure. Once encrypted, recovery is impossible without the attacker’s keys,” the researchers said.
That said, this attack campaign does not exploit any AWS vulnerability; rather, it relies on the old tactic of obtaining AWS customer account credentials by hook or by crook.
“This is a great example of how reusing passwords without two-factor authentication, or sticking with easy-to-guess passwords, comes back to bite administrators,” said Darren James, senior product manager at Specops Software. James said this latest ransomware attack could have been avoided by using different passwords on all systems and enabling 2FA that is as strong and phishing-resistant as possible. “On the plus side, at least SSE-C is a strong encryption method, but it’s bad when it’s used against the good guys rather than for them.”
Amazon Cloud Codefinger ransomware attack flow
Halcyon reports that the attack flow used by Codefinger was as follows:
1. Identify vulnerable AWS keys, using publicly exposed or previously compromised credentials.
2. Encrypt files using SSE-C, leveraging locally generated and stored AES-256 encryption keys.
3. Configure file-deletion lifecycle policies, using the S3 Object Lifecycle Management application programming interface to mark the files for deletion in 7 days, increasing the urgency of the ransom demand.
4. Store a ransom note in each affected directory, warning that any changes to account permissions or files will end the negotiation.
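The defender’s view of the flow above, as an added example that is not Halcyon’s or AWS’s code: flag SSE-C object writes and short-expiration lifecycle rules in CloudTrail-style records, and build a bucket policy that denies SSE-C writes outright. The log records and lifecycle configuration are constructed sample data, and the `additionalEventData.SSEApplied` field name is an assumption to verify against your own trail.

```python
# Constructed CloudTrail-style S3 data-event records (sample data, not real logs).
# CloudTrail reports the encryption mode in additionalEventData.SSEApplied; treat
# these exact field names as an assumption to verify against your own trail.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deployer"},
     "requestParameters": {"bucketName": "example-data", "key": "reports/q4.csv"}, "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "CopyObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deployer"},
     "requestParameters": {"bucketName": "example-data", "key": "reports/q3.csv"}, "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "GetObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/deployer"},
     "requestParameters": {"bucketName": "example-data", "key": "reports/q2.csv"}, "additionalEventData": {"SSEApplied": "SSE_C"}},
]

# Constructed lifecycle configuration, in the shape get-bucket-lifecycle-configuration returns.
SAMPLE_LIFECYCLE = {"Rules": [
    {"ID": "archive-logs", "Status": "Enabled", "Filter": {"Prefix": "logs/"},
     "Expiration": {"Days": 365}},
    {"ID": "purge-7d", "Status": "Enabled", "Filter": {"Prefix": ""},
     "Expiration": {"Days": 7}},
]}

WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload"}


def flag_sse_c_writes(events):
    """Return (principal, bucket, key) for every object write that applied SSE-C.
    Workloads on SSE-S3/SSE-KMS never produce these; a run of them is the attack pattern."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in WRITE_EVENTS:
            continue  # a read with SSE-C is legitimate access, not re-encryption
        if ev.get("additionalEventData", {}).get("SSEApplied") == "SSE_C":
            p = ev.get("requestParameters", {})
            hits.append((ev["userIdentity"]["arn"], p.get("bucketName"), p.get("key")))
    return hits


def short_expiration_rules(lifecycle, max_days=7):
    """Return IDs of enabled rules expiring objects within max_days (the deadline tactic)."""
    risky = []
    for rule in lifecycle.get("Rules", []):
        days = rule.get("Expiration", {}).get("Days")
        if rule.get("Status") == "Enabled" and days is not None and days <= max_days:
            risky.append(rule.get("ID", "<unnamed>"))
    return risky


def deny_sse_c_policy(bucket):
    """Bucket policy denying writes that carry the SSE-C customer-algorithm header."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySSECustomerKeys", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}]}
```

Run the two detectors over S3 data events and lifecycle configurations for every bucket holding data you cannot afford to lose, and apply the deny policy only after confirming no legitimate workload relies on SSE-C.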
Unrecoverable Amazon ransomware highlights the dilemma of outlawing ransom payments
Following news of the UK Home Office’s plans to make ransomware payments illegal for some victims, particularly national infrastructure companies and services, security experts are voicing their opinions on such a move. Such laws are anything but simple, given that the Amazon attack leaves no way to recover without bringing a ransom payment to the incident response table. “The topic of ransomware payments is a hotly debated one,” said Javvad Malik, head of security awareness at KnowBe4. “Almost everyone agrees that they do not want to contribute to such activities. However, it is a big step to make ransom payments illegal under the law. People usually want to do the right thing. No executive sets out to become a victim of ransomware, but when ransomware does occur, there is a lot of pressure from shareholders, customers and governments. As that pressure mounts, they will pay the ransom unless an alternative is provided.” Malik said that to minimize the disruption caused by ransomware, governments should work together with organizations and “at least provide extensive guidance on how to prevent, detect, respond to, and recover from ransomware attacks.”
Dr. Darren Williams, CEO and founder of BlackFog, pointed out that ransomware gangs, like most criminals, are “very profit-motivated and tend to gravitate toward targets that are more likely to pay them.” And as Williams said, payment is no guarantee. “At the end of the day, you are negotiating with criminals who are unlikely to honor their end of the deal, and in many cases they will leak the stolen data after a while, or target the same victims again.”
Jochen Michels, head of European communications at Kaspersky, argued that paying ransoms does perpetuate the cycle of crime, but that there are many no-win scenarios to consider. “We recommend against paying a ransom to cybercriminals, as it perpetuates the cycle of crime and provides no guarantee of resolution,” Michels said, adding that industry initiatives such as Kaspersky’s “No Ransom” initiative provide victims with a way to recover data without bowing to criminal demands. Unfortunately, these efforts to provide free ransomware decryption tools are of little use to victims of the “unrecoverable” Amazon ransomware attack, because of its use of SSE-C keys. No wonder, then, that Michels said, “In certain high-risk scenarios, the decision to pay or not to pay becomes much more complex.” This highlights the urgent need for government safeguards to support victims facing no-win situations, Michels said. “This could include financial support for recovery efforts, access to decryption tools, and even compensation if payment of the ransom is deemed the only viable option.”
Meanwhile, Jamie Akhtar, co-founder and CEO of CyberSmart, also said that while the sentiment behind the UK government’s proposed policy was to be applauded, caution was needed. “This approach only works if organizations have cybersecurity measures in place, such as regular backups and properly siloed data, so they can bounce back quickly even if the ransom is not paid,” warned Akhtar. Of course, many organizations do not have these measures in place, or at least not to the extent necessary, and as a result are left with little choice but to pay the ransom or face reputational and financial ruin. “Such steps need to be taken in conjunction with broader efforts to improve cybersecurity practices,” Akhtar concluded.
However, Mike Kiser, SailPoint’s director of strategy and standards, put it more bluntly: “Ransom payments should be prohibited. An increase in payments means a corresponding increase in malicious activity.” But as Kiser acknowledged, things are not as simple as they sound. “As soon as a law is passed prohibiting the payment of ransoms, an underground market may emerge, resulting in a hidden economy.” And who would be responsible for violating the law? “Is it the corporation’s responsibility or the security personnel’s responsibility?” Kiser asked.
Amazon statement regarding Codefinger ransomware attack
An Amazon Web Services spokesperson said: “AWS helps customers protect their cloud resources through a shared responsibility model. When AWS becomes aware of exposed keys, it notifies the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take the necessary actions, including enforcing quarantine policies to minimize risk to our customers without disrupting their IT environments. As always, if you suspect that your credentials may have been compromised, you can start by following the steps outlined in this post. You can contact AWS Support if you have questions or concerns about the security of your account.”