The new Codefinger ransomware poses a high risk to your data.
Updated January 14, 2025: This article was originally published on January 13. Now that the nature of the threat to Amazon Web Services users is fully clear, it has been updated with a statement from Amazon, with analysis from security experts on how a plan to make ransomware payments illegal could affect the victims of attacks like this one, and with further mitigation advice.
Ransomware is a cybersecurity threat that will never go away. Whether the attacker is a group such as the one behind the ongoing Play attack or a key player such as LockBit, which has returned from the dead, ransomware was likely the biggest threat of 2024. A new report reveals how far that threat now reaches: Codefinger has been observed targeting users of Amazon Web Services S3 buckets. Here’s what you need to know:
Ongoing Codefinger ransomware attack targeting Amazon Cloud users
A new ransomware campaign targeting Amazon Web Services users, run by an attacker known as Codefinger, was confirmed in a January 13 threat intelligence report by the Halcyon Threat Research and Intelligence team. The Codefinger attack abuses AWS’s server-side encryption with customer-provided keys (thankfully abbreviated to SSE-C) to encrypt the victim’s data, then demands payment for the symmetric AES-256 keys required for decryption. “This ransomware campaign is particularly dangerous due to the design of SSE-C, which integrates directly with AWS’s secure cryptographic infrastructure and encrypts data, making recovery impossible without the attacker’s keys,” Halcyon researchers warned.
Halcyon went so far as to suggest that Codefinger represents a significant evolution in ransomware capabilities, adding: “If it spreads rapidly, it could pose a systemic threat to organizations that use AWS S3 for critical data storage.” I’m not sure I fully agree that the inability to decrypt data without paying for the key amounts to an evolution, since that is, after all, the foundation on which all ransomware operates, but using SSE-C is certainly a new approach. “Unlike traditional ransomware, which encrypts files locally or in transit, this attack integrates directly with AWS’s secure encryption infrastructure. Once encrypted, recovery is impossible without the attacker’s keys,” the researchers said.
That said, this attack campaign does not exploit any AWS vulnerabilities, but rather relies on the old tactic of obtaining AWS customer account credentials by hook or crook.
“This is a great example of how reusing passwords without two-factor authentication, or sticking with easy-to-guess passwords, comes back to bite administrators,” said Darren James, senior product manager at Specops Software. James said this latest ransomware attack could have been avoided by using different passwords on all systems and enabling 2FA that is as strong and phishing-resistant as possible. “On the plus side, at least SSE-C is a strong encryption method, but it’s bad when it’s used against the good guys instead of for them.”
Amazon Cloud Codefinger ransomware attack flow
Halcyon reports that the attack flow used by Codefinger was as follows:
1. Identify vulnerable AWS keys, using publicly available or previously compromised keys.
2. Encrypt files using SSE-C, leveraging AES-256 encryption keys generated and stored locally by the attacker.
3. Configure file-deletion lifecycle policies, using the S3 Object Lifecycle Management application programming interface to mark the files for deletion in seven days, to increase the urgency of the ransom demand.
4. Store a ransom note in each affected directory, warning that any changes to account permissions or files will end the negotiation.
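The flow above leaves a recognizable trail in CloudTrail: S3 object writes that carry a customer-provided key, followed shortly by a lifecycle rule that expires objects in a few days. The detection logic below is an added example, not code from Halcyon or from this article. It correlates those two signals per bucket. Field names follow CloudTrail’s record format (eventName, eventTime, userIdentity.arn, requestParameters, additionalEventData.SSEApplied); the exact layout of LifecycleConfiguration inside requestParameters is an assumption to check against your own logs, and the SAMPLE_EVENTS are constructed, not real records.

```python
"""Detection logic for the Codefinger-style S3 attack flow (added example).

Not code from Halcyon or the article. Runs over CloudTrail-style records for
S3 data events and bucket lifecycle changes. Field names follow CloudTrail's
record format; the shape of requestParameters.LifecycleConfiguration is an
assumption, and SAMPLE_EVENTS below are constructed, not real logs.
"""
from datetime import datetime, timedelta

# S3 write operations that can carry customer-provided (SSE-C) keys.
SSEC_WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}
# Per the article, files are marked for deletion in 7 days to pressure the victim.
SHORT_EXPIRATION_DAYS = 7


def is_ssec_write(event):
    """True when an S3 write was encrypted with a customer-provided key."""
    if event.get("eventName") not in SSEC_WRITE_EVENTS:
        return False
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return (params.get("x-amz-server-side-encryption-customer-algorithm") == "AES256"
            or extra.get("SSEApplied") == "SSE_C")


def min_expiration_days(event):
    """Smallest enabled Expiration.Days set by a lifecycle change, or None."""
    if event.get("eventName") not in LIFECYCLE_EVENTS:
        return None
    cfg = (event.get("requestParameters") or {}).get("LifecycleConfiguration") or {}
    rules = cfg.get("Rule") or []
    if isinstance(rules, dict):  # a single rule is serialised as one object
        rules = [rules]
    days = [int(r["Expiration"]["Days"]) for r in rules
            if r.get("Status") == "Enabled" and r.get("Expiration", {}).get("Days")]
    return min(days) if days else None


def _when(event):
    return datetime.fromisoformat(event["eventTime"].replace("Z", "+00:00"))


def find_codefinger_pattern(events, window=timedelta(hours=24)):
    """Correlate SSE-C writes with a short-expiration lifecycle rule on the same bucket.

    Returns one finding per suspicious lifecycle change, listing the SSE-C
    encrypted objects written within `window` of it.
    """
    ssec_writes, lifecycle_changes = {}, {}
    for ev in events:
        params = ev.get("requestParameters") or {}
        bucket = params.get("bucketName")
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        if is_ssec_write(ev):
            ssec_writes.setdefault(bucket, []).append((_when(ev), actor, params.get("key")))
        days = min_expiration_days(ev)
        if days is not None and days <= SHORT_EXPIRATION_DAYS:
            lifecycle_changes.setdefault(bucket, []).append((_when(ev), actor, days))

    findings = []
    for bucket, changes in lifecycle_changes.items():
        for change_time, actor, days in changes:
            nearby = [w for w in ssec_writes.get(bucket, []) if abs(w[0] - change_time) <= window]
            if nearby:
                findings.append({
                    "bucket": bucket,
                    "principal": actor,
                    "expiration_days": days,
                    "ssec_objects": sorted(w[2] for w in nearby),
                })
    return findings


def _s3_event(name, time, bucket, **params):
    """Build a minimal constructed CloudTrail record for the sample below."""
    return {
        "eventSource": "s3.amazonaws.com", "eventName": name, "eventTime": time,
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/leaked-key-user"},
        "requestParameters": {"bucketName": bucket, **params},
    }


# Constructed sample: SSE-C writes plus a 7-day expiry rule on one bucket,
# and ordinary SSE-KMS activity plus a 365-day rule on another.
SAMPLE_EVENTS = [
    _s3_event("PutObject", "2025-01-12T03:10:00Z", "victim-data", key="docs/a.txt",
              **{"x-amz-server-side-encryption-customer-algorithm": "AES256"}),
    _s3_event("CopyObject", "2025-01-12T03:11:00Z", "victim-data", key="backups/db.sql",
              **{"x-amz-server-side-encryption-customer-algorithm": "AES256"}),
    _s3_event("PutObject", "2025-01-12T03:12:00Z", "other-bucket", key="report.pdf",
              **{"x-amz-server-side-encryption": "aws:kms"}),
    _s3_event("PutBucketLifecycle", "2025-01-12T03:20:00Z", "victim-data",
              LifecycleConfiguration={"Rule": {"ID": "cleanup", "Status": "Enabled",
                                               "Expiration": {"Days": 7}}}),
    _s3_event("PutBucketLifecycle", "2025-01-12T04:00:00Z", "other-bucket",
              LifecycleConfiguration={"Rule": {"ID": "archive", "Status": "Enabled",
                                               "Expiration": {"Days": 365}}}),
]

if __name__ == "__main__":
    for finding in find_codefinger_pattern(SAMPLE_EVENTS):
        print(finding)
```

PutObject and CopyObject are S3 data events, so this only works if data-event logging is enabled for the buckets in question; lifecycle changes are management events and are recorded by default. The 24-hour window and the seven-day threshold are tuning knobs, and a short-expiration lifecycle rule on its own is worth an alert when nobody expected the change.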
Unrecoverable Amazon ransomware highlights the difficulty of making ransom payments illegal
Following news of the UK Home Office’s plans to make ransomware payments illegal for some victims, particularly national infrastructure companies and services, security experts are voicing their opinions on such a move. Such laws are anything but simple, given that the Amazon attack puts the impossibility of recovery without paying a ransom squarely on the incident response table. “The topic of ransomware payments is a hotly debated one,” said Javvad Malik, head of security awareness at KnowBe4. “Almost everyone agrees that they do not want to contribute to sponsoring such activities. However, it is very important that the law requires ransom payments to be illegal. People usually want to do the right thing. No executive sets out to become a victim of ransomware, but when ransomware does occur, there is a lot of pressure from shareholders, customers and governments. As that pressure starts to mount, they will try to pay the ransom unless an alternative is provided. In this regard, governments should work with organizations to minimize the disruption caused by ransomware and, at the very least, should provide extensive guidance on how to prevent, detect, respond to, and recover from ransomware attacks.”
Amazon statement regarding Codefinger ransomware attack
An Amazon Web Services spokesperson said: “AWS helps customers protect their cloud resources through a shared responsibility model. When AWS becomes aware of exposed keys, it notifies the affected customers, and we quickly investigate all reports of exposed keys and take necessary actions, including enforcing quarantine policies to minimize risk to our customers without disrupting their IT environments. As always, if you suspect your credentials may have been compromised, you can start by following the steps outlined in this post. You can contact AWS Support if you have questions or concerns about the security of your account.”
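Because the attack described in this article relies on ordinary SSE-C writes made with stolen credentials rather than on any AWS vulnerability, one preventive control on the customer side of the shared responsibility model is a bucket policy that refuses object writes carrying a customer-provided key, so that a leaked credential cannot re-encrypt data with a key AWS never stores. The code below is an added example, not AWS’s or the article’s code. It builds such a policy using the documented IAM condition key s3:x-amz-server-side-encryption-customer-algorithm and audits an existing policy document for an equivalent statement; the bucket name is a placeholder, and applying the policy with aws s3api put-bucket-policy is left to the operator.

```python
"""Preventive control for SSE-C abuse on an S3 bucket (added example).

Not AWS's or the article's code. deny_ssec_policy() returns a bucket policy
that denies s3:PutObject whenever the request carries the SSE-C algorithm
header; policy_denies_ssec() audits an existing policy document for such a
statement. "example-bucket" and the account id are placeholders.
"""
import json

# Documented S3 condition key set on requests that use customer-provided keys.
SSEC_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_ssec_policy(bucket):
    """Bucket policy: deny PutObject for everyone when the SSE-C header is present."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeyEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Null: false means "the key IS present", i.e. the request uses SSE-C.
            "Condition": {"Null": {SSEC_CONDITION_KEY: "false"}},
        }],
    }


def _as_list(value):
    """IAM allows a single string or a list for Action and Statement."""
    return value if isinstance(value, list) else [value]


def _covers_put_object(actions):
    return any(a in ("s3:*", "s3:Put*", "s3:PutObject") for a in _as_list(actions))


def _is_everyone(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and principal.get("AWS") == "*"


def policy_denies_ssec(policy):
    """True if some statement denies PutObject for all principals whenever SSE-C is used."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny" or not _is_everyone(stmt.get("Principal")):
            continue
        if not _covers_put_object(stmt.get("Action", [])):
            continue
        null_cond = (stmt.get("Condition") or {}).get("Null") or {}
        # IAM accepts the value as the string "false" or as JSON false.
        if str(null_cond.get(SSEC_CONDITION_KEY)).lower() == "false":
            return True
    return False


# Constructed policy that only grants reads; it does not block SSE-C writes.
READ_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

if __name__ == "__main__":
    print(json.dumps(deny_ssec_policy("example-bucket"), indent=2))
    print("read-only policy blocks SSE-C:", policy_denies_ssec(READ_ONLY_POLICY))
    print("deny policy blocks SSE-C:", policy_denies_ssec(deny_ssec_policy("example-bucket")))
```

The deny only stops new SSE-C writes; it does nothing for objects already re-encrypted, and a stolen credential that is allowed to call PutBucketPolicy or PutLifecycleConfiguration can simply remove it. Pair it with least-privilege application credentials that lack those bucket-management permissions, with S3 Versioning so an overwritten object keeps its prior version, and with the MFA and unique-password advice given earlier in this article.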