Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses
Summary:
A new wave of ransomware attacks has been observed targeting cloud-native environments, specifically Amazon Simple Storage Service (S3) buckets, to extort victims. Unlike traditional on-premise ransomware attacks that encrypt files using malware, these actors take advantage of weak access controls and misconfigurations in cloud environments to lock organizations out of their own data. According to a new blog post from Trend Micro, adversaries have been abusing AWS features such as S3 APIs, Key Management Service (KMS), and snapshot management to overwrite, encrypt, and steal data. Notably, researchers outlined five S3 ransomware variants that they want you to be aware of:
- Variant 1 (Using default AWS KMS keys – SSE-KMS)
- The attacker creates a KMS key in their own AWS account, uses it to encrypt the victim’s S3 data, and then proceeds to schedule the deletion of the KMS key used, giving the victim a seven-day deadline before the key and access to the data are permanently lost.
- Variant 2 (Using server-side encryption with customer-provided keys – SSE-C)
- The attacker encrypts S3 objects using their own AES-256 key via server-side encryption. Because AWS never stores this key, neither AWS nor the customer can decrypt the data.
- Variant 3 (S3 exfiltration and deletion)
- The attacker steals all data from S3 and then proceeds to delete the bucket’s contents, threatening to leak the data if the victim doesn’t pay the ransom demanded.
- Variant 4 (Using AWS KMS External Key Material)
- The attacker imports their own key material into AWS KMS and uses it to encrypt S3 objects. Imported external key material can be given an expiration of any duration, so the actors can deliberately set a short expiration to render the key (and the encrypted data) inaccessible to both the customer and AWS.
- Variant 5 (using External Key Store - XKS)
- The attacker deploys or spoofs an external key store and uses it to encrypt the victim’s S3 data. Since the key never exists within AWS, neither AWS nor the customer can recover the data.
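Each variant leaves a different trace in CloudTrail: SSE-C request headers, a KMS key ARN from a foreign account, rare KMS control-plane calls such as key material import or scheduled deletion, and bursts of deletes from a single principal. The Python below is an added defender-side example, not code from the Trend Micro post; it runs those heuristics over constructed CloudTrail-style events. The request-parameter field names mirror how CloudTrail records S3 encryption headers but are treated as assumptions to validate against your own trail, and the account id 111111111111, principal ARNs and key ARNs are made-up sample values.

```python
"""Detection heuristics for the five S3 ransomware variants (added example)."""
import json
from collections import Counter, defaultdict

HOME_ACCOUNT = "111111111111"   # constructed: the account that owns the buckets
ATTACKER = "arn:aws:iam::111111111111:user/leaked-ci-key"   # constructed principal

# KMS control-plane calls that are rare in steady state but appear in the
# KMS-based variants (key deletion, imported key material, external key stores).
KMS_RARE_EVENTS = {
    "ScheduleKeyDeletion", "ImportKeyMaterial",
    "CreateCustomKeyStore", "ConnectCustomKeyStore", "UpdateCustomKeyStore",
}
BULK_DELETE_THRESHOLD = 3       # deletes per principal; tune to your own baseline


def key_account(kms_key_arn):
    """Account id embedded in a KMS key ARN (arn:aws:kms:region:account:key/id)."""
    parts = kms_key_arn.split(":")
    return parts[4] if len(parts) > 4 else None


def classify_event(ev, home_account=HOME_ACCOUNT):
    """Signals raised by one CloudTrail event (empty list for benign events)."""
    signals = []
    src, name = ev.get("eventSource"), ev.get("eventName")
    params = ev.get("requestParameters") or {}
    if src == "s3.amazonaws.com" and name in ("PutObject", "CopyObject"):
        # Variant 2: SSE-C, the key lives only with the caller
        if params.get("x-amz-server-side-encryption-customer-algorithm"):
            signals.append("sse-c-write")
        # Variants 1/4/5: SSE-KMS with a key that is not in the home account
        key = params.get("x-amz-server-side-encryption-aws-kms-key-id")
        if key and key_account(key) not in (None, home_account):
            signals.append("foreign-kms-key-write")
    if src == "kms.amazonaws.com" and name in KMS_RARE_EVENTS:
        signals.append("kms-" + name)
    return signals


def principal(ev):
    return (ev.get("userIdentity") or {}).get("arn", "unknown")


def detect(events, home_account=HOME_ACCOUNT, bulk_threshold=BULK_DELETE_THRESHOLD):
    """Per-principal findings: per-event signals plus bulk delete patterns."""
    findings = defaultdict(list)
    deletes = Counter()
    for ev in events:
        who = principal(ev)
        findings[who].extend(classify_event(ev, home_account))
        if ev.get("eventSource") == "s3.amazonaws.com" and \
                ev.get("eventName") in ("DeleteObject", "DeleteObjects"):
            deletes[who] += 1
    # Variant 3: exfiltrate-then-delete shows up as bulk deletes from one principal
    for who, n in deletes.items():
        if n >= bulk_threshold:
            findings[who].append(f"bulk-delete:{n}")
    return {who: sig for who, sig in findings.items() if sig}


# Constructed sample trail: one legitimate write, then an attacker-style sequence.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:role/app-writer"},
     "requestParameters": {"bucketName": "payroll-data", "key": "2025/q3.csv",
                           "x-amz-server-side-encryption": "aws:kms",
                           "x-amz-server-side-encryption-aws-kms-key-id":
                               "arn:aws:kms:us-east-1:111111111111:key/aaaa-1111"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"bucketName": "payroll-data", "key": "2025/q3.csv",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
     "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"bucketName": "payroll-data", "key": "2025/q2.csv",
                           "x-amz-server-side-encryption": "aws:kms",
                           "x-amz-server-side-encryption-aws-kms-key-id":
                               "arn:aws:kms:us-east-1:999999999999:key/bbbb-2222"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "ImportKeyMaterial",
     "userIdentity": {"arn": ATTACKER}, "requestParameters": {"keyId": "cccc-3333"}},
] + [
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "userIdentity": {"arn": ATTACKER},
     "requestParameters": {"bucketName": "payroll-data", "key": f"2025/q{i}.csv"}}
    for i in (1, 2, 3)
]

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

In practice the events come from CloudTrail S3 data events and KMS management events delivered to a log store; the legitimate write with the home-account key produces no signal, while the leaked-key principal accumulates one signal per variant it touches.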
As organizations transition their operations to the cloud, actors continue to shift their attention away from on-premise systems to cloud resources such as AWS S3 buckets where sensitive information is stored. Using native cloud features such as KMS, adversaries can conduct their encryption routines without triggering security monitoring tools. According to researchers, actors behind the latest wave of attacks typically gain access through stolen credentials or leaked access keys found in public code repositories. From there, they identify vulnerable S3 buckets, looking for weaknesses such as disabled versioning, missing Object Lock protection, and improper write permissions. Once they find these buckets, the actors can effectively lock and steal stored data, deleting the original files before demanding ransom payments.
Suggested Corrections:
Recommendations from Trend Micro:
- Enforce least-privilege access. Limit s3:PutObject, s3:DeleteObject, and KMS operations to specific roles. Use IAM conditions, multi-factor authentication (MFA), and separation of duties to block unauthorized activity.
- Harden KMS governance. Restrict cross-account KMS grants, disable unused imported key material or XKS connections, and separate key administrators from data owners.
- Enable Object Immutability. Turn on S3 Object Lock and versioning to prevent overwrites or encryption of existing data and ensure fast recovery.
- Enforce MFA Delete on critical buckets. Enable MFA Delete to require a second authentication factor before object version deletions or versioning changes, a strong final safeguard against ransomware-triggered wipes.
- Block public and untrusted access. Enforce S3 Block Public Access at both account and bucket level. Route access through VPC endpoints or private access points only.
- Avoid weak encryption practices. Restrict or disable SSE-C usage; preferably, use SSE-KMS with monitored customer-managed keys. Regularly review any external or imported key material.
- Detect anomalous activity early with unified monitoring. Continuously monitor CloudTrail, S3 Data Events, and KMS logs for unusual encryption, cross-account activity, or bulk write/delete patterns.
- Isolate and protect backups. Maintain cross-account replication to a separate AWS account with its own CMKs and deletion protections to ensure clean recovery options.
- Validate recovery regularly. Periodically test restoration from versioned objects or replicas, and audit IAM/KMS policies for privilege creep or misconfigurations.
- Automate response actions. Configure automated alerts and response playbooks to revoke compromised credentials, disable suspicious KMS keys, and quarantine affected resources quickly.
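The controls above translate into a small set of checkable bucket settings and a bucket policy. The Python below is an added example, not Trend Micro's or AWS's code: audit_bucket() takes a dict shaped like the boto3 GetBucketVersioning, GetObjectLockConfiguration, GetPublicAccessBlock and GetBucketEncryption responses (shape assumed; populate it from real API calls in practice) and reports the gaps the variants exploit, and hardened_bucket_policy() builds a bucket policy that denies SSE-C writes, denies any KMS key other than the organisation's own, and requires TLS. The bucket name and key ARN are constructed sample values.

```python
"""Posture audit and hardened bucket policy for S3 ransomware controls (added example)."""
import json

# Hypothetical sample values for the examples below.
BUCKET = "payroll-data"
ORG_KEY_ARN = "arn:aws:kms:us-east-1:111111111111:key/aaaa-1111"


def audit_bucket(cfg):
    """Return (control, detail) findings for one bucket configuration dict."""
    findings = []
    versioning = cfg.get("Versioning", {})
    if versioning.get("Status") != "Enabled":
        findings.append(("versioning", "disabled: overwritten or deleted objects cannot be restored"))
    if versioning.get("MFADelete") != "Enabled":
        findings.append(("mfa-delete", "not enforced: version deletion needs only one factor"))
    lock = cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append(("object-lock", "disabled: existing versions can be deleted or replaced"))
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    for flag in ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"):
        if not pab.get(flag):
            findings.append(("block-public-access", f"{flag} is off"))
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if "aws:kms" not in algos:
        findings.append(("default-encryption", "default encryption is not SSE-KMS with a managed key"))
    return findings


def hardened_bucket_policy(bucket, kms_key_arn):
    """Bucket policy enforcing the encryption and transport controls listed above."""
    objects = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Variant 2: refuse any write that supplies a customer-provided key (SSE-C)
                "Sid": "DenySSEC", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
            },
            {   # Variants 1/4/5: refuse any KMS key other than the org-controlled key;
                # IfExists lets header-less writes fall through to default bucket encryption
                "Sid": "DenyForeignKmsKey", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"StringNotEqualsIfExists":
                              {"s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
            {   # Explicit SSE-S3 or other algorithms are refused so every write uses the monitored key
                "Sid": "RequireSSEKMS", "Effect": "Deny", "Principal": "*",
                "Action": "s3:PutObject", "Resource": objects,
                "Condition": {"StringNotEqualsIfExists": {"s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # Plaintext transport is refused for every operation on the bucket
                "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
                "Action": "s3:*", "Resource": [f"arn:aws:s3:::{bucket}", objects],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    }


# Constructed sample configurations: a weak bucket and a hardened one.
WEAK_BUCKET = {
    "Versioning": {"Status": "Suspended"},
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
}
HARDENED_BUCKET = {
    "Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"},
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms",
                                                "KMSMasterKeyID": ORG_KEY_ARN}}]},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, audit_bucket(cfg))
    print(json.dumps(hardened_bucket_policy(BUCKET, ORG_KEY_ARN), indent=2))
```

The deny statements on s3:PutObject also cover CopyObject, because a copy is evaluated as a PutObject on the destination key; combine them with the IAM least-privilege scoping, KMS key policy restrictions and cross-account replication from the list, since a bucket policy alone does not stop a principal that already holds delete rights on unversioned data.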
https://www.trendmicro.com/en_us/research/25/k/s3-ransomware.html