Summary: A ransomware group named Codefinger is targeting organizations by encrypting data in their AWS S3 buckets with server-side encryption using customer-provided keys (SSE-C), then demanding a ransom for the decryption key. The attackers use previously compromised AWS access keys rather than an AWS vulnerability, and they apply S3 lifecycle rules so that the encrypted objects are deleted if the ransom is not paid within a week.
Threat Actor: Codefinger | Codefinger
Victim: Organizations using AWS S3 | Organizations using AWS S3
Key Points:
- The attack relies on compromised AWS access keys with permission to read and write S3 objects (s3:GetObject and s3:PutObject); no AWS vulnerability is exploited.
- Attackers re-upload the data in place with SSE-C instead of exfiltrating it. AWS does not store the customer-provided key (only an HMAC of it), so the objects cannot be recovered without the attacker's key. Lifecycle rules that expire the objects within seven days supply the deadline pressure.
- Organizations are advised to block SSE-C with bucket or IAM policies (deny s3:PutObject when the s3:x-amz-server-side-encryption-customer-algorithm condition key is present) unless a workload genuinely needs it, and to regularly review, scope down and rotate AWS access keys.
- Enabling CloudTrail S3 data events (and S3 server access logging) records SSE-C writes and lifecycle-configuration changes, so unusual activity can be detected quickly.
- AWS provides ways to avoid long-term credentials (IAM roles, instance profiles, IAM Identity Center, temporary STS credentials); removing static access keys removes the entry point this attack depends on.
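The two controls above, as an added example that is not from the Help Net Security article or Halcyon's research: a bucket policy statement that refuses SSE-C uploads, and a small detector that flags SSE-C writes and short-expiry lifecycle rules in CloudTrail S3 events. The bucket name, account ID, principal ARN and the log records are constructed; the record layout mirrors CloudTrail S3 data events as I understand them (the SSE-C algorithm header appears in requestParameters), which you should confirm against your own trail before relying on it.

```python
"""Added example, not code from the article: deny-SSE-C bucket policy plus a
CloudTrail detector for the Codefinger pattern (SSE-C re-encryption followed by
a lifecycle rule that expires the objects within days)."""
import json

BUCKET = "example-victim-bucket"  # assumption: placeholder bucket name

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
# S3 API calls that carry SSE-C headers when a customer-provided key is used.
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}
# CloudTrail logs the lifecycle API under either name depending on the SDK/API version.
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def deny_ssec_policy(bucket: str) -> dict:
    """Bucket policy that denies any PutObject carrying an SSE-C algorithm header.

    The Null condition evaluates to false when the header is present, which makes
    the Deny statement match. Explicit Deny beats any Allow the compromised key has.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyServerSideEncryptionWithCustomerKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {f"s3:{SSEC_HEADER}": "false"}},
        }],
    }


# Constructed CloudTrail records, trimmed to the fields the detector reads.
# Record 1 is a benign SSE-S3 upload; records 2 and 3 are the attack pattern.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": BUCKET, "key": "reports/q4.xlsx",
                           "x-amz-server-side-encryption": "AES256"}},
    {"eventName": "PutObject", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": BUCKET, "key": "reports/q4.xlsx",
                           SSEC_HEADER: "AES256"}},
    {"eventName": "PutBucketLifecycle", "eventSource": "s3.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": BUCKET,
                           "LifecycleConfiguration": {"Rule": {
                               "ID": "cleanup", "Status": "Enabled",
                               "Expiration": {"Days": 7}}}}},
]


def find_ssec_abuse(events, max_expiry_days: int = 7) -> list:
    """Return one alert dict per suspicious record.

    Signals: an object written with SSE-C (the key never reaches AWS, so without
    it the data is unrecoverable), and an enabled lifecycle rule that expires
    objects within max_expiry_days (the ransom deadline).
    """
    alerts = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        bucket = params.get("bucketName", "unknown")
        if name in WRITE_EVENTS and SSEC_HEADER in params:
            alerts.append({"type": "ssec_write", "bucket": bucket,
                           "key": params.get("key"), "actor": actor,
                           "algorithm": params[SSEC_HEADER]})
        elif name in LIFECYCLE_EVENTS:
            rules = (params.get("LifecycleConfiguration") or {}).get("Rule", [])
            if isinstance(rules, dict):  # a single rule is logged as a dict, not a list
                rules = [rules]
            for rule in rules:
                days = (rule.get("Expiration") or {}).get("Days")
                if rule.get("Status") == "Enabled" and days is not None \
                        and days <= max_expiry_days:
                    alerts.append({"type": "short_expiry_lifecycle", "bucket": bucket,
                                   "actor": actor, "days": days})
    return alerts


if __name__ == "__main__":
    print(json.dumps(deny_ssec_policy(BUCKET), indent=2))
    for alert in find_ssec_abuse(SAMPLE_EVENTS):
        print(alert)
```

Apply the policy with `aws s3api put-bucket-policy` after merging it into any existing statements; if some workload legitimately needs SSE-C, narrow the Principal or add a NotPrincipal rather than dropping the statement. The detector is deliberately stateless; in production, correlate the two alert types per actor and bucket, since an SSE-C write followed by a short-expiry lifecycle change from the same principal is the sequence worth paging on.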
Source: https://helpnetsecurity.com/2025/01/13/codefinger-encrypting-aws-s3-data-without-ransomware-sse-c/