
The Halcyon RISE team has discovered a new and dangerous ransomware campaign that abuses Amazon S3 Server-Side Encryption with Customer-Provided Keys (SSE-C). The attackers use stolen AWS access keys to encrypt the victim's data and then demand a ransom for the decryption key.
This attack poses a serious risk to companies that store critical information in AWS: with read and write permissions on the objects in an S3 bucket, an attacker generates their own AES-256 key and re-encrypts the data using SSE-C. AWS does not store these keys, so the data cannot be recovered without paying the ransom. At the same time, CloudTrail records only the HMAC of the key, which makes it impossible to reproduce the key or to carry out a thorough investigation.
Key stages of the attack:
Introduced in 2014, SSE-C enables customers to encrypt their data with their own keys. A feature intended to improve security has now become a tool in the hands of cybercriminals; Halcyon identified two affected companies, neither of which was a Halcyon customer at the time of the attack.
This attack shows that legitimate cloud services can be turned into a means of data encryption and extortion. Halcyon urges organizations to strengthen the security of their AWS environments immediately by restricting the use of SSE-C, auditing access keys, monitoring S3 activity in detail, and working with AWS to minimize the risk. The same technique could spread to other cloud services, creating a broader threat to the security of cloud data.
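The monitoring and SSE-C restriction Halcyon recommends can be put into practice as below. This is an added example, not code from Halcyon or AWS: it flags S3 write events in CloudTrail that applied a customer-supplied key (the request-parameter and `SSEApplied` field names mirror CloudTrail's S3 data-event schema but are assumptions here) and generates a bucket policy that denies any object write presenting an SSE-C header. The sample events are constructed.

```python
"""Flag SSE-C object writes in CloudTrail S3 data events and build a policy that blocks them."""
from typing import Iterable

# S3 write operations that can apply customer-supplied keys, including a copy of an object onto itself.
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart", "UploadPartCopy"}
SSEC_ALG = "x-amz-server-side-encryption-customer-algorithm"   # assumed CloudTrail field name
SSEC_MD5 = "x-amz-server-side-encryption-customer-key-MD5"     # assumed CloudTrail field name

def is_sse_c_write(event: dict) -> bool:
    """True when an S3 write event carried a customer-supplied key (SSE-C)."""
    if event.get("eventSource") != "s3.amazonaws.com" or event.get("eventName") not in WRITE_EVENTS:
        return False
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return params.get(SSEC_ALG) == "AES256" or extra.get("SSEApplied") == "SSE_C"

def find_sse_c_writes(records: Iterable[dict]) -> list[dict]:
    """One row per SSE-C write: actor, origin, object, and the key digest (all CloudTrail retains)."""
    hits = []
    for ev in records:
        if is_sse_c_write(ev):
            p = ev.get("requestParameters") or {}
            hits.append({"time": ev.get("eventTime"),
                         "principal": (ev.get("userIdentity") or {}).get("arn"),
                         "source_ip": ev.get("sourceIPAddress"),
                         "object": f"{p.get('bucketName')}/{p.get('key')}",
                         "key_md5": p.get(SSEC_MD5)})
    return hits

def deny_sse_c_policy(bucket: str) -> dict:
    """Bucket policy that refuses any object write presenting an SSE-C algorithm header."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySSECWrites", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject",            # CopyObject destinations are authorised as PutObject
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}]}

# Constructed sample records (not real telemetry): an SSE-C put, an SSE-C copy, and an ordinary SSE-KMS put.
SAMPLE_EVENTS = [
    {"eventTime": "2025-01-10T03:14:07Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"bucketName": "example-data", "key": "reports/q4.xlsx",
                           SSEC_ALG: "AES256", SSEC_MD5: "placeholder-md5-value=="}},
    {"eventTime": "2025-01-10T03:14:09Z", "eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"}, "sourceIPAddress": "203.0.113.9",
     "requestParameters": {"bucketName": "example-data", "key": "reports/q3.xlsx"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventTime": "2025-01-10T08:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"}, "sourceIPAddress": "10.0.0.5",
     "requestParameters": {"bucketName": "example-data", "key": "logs/app.log",
                           "x-amz-server-side-encryption": "aws:kms"}},
]
```

Run `find_sse_c_writes` over exported CloudTrail S3 data events to surface SSE-C writes by principal and source address, and apply the deny policy to buckets that have no legitimate SSE-C use.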