
Ransomware gangs integrating AWS features into their toolkits


Ransomware tactics have adapted as more organizations move to the cloud. Bad actors are no longer just targeting services such as Amazon's Simple Storage Service (S3) buckets and cloud databases; the groups are integrating those services into their own toolkits.

In a Nov. 18 blog, Trend Micro researchers said cloud malware variants now leverage native cloud features to execute malicious operations such as deleting or overwriting data, suspending access, or extracting sensitive information, all while staying under the radar of conventional tools.

The researchers pointed out that some of the integration targets include: compute snapshots, cloud static storage, cloud databases, container images and registries, and cloud backup and DR systems.

“We've seen S3-focused attacks for years — even before the well-publicized incident in 2019, when a Capital One misconfiguration was exploited — and the economics still incentivize attackers to move toward whatever gives them access,” said Crystal Morin, senior cybersecurity strategist at Sysdig.

Morin said what’s changed is how ransomware groups now weaponize cloud services themselves. As defenders adopt stronger perimeter protections, these attackers abuse built-in capabilities, such as encryption management and key rotation, to make data unrecoverable, Morin said.

Trey Ford, chief strategy and trust officer at Bugcrowd, explained that the Trend Micro research represents a systematic and theoretical threat modeling exercise on how an attacker might encrypt and ransom an AWS environment within an account boundary.

"It’s something we’ve talked about over the last 10 years, but I can't ever recall having seen this done in the wild," Ford said.

Ford said the attacks the researchers documented specifically target the use of external or customer-provided keys (XKS or SSE-C, respectively) to assert control over key management for the cryptography used in storage. The classical backup guidance of three copies, one hot, one cold, and one offsite, was adapted slightly for hyperscaler deployments in the cloud such as AWS, GCP, Azure, and OCS.

Jason Soroko, a senior fellow at Sectigo, said ransomware actors shifting toward cloud environments has been more an evolution than a sudden break with the past. Attackers have abused exposed S3 buckets, stolen AWS keys, and misconfigurations for years, said Soroko, often for data theft, cryptomining or simple extortion.

“What kept the spotlight on on-premises ransomware was the sheer volume of legacy infrastructure and the ease of dropping traditional malware on desktops and servers,” said Soroko. “As cloud adoption has matured and more critical data has moved from local file servers into services like S3, it’s natural that financially motivated groups would follow the data and invest in cloud-specific tradecraft rather than rely only on endpoint-based encryption.”

Soroko said the part that feels newer in this Trend Micro research is not that S3 buckets were attacked, but how deeply the attackers are now integrating with AWS-native encryption features. They are using default KMS-backed encryption, scheduling key deletion, abusing SSE with customer-supplied keys, and experimenting with external key material and External Key Store, turning the cloud platform itself into the ransomware mechanism, said Soroko.

“That represents a step up from simply stealing or deleting data in S3 buckets and it narrows recovery options even for organizations that think they have good backups,” said Soroko. “So, the overall cloud trend has been emerging for quite a while, yet this wave of S3-focused techniques shows that attackers are starting to treat AWS services as their toolkit instead of just their target, which is why this research deserves attention.”
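The two abuse paths the quoted experts describe, re-encrypting S3 objects under a customer-supplied key (SSE-C) the attacker controls and scheduling a KMS key for deletion, both leave fingerprints that an account owner can block or at least detect. The following is an added example, written for this page and not code from Trend Micro, SC Media, or any of the people quoted. It builds a bucket policy whose explicit Deny statements refuse SSE-C uploads and uploads under any KMS key other than an approved one, and it triages CloudTrail records for key-deletion scheduling and SSE-C writes. The bucket name, account ID and key ARN are placeholders, and the CloudTrail events are constructed samples that follow the field names AWS uses for S3 data events (`additionalEventData.SSEApplied`, the `x-amz-server-side-encryption-customer-algorithm` request parameter) and KMS management events; verify against your own logs before relying on them.

```python
"""Guardrails for the SSE-C and KMS key-deletion abuse discussed above.
Runs offline: the policy is plain JSON and the CloudTrail events are
constructed samples, not real logs."""
import json

# Assumptions: placeholder bucket, account and KMS key ARN.
BUCKET = "example-prod-data"
APPROVED_KMS_KEY = ("arn:aws:kms:us-east-1:111122223333:key/"
                    "00000000-0000-0000-0000-000000000000")

# KMS calls that make data unrecoverable if the key was the only path to it.
KMS_DESTRUCTIVE = {"ScheduleKeyDeletion", "DisableKey", "DeleteImportedKeyMaterial"}
SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"


def deny_attacker_controlled_encryption(bucket: str, kms_key_arn: str) -> dict:
    """Bucket policy with two explicit Deny statements. An explicit Deny wins
    over any Allow a compromised principal already holds, so even a role with
    s3:PutObject cannot rewrite objects under a key the account does not own.
    CopyObject (the usual in-place re-encryption trick) is authorized as
    s3:PutObject on the destination, so it is covered too."""
    obj_arn = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenySSECustomerKeys",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": obj_arn,
                # Header present at all means a customer-supplied key was sent.
                "Condition": {"Null": {f"s3:{SSEC_HEADER}": "false"}},
            },
            {
                "Sid": "DenyUnapprovedKmsKey",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": obj_arn,
                # SSE-KMS requested with a key other than ours (or with no key
                # id, which would fall back to the AWS-managed aws/s3 key).
                "Condition": {
                    "StringEquals": {"s3:x-amz-server-side-encryption": "aws:kms"},
                    "StringNotEquals": {
                        "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn},
                },
            },
        ],
    }


def triage_cloudtrail(events: list) -> list:
    """Return a finding per event that matches the ransomware pattern."""
    findings = []
    for e in events:
        src, name = e.get("eventSource"), e.get("eventName")
        actor = (e.get("userIdentity") or {}).get("arn", "unknown")
        params = e.get("requestParameters") or {}
        extra = e.get("additionalEventData") or {}
        if src == "kms.amazonaws.com" and name in KMS_DESTRUCTIVE:
            findings.append({"severity": "high", "eventName": name, "actor": actor,
                             "keyId": params.get("keyId"),
                             "reason": "key made unusable/scheduled for deletion"})
        elif src == "s3.amazonaws.com" and name in ("PutObject", "CopyObject"):
            if extra.get("SSEApplied") == "SSE_C" or SSEC_HEADER in params:
                findings.append({"severity": "high", "eventName": name, "actor": actor,
                                 "object": f"{params.get('bucketName')}/{params.get('key')}",
                                 "reason": "object written with customer-supplied key"})
    return findings


# Constructed sample events (not real CloudTrail output).
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/stolen-cred"},
     "requestParameters": {"keyId": APPROVED_KMS_KEY, "pendingWindowInDays": 7}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/stolen-cred"},
     "requestParameters": {"bucketName": BUCKET, "key": "db/backup.sql",
                           SSEC_HEADER: "AES256"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"},
     "requestParameters": {"bucketName": BUCKET, "key": "reports/q3.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/stolen-cred"},
     "requestParameters": {"bucketName": BUCKET, "key": "reports/q3.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/app"}},
]

if __name__ == "__main__":
    print(json.dumps(deny_attacker_controlled_encryption(BUCKET, APPROVED_KMS_KEY), indent=2))
    for f in triage_cloudtrail(SAMPLE_EVENTS):
        print(f)
```

The policy only helps buckets that already have it applied and does nothing for a key that is scheduled for deletion, so pair it with a KMS key policy that restricts `kms:ScheduleKeyDeletion` to a break-glass principal, an alarm on the `ScheduleKeyDeletion` finding (the pending window is the recovery window), and versioning with Object Lock or a copy in a separate account so that re-encrypted objects do not replace the only copy.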
