How to Defend Amazon S3 Buckets From Ransomware Exploiting SSE-C Encryption
Briefly

The Codefinger ransomware campaign has emerged, targeting Amazon S3 users by using compromised AWS credentials to encrypt stored data with Server-Side Encryption with Customer-Provided Keys (SSE-C). The attackers demand ransom payments for the symmetric AES-256 keys needed to decrypt that data. Following observed patterns of malicious re-encryption, AWS has issued guidance to help users mitigate these attacks. Because the re-encryption is carried out through legitimate, properly authenticated requests, the original encryption is simply overwritten, which complicates recovery and raises new security challenges for users relying on S3.
Unlike traditional ransomware, which encrypts files with its own tooling, Codefinger's use of AWS's own encryption model creates a uniquely difficult recovery scenario, because the keys are entirely outside the user's control.
Attackers use valid AWS credentials to gain access and re-encrypt S3 objects with keys they generate themselves, then demand ransom for those decryption keys.
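The two defensive levers that follow from the pattern above are a preventive control (refuse SSE-C writes on buckets that never legitimately use customer-provided keys) and a detective control (look for object writes that carry an SSE-C key, especially an object copied onto itself). The block below is an added example written for this summary; it is not code from the article, from AWS's guidance, or from InfoQ. The S3 condition key `s3:x-amz-server-side-encryption-customer-algorithm` is a real key, and the CloudTrail field names follow the S3 data-event record format, but the policy shape, the tiny evaluator, and every account ID, ARN, bucket and object name are this example's own constructed values.

```python
import json
from typing import Iterable

# Real S3 condition key: present on a request only when the caller supplied an
# SSE-C key; absent for unencrypted, SSE-S3 and SSE-KMS writes.
SSE_C_ALGO_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_sse_c_policy(bucket_name: str) -> dict:
    """Bucket policy that refuses object writes carrying a customer-provided key.

    CopyObject is authorised as s3:PutObject on the destination, so an in-place
    re-encryption with SSE-C is caught by the same statement. The "Null":
    "false" test reads "deny when the key IS present", i.e. when SSE-C is used.
    (Policy shape is this example's own, not text quoted from AWS guidance.)
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenySSECObjectWrites",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"arn:aws:s3:::{bucket_name}/*",
                "Condition": {"Null": {SSE_C_ALGO_KEY: "false"}},
            }
        ],
    }


def policy_denies(policy: dict, action: str, request_keys: set) -> bool:
    """Minimal offline evaluator for the policy shape above (Deny statements
    with Null conditions only), used to show which requests the statement stops.
    It is an illustration, not an implementation of IAM's full evaluation logic."""
    for st in policy["Statement"]:
        actions = [st["Action"]] if isinstance(st["Action"], str) else st["Action"]
        if st["Effect"] != "Deny" or action not in actions:
            continue
        null_cond = st.get("Condition", {}).get("Null", {})
        # Every Null clause must hold: "false" -> key present, "true" -> key absent.
        if all((k in request_keys) == (v == "false") for k, v in null_cond.items()):
            return True
    return False


# Constructed sample events in the shape of CloudTrail S3 data events
# (field names follow the record format; accounts, ARNs and keys are invented).
SAMPLE_EVENTS = [
    {   # ordinary SSE-S3 upload: not interesting
        "eventName": "PutObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
        "requestParameters": {"bucketName": "corp-data", "key": "q1/report.pdf",
                              "x-amz-server-side-encryption": "AES256"},
    },
    {   # object copied onto itself with an SSE-C key: the re-encryption pattern
        "eventName": "CopyObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/backup-svc"},
        "requestParameters": {"bucketName": "corp-data", "key": "q1/report.pdf",
                              "x-amz-copy-source": "corp-data/q1/report.pdf",
                              "x-amz-server-side-encryption-customer-algorithm": "AES256"},
    },
    {   # a read: never in scope for this check
        "eventName": "GetObject",
        "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"},
        "requestParameters": {"bucketName": "corp-data", "key": "q1/report.pdf"},
    },
]


def find_sse_c_writes(events: Iterable[dict]) -> list:
    """Return one finding per object write that used SSE-C, marking whether the
    write overwrote its own source (in_place): the signature of re-encrypting
    data that was already in the bucket."""
    findings = []
    for ev in events:
        if ev.get("eventName") not in ("PutObject", "CopyObject"):
            continue
        p = ev.get("requestParameters", {})
        if not p.get("x-amz-server-side-encryption-customer-algorithm"):
            continue
        target = f"{p.get('bucketName')}/{p.get('key')}"
        findings.append({
            "principal": ev.get("userIdentity", {}).get("arn"),
            "object": target,
            "in_place": p.get("x-amz-copy-source") == target,
        })
    return findings


if __name__ == "__main__":
    policy = deny_sse_c_policy("corp-data")
    print(json.dumps(policy, indent=2))
    print("SSE-C PutObject denied:", policy_denies(policy, "s3:PutObject", {SSE_C_ALGO_KEY}))
    print("SSE-KMS PutObject denied:", policy_denies(policy, "s3:PutObject",
                                                     {"s3:x-amz-server-side-encryption"}))
    for finding in find_sse_c_writes(SAMPLE_EVENTS):
        print("SSE-C write:", finding)
```

The deny statement only helps on buckets where no workload legitimately uses SSE-C; on others, the detection side is the useful half, and the `in_place` flag is what separates a routine SSE-C upload from an object being rewritten under a key the account does not hold. Neither control restores data that has already been re-encrypted, which is why credential hygiene and versioned backups remain the primary defence against the campaign described above.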
Read at InfoQ