- New ransomware abuses Amazon S3 Transfer Acceleration for faster file exfiltration.
- Hackers disguise attacks as more infamous ransomware, like LockBit, to confuse victims.
- Amazon suspended the malicious accounts, citing violation of its use policies.
Cybercriminals are getting craftier, with their most recent trick involving ransomware disguised as well-known file-lockers like LockBit.
They mimic LockBit's wallpaper and versioning, down to the “2.0” watermark, leading victims to believe they are being attacked by a more established ransomware group.
According to Trend Micro's recent research, these hackers are using Golang, a programming language known for its cross-platform functionality, to create ransomware that takes advantage of Amazon Web Services (AWS) features, resulting in faster and more efficient attacks.
This strategy, according to Trend Micro, has significantly increased the risk of these attacks.
AWS S3 Transfer Acceleration (S3TA) allows hackers to accelerate data transfers by routing them through Amazon's globally distributed edge locations.
Trend Micro discovered that many ransomware samples include hard-coded AWS credentials, allowing attackers to quickly extract data from infected systems and upload it to cloud storage.
To avoid expensive storage fees, attackers prioritize uploading files smaller than 100 MiB, demonstrating how methodical and cost-conscious cybercriminals have become.
Trend Micro's technical analysis of ransomware samples demonstrated the attack's precision.
After infiltrating a machine, the malware obtains the host machine's unique identifier and uses it to create an Amazon S3 bucket.
Embedded AWS credentials are used to enable the S3TA feature, which ensures fast transfers.
After encrypting the victim's files with AES-CTR, the ransomware uploads them to the attacker's cloud storage, preparing for ransom demands.
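A defender-side check for the behaviour described above, as an added example that is not from Trend Micro's report or this article: it scans egress-proxy log lines for uploads to S3 Transfer Acceleration endpoints whose bucket is not on an allowlist. The log format, client names, bucket names and `KNOWN_BUCKETS` are constructed assumptions.

```python
import re
from collections import defaultdict

# S3 Transfer Acceleration endpoints look like
#   <bucket>.s3-accelerate.amazonaws.com  (or ...s3-accelerate.dualstack...)
# Accelerated bucket names are DNS-compliant and contain no dots.
S3TA_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9-]{1,61}[a-z0-9])"
    r"\.s3-accelerate(?:\.dualstack)?\.amazonaws\.com\.?$"
)

# Assumption: accelerated buckets the organisation itself owns.
KNOWN_BUCKETS = frozenset({"corp-backups-prod"})

# Constructed egress-proxy log: "<time> <client> <dest_host> <bytes_out>"
SAMPLE_LOG = """\
2024-10-16T09:01:12Z ws-0141 corp-backups-prod.s3-accelerate.amazonaws.com 52428800
2024-10-16T09:03:40Z ws-0207 a1b2c3d4-example-host-id.s3-accelerate.amazonaws.com 73400320
2024-10-16T09:03:55Z ws-0207 a1b2c3d4-example-host-id.s3-accelerate.amazonaws.com 94371840
2024-10-16T09:04:02Z ws-0207 updates.example.com 1024
2024-10-16T09:05:10Z ws-0311 Other-Bucket.S3-Accelerate.Dualstack.amazonaws.com 2048
not a log line
"""


def unknown_s3ta_uploads(log_text, known=KNOWN_BUCKETS):
    """Return {client: {bucket: bytes_out}} for S3TA buckets not in `known`."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed lines rather than abort the scan
        _, client, host, sent = fields
        # DNS names are case-insensitive, so normalise before matching.
        m = S3TA_HOST.match(host.lower())
        if m and m.group("bucket") not in known:
            hits[client][m.group("bucket")] += int(sent)
    return {c: dict(b) for c, b in hits.items()}


if __name__ == "__main__":
    for client, buckets in unknown_s3ta_uploads(SAMPLE_LOG).items():
        for bucket, sent in buckets.items():
            print(f"{client}: {sent / 2**20:.0f} MiB to unlisted S3TA bucket {bucket}")
```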
What makes this attack even trickier is the criminals' attempt to disguise their malware as a better-known strain, such as LockBit.
They're not simply encrypting your data. They're convincing you that it's from someone you already know.
AWS responded quickly to reports of misuse. “AWS services are performing as expected.
The identified activity violates AWS's acceptable use policy, and the reported AWS access keys and account have been suspended,” according to an AWS spokesperson.
Although AWS services work as intended, their capabilities are now being exploited in novel and malicious ways.
The growing dependence on cloud services in ransomware attacks reveals how hackers are adapting to modern infrastructure.
Cloud storage is now an essential component of businesses, making it an appealing target for cybercriminals.
The attackers are now using Amazon's fast file transfer features, which were designed for legitimate businesses, to speed up their malicious activities.
While AWS suspended the accounts involved, the abuse of these services indicates a concerning trend.
Cybersecurity experts warn that as cloud services become more integrated into business operations, attackers will seek new ways to exploit them.