- Codefinger is a new ransomware campaign that encrypts AWS S3 buckets.
- The attack uses AWS features to lock data and demand a ransom in exchange for the decryption keys.
- Codefinger relies on compromised credentials rather than an AWS vulnerability.
There’s a new big bad in the ransomware world known as Codefinger. Like the ransomware we’re accustomed to, it encrypts data and demands payment, but this particular variant is remixing that playbook in a worrying way.
Codefinger is targeting AWS S3 buckets and encrypting them using Amazon’s own tools. The attacker grabs the symmetric AES-256 keys and demands that the owner of the AWS account pay up to decrypt their files.
The ransomware campaign was discovered by Halcyon, which was clear in stating that the attack wasn’t happening because of a vulnerability in AWS but instead relied on compromised credentials. Once the attack is successfully executed, it is impossible to decrypt the data without the AES-256 keys, thanks to how the attack leverages AWS’s encryption infrastructure.
“If this method becomes widespread, it could pose a systemic threat to organizations using Amazon S3 for critical data storage,” the Halcyon Research Team wrote earlier this week.
The threat actor leaves a ransom note in the affected directories which contains a Bitcoin Address and a Client ID associated with the ransom.
The big question now is how Codefinger is getting access to enough accounts to trigger alarms. At present just two victims have been identified in recent weeks, but there could be a storm brewing.
“In the first two weeks of January 2025 alone, over 100 unique accounts for the AWS platform were compromised and published on the dark web. Over a longer period, Kaspersky observed more than 18 000 compromised credentials linked to ‘console.aws.amazon.com’, where system access keys are managed; over 126 000 accounts associated with ‘portal.aws.amazon.com’; and more than 245 000 accounts tied to ‘signin.aws.amazon.com’. These resources provide access to AWS in different ways,” security expert at Kaspersky Digital Footprint Intelligence Alexander Zabrovsky told Hypertext via email.
The expert says that these account details are usually compromised via data stealers, with Lumma and RedLine being the most popular for lifting the credentials outlined above.
Batten down the hatches
Organisations that make use of AWS S3 buckets are advised to harden their environments in an effort to prevent the unauthorised encryption of data.
“We encourage all customers to follow security, identity, and compliance best practices,” AWS said in a statement. The organisation says that if a customer suspects their account has been compromised they should follow the steps outlined here.
Halcyon also advises organisations to restrict SSE-C usage to select, authorised users rather than anybody with an account. It also suggests monitoring and auditing all AWS keys, disabling unused keys and rotating frequently used ones.
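The three pieces of advice above (restrict who may use SSE-C, watch for SSE-C writes, and disable or rotate access keys) map onto concrete controls. The script below is an added illustration written for this article, not code from Halcyon, AWS or Kaspersky. It builds an S3 bucket policy that denies any object write carrying the customer-provided-key header unless the caller is on an allow list (the real condition key is `s3:x-amz-server-side-encryption-customer-algorithm`), scans a handful of constructed CloudTrail-style S3 data events for SSE-C writes (the `requestParameters` header name and the `additionalEventData.SSEApplied` value `SSE_C` are assumed field names), and sorts a constructed table of IAM access keys into disable/rotate/ok buckets. The bucket name, account id, role ARN and key ids are all made-up sample values.

```python
import json
from datetime import datetime, timedelta, timezone

# --- 1. Preventive control: bucket policy that blocks SSE-C object writes ------
# The condition key below is only present on a request when the caller supplies
# its own key (SSE-C). "Null": "false" means "the key IS present", so the Deny
# applies to every SSE-C write except from allow-listed principals.
def deny_sse_c_policy(bucket_name, allowed_principal_arns):
    """Return a bucket policy (dict) that denies SSE-C writes from anyone not allow-listed."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUnlessAllowListed",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",          # CopyObject and multipart uploads also need s3:PutObject
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
            "Condition": {
                "Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"},
                "ArnNotLike": {"aws:PrincipalArn": list(allowed_principal_arns)},
            },
        }],
    }

# --- 2. Detective control: flag SSE-C writes in CloudTrail S3 data events -------
WRITE_EVENTS = ("PutObject", "CopyObject", "CreateMultipartUpload")

def find_sse_c_writes(events):
    """Return (eventName, caller ARN, bucket/key) for every write that used a customer key."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in WRITE_EVENTS:
            continue
        params = ev.get("requestParameters", {})
        extra = ev.get("additionalEventData", {})       # assumed field name
        used_sse_c = (
            params.get("x-amz-server-side-encryption-customer-algorithm") is not None
            or extra.get("SSEApplied") == "SSE_C"        # assumed field name/value
        )
        if used_sse_c:
            caller = ev.get("userIdentity", {}).get("arn", "unknown")
            hits.append((ev["eventName"], caller, f"{params.get('bucketName')}/{params.get('key')}"))
    return hits

# Constructed sample events (not real CloudTrail output).
SAMPLE_EVENTS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "example-backups", "key": "db/2025-01-10.dump",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/backup-writer"},
     "requestParameters": {"bucketName": "example-backups", "key": "db/2025-01-11.dump"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "GetObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst"},
     "requestParameters": {"bucketName": "example-backups", "key": "db/2025-01-11.dump"}},
    {"eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "example-backups", "key": "db/copy.dump",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"}},
]

# --- 3. Key hygiene: disable unused keys, rotate long-lived ones ---------------
def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) if ts else None

def classify_access_keys(rows, now, idle_days=30, max_age_days=90):
    """Map each access key id to 'disable: ...', 'rotate: ...' or 'ok'."""
    verdicts = {}
    for row in rows:
        created, last_used = _parse(row["created"]), _parse(row["last_used"])
        if last_used is None or now - last_used > timedelta(days=idle_days):
            verdicts[row["access_key_id"]] = f"disable: not used in {idle_days} days"
        elif now - created > timedelta(days=max_age_days):
            verdicts[row["access_key_id"]] = f"rotate: in use but older than {max_age_days} days"
        else:
            verdicts[row["access_key_id"]] = "ok"
    return verdicts

# Constructed sample rows, shaped like an IAM credential report; ids are placeholders.
SAMPLE_KEYS = [
    {"user": "ci-deploy", "access_key_id": "EXAMPLEKEY1", "created": "2024-03-01T00:00:00Z", "last_used": "2025-01-12T09:00:00Z"},
    {"user": "old-batch", "access_key_id": "EXAMPLEKEY2", "created": "2024-12-20T00:00:00Z", "last_used": None},
    {"user": "analyst",   "access_key_id": "EXAMPLEKEY3", "created": "2024-12-01T00:00:00Z", "last_used": "2025-01-14T17:30:00Z"},
]
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)   # fixed "today" so the sample is reproducible

if __name__ == "__main__":
    print(json.dumps(deny_sse_c_policy("example-backups",
                                       ["arn:aws:iam::111122223333:role/backup-writer"]), indent=2))
    for hit in find_sse_c_writes(SAMPLE_EVENTS):
        print("SSE-C write:", hit)
    for key_id, verdict in classify_access_keys(SAMPLE_KEYS, NOW).items():
        print(key_id, verdict)
```

The bucket policy only stops new SSE-C writes; a credential that is allowed to edit bucket policies can remove it, so it belongs alongside least-privilege IAM and an organisation-level SCP rather than instead of them. The detector is deliberately loose (either the header or the SSEApplied marker triggers it) because a single SSE-C write from an unexpected principal is worth an alert, and S3 data events must be enabled in CloudTrail for those records to exist at all.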
“Organisations can also take proactive measures by scanning the dark web for exposed credentials and immediately changing any that are found to be compromised. Regularly updating passwords and access keys, combined with the use of password management tools, is a good practice for bolstering defenses. Additionally, adopting role-based access management and adhering to the principle of least privilege can minimise the impact of potential breaches,” advises Zabrovsky.
Be careful out there, folks: cybercriminals are only going to get more crafty, as Codefinger illustrates.