Amazon’s New Ransomware Attack – Free ‘Impossible Recovery’

15 Jan 25 | Other

Update, January 15, 2025: This story, originally published on January 13, now includes analysis from security experts as the nature of the threat to Amazon customers is fully revealed, a look at how the UK government’s new plans to outlaw ransomware payments could affect victims of such cybercrimes, plus further mitigation tips for victims of these attacks.

Ransomware is a cybersecurity threat that just won’t go away. Whether it’s from groups like those behind the ongoing Play attacks, or kingpins like LockBit coming back from the dead, the consequences of being the victim of an attack are revealed in reports that expose the extent of ransomware through 2024. A new threat, from a ransomware actor known as Codefinger that targets users of Amazon Web Services S3 buckets, has now been confirmed. Here’s what you need to know.


Ongoing Codefinger Ransomware attacks target Amazon Cloud users

A new ransomware campaign targeting Amazon Web Services users by a threat actor known as Codefinger has been confirmed in a Jan. 13 threat intelligence report from the Halcyon threat intelligence and research team. The Codefinger attack abuses AWS server-side encryption with customer-provided keys, thankfully usually shortened to SSE-C, to encrypt data and then demand payment for the AES-256 symmetric keys required to decrypt it. “This ransomware campaign is particularly dangerous due to the design of SSE-C,” Halcyon researchers warned, “integrating directly with AWS’ secure encryption infrastructure and encrypting data, recovery is impossible without the attacker’s key.”

Halcyon has gone so far as to suggest that Codefinger represents a significant evolution in ransomware capabilities, adding that: “If this spreads quickly, it could pose a systemic threat to organizations using AWS S3 to store critical data.” I’m not sure I can fully agree that not being able to decrypt data without paying for a key is evolutionary, it’s the basis on which all ransomware works, after all, but using SSE-C is certainly a new approach. “Unlike traditional ransomware that encrypts files locally or in transit, this attack integrates directly with AWS’s secure encryption infrastructure,” the researchers said, “once encrypted, recovery is impossible without the attacker’s key.”

All that said, the attack campaign does not exploit any AWS vulnerabilities, instead relying on the age-old tactic of obtaining an AWS customer’s account credentials by hook or by crook.

“This is a great example of where password reuse or sticking with easy-to-guess passwords, along with no two-factor authentication, will backfire on the admin,” said Darren James, a senior product manager at Specops Software. If people had ensured that they used different passwords for all systems, as well as enabling strong, phishing-resistant 2FA wherever possible, James said, “this latest ransomware attack could have been avoided. On the other hand, at least SSE-C is a strong encryption method, but it’s not good to see it used against the good guys rather than for them.”


Flow of the Codefinger Ransomware Attack on Amazon Cloud

The Halcyon report described the attack flow used by Codefinger as follows:

  • Identify vulnerable AWS keys using publicly disclosed or previously compromised credentials.
  • Encrypt files using SSE-C with an AES-256 encryption key that the attacker generates and stores locally, so AWS never holds a copy.
  • Set lifecycle policies marking the files for deletion after seven days, using the S3 Object Lifecycle Management API, to add urgency to the ransom demand.
  • Deposit a ransom note in each affected directory, warning that any changes to the account’s permissions or files will end the negotiation.
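As an added illustration (not code from Halcyon’s report or from AWS), the following Python sketches two defensive counterparts to the flow above: a bucket policy statement that denies SSE-C uploads outright, using the real `s3:x-amz-server-side-encryption-customer-algorithm` condition key, and a check over constructed CloudTrail-style events for the two tell-tale actions, an SSE-C write and a lifecycle rule with a seven-day expiry. The event field layout and the bucket name are assumptions.

```python
SUSPICIOUS_DAYS = 7  # lifecycle expiry the Halcyon report says the actor sets

def deny_ssec_policy(bucket):
    """Bucket policy denying any PutObject that carries the SSE-C algorithm header.
    The Null condition is false when the header is present, so those requests match
    the Deny; uploads using SSE-S3 or SSE-KMS are unaffected."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenySSECUploads",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
        }],
    }

def flag_event(event):
    """Return a reason if a CloudTrail-style S3 event matches the reported flow
    (SSE-C write or short lifecycle expiry), else None. Field names mirror the S3
    request headers; the exact CloudTrail record shape is an assumption here."""
    name = event.get("eventName")
    params = event.get("requestParameters", {})
    if name in ("PutObject", "CopyObject") and \
            params.get("x-amz-server-side-encryption-customer-algorithm"):
        return f"{name} with SSE-C on {params.get('key')}"
    if name == "PutBucketLifecycle":
        rules = params.get("LifecycleConfiguration", {}).get("Rule", [])
        for rule in rules:
            days = rule.get("Expiration", {}).get("Days")
            if days is not None and days <= SUSPICIOUS_DAYS:
                return f"lifecycle expiry of {days} days on {params.get('bucketName')}"
    return None

def scan(events):
    """Run flag_event over a batch of events and keep only the hits."""
    return [r for r in map(flag_event, events) if r]

# Constructed sample events (not real CloudTrail output): a benign SSE-S3 upload,
# an SSE-C overwrite of the same key, and a 7-day expiry rule being set.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "requestParameters": {"bucketName": "example-bucket",
        "key": "reports/jan.csv", "x-amz-server-side-encryption": "AES256"}},
    {"eventName": "PutObject", "requestParameters": {"bucketName": "example-bucket",
        "key": "reports/jan.csv", "x-amz-server-side-encryption-customer-algorithm": "AES256"}},
    {"eventName": "PutBucketLifecycle", "requestParameters": {"bucketName": "example-bucket",
        "LifecycleConfiguration": {"Rule": [{"Expiration": {"Days": 7}}]}}},
]
```

Running `scan(SAMPLE_EVENTS)` flags the SSE-C write and the seven-day rule while leaving the SSE-S3 upload alone; the policy only blocks the first of those, so the lifecycle check still matters.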

Amazon Ransomware’s Impossible Recovery Highlights Difficulties in Making Ransom Payments Illegal

As news broke of the UK Home Office’s plans to make ransomware payments illegal for some victims, particularly companies and national infrastructure services, security experts have come out with their opinions on such a move. Given that the Amazon attack puts the impossibility of recovering without paying a ransom squarely on the incident response table, such laws are far from simple. “The topic of ransomware payments is hotly debated,” said Javvad Malik, chief security awareness advocate at KnowBe4, “while almost everyone agrees that ransomware payments are not desirable and organizations do not want to contribute to cybercrime or state-sponsored activities.” But is mandating by law that ransoms are illegal the best approach? “People usually want to do the right thing,” Malik said, “no executive willingly sets up their organization to become a victim of ransomware, but when it strikes, and as pressure starts to mount from shareholders, customers and the government, the temptation to pay the ransom continues to rise, unless alternative ways are provided.” This is where the government must work together with organizations to minimize disruption from ransomware, Malik concluded, “or at least provide broad guidance on how to prevent, detect, respond to, and recover from ransomware attacks.”

Dr. Darren Williams, CEO and founder of BlackFog, noted that ransomware gangs, like most criminals, are “highly motivated by profit and tend to gravitate towards targets that are more likely to pay.” Not that payment is any guarantee, as Williams said: “At the end of the day, you’re negotiating with criminals who are unlikely to hold up their end of the bargain, and in many cases, they go further than just releasing stolen data, targeting the same victim a short time later.”


Jochen Michels, European head of public affairs at Kaspersky, argued that although paying ransoms perpetuates the cycle of crime, there are numerous no-win scenarios to consider. “Paying ransoms to cybercriminals perpetuates the cycle of crime and offers no guarantee of resolution, so we advise against it,” Michels said, adding that there are industry protection initiatives, such as the Kaspersky No Ransom initiative, which aim to provide victims with ways to recover their data without submitting to criminal demands. Unfortunately, initiatives offering free ransomware decryptors would be of little use to victims of the Amazon “impossible recovery” ransomware attack, because the data is encrypted under attacker-held SSE-C keys that no decryptor can reconstruct. It’s no wonder, then, that Michels said, “In some high-stakes scenarios, the decision to pay or not to pay becomes much more complex.” This highlights the urgent need for government safeguards to support victims facing no-win situations, Michels said, “such measures could include financial assistance for recovery efforts, access to decryption tools, or even compensation in cases where payment of a ransom is considered the only possible option.”

Meanwhile, Jamie Akhtar, co-founder and CEO of CyberSmart, also said that while the sentiment of the UK government’s proposed policy should be welcomed, a note of caution should be sounded. “This approach will only work if organizations have the cyber security measures in place – such as regular backups and properly aggregated data – to get back on their feet quickly, even if a ransom is not paid,” warned Akhtar. Many organizations, of course, do not have these measures in place, or at least not to the extent necessary, and as a result have no choice but to pay the ransom or face reputational or financial ruin. “A step like this needs to be taken in conjunction with a broader commitment to improve cyber security practice,” concluded Akhtar, “otherwise it risks causing a lot of collateral damage, especially for the small businesses that form the backbone of our economy.”

Mike Kiser, director of strategy and standards at SailPoint, however, was much clearer when he said, “ransom payments must be stopped: increased payments mean a corresponding increase in malicious activity.” However, all is not as straightforward as it may sound, as Kiser admitted: “Once laws are passed to stop ransom payments, an underground market is likely to follow – resulting in a hidden economic system.” Who is then held responsible for breaking the laws, Kiser asked, “is it the corporate entity or the fault of the security executive?”

Amazon Statement Regarding Codefinger Ransomware Attacks

An Amazon Web Services spokesperson provided the following statement: “AWS helps customers secure their cloud resources through a shared responsibility model. Whenever AWS is aware of exposed keys, we notify affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary action, such as applying quarantine policies to minimize risks to customers without disrupting their IT environment. We encourage all customers to follow security, identity and compliance best practices. In case a customer suspects that they may have exposed their credentials, they can start by following the steps listed in this post. As always, customers can contact AWS Support with any questions or concerns about the security of their account.”

