Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data

Summary:
A newly discovered Golang ransomware variant has been found to abuse Amazon S3's Transfer Acceleration feature to exfiltrate data from victim machines to attacker-controlled S3 buckets. The ransomware samples analyzed contained hardcoded AWS credentials, which were used to create S3 buckets and enable faster data transfers through Amazon’s globally distributed CloudFront edge locations. This functionality allowed the attackers to exfiltrate stolen files more efficiently. Notably, AWS Account IDs linked to these malicious activities provide critical Indicators of Compromise that defenders can track to mitigate future attacks. In addition, the ransomware attempts to disguise itself as the infamous LockBit ransomware, leveraging LockBit’s reputation to further pressure victims into compliance. This tactic of impersonating a well-known ransomware group increases the psychological stress on victims, making them more likely to meet the attackers' demands.

Upon discovering the use of hardcoded AWS credentials, the security team reported the issue to AWS. AWS quickly confirmed that the activity violated its acceptable use policy, leading to the suspension of the compromised AWS accounts and access keys. It is important to note that this incident did not reflect a vulnerability in AWS services themselves but rather an abuse of valid credentials by the threat actor. The ransomware was found to target both Windows and macOS environments, encrypting files and uploading them to S3 buckets using the compromised AWS credentials. The encryption process involved generating a random master key, encrypting it using RSA, and storing it in a readme file along with system information about the victim’s machine. The ransomware also modifies the victim's desktop wallpaper, replacing it with images either stolen from LockBit campaigns or from security blogs, further adding to the deception.


Security Officer Comments:
In terms of technical execution, the ransomware makes use of the S3 Transfer Acceleration (S3TA) feature, which allows for faster data uploads over long distances by using Amazon CloudFront's edge locations. Files smaller than 100 MiB are prioritized for upload to minimize costs for the attacker. The encryption algorithm employed is AES-CTR, with the password being an MD5 hash of the file name concatenated with the master key.
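As an added example (not part of the original report or of Trend Micro's tooling), a small static triage helper that pulls the indicator types this report centres on out of a sample's bytes: embedded AWS access key IDs, S3 Transfer Acceleration endpoint strings, and the LockBit branding used for impersonation. The sample bytes and bucket name are constructed, and the key ID is the AWS documentation example value, not a real credential.

```python
import re
from typing import Dict, List

# Long-term AWS access key IDs start with "AKIA"; temporary (STS) ones with "ASIA".
AWS_KEY_ID_RE = re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Host names a client uses once S3 Transfer Acceleration is enabled on a bucket.
S3TA_HOSTS = (b"s3-accelerate.amazonaws.com", b"s3-accelerate.dualstack.amazonaws.com")
# Brand string the samples borrow to pass themselves off as LockBit.
BRAND_MARKERS = (b"LockBit",)


def printable_strings(blob: bytes, min_len: int = 6) -> List[bytes]:
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def triage(blob: bytes) -> Dict[str, List[str]]:
    """Return static indicators found in a sample, grouped by type and de-duplicated."""
    findings: Dict[str, List[str]] = {
        "aws_access_key_ids": [], "s3ta_endpoints": [], "brand_markers": []}
    for s in printable_strings(blob):
        for key_id in AWS_KEY_ID_RE.findall(s):
            findings["aws_access_key_ids"].append(key_id.decode())
        if any(host in s for host in S3TA_HOSTS):
            findings["s3ta_endpoints"].append(s.decode())
        if any(marker in s for marker in BRAND_MARKERS):
            findings["brand_markers"].append(s.decode())
    # De-duplicate while preserving discovery order.
    return {k: list(dict.fromkeys(v)) for k, v in findings.items()}


# Constructed stand-in for a sample's bytes (hypothetical bucket name; the key ID is
# AWS's documentation example "AKIAIOSFODNN7EXAMPLE", not a live credential).
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"AKIAIOSFODNN7EXAMPLE\x00"
    + b"https://exfil-bucket-placeholder.s3-accelerate.amazonaws.com/\x00"
    + b"All your files are encrypted by LockBit\x00"
    + b"\xde\xad\xbe\xef" * 4
)

if __name__ == "__main__":
    for kind, values in triage(SAMPLE).items():
        print(f"{kind}: {values}")
```

Any access key ID the helper surfaces should be treated as an IoC to report to AWS and to hunt for in proxy or DNS logs alongside the s3-accelerate endpoints, rather than used.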

Suggested Corrections:

IOCs:
https://documents.trendmicro.com/assets/txt/Golang-ransomware-IOCsOHRQ0iE.txt

This case highlights the trend of cybercriminals increasingly leveraging cloud services to carry out their malicious operations. The use of cloud infrastructure, particularly in this instance through Amazon Web Services, demonstrates the evolving tactics of threat actors who seek to evade detection and improve the efficiency of their attacks. Tracking AWS Account IDs involved in such activities is crucial for identifying and mitigating these threats. Moreover, the discovery of more than thirty samples suggests that the ransomware is still being actively developed and tested. AWS confirmed that the misuse of its services was promptly addressed, suspending the affected accounts.


Link(s):
https://www.trendmicro.com/en_us/re...-ransomware-samples-abuse-aws-s3-to-stea.html