Codefinger Ransomware Campaign Targets AWS Users via SSE-C

A new ransomware campaign by the threat actor Codefinger has been confirmed in a January 13 report from the Halcyon Threat Research and Intelligence Team. This campaign specifically targets Amazon Web Services (AWS) users by exploiting AWSs server-side encryption with customer-provided keys (SSE-C). By leveraging SSE-C, Codefinger encrypts user data and demands payment for the symmetric AES-256 keys required for decryption.

How the Attack Works

  1. Integration with SSE-C:
    Codefinger exploits SSE-C by encrypting user data through AWSs secure infrastructure. The encryption process relies on a symmetric AES-256 key supplied by the customer.

  2. Demand for Ransom:
    Once data is encrypted, Codefinger demands payment for the AES-256 decryption keys. Without these keys, data recovery is impossible.

  3. Challenges of SSE-C:
    Due to SSE-C’s design, AWS cannot assist with recovery if the encryption keys are unavailable, making this attack particularly effective.

Why This Campaign is Dangerous

  • SSE-Cs Secure Design:
    While SSE-C provides robust encryption by allowing customers to manage their own keys, this feature is exploited by the attackers to hold data hostage.

  • Limited Recovery Options:
    Traditional recovery methods, such as snapshots or backups, are ineffective without the original keys.

  • Growing Cloud Threats:
    This campaign highlights the increasing sophistication of ransomware targeting cloud services, which are critical for many businesses.

Recommendations for AWS Users

To mitigate risks associated with this ransomware campaign, AWS users should adopt the following practices:

1. Key Management Practices

  • Use a secure, segregated system for managing encryption keys.
  • Regularly rotate keys and maintain offline backups.
  • Avoid reusing keys for multiple datasets or environments.

2. Enhanced Monitoring

  • Monitor access logs and key usage patterns for anomalies.
  • Implement real-time alerts for changes to encryption configurations.

3. Data Protection Measures

  • Maintain offline backups of critical data that are not encrypted using SSE-C.
  • Consider using AWS Key Management Service (AWS KMS) to reduce risks associated with customer-provided keys.

4. Incident Response Planning

  • Develop a ransomware-specific response plan that includes coordination with cybersecurity experts and AWS support.
  • Test recovery scenarios to ensure backups and key rotations align with business continuity objectives.

5. Security Training

  • Educate teams on the risks associated with SSE-C and ransomware threats targeting cloud environments.

Conclusion

The Codefinger ransomware campaign demonstrates the potential vulnerabilities of even the most secure cloud services when mismanaged. By exploiting SSE-C, attackers have created a dangerous new threat that requires proactive defenses and robust key management strategies. AWS users must take immediate steps to secure their data and protect their encryption keys to mitigate the impact of such attacks.