New Amazon Ransomware Attack: Recovery Impossible Without Payment

New Codefinger ransomware poses high danger to data

Update, Jan. 15, 2025: This story, originally published Jan. 13, now includes analysis from security experts, as the nature of the Amazon threat has fully emerged, on how new UK government plans to make ransomware payments illegal could impact victims of such cybercrimes, plus further mitigation advice for victims of these attacks.

Ransomware is a cybersecurity threat that just won't go away. Be it from groups such as those behind the ongoing Play attacks, or kingpins such as LockBit returning from the dead, the consequences of falling victim to an attack are laid bare in reports exposing the reach of ransomware across 2024. A new ransomware threat, known as Codefinger, targeting users of Amazon Web Services S3 buckets has now been confirmed. Here's what you need to know.

A new ransomware campaign targeting Amazon Web Services users by a threat actor known as Codefinger has been confirmed in a Jan. 13 threat intelligence report from Halcyon's threat research and intelligence team. The Codefinger attack leverages AWS's server-side encryption with customer-provided keys (thankfully usually shortened to SSE-C) in order to encrypt data and then demand payment for the symmetric AES-256 keys that are required for it to be successfully decrypted. "This ransomware campaign is particularly dangerous because of SSE-C's design," the Halcyon researchers warned. "By integrating directly with AWS's secure encryption infrastructure and encrypting the data, recovery is impossible without the attacker's key."

Halcyon has gone as far as suggesting that Codefinger represents "a significant evolution in ransomware capabilities," adding that "if this spreads quickly, it could pose a systemic threat to organizations using AWS S3 for critical data storage." I'm not sure I can quite agree that not being able to decrypt data without paying for a key is evolutionary (it's the basis upon which all ransomware operates, after all), but the use of SSE-C is certainly a novel approach. "Unlike traditional ransomware that encrypts files locally or in transit, this attack integrates directly with AWS's secure encryption infrastructure," the researchers said. "Once encrypted, recovery is impossible without the attacker's key."

All of that said, the attack campaign doesn't exploit any AWS vulnerability, instead relying upon the age-old tactic of obtaining an AWS customer's account credentials by hook or by crook.

"This is a great example of where password reuse or sticking with easy-to-guess passwords, along with no two-factor authentication, will come back to bite admins," Darren James, a senior product manager at Specops Software, said. If people had ensured that they were using different passwords for all systems, as well as enabling strong, phishing-resistant 2FA wherever possible, James said, this latest ransomware attack could have been avoided. "On the upside, at least SSE-C is a strong encryption method, but it is not good to see it used against the good guys rather than for them."

The Halcyon report states that the attack flow used by Codefinger is as follows:

As news emerges of plans by the UK Home Office to make ransomware payments illegal for some victims, specifically national infrastructure companies and services, security experts have come forward with their opinions on such a move. Given that the Amazon attack brings the "impossible to recover without paying a ransom" issue to the incident response table, such laws are far from straightforward. "The topic of ransomware payments is one which is fiercely debated," Javvad Malik, lead security awareness advocate at KnowBe4, said, "while almost everyone agrees that paying ransomware is not desirable, and organizations don't want to contribute towards cybercrime or state-sponsored activities. But mandating by law that ransoms are illegal is quite the thing." People will typically want to do the right thing, Malik said; no executives willingly set up their organization to become a victim of ransomware, but when it does strike and pressure begins to mount from shareholders, customers and the government, the temptation of paying the ransom continues to grow unless alternative ways out are provided. "This is where the government should be working alongside organizations to minimize the disruption from ransomware," Malik concluded, "or at the very least offering extensive guidance on how to prevent, detect, respond and recover from ransomware attacks."

Dr. Darren Williams, CEO and founder of BlackFog, pointed out that ransomware gangs, like most criminals, are highly motivated by profit and tend to gravitate towards targets that are more likely to pay up. Not that paying up is any guarantee, as Williams said: "At the end of the day, you are negotiating with criminals who are unlikely to uphold their end of the deal, and in many cases they go further than leaking stolen data by targeting the same victim a short time later."

Jochen Michels is the European head of public affairs at Kaspersky and argued that, though paying ransoms does perpetuate the cycle of crime, there are numerous no-win scenarios to consider. "Paying ransoms to cybercriminals perpetuates the cycle of crime and offers no guarantee of resolution, which is why we advise against it," Michels said, adding that there are safeguarding industry initiatives in place, like the Kaspersky No Ransom initiative, which aim to provide victims with solutions to recover their data without giving in to criminal demands. Unfortunately, these initiatives that provide free ransomware decryptors would be of little use to victims of the Amazon "recovery impossible" ransomware attack, due to the use of SSE-C keys. No wonder, then, that Michels said: "In certain high-stakes scenarios, the decision to pay or not to pay becomes far more complex. This highlights the urgent need for government safeguards to support victims who face no-win situations." Michels said such measures could include financial assistance for recovery efforts, access to decryption tools, or even indemnities in cases where paying the ransom is deemed the only viable option.

Meanwhile, Jamie Akhtar, co-founder and CEO of CyberSmart, also said that while the sentiment of the proposed UK government policy should be applauded, a note of caution needs to be sounded. "This approach will only work if organizations have the cybersecurity measures in place, such as regular backups and properly siloed data, to get back on their feet quickly even if a ransom isn't paid," Akhtar warned. "Many organizations, of course, don't have these measures in place, or at least not to the degree needed, and as a result have little choice but to pay the ransom or face reputational or financial ruin." A step like this needs to be taken in conjunction with a broader commitment to improve cybersecurity practice, Akhtar concluded, "otherwise it risks causing a lot of collateral damage, particularly to the small businesses who make up the backbone of our economy."

Mike Kiser, director of strategy and standards at SailPoint, however, was much clearer when he said ransom payments should be banned: "Increasing payouts mean a corresponding rise in malicious activity." Yet all is not as straightforward as that may sound, as Kiser admitted: "As soon as laws are passed to ban ransom payments, an underground market is likely to arrive, resulting in a hidden economic system. Who is then held responsible for violating laws?" Kiser questioned. "Is it the corporate entity, or the fault of the security executive?"

An Amazon Web Services spokesperson provided the following statement: "AWS helps customers secure their cloud resources through a shared responsibility model. Anytime AWS is aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies, to minimize risks for customers without disrupting their IT environment. We encourage all customers to follow security, identity and compliance best practices. In the event a customer suspects they may have exposed their credentials, they can start by following the steps listed in this post. As always, customers can contact AWS Support with any questions or concerns about the security of their account."
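Because Codefinger needs nothing more than valid credentials and S3's own SSE-C feature, the two controls a defender can act on are spotting SSE-C writes in CloudTrail and refusing them where no workload legitimately uses customer-provided keys. The script below is an added example, not code from the article, Halcyon or AWS; it assumes CloudTrail S3 data events carry `additionalEventData.SSEApplied` and the `x-amz-server-side-encryption-customer-algorithm` request parameter, and that the `s3:x-amz-server-side-encryption-customer-algorithm` IAM condition key is available for bucket policies. The access key IDs, bucket name and event records are constructed.

```python
# Added example (not the article's, Halcyon's or AWS's code): SSE-C write detection + deny policy.
from collections import Counter

SSEC_ALGO_KEY = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload"}

def is_ssec_write(rec: dict) -> bool:
    """True when an S3 write applied customer-provided-key (SSE-C) encryption."""
    if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in WRITE_EVENTS:
        return False
    applied = (rec.get("additionalEventData") or {}).get("SSEApplied")
    params = rec.get("requestParameters") or {}
    return applied == "SSE_C" or params.get(SSEC_ALGO_KEY) == "AES256"

def ssec_writes_by_principal(records, threshold=1):
    """Count SSE-C writes per (access key, bucket) and return pairs at/above threshold.
    SSE-C is rare in most estates, so a single write from an unexpected key deserves a ticket."""
    counts = Counter()
    for rec in records:
        if is_ssec_write(rec):
            key_id = (rec.get("userIdentity") or {}).get("accessKeyId", "?")
            bucket = (rec.get("requestParameters") or {}).get("bucketName", "?")
            counts[(key_id, bucket)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

def deny_ssec_policy(bucket: str) -> dict:
    """Bucket policy denying any PutObject that carries the SSE-C algorithm header.
    The Null condition is false when the header is present, so the Deny applies."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySSECUploads", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {f"s3:{SSEC_ALGO_KEY}": "false"}}}]}

def ev(name, key_id, obj, ssec=True):
    """Constructed CloudTrail-shaped record for the demo; not real telemetry."""
    params = {"bucketName": "finance-archive", "key": obj}
    if ssec:
        params[SSEC_ALGO_KEY] = "AES256"
    return {"eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"accessKeyId": key_id}, "requestParameters": params,
            "additionalEventData": {"SSEApplied": "SSE_C" if ssec else "Default_SSE_S3"}}

SAMPLE_EVENTS = [ev("PutObject", "AKIAEXAMPLE1", "q4.xlsx"),
                 ev("CopyObject", "AKIAEXAMPLE1", "q3.xlsx"),
                 ev("PutObject", "AKIAEXAMPLE2", "ok.csv", ssec=False),
                 ev("GetObject", "AKIAEXAMPLE1", "q4.xlsx")]  # a read, so never flagged

if __name__ == "__main__":
    print(ssec_writes_by_principal(SAMPLE_EVENTS))  # {('AKIAEXAMPLE1', 'finance-archive'): 2}
```

Apply the deny policy only to buckets where no workload legitimately uses SSE-C; the detection side still covers buckets that need an exception.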