Overview:
Threat actors are rapidly adapting to the widespread adoption of cloud services, refining their tactics to exploit cloud-based storage, platforms and infrastructure. Ransomware operators in particular are leveraging the inherent characteristics of cloud ecosystems to enhance their encryption and extortion capabilities. The integration of cloud-native features into attack methodologies has introduced new threat vectors that pose significant challenges to traditional security measures.
In January of this year, reports surfaced of a threat actor tracked as “Codefinger” that introduced a novel method for encrypting data stored in Amazon Web Services (AWS) Simple Storage Service (S3) buckets. The attack leverages server-side encryption with customer-provided keys (SSE-C) to encrypt S3 objects. The threat actor then demands a ransom for the symmetric AES-256 keys required for decryption. Because SSE-C leaves the key entirely in the caller’s custody and AWS does not retain it, the encrypted objects cannot be recovered without the attacker-controlled keys.
Attack Pattern:
The incident was first reported by Halcyon on January 13, identifying at least two confirmed victims affected by this attack. The attack sequence begins with the compromise of exposed cloud service API keys, granting initial access to the victim’s account. Once inside, the threat actors leverage valid credentials to access cloud storage, exfiltrate data and subsequently encrypt stored objects using a locally generated AES-256 key. These findings were later corroborated by the AWS Customer Incident Response Team, which reported an increase in unusual encryption activity associated with S3 buckets.
This attack does not exploit vulnerabilities in the cloud provider’s infrastructure but rather abuses legitimate security mechanisms and authorized access. This underscores the increasing risk associated with credential exposure, weak access controls and insufficient monitoring of cloud environments. Notably, cloud credential theft remains a persistent issue, with researchers recently uncovering over 15,000 cloud authentication credentials exposed in publicly accessible Git configuration files, further highlighting the ease with which attackers can obtain access to cloud environments.
These tactics also demonstrate another facet of living-off-the-land techniques, which have become increasingly prevalent in cyber campaigns. By leveraging native security features, threat actors can abuse privacy-oriented features as an effective way to extort victims.
Impact:
Cloud-based storage services have become a prime target for cyber threat groups due to their widespread adoption across critical industries and their role in securing sensitive data. According to CrowdStrike’s 2024 Global Threat Report, cloud intrusions have surged by 75%, highlighting the growing focus of adversaries on cloud environments.
Among these services, object storage solutions play a vital role in sectors such as aerospace, where they are commonly used for satellite imagery processing, sensor data storage, and communication log management. However, the misuse or exploitation of improperly secured cloud data can lead to severe consequences, including intellectual property theft, operational disruptions, and unauthorized data exposure. As adversaries increasingly integrate cloud-based assets into their attack strategies, these risks continue to escalate.
The rise of ransomware in cloud environments illustrates both the evolution of cyber extortion tactics and the growing sophistication of ransomware-as-a-service (RaaS) operations. While traditionally focused on enterprise and on-premises IT infrastructure, ransomware operators are now actively adapting their techniques to exploit cloud-native features. The attack methodology observed in this incident may inspire further adoption among other ransomware groups, broadening the scope of cloud-based extortion schemes.
To mitigate these threats, organizations must implement stringent access controls, continuous monitoring and multi-factor authentication. Additionally, to prevent unauthorized encryption of cloud data, security best practices recommend enforcing short-term credentials, monitoring for anomalous access patterns and restricting encryption mechanisms such as SSE-C unless they are explicitly required.
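To make the monitoring recommendation concrete, the following added example (not code from the original advisory or from AWS) scans CloudTrail S3 data-event records for object writes that used SSE-C and flags principals that exceed a threshold. It assumes that such events carry `additionalEventData.SSEApplied` with the value `SSE_C`; the records below are constructed, not real logs.

```python
"""Flag S3 object writes that used SSE-C in CloudTrail data events (added example)."""
from collections import Counter

# Constructed CloudTrail S3 data-event records, trimmed to the fields used here.
# Assumption: SSE-C writes are recorded with additionalEventData.SSEApplied == "SSE_C".
SAMPLE_RECORDS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "telemetry-archive", "key": "2025/01/part-0001.parquet"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "telemetry-archive", "key": "2025/01/part-0002.parquet"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ci-deploy"},
     "requestParameters": {"bucketName": "telemetry-archive", "key": "2025/01/part-0003.parquet"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject",  # legitimate KMS-encrypted backup write, should not be flagged
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/backup/nightly"},
     "requestParameters": {"bucketName": "telemetry-archive", "key": "backup/2025-01-13.tar"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "GetObject",  # reads never apply SSE-C on the server side, ignore
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/analyst"},
     "requestParameters": {"bucketName": "telemetry-archive", "key": "2025/01/part-0001.parquet"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]

WRITE_EVENTS = {"PutObject", "CopyObject"}


def is_ssec_write(record):
    """True when the event wrote an object whose server-side encryption was SSE-C."""
    sse = record.get("additionalEventData", {}).get("SSEApplied")
    return record.get("eventName") in WRITE_EVENTS and sse == "SSE_C"


def ssec_writes_by_principal(records):
    """Count SSE-C object writes per calling identity (userIdentity.arn)."""
    counts = Counter(r["userIdentity"]["arn"] for r in records if is_ssec_write(r))
    return dict(counts)


def alerts(records, threshold=2):
    """Principals at or above the threshold; SSE-C is rare in most estates, so a low bar is sensible."""
    return sorted(p for p, n in ssec_writes_by_principal(records).items() if n >= threshold)


if __name__ == "__main__":
    for principal in alerts(SAMPLE_RECORDS):
        print("SSE-C write burst by", principal)
```

Feed it the `Records` array of a CloudTrail S3 data-event log file instead of `SAMPLE_RECORDS` to run it over real telemetry.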