Recovery from the Amazon Ransomware attack is impossible unless the perpetrators receive ransom payment | Tracer Tecz

This report analyzes UK proposed ransomware payment bans, their impact on victims, and alternative defensive measures amidst ongoing threats.

1/25/2025, 4 min read

Update, Jan. 15, 2025: This report, which originally appeared on January 13, now includes expert analysis of how United Kingdom proposals to outlaw ransomware payments would affect cyberattack victims, along with additional protection strategies. The ransomware threat persists with no sign of going away.

Attacks by the Play group, the return of LockBit, and the ransomware impact statistics reported across 2024 all show the destructive aftermath. A new ransomware operation, Codefinger, has been confirmed to target users of Amazon Web Services S3 buckets.

The Codefinger ransomware continues its assault on users of the Amazon cloud environment

The Codefinger threat actor launched a new ransomware campaign against Amazon Web Services customers, as documented by the Halcyon threat research and intelligence team in a January 13 report. The attack abuses AWS's SSE-C (server-side encryption with customer-provided keys) to encrypt victims' data, and the attackers demand payment for the AES-256 keys needed to decrypt it.

According to Halcyon researchers, the design is especially dangerous because it uses AWS's own secure encryption infrastructure to encrypt the data, leaving key recovery possible only through the attacker. Halcyon went as far as calling Codefinger a significant evolution in ransomware capabilities, adding that widespread proliferation of this threat would endanger the essential data storage systems that organizations build on AWS S3.

Integrating SSE-C into ransomware operations is a novel strategy, even though the demand is the same as in traditional ransomware: payment for the decryption keys. Because the attack works directly within AWS's secure encryption infrastructure, the researchers say encrypted files are unrecoverable without the attacker's key. The attack relies on stolen credentials; no AWS vulnerability is exploited in this campaign.

Darren James of Specops Software explains that admins suffered the attack because users reused passwords, skipped MFA and chose weak security options. According to James, the recent ransomware attack could have been prevented if people had used different passwords across systems and enabled robust two-factor authentication at every opportunity. The strength of SSE-C encryption is a positive, although it is unfortunate to see the technology turned against its users by criminals rather than supporting the good side.

Amazon Cloud Codefinger Ransomware Attack Flow

The Halcyon investigation found that Codefinger executes its attack in the following sequence. First, the attackers locate AWS keys that have already been exposed, before the victims realise they are public. Next, they encrypt the files using SSE-C, with an AES-256 encryption key that is generated and stored locally, outside AWS.

Then, using the S3 API, they set a lifecycle policy that marks the files for deletion in seven days, intensifying the urgency of the ransom demand. Finally, they drop ransom notes into every compromised directory, warning that any change to permissions or files will end negotiations.
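As an added example (not code from this page, from Halcyon or from AWS), the following Python triages constructed CloudTrail-style records for the two signals in the flow above, object writes that applied SSE-C and lifecycle rules that expire objects within days, and builds the bucket-policy statement that refuses customer-provided keys via AWS's s3:x-amz-server-side-encryption-customer-algorithm condition key. The record field names are assumed to mirror CloudTrail's S3 data and management events.

```python
# Constructed CloudTrail-style S3 records (not from the page or from AWS). The layout
# (eventName, additionalEventData.SSEApplied, requestParameters.LifecycleConfiguration) is assumed.
SAMPLE_EVENTS = [
    {"eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2025-01-10.sql"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},           # object rewritten with SSE-C
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "corp-backups", "key": "README.txt"},
     "additionalEventData": {"SSEApplied": "SSE_S3"}},          # normal AWS-managed encryption
    {"eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "requestParameters": {"bucketName": "corp-backups",
                           "LifecycleConfiguration": {"Rule": {"Status": "Enabled",
                                                               "Expiration": {"Days": 7}}}}},
]

def ssec_writes(events):
    """(principal, bucket, key) for every object write that applied SSE-C."""
    hits = []
    for e in events:
        sse = e.get("additionalEventData", {}).get("SSEApplied")
        if e.get("eventName") in ("PutObject", "CopyObject") and sse == "SSE_C":
            p = e["requestParameters"]
            hits.append((e["userIdentity"]["arn"], p["bucketName"], p["key"]))
    return hits

def short_expirations(events, max_days=7):
    """(bucket, days) for enabled lifecycle rules that expire objects within max_days."""
    hits = []
    for e in events:
        if e.get("eventName") != "PutBucketLifecycle":
            continue
        p = e["requestParameters"]
        rules = p.get("LifecycleConfiguration", {}).get("Rule", [])
        if isinstance(rules, dict):      # a single rule is serialised as an object, not a list
            rules = [rules]
        for r in rules:
            days = r.get("Expiration", {}).get("Days")
            if r.get("Status") == "Enabled" and days is not None and days <= max_days:
                hits.append((p["bucketName"], days))
    return hits

def deny_ssec_statement(bucket):
    """Bucket-policy statement denying writes that request SSE-C (key present => deny)."""
    return {"Sid": "DenyCustomerProvidedKeys", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}
```

Both detections only fire if S3 data events are enabled in CloudTrail; the deny statement covers CopyObject as well, since S3 authorises copies under s3:PutObject on the destination.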

The Amazon ransomware incident shows how difficult it is to make ransom payments illegal when full recovery otherwise appears impossible. The U.K. Home Office plans to outlaw ransomware payments, a restriction mainly targeting critical national infrastructure providers, yet security experts warn against it.

The Amazon ransomware attack shows how data recovery can become impossible unless victims pay, which raises substantial obstacles for incident response frameworks. "The practice of forfeiting ransomware payments creates intense debate among analysts," Javvad Malik, lead security awareness advocate at KnowBe4, explains. Legally prohibiting ransom payments stands as a total violation of policy.

According to Malik, people naturally strive to do the right thing; no executive purposely sets up their organization as a ransomware target, yet heightened stakeholder pressure and regulatory scrutiny push them to consider ransom payments unless alternative solutions are offered. Malik adds that the government should partner with organizations to reduce ransomware disruption, but must also provide serious guidance on preventing, identifying, responding to and recovering from attacks.

Dr. Darren Williams, who leads BlackFog, points out that ransomware gangs follow the standard criminal principle of pursuing lucrative payouts from promising targets. Not that paying up is any guarantee, as Williams said: throughout ransom negotiations you are dealing with criminals who tend to break their promises and frequently choose to harm their victims twice, by leaking data and retargeting them immediately afterward.

Jochen Michels, who leads public affairs at Kaspersky Europe, believes that paying ransoms continues the criminal cycle, yet organizations sometimes face undesirable outcomes either way. Michels explained that paying cybercriminals only perpetuates criminal activity while providing no actual conclusion, so the company advises against ransom payments.

Victims of the Amazon "recovery impossible" ransomware attack cannot benefit from free ransomware decryptors because the criminals used SSE-C keys in their attack. Payment decisions become significantly more complex in such high-stakes situations, according to Michels. The situation requires government-backed safeguards, he says, which should provide assistance or access to decryption tools, and indemnities for victims facing no-win ransom payment decisions.

Jamie Akhtar, co-founder of CyberSmart, praises the U.K. government's proposed policy while emphasizing several reasons for caution. The proposal requires organizations to maintain proper backups and appropriate data segregation, because their recovery capability is their main defense against ransom demands, according to Akhtar.

Without properly implemented cybersecurity measures or sufficient protections, most organizations must choose between paying the ransom or enduring financial destruction or reputational damage. A law banning ransom payments needs to be accompanied by substantial efforts to raise cybersecurity standards; otherwise it will destroy numerous small businesses that form the foundation of our economy. Mike Kiser, director of strategy and standards at SailPoint, was much clearer, however, when he said: "ransom payments should be banned."

A rise in ransom payments results in a predictable escalation of cybercriminal activity. Yet all is not as straightforward as that may sound, as Kiser admitted: enforcing bans on ransom payments would create an illicit economy in concealed economic systems. The issue becomes unclear, Kiser says, when asking whether corporate entities or security executives should face legal consequences.

AWS representatives issued this statement about the Codefinger ransomware events

An Amazon Web Services spokesperson provided the following statement:

AWS helps customers secure their cloud resources through the shared responsibility model. We notify our customers as soon as we learn their keys have been exposed. When our team receives reports of exposed keys, we immediately apply quarantine procedures to secure customers without interrupting their IT operations.

We recommend that all customers follow established security, identity, and compliance best practices. If a customer believes their credentials have been exposed, they can begin resolving the issue by following the guidance provided in this post. Customers should reach out to AWS Support anytime they need help understanding the security of their account.