New Ransomware Exploits Amazon AWS Feature to Hold S3 Buckets Hostage

A sophisticated new ransomware operation is targeting cloud infrastructure by weaponizing a native Amazon Web Services (AWS) feature to encrypt data. Dubbed “Codefinger” by researchers at Halcyon, the threat actor is abusing AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to lock victims out of their S3 buckets, rendering data irrecoverable without the attacker’s unique decryption key. This attack method represents a significant evolution in cloud-focused extortion tactics.

How the SSE-C Ransomware Attack Works

Amazon S3 (Simple Storage Service) buckets are ubiquitous cloud containers for storing everything from website assets to critical data backups. SSE-C is a legitimate S3 feature that lets a customer supply its own 256-bit AES key with each request; S3 encrypts the object at rest with that key and then discards it. Crucially, AWS does not store the key itself (it keeps only a randomly salted HMAC of the key to validate later requests, which cannot be used to reconstruct the key); the customer is solely responsible for its management.

Codefinger does not exploit a vulnerability in S3 itself. It begins with compromised AWS credentials and looks for keys that carry the s3:GetObject and s3:PutObject permissions, common privileges that allow reading objects from and writing objects to buckets.

Once inside, the attacker generates a new AES-256 key locally. S3 has no in-place re-encrypt operation, so the attacker reads each object and writes it back (PutObject or CopyObject) with the SSE-C headers carrying that key, overwriting the original. Only the attacker holds the key; AWS keeps no copy of it, so recovery through Amazon is impossible even if the unauthorized activity is reported.

Issuing the Ultimatum and Maximizing Pressure

To compound the attack, Codefinger implements a ruthless deletion policy. Using the S3 Object Lifecycle Management API, they set a seven-day timer to automatically delete all the encrypted files. Ransom notes are dropped into every affected directory, demanding payment to a specified Bitcoin address in exchange for the decryption key.

The note includes a severe warning: any attempt by the victim to change account permissions, modify files, or interfere with the bucket will result in the attackers immediately terminating negotiations, leaving the data permanently lost.
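As an added illustration of the two steps described above (not code from the article or from Halcyon), the block below shows what an SSE-C write request carries, and runs a small detector over constructed CloudTrail-style records for the two signals a defender can alert on: an object write using SSE-C, and a bucket lifecycle rule with a short expiration. The record field names (eventName, requestParameters, additionalEventData.SSEApplied, LifecycleConfiguration.Rule) are assumed to follow CloudTrail's S3 record layout and should be checked against your own trail; the sample records are constructed, not real telemetry.

```python
import base64
import hashlib
import json
import os
from typing import Iterable, List, Optional

SSE_C_ALGO_HEADER = "x-amz-server-side-encryption-customer-algorithm"
OBJECT_WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}


def sse_c_headers(key: bytes) -> dict:
    """The three request headers that make an S3 write (or read) use SSE-C.
    S3 uses the key for AES-256 at rest and does not persist it, so nothing
    stored on the AWS side can reproduce a key the attacker generated locally."""
    if len(key) != 32:
        raise ValueError("SSE-C keys must be 256 bits (32 bytes)")
    return {
        SSE_C_ALGO_HEADER: "AES256",
        "x-amz-server-side-encryption-customer-key": base64.b64encode(key).decode(),
        "x-amz-server-side-encryption-customer-key-MD5":
            base64.b64encode(hashlib.md5(key).digest()).decode(),
    }


def flag_event(event: dict, max_expiry_days: int = 30) -> Optional[str]:
    """Return a finding for one CloudTrail-style record, or None if it looks benign.
    Field names are assumed (see lead-in); verify them against a real trail."""
    name = event.get("eventName", "")
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    actor = (event.get("userIdentity") or {}).get("arn", "unknown")
    bucket = params.get("bucketName", "?")

    # Signal 1: an object written with a customer-provided key.
    if name in OBJECT_WRITE_EVENTS and (
        params.get(SSE_C_ALGO_HEADER) == "AES256" or extra.get("SSEApplied") == "SSE_C"
    ):
        return f"{name} with SSE-C by {actor} on s3://{bucket}/{params.get('key', '')}"

    # Signal 2: a lifecycle rule that expires objects on a short fuse.
    if name in LIFECYCLE_EVENTS:
        rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
        if isinstance(rules, dict):  # a single rule is assumed to be logged as an object
            rules = [rules]
        for rule in rules:
            days = (rule.get("Expiration") or {}).get("Days")
            if days is not None and int(days) <= max_expiry_days:
                return f"{name} by {actor} expires objects in {days} day(s) on {bucket}"
    return None


def scan(records: Iterable[dict]) -> List[str]:
    """Run flag_event over a batch of records and keep only the findings."""
    return [f for f in (flag_event(r) for r in records) if f]


# Constructed sample records (not real telemetry): a benign SSE-KMS upload,
# an SSE-C rewrite of the same object, and a seven-day lifecycle rule.
SAMPLE_RECORDS = [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer"},
     "requestParameters": {"bucketName": "app-backups", "key": "db/2025-01-10.sql.gz",
                           "x-amz-server-side-encryption": "aws:kms"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "CopyObject",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer"},
     "requestParameters": {"bucketName": "app-backups", "key": "db/2025-01-10.sql.gz",
                           SSE_C_ALGO_HEADER: "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutBucketLifecycle",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer"},
     "requestParameters": {"bucketName": "app-backups",
                           "LifecycleConfiguration": {"Rule": {"ID": "cleanup", "Status": "Enabled",
                                                               "Filter": {"Prefix": ""},
                                                               "Expiration": {"Days": 7}}}}},
]

if __name__ == "__main__":
    # The attacker's key never leaves the attacker's machine except inside this request.
    print(json.dumps(sse_c_headers(os.urandom(32)), indent=2))
    for finding in scan(SAMPLE_RECORDS):
        print("ALERT:", finding)
```

The benign SSE-KMS upload produces no finding; the SSE-C CopyObject and the seven-day expiration rule each produce one. In production the same two checks would run against S3 data events (which must be enabled separately in CloudTrail) and management events respectively; a short-expiry lifecycle rule set by a data-plane identity that has never touched bucket configuration before is the stronger of the two signals.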

How to Defend Against Cloud Ransomware

Halcyon has reported its findings to Amazon. In response, an Amazon spokesperson reiterated that AWS operates on a shared responsibility model, where customers are responsible for securing their own data and credentials within the cloud. AWS stated it promptly notifies customers of exposed keys and applies quarantine policies to minimize risk.

To protect your organization, security experts and AWS recommend a multi-layered defense strategy:

  • Restrict SSE-C Usage: Unless SSE-C is a business requirement, deny S3 writes that use it in IAM and bucket policies; the request exposes the condition key s3:x-amz-server-side-encryption-customer-algorithm, which a Deny statement can match on.
  • Practice Key Hygiene: Immediately disable unused AWS access keys, rotate active keys frequently, and adhere to the principle of least privilege by granting only the minimum permissions necessary for a task.
  • Eliminate Long-Term Credentials: Replace static access keys with IAM Roles and AWS STS temporary credentials, which are short-lived and rotated automatically and so drastically reduce the attack surface, and keep any secrets that must exist in AWS Secrets Manager rather than in code or configuration.
  • Enable MFA: Protect all root and user accounts with multi-factor authentication (MFA) to prevent credential-based attacks.
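The first recommendation above, restricting SSE-C, can be expressed as a bucket policy. The block below is an added example (not the article's or AWS's own code) that builds such a policy: one Deny statement for any s3:PutObject that carries the SSE-C algorithm condition key, and a second that locks s3:PutLifecycleConfiguration to a single admin role so a compromised data-plane key cannot set a deletion timer. It also includes a deliberately simplified local evaluator for just the two condition operators used (Null and ArnNotEquals), so the policy's effect on constructed requests can be checked offline; real IAM evaluation covers much more (Allow statements, resource matching, wildcards, SCPs). The account ID, bucket name and role ARN are placeholders.

```python
import json
from typing import Optional

SSE_C_CONDITION_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_sse_c_policy(bucket: str, lifecycle_admin_arn: str) -> dict:
    """Bucket policy: no customer-provided keys, and lifecycle changes only by one role."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                # Null=false means "the condition key IS present in the request",
                # i.e. the write asked for SSE-C. SSE-S3 and SSE-KMS writes are unaffected.
                "Sid": "DenyCustomerProvidedKeys",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"Null": {SSE_C_CONDITION_KEY: "false"}},
            },
            {
                # Everyone except the named admin role is denied lifecycle changes.
                "Sid": "LockLifecycleToAdmin",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutLifecycleConfiguration",
                "Resource": bucket_arn,
                "Condition": {"ArnNotEquals": {"aws:PrincipalArn": lifecycle_admin_arn}},
            },
        ],
    }


def _condition_holds(operator: str, pairs: dict, principal_arn: str, request_keys: dict) -> bool:
    """Simplified semantics for the two operators this policy uses (assumption:
    the only ArnNotEquals key modelled is aws:PrincipalArn)."""
    if operator == "Null":
        # "true" requires the key to be absent, "false" requires it to be present.
        return all((key not in request_keys) == (want == "true") for key, want in pairs.items())
    if operator == "ArnNotEquals":
        return all(principal_arn != want for want in pairs.values())
    raise NotImplementedError(f"operator {operator} not modelled")


def request_denied(policy: dict, action: str, principal_arn: str, request_keys: dict) -> Optional[str]:
    """Return the Sid of the first Deny statement matching the request, else None."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, pairs, principal_arn, request_keys)
               for op, pairs in conditions.items()):
            return stmt["Sid"]
    return None


# Placeholder identifiers for the worked checks below.
ADMIN_ROLE = "arn:aws:iam::111122223333:role/BucketAdmin"
COMPROMISED_USER = "arn:aws:iam::111122223333:user/ci-deployer"
POLICY = deny_sse_c_policy("app-backups", ADMIN_ROLE)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    # SSE-C rewrite from a compromised key: blocked.
    print(request_denied(POLICY, "s3:PutObject", COMPROMISED_USER, {SSE_C_CONDITION_KEY: "AES256"}))
    # Ordinary SSE-KMS upload from the same key: still allowed by this policy.
    print(request_denied(POLICY, "s3:PutObject", COMPROMISED_USER, {"s3:x-amz-server-side-encryption": "aws:kms"}))
    # Seven-day deletion timer from the compromised key: blocked; from the admin role: allowed.
    print(request_denied(POLICY, "s3:PutLifecycleConfiguration", COMPROMISED_USER, {}))
    print(request_denied(POLICY, "s3:PutLifecycleConfiguration", ADMIN_ROLE, {}))
```

Before applying a policy like this, confirm that no legitimate workload uses SSE-C on the bucket (the detector's SSE-C signal is a quick way to find out from CloudTrail history), and remember that a Deny with Principal "*" also binds the account's own identities, which is exactly why the lifecycle statement carves out the admin role explicitly.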

This attack underscores that cloud-native features, while designed for security, can be twisted by threat actors. Proactive hardening of your cloud environment is no longer optional—it’s essential.

By Raza Ahmed

New Ransomware Exploits Amazon AWS Feature to Hold S3 Buckets Hostage – mysoftwaremarketplace.com