Potential AWS S3 Bucket Ransomware Note Upload
An adversary may upload a ransomware note to an AWS S3 bucket by abusing compromised credentials or overly permissive bucket policies, potentially leading to data encryption or exfiltration.
This detection identifies the potential upload of ransomware notes to an AWS S3 bucket, indicating a possible ransomware attack targeting cloud storage. The alert triggers on PutObject API calls where the object key (filename) matches patterns commonly associated with ransomware notes (e.g., "readme", "decrypt"). Attackers might gain unauthorized access to S3 buckets through compromised credentials or misconfigured bucket policies, enabling them to delete, encrypt, or replace existing objects with ransom notes, threatening data exfiltration or destruction if demands are unmet. The scope includes organizations utilizing AWS S3 for data storage, especially those with publicly accessible or poorly secured buckets. This activity was observed being tested by red teams to emulate ransomware activity as recent as April 2024.
Attack Chain
- Initial Access: An attacker gains access to AWS credentials through phishing, credential stuffing, or exploiting vulnerabilities in applications with AWS access.
- Privilege Escalation (Optional): The attacker escalates privileges within the AWS environment to gain access to S3 buckets.
- Bucket Discovery: The attacker identifies accessible S3 buckets through reconnaissance and enumeration techniques.
- Data Exfiltration/Encryption (Optional): Prior to the ransom note, the attacker may exfiltrate sensitive data or encrypt objects within the S3 bucket using tools like
awscli. - Ransom Note Upload: The attacker uploads a ransom note to the S3 bucket using the
PutObjectAPI call. The object key (filename) contains keywords like "readme", "decrypt", or "ransom". - Bucket Policy Modification (Optional): The attacker may modify the bucket policy using
PutBucketPolicyto restrict access or make the ransom note publicly accessible. - Impact: The organization discovers the ransom note, indicating a potential ransomware attack. Data exfiltration, encryption, or deletion may have occurred, leading to business disruption and financial losses.
Impact
A successful attack can lead to significant data loss, business interruption, and reputational damage. While there are no specific victim numbers available, organizations across various sectors using AWS S3 are potentially vulnerable. The impact ranges from temporary service outages due to encrypted or deleted data to long-term financial losses associated with data recovery and ransom payments. The criticality depends on the sensitivity and importance of the data stored within the compromised S3 bucket.
Recommendation
- Deploy the Sigma rule "Detect AWS S3 Ransom Note Upload" to your SIEM to identify potential ransomware attacks targeting S3 buckets. Tune the rule for your environment to reduce false positives.
- Enable AWS CloudTrail data events for S3 buckets to capture
PutObjectAPI calls and other relevant activities as required by the Sigma rule. - Review S3 bucket policies to ensure least privilege access and restrict public access where possible.
- Implement multi-factor authentication (MFA) for all AWS accounts and users to protect against credential compromise.
- Enable S3 Versioning and Object Lock to protect data from deletion or modification and facilitate recovery as described in the overview.
- Monitor for suspicious IAM activity, such as new access keys or policy changes, to detect potential privilege escalation or lateral movement.
Detection coverage 3
Detect AWS S3 Ransom Note Upload
mediumDetects the upload of a file to an AWS S3 bucket with a name commonly associated with ransomware notes.
Detect AWS S3 Bucket Policy Modification
lowDetects changes to S3 bucket policies, which could be indicative of an attacker attempting to make the ransom note public.
Detect AWS S3 DeleteObject
mediumDetects deletion of objects in AWS S3 bucket, which could be indicative of data destruction before the ransom note.
Detection queries are available on the platform. Get full rules →