Act quickly to thwart new ransomware attacks on AWS S3 buckets

The attacker uses AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt the data, then demands a ransom payment in exchange for the matching AES-256 keys the victim needs for decryption. While SSE-C has been around since 2014, the researchers said, this appears to be a novel use of the feature by ransomware operators.

To pressure victims, the encrypted files are marked for deletion within seven days.

The report does not provide details on how the stolen AWS keys were obtained. But in response to emailed questions, Halcyon said keys can be exposed in a variety of ways, including compromised IT networks and phishing. Keys are also often exposed publicly by developers or staff who embed them in code repositories like GitHub or GitLab.
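As an added example (not from the article or from Halcyon), the Python below runs a detection pass over constructed CloudTrail-style records and flags the two traces this technique leaves: an object write carrying an SSE-C key, and a lifecycle rule that expires objects within seven days; it also builds the bucket-policy statement that denies SSE-C writes outright. The record field names used here (the SSE-C header inside requestParameters, additionalEventData.SSEApplied), the bucket name and the account ARNs are assumptions to check against your own logs.

```python
SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
MAX_SUSPECT_EXPIRY_DAYS = 7  # the article: encrypted files are marked for deletion within seven days
# Constructed CloudTrail-style records (not real log data); field layout is an assumption.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"},
     "requestParameters": {"bucketName": "payroll-archive", "key": "q1.csv", SSEC_HEADER: "AES256"}},
    {"eventName": "PutBucketLifecycle", "userIdentity": {"arn": "arn:aws:iam::111122223333:user/dev"},
     "requestParameters": {"bucketName": "payroll-archive", "LifecycleConfiguration": {
         "Rule": {"Status": "Enabled", "Expiration": {"Days": 7}}}}},
    {"eventName": "PutObject", "requestParameters": {"bucketName": "payroll-archive", "key": "q2.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},  # benign: KMS-managed key, not SSE-C
]

def is_ssec_write(event):
    """True if an object write carried a customer-provided key (SSE-C)."""
    if event.get("eventName") not in ("PutObject", "CopyObject", "CompleteMultipartUpload"):
        return False
    return (SSEC_HEADER in (event.get("requestParameters") or {})
            or (event.get("additionalEventData") or {}).get("SSEApplied") == "SSE_C")

def shortest_expiry_days(event):
    """Smallest enabled Expiration.Days in a PutBucketLifecycle call, else None."""
    if event.get("eventName") != "PutBucketLifecycle":
        return None
    rules = (event.get("requestParameters") or {}).get("LifecycleConfiguration", {}).get("Rule", [])
    if isinstance(rules, dict):  # a single rule is logged as an object, not a list
        rules = [rules]
    days = [r["Expiration"]["Days"] for r in rules
            if r.get("Status") == "Enabled" and "Days" in r.get("Expiration", {})]
    return min(days) if days else None

def find_ssec_ransomware_signals(events):
    """One finding per suspicious record: who did it, on which bucket, and why."""
    findings = []
    for ev in events:
        who = ev.get("userIdentity", {}).get("arn", "?")
        bucket = ev.get("requestParameters", {}).get("bucketName", "?")
        if is_ssec_write(ev):
            findings.append({"actor": who, "bucket": bucket, "reason": "object written with SSE-C"})
        days = shortest_expiry_days(ev)
        if days is not None and days <= MAX_SUSPECT_EXPIRY_DAYS:
            findings.append({"actor": who, "bucket": bucket, "reason": f"lifecycle rule expires objects in {days} days"})
    return findings

def deny_ssec_bucket_policy(bucket):
    """Preventive control: bucket policy denying any PutObject that carries an SSE-C key."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyCustomerProvidedKeys", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {"s3:" + SSEC_HEADER: "false"}}}]}
```

The deny statement only stops new SSE-C writes; pairing it with S3 Versioning (and Object Lock where retention rules allow) is what keeps a prior copy recoverable if an attacker with valid credentials overwrites objects.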