noodls browser compatibility check

The security settings of your browser are blocking the execution of scripts.

To use noodls, javascript support must be enabled. Please change your browser's security settings to enable javascript.

If you have changed your browser's security settings, you can click here.

related announcements

News

Eagle Point Income Company Inc.

Post Effective Amendment to Registration Statement Form POS EX
AGA - American Gastroenterological[...]

Unlock the latest clinical updates with the 2024 PG Course OnDemand
City of Jackson, MI

Loose Leaf Collection Program planned for fall 2024

Technology

Trend Micro Inc.

10/16/2024 | News release | Distributed by Public on 10/16/2024 04:38

Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data

Conclusion

Attackers are increasingly leveraging cloud services and features to further their malicious activities. In this blog, we analyzed a Golang ransomware that abuses Amazon S3's Transfer Acceleration feature to upload victim files to attacker-controlled S3 buckets. Such advanced capabilities enable attackers to efficiently exfiltrate data as they take advantage of cloud service providers.

Furthermore, account identifiers of cloud providers such as AWS Account IDs linked to malicious activities can serve as valuable IOCs. By tracking these IDs, defenders can better identify and mitigate threats within their cloud environments, underscoring the need for vigilant monitoring of cloud resources.

Threat actors might also disguise their ransomware sample as another more publicly known variant, and it is not difficult to see why: the infamy of high-profile ransomware attacks further pressures victims into doing the attacker's bidding.

To further boost security, organizations can also employ security solutions such as Vision One to detect and stop threats early and no matter where they are in the system.

AWS Security Feedback

We contacted AWS about this incident and received the following comment:

AWS can confirm that AWS services are operating as intended. The activity identified violates the AWS acceptable use policy and the reported AWS access keys and account have been suspended.

Ransomware is not specific to any computing environment in particular. However, AWS provides customers with increased visibility into and control over their security posture with respect to malware.

We recommend customers who suspect or become aware of AWS resources being used for suspicious activity to complete the abuse form or contact [email protected].

We thank Trend Micro for engaging AWS Security.

Indicators of Compromise

During our monitoring, we have seen different versions of this ransomware. All had encryption features, but only some had upload functionality and valid tokens. This, along with other differences among variants, suggests that the ransomware is still in development.

The full list of IOCs can be found here.

Sharing and Personal Tools

Please select the service you want to use: