Silent Ransomware Attack Exploits AWS Native Features to Encrypt Cloud Storage
A concerning ransomware campaign is actively exploiting Amazon Web Services (AWS) credentials to encrypt S3 bucket contents without requiring direct system exploitation. The latest reporting from cybersecurity researcher Bob Diachenko and CyberNews confirmed that the campaign has impacted S3 bucket owners using 1,229 unique credential pairs identified within a publicly accessible dataset containing over 158 million AWS records. Victims receive ransom demands through files labeled "warning.txt," referencing the contact email "awsdecrypt[@]techie[.]com" and requesting payments of 0.3 BTC per incident. This activity builds on reporting from Halcyon, which initially tracked the incident in January 2025 and attributed it to the threat actor "Codefinger." The scale of the campaign is concerning given how automated it is and how irreversible the resulting lockout is. "This attack pattern allows for 'silent compromise,' with no alerts or reports issued to the victims when the breach occurs and no file deletion logs. The threat actor leaves the bucket structure intact. It also seems that the hackers don't even bother to exfiltrate data for double extortion," reports CyberNews. Data is not exfiltrated or deleted in these operations—only encrypted—so access is locked with no indication of compromise unless the files are accessed directly.
The attack chain involves the identification of exposed or compromised AWS access keys, although the exact source remains unconfirmed. CyberNews researchers propose likely methods, including leaked keys from public code repositories, misconfigured CI/CD pipelines, exposed configuration files, or credentials harvested from earlier breaches. Once valid keys are found, attackers issue “s3:PutObject” API calls, using the “x-amz-server-side-encryption-customer-algorithm” header to apply AES-256 encryption via SSE-C. Because AWS does not store customer-provided keys, decryption becomes impossible without the attacker’s cooperation. Halcyon noted that lifecycle policies are sometimes used to mark files for deletion after seven days, adding urgency to the ransom demand. This tactic poses an operational risk, as the underlying infrastructure—AWS S3—is not compromised through vulnerability exploitation but misused through credential abuse, allowing native AWS mechanisms to work against their intended security purpose.
Due to the design of SSE-C, forensic recovery of affected files is not possible, since AWS CloudTrail records only a hash of the customer-provided key, not the key itself. In multiple observed cases, AWS environments remained functional and their owners remained unaware of compromise due to the absence of alerts or file deletion logs. CyberNews warns that affected data may belong to backup systems or rarely accessed assets, leading to delayed detection. Mitigations recommended by Halcyon include auditing all active IAM credentials, rotating exposed keys, restricting SSE-C permissions in IAM policies, and monitoring for unusual S3 activity.
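As an added defender-side example (not code from the article, Halcyon or CyberNews), the Python below flags object writes that CloudTrail S3 data events record as SSE-C, groups them by access key, and builds a bucket-policy statement that denies SSE-C writes. The events are constructed samples; the `SSEApplied` field and the `s3:x-amz-server-side-encryption-customer-algorithm` condition key are the AWS-documented names as I know them, and the bucket name and access key IDs are placeholders.

```python
from collections import Counter

# Constructed CloudTrail S3 data-event fragments (sample values, not real telemetry).
# CloudTrail records the encryption mode of an object write in
# additionalEventData.SSEApplied; "SSE_C" means a customer-supplied key was used.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"},
     "requestParameters": {"bucketName": "backups-prod", "key": "db/2024-12.sql.gz"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "CopyObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"},
     "requestParameters": {"bucketName": "backups-prod", "key": "db/2024-11.sql.gz"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"},
     "requestParameters": {"bucketName": "backups-prod", "key": "db/2025-01.sql.gz"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "GetObject", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"},
     "requestParameters": {"bucketName": "backups-prod", "key": "db/2024-12.sql.gz"}},
]
WRITE_EVENTS = {"PutObject", "CopyObject"}


def sse_c_writes(events):
    """(accessKeyId, bucket, key, eventName) for each object write CloudTrail
    recorded as SSE-C; reads, and writes using SSE-S3/SSE-KMS, are ignored."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in WRITE_EVENTS:
            continue
        if ev.get("additionalEventData", {}).get("SSEApplied") != "SSE_C":
            continue
        p = ev.get("requestParameters", {})
        hits.append((ev["userIdentity"]["accessKeyId"], p.get("bucketName"),
                     p.get("key"), ev["eventName"]))
    return hits


def suspicious_keys(events, threshold=2):
    """Access keys with at least `threshold` SSE-C writes. In an account that never
    uses SSE-C any entry is alert-worthy; the threshold only trims one-off noise."""
    counts = Counter(h[0] for h in sse_c_writes(events))
    return {k: n for k, n in counts.items() if n >= threshold}


def deny_sse_c_statement(bucket):
    """Bucket-policy statement refusing PutObject requests that carry the SSE-C
    algorithm header ("Null": "false" matches requests where the key is present)."""
    return {"Sid": "DenySSECWrites", "Effect": "Deny", "Principal": "*",
            "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {
                "s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}
```

CloudTrail S3 data events must be enabled for the bucket for these records to exist at all; management events alone do not capture PutObject or CopyObject.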