Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses

In this blog entry, Trend™ Research explores how ransomware actors are shifting their focus to cloud-based assets, including the tactics used to compromise business-critical data in AWS environments.


By: Yash Verma

Nov 18, 2025


Key takeaways

  • Ransomware is shifting from traditional systems to cloud environments, redefining its impact on cloud-native data.
  • Cloud storage services like Amazon Simple Storage Service (S3) remain attractive targets due to potential customer misconfigurations on bucket settings and access controls.
  • This blog entry explores five S3 ransomware variants, combining both observed attack techniques and potential future vectors.
  • Trend Vision One™ detections provide visibility into AWS CloudTrail events to detect and respond to active ransomware activity.

Old threat, new terrain: ransomware’s move to the cloud

Ransomware has long been a persistent threat, traditionally targeting on-premises environments through tactics such as network intrusions, phishing emails, malicious attachments, and exploitation of outdated or vulnerable software.

However, as organizations shift to the cloud, ransomware tactics are adapting: in cloud environments, attackers increasingly exploit customer-misconfigured storage resources and stolen credentials. Unlike traditional ransomware, which relies heavily on encryption malware, cloud-focused variants often leverage native cloud features to delete or overwrite data, suspend access, or extract sensitive content, all while staying under the radar of traditional security tools.

In this blog entry, Trend™ Research examines how ransomware actors are increasingly targeting cloud-native assets, what makes these resources appealing to attackers, and details the different kinds of ransomware attacks that could affect AWS environments once an attacker obtains access keys with permissions to call various S3 APIs.

Potential cloud ransomware targets

Ransomware actors increasingly focus on cloud-native assets that hold or enable quick recovery of critical business data and infrastructure. The following Amazon Web Services (AWS) resources are prime targets due to their high value and potential to disrupt operations:

Compute snapshots

Compute snapshots – point-in-time copies of virtual machine disks or volumes – like Amazon Elastic Block Store (EBS) snapshots could be targeted, as organizations rely on them for rapid recovery of EC2 instances after failure or compromise. Without snapshots, rebuilding systems from scratch could take days. Mission-critical applications hosted on EC2 may remain offline, causing prolonged disruption and potential data loss unless the ransom is paid.

If an attacker gains snapshot management permissions, they can encrypt the original EC2 volumes and delete the snapshots, leaving no recovery option. Attackers could also copy EC2 instances and snapshots to their own environment and then delete the originals, ensuring compute environments can’t be restored.

Cloud static storage

Cloud static storage such as Amazon Simple Storage Service (S3) buckets is also a potential target, because S3 is often used to store backup files, logs and analytics data, static website content, application assets, and infrastructure configs such as Terraform state files.

If access is misconfigured or credentials are leaked, attackers could encrypt existing data and upload ransom notes, delete original data, or overwrite it with corrupted files. This would impact business operations and services relying on that data. If the S3 bucket contains backups or historical logs, the victim loses both operational and forensic recovery options.

Cloud databases 

Other potential targets are cloud databases such as Amazon RDS (PostgreSQL, MySQL, etc.), Aurora, and DynamoDB. Cloud databases often contain the most sensitive and valuable data, such as customer information, transactions, credentials, and telemetry. If an attacker compromises access, they can exfiltrate, encrypt, or delete database records. They may also delete automated backups and snapshots to block recovery.

Such an attack impacts the functionality of applications, compromises user data, and brings about regulatory consequences (such as GDPR violations). Recovery without a functioning backup can be near-impossible, increasing pressure on victims to pay the ransom.

Container images and registries 

Container registries such as Amazon Elastic Container Registry (ECR) could also be targeted, as containerized workloads (including microservices and apps) rely on the container images stored there. Attackers targeting ECR can delete images, halting application deployment pipelines, or replace images with malicious or broken versions. Compromised container images and registries could lead to the failure of CI/CD pipelines, app crashes upon redeployment, and difficulties in applying auto-scaling or container replacement strategies. Even if the code is safe, without the image it can't be redeployed, potentially crippling production environments.

Cloud backups and disaster recovery systems 

Backups are the final safety net in any ransomware scenario, so backups in S3, Glacier, or managed via AWS Backup may be an attractive target. Smart attackers know that eliminating backups ensures leverage. If they get access to backup vaults or the buckets storing backup files, they can permanently delete backups, encrypt or corrupt backup files, and modify retention settings to expire backups prematurely. Even if primary systems are restored, without clean backups, businesses can’t guarantee data integrity. In many real-world cases, companies with no backup resorted to ransom payments as their only recovery path.

Among all targets in AWS, Amazon S3 stands out as the most widely used and business-critical. It serves as the backbone for storing everything from application data and media files to backups and infrastructure assets. Given its central role in data storage, S3 is also a high-value target for ransomware actors. In the sections ahead, we'll explore why S3 is so attractive to attackers and how ransomware campaigns can compromise S3 data to demand ransom.

Server-side encryption in Amazon S3

Amazon S3 offers several options for encrypting data at rest:

  • SSE-S3: AWS handles all encryption key management on your behalf.
  • SSE-KMS: Encryption keys are managed using AWS Key Management Service (KMS), providing enhanced control through customizable key policies and access permissions.
  • SSE-C: Customers supply their own encryption keys, granting them full control over key management. This approach is typically chosen to meet strict compliance or security requirements but comes with added complexity, such as the need to securely store and manage keys. Notably, AWS does not retain SSE-C keys; instead, it logs a key’s HMAC (Hash-based Message Authentication Code) to verify access requests.

S3 ransomware blueprint: Understanding the attacker’s mindset

Target selection – Finding the ideal S3 bucket

Before executing the attack, the adversary evaluates potential S3 buckets based on the following criteria:

  • No versioning enabled - Without versioning, there’s no way to recover previous versions of overwritten files, making encryption irreversible.
  • No object lock - Buckets without object lock settings allow data to be overwritten or deleted freely, which is essential for successful ransomware execution.
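A defender can turn the two target-selection criteria above, together with the server-side encryption options from the previous section, into a bucket posture check. The following is an added example, not code from the Trend Research post: the assessment function is pure and runs offline on constructed responses, while the optional boto3 wrapper (which assumes boto3 and AWS credentials are available) uses the real client methods get_bucket_versioning, get_object_lock_configuration and get_bucket_encryption.

```python
from __future__ import annotations

# Added audit helper, not code from the Trend Research post. It checks a bucket
# against the criteria the post says attackers look for (no versioning, no object
# lock) and reports which server-side encryption default applies. Inputs follow the
# response shapes of boto3's get_bucket_versioning, get_object_lock_configuration
# and get_bucket_encryption.

def assess_bucket_posture(versioning: dict, object_lock: dict | None,
                          encryption: dict | None) -> list[str]:
    """Return the weaknesses found; an empty list means every check passed."""
    findings: list[str] = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning-disabled")  # overwrites cannot be rolled back
    lock = (object_lock or {}).get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        findings.append("object-lock-disabled")  # objects can be deleted freely
    elif not lock.get("Rule", {}).get("DefaultRetention"):
        findings.append("object-lock-no-default-retention")  # lock protects nothing by default
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if not algos:
        findings.append("no-default-encryption")
    elif "aws:kms" not in algos:
        findings.append("default-encryption-not-kms")  # SSE-S3: no KMS key policy to scope access
    return findings

def fetch_and_assess(bucket: str) -> list[str]:
    """Live variant (assumes boto3 and AWS credentials): fetch settings, then assess."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    versioning = s3.get_bucket_versioning(Bucket=bucket)
    try:
        object_lock = s3.get_object_lock_configuration(Bucket=bucket)
    except ClientError:  # no object lock configuration on the bucket
        object_lock = None
    try:
        encryption = s3.get_bucket_encryption(Bucket=bucket)
    except ClientError:  # no default encryption configuration on the bucket
        encryption = None
    return assess_bucket_posture(versioning, object_lock, encryption)

# Constructed sample responses: a weak bucket and a hardened one.
WEAK = ({"Status": "Suspended"}, None, None)
HARDENED = ({"Status": "Enabled"},
            {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}},
            {"ServerSideEncryptionConfiguration": {"Rules": [
             {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}})
```

A bucket that returns any finding matches the attacker's selection criteria; the live wrapper needs only the read permissions for the three settings it fetches.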

[...]

