Hackers abuse encryption in AWS to lock victims’ data


A new ransomware gang called Codefinger focuses on locking victims’ data.

New ransomware gang Codefinger abuses AWS encryption to lock customers' data, then demands a ransom for the keys needed to unlock it again.

Encrypted data

Codefinger breaks into cloud storage buckets using public or compromised AWS keys. With these keys, the attackers obtain write and read permissions. They then generate their own encryption key to lock the data. In the directory, the group leaves a ransom note with the attacker's Bitcoin address and a client ID for the encrypted data. If the victim does not pay a ransom for the keys, the data is destroyed within seven days.

Security platform Halcyon noticed the group back in December last year. “This is unique because most attackers do not directly perform data destruction as part of an extortion scheme or to otherwise pressure the victim to pay the ransom demand,” Tim West, VP of Halcyon, told The Register. “Data destruction poses an additional risk to target organizations.”


An AWS spokesperson told The Register that affected customers will be notified and appropriate action taken quickly. The company additionally clarified what to do in the event of unauthorized activity and advised customers to follow security, identity and compliance best practices. Moreover, it is important to check AWS keys regularly, as they are an attractive target for hackers.
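
The advice to check AWS keys regularly can be scripted against the IAM credential report (the CSV returned by `aws iam generate-credential-report` followed by `aws iam get-credential-report`). The sketch below is an added example, not code from AWS, Halcyon or the original article; the sample rows are constructed and the 90-day and 45-day thresholds are assumptions to adjust to local policy.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample: a subset of the columns found in an IAM credential report.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
backup-job,true,2023-02-01T08:00:00+00:00,2025-01-10T03:12:00+00:00,false,N/A,N/A
ci-deploy,true,2024-12-01T10:00:00+00:00,2025-01-14T22:40:00+00:00,true,2024-06-15T10:00:00+00:00,N/A
alice,false,2022-05-05T09:00:00+00:00,2022-06-01T09:00:00+00:00,false,N/A,N/A
"""

def _parse(value):
    """Report timestamps are ISO 8601; 'N/A' means no key or never used."""
    if value in ("N/A", ""):
        return None
    return datetime.fromisoformat(value)

def audit_access_keys(report_csv, now, max_age_days=90, max_idle_days=45):
    """Return (user, key_slot, reason) for every active key that needs review.

    max_age_days and max_idle_days are assumed policy values, not AWS defaults.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            prefix = f"access_key_{slot}_"
            if row.get(prefix + "active") != "true":
                continue  # inactive or absent keys cannot sign requests
            rotated = _parse(row[prefix + "last_rotated"])
            used = _parse(row[prefix + "last_used_date"])
            if rotated and (now - rotated).days > max_age_days:
                findings.append((row["user"], slot, "not rotated"))
            if used is None:
                findings.append((row["user"], slot, "active but never used"))
            elif (now - used).days > max_idle_days:
                findings.append((row["user"], slot, "idle"))
    return findings

if __name__ == "__main__":
    now = datetime(2025, 1, 15, tzinfo=timezone.utc)
    for user, slot, reason in audit_access_keys(SAMPLE_REPORT, now):
        print(f"{user}: access key {slot}: {reason}")
```

Keys flagged as never used or idle are candidates for deactivation, and long-unrotated keys for replacement, since every active long-lived key is one more credential that can leak.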
