Act fast to blunt a new ransomware attack on AWS S3 buckets


The attacker leverages AWS’s Server-Side Encryption with Customer Provided Keys (SSE-C) to encrypt data, demanding ransom payments if the victim firm wants the symmetric AES-256 keys required for decryption. While SSE-C has been available since 2014, say the researchers, this appears to be a novel use of the feature by ransomware operators.

To pressure victims, the encrypted files are marked for deletion within seven days.

The report doesn’t detail how the stolen AWS keys are obtained. But in response to emailed questions, Halcyon said keys can be exposed in a variety of ways, including through compromised IT networks and phishing. Keys often get leaked publicly by developers or employees who embed them in code repos such as GitHub or GitLab.
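A defender-side check for the technique described above, as an added example that is not from the article or from Halcyon: it audits a bucket policy for a Deny on SSE-C writes (via the S3 condition key `s3:x-amz-server-side-encryption-customer-algorithm`) and a lifecycle configuration for rules that expire objects within seven days. The function names, bucket name, policy and lifecycle documents are constructed for illustration, shaped like the documents boto3's `get_bucket_policy` and `get_bucket_lifecycle_configuration` return.

```python
import json
from fnmatch import fnmatchcase

# Real S3 condition key: present only when a request supplies an SSE-C key.
SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def blocks_ssec(policy_json):
    """True if a statement denies s3:PutObject to everyone whenever the
    SSE-C header is present. Resource scope is not evaluated here."""
    policy = json.loads(policy_json) if policy_json else {}
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or st.get("Principal") not in ("*", {"AWS": "*"}):
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        if not any(fnmatchcase("s3:putobject", a) for a in actions):
            continue
        cond = st.get("Condition", {})
        if set(cond) != {"Null"}:  # extra operators could narrow the deny
            continue
        null = {k.lower(): [str(v).lower() for v in _as_list(vals)]
                for k, vals in cond["Null"].items()}
        if null == {SSEC_KEY: ["false"]}:
            return True
    return False

def short_expiry_rules(lifecycle, max_days=7):
    """Enabled lifecycle rules that expire objects within max_days."""
    return [(r.get("ID", "<no id>"), r["Expiration"]["Days"])
            for r in (lifecycle or {}).get("Rules", [])
            if r.get("Status") == "Enabled"
            and r.get("Expiration", {}).get("Days", max_days + 1) <= max_days]

def audit(bucket, policy_json, lifecycle):
    findings = []
    if not blocks_ssec(policy_json):
        findings.append(f"{bucket}: SSE-C writes are not denied by bucket policy")
    for rule_id, days in short_expiry_rules(lifecycle):
        findings.append(f"{bucket}: rule {rule_id!r} expires objects after {days} day(s)")
    return findings

# Constructed sample documents (assumptions, not taken from the article).
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"Null": {SSEC_KEY: "false"}}}]})
SAMPLE_LIFECYCLE = {"Rules": [
    {"ID": "purge", "Status": "Enabled", "Expiration": {"Days": 7}},
    {"ID": "archive-logs", "Status": "Enabled", "Expiration": {"Days": 365}}]}

if __name__ == "__main__":
    print("\n".join(audit("example-bucket", None, SAMPLE_LIFECYCLE)))
```

A short-expiry rule is not malicious on its own; treat a hit as a prompt to confirm who created the rule and when.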
