
S3 Ransomware through batch file deletion

Platform: AWS

MITRE ATT&CK Tactics

  • Impact

Description

Simulates S3 ransomware activity that empties a bucket through batch deletion, then uploads a ransom note.

Warm-up:

  • Create an S3 bucket, with versioning enabled
  • Create a number of files in the bucket, with random content and extensions

Detonation:

  • List all available objects and their versions in the bucket
  • Delete all objects in the bucket in one request, using DeleteObjects
  • Upload a ransom note to the bucket

Note: The attack does not need to disable versioning. Versioning does not protect against this kind of ransomware, because the attack deletes every version of each object in the bucket.

References:

Instructions

Detonate with Stratus Red Team
stratus detonate aws.impact.s3-ransomware-batch-deletion

Detection

You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. In general, this can be done through CloudTrail S3 data events (DeleteObject, DeleteObjects, GetObject), CloudWatch metrics (NumberOfObjects), or GuardDuty findings (Exfiltration:S3/AnomalousBehavior, Impact:S3/AnomalousBehavior.Delete).

Sample DeleteObjects event, shortened for readability:

{
  "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteObjects",
  "eventCategory": "Data",
  "managementEvent": false,
  "readOnly": false,
  "requestParameters": {
    "bucketName": "target-bucket",
    "Host": "target-bucket.s3.us-east-1.amazonaws.com",
    "delete": "",
    "x-id": "DeleteObjects"
  },
  "responseElements": null,
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARNPrefix": "arn:aws:s3:::target-bucket/"
    },
    {
      "accountId": "012345678901",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::target-bucket"
    }
  ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "012345678901"
}

Note that a DeleteObjects event does not list the objects that were deleted, nor how many were removed (a single call can delete up to 1,000 objects).
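The following detector is an added example, not part of the Stratus Red Team page or project code. It illustrates the detection approach from the Detection section (abnormal volumes of delete events per principal and bucket in CloudTrail S3 data events) and accounts for the caveat above: because a DeleteObjects event carries no object count, each such call is scored at its worst case of 1,000 objects. The CloudTrail records, principal ARNs, bucket name, thresholds and the ransom-note key are all constructed for the example; the event shapes follow the sample event shown earlier.

```python
"""Flag mass S3 deletion in CloudTrail S3 data events (added illustrative detector)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# One DeleteObjects request may remove up to 1,000 keys, and the CloudTrail event
# does not say how many it actually removed, so each call is scored at the worst case.
MAX_KEYS_PER_DELETE_OBJECTS = 1000

# Constructed CloudTrail records (not real log data), reduced to the fields the
# detector reads. Principals, bucket and the ransom-note key are made-up placeholders.
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventName": "ListObjectVersions",
     "userIdentity": {"arn": "arn:aws:iam::012345678901:user/example-user"},
     "requestParameters": {"bucketName": "target-bucket"}},
    {"eventTime": "2024-01-01T10:00:02Z", "eventName": "DeleteObjects",
     "userIdentity": {"arn": "arn:aws:iam::012345678901:user/example-user"},
     "requestParameters": {"bucketName": "target-bucket"}},
    {"eventTime": "2024-01-01T10:00:05Z", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::012345678901:user/example-user"},
     "requestParameters": {"bucketName": "target-bucket", "key": "example-ransom-note.txt"}},
    # Routine single-object cleanup by another principal; stays well under threshold.
    {"eventTime": "2024-01-01T11:30:00Z", "eventName": "DeleteObject",
     "userIdentity": {"arn": "arn:aws:iam::012345678901:role/example-app"},
     "requestParameters": {"bucketName": "target-bucket", "key": "tmp/cache.bin"}},
]


def parse_cloudtrail(text):
    """Accept a CloudTrail log file ({"Records": [...]}), a JSON array, or one record per line."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [json.loads(line) for line in text.splitlines() if line.strip()]
    if isinstance(doc, dict):
        return doc["Records"] if "Records" in doc else [doc]
    return list(doc)


def estimated_deletions(event_name):
    """Worst-case number of objects a single event may have removed."""
    if event_name == "DeleteObject":
        return 1
    if event_name == "DeleteObjects":
        return MAX_KEYS_PER_DELETE_OBJECTS
    return 0


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_mass_deletion(records, window=timedelta(minutes=5), threshold=100):
    """Return one alert per (principal, bucket) whose estimated deletions inside any
    `window` reach `threshold`, noting whether a PutObject followed the deletes
    (the ransom-note upload pattern described on this page)."""
    by_actor = defaultdict(list)
    for rec in records:
        bucket = rec.get("requestParameters", {}).get("bucketName")
        if not bucket:
            continue  # not an S3 data event we can attribute to a bucket
        actor = (rec["userIdentity"]["arn"], bucket)
        by_actor[actor].append((_parse_time(rec["eventTime"]), rec["eventName"]))

    alerts = []
    for (principal, bucket), events in by_actor.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            deleted, put_after_delete = 0, False
            for ts, name in events[i:]:  # sliding window starting at each event
                if ts - start > window:
                    break
                deleted += estimated_deletions(name)
                if name == "PutObject" and deleted > 0:
                    put_after_delete = True
            if deleted >= threshold:
                alerts.append({"principal": principal, "bucket": bucket,
                               "window_start": start.isoformat(),
                               "estimated_deleted": deleted,
                               "put_after_delete": put_after_delete})
                break  # one alert per principal/bucket pair is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_deletion(SAMPLE_RECORDS):
        print(json.dumps(alert))
```

Because the worst-case scoring makes a single DeleteObjects call cross most thresholds on its own, a production rule would typically baseline each principal's normal DeleteObjects usage (batch cleanup jobs are common) and alert on deviations, or corroborate with the NumberOfObjects CloudWatch metric and the GuardDuty findings named above.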