Skip to content

S3 Ransomware through batch file deletion

Platform: AWS


  • Impact


Simulates S3 ransomware activity that empties a bucket through batch deletion, then uploads a ransom note.


  • Create an S3 bucket, with versioning enabled
  • Create a number of files in the bucket, with random content and extensions


  • List all available objects and their versions in the bucket
  • Delete all objects in the bucket in one request, using DeleteObjects
  • Upload a ransom note to the bucket

Note: The attack does not need to disable versioning, which does not protect against ransomware. This attack removes all versions of the objects in the bucket.



Detonate with Stratus Red Team
stratus detonate aws.impact.s3-ransomware-batch-deletion


You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. In general, this can be done through CloudTrail S3 data events (DeleteObject, DeleteObjects, GetObject), CloudWatch metrics (NumberOfObjects), or GuardDuty findings (Exfiltration:S3/AnomalousBehavior, Impact:S3/AnomalousBehavior.Delete).

Sample DeleteObjects event, shortened for readability:

  "eventSource": "",
  "eventName": "DeleteObjects",
  "eventCategory": "Data"
  "managementEvent": false,
  "readOnly": false
  "requestParameters": {
    "bucketName": "target-bucket",
    "Host": "",
    "delete": "",
    "x-id": "DeleteObjects"
  "responseElements": null,
  "resources": [
      "type": "AWS::S3::Object",
      "ARNPrefix": "arn:aws:s3:::target-bucket/"
      "accountId": "012345678901",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::target-bucket"
  "eventType": "AwsApiCall",
  "recipientAccountId": "012345678901"

Note that DeleteObjects does not indicate the list of files deleted, or how many files were removed (which can be up to 1'000 files per call).'