S3 Ransomware through client-side encryption

Platform: AWS

MITRE ATT&CK Tactics

  • Impact

Description

Simulates S3 ransomware activity that encrypts every file in a bucket with a static key, using the S3 client-side encryption feature. Warm-up:

  • Create an S3 bucket
  • Create a number of files in the bucket, with random content and extensions

Detonation:

  • List all objects in the bucket
  • Overwrite every file in the bucket with an encrypted version, using S3 client-side encryption
  • Upload a ransom note to the bucket

References:

Instructions

Detonate with Stratus Red Team
stratus detonate aws.impact.s3-ransomware-client-side-encryption

Detection

You can detect ransomware activity by identifying abnormal patterns of objects being downloaded, overwritten, or deleted in the bucket. In general, this can be done through CloudTrail S3 data events (DeleteObject, DeleteObjects, GetObject, CopyObject), CloudWatch metrics (NumberOfObjects), or GuardDuty findings (Exfiltration:S3/AnomalousBehavior, Impact:S3/AnomalousBehavior.Delete).

Sample CloudTrail CopyObject event, recorded when a file is encrypted with a client-side (customer-provided) key:

{
  "eventSource": "s3.amazonaws.com",
  "eventName": "CopyObject",
  "eventType": "AwsApiCall",
  "eventCategory": "Data",
  "managementEvent": false,
  "readOnly": false,
  "requestParameters": {
    "bucketName": "target bucket",
    "Host": "target bucket.s3.us-east-1.amazonaws.com",
    "x-amz-server-side-encryption-customer-algorithm": "AES256",
    "x-amz-copy-source": "target bucket/target file.txt",
    "key": "target file.txt",
    "x-id": "CopyObject"
  },
  "responseElements": {
    "x-amz-server-side-encryption-customer-algorithm": "AES256"
  },
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARN": "arn:aws:s3:::target bucket/target file.txt"
    },
    {
      "accountId": "012345678901",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::target bucket"
    }
  ]
}
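The sample event above has the shape a detector needs: a CopyObject data event whose copy source is the destination object itself and whose request carries the `x-amz-server-side-encryption-customer-algorithm` header. The following script is an added example, not part of the Stratus Red Team project or this page; it runs over a constructed set of CloudTrail records (the `userIdentity` ARNs, object keys, and the `IN_PLACE_SSEC_COPY_THRESHOLD` value are assumptions) and reports any principal that rewrites more than a threshold number of objects in place with a customer-provided key.

```python
from collections import Counter, defaultdict
from urllib.parse import unquote

# Assumed threshold: how many in-place, customer-keyed rewrites by one principal
# against one bucket we treat as ransomware-like. Tune to your environment.
IN_PLACE_SSEC_COPY_THRESHOLD = 3


def is_in_place_ssec_copy(event):
    """True when a CopyObject data event rewrites an object onto itself using a
    customer-provided key (the pattern in the sample CloudTrail event above)."""
    if event.get("eventSource") != "s3.amazonaws.com":
        return False
    if event.get("eventName") != "CopyObject":
        return False
    params = event.get("requestParameters") or {}
    if "x-amz-server-side-encryption-customer-algorithm" not in params:
        return False
    # The copy source may be URL-encoded and may carry a ?versionId=... suffix.
    source = unquote(params.get("x-amz-copy-source", "")).split("?", 1)[0]
    return source == f"{params.get('bucketName')}/{params.get('key')}"


def detect_ransomware_like_activity(events, threshold=IN_PLACE_SSEC_COPY_THRESHOLD):
    """Group in-place customer-keyed copies per (principal, bucket) and return
    one finding per pair whose count reaches the threshold."""
    counts = Counter()
    keys = defaultdict(list)
    for ev in events:
        if not is_in_place_ssec_copy(ev):
            continue
        principal = (ev.get("userIdentity") or {}).get("arn", "unknown")
        bucket = ev["requestParameters"]["bucketName"]
        counts[(principal, bucket)] += 1
        keys[(principal, bucket)].append(ev["requestParameters"]["key"])
    return [
        {"principal": p, "bucket": b, "count": n, "keys": keys[(p, b)]}
        for (p, b), n in counts.items()
        if n >= threshold
    ]


def _record(name, bucket, key, source=None, ssec=False,
            arn="arn:aws:iam::012345678901:user/alice"):
    """Build a constructed CloudTrail S3 data event with the fields used above."""
    params = {"bucketName": bucket, "key": key, "x-id": name}
    if source is not None:
        params["x-amz-copy-source"] = source
    if ssec:
        params["x-amz-server-side-encryption-customer-algorithm"] = "AES256"
    return {
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "eventCategory": "Data",
        "readOnly": name == "GetObject",
        "userIdentity": {"arn": arn},
        "requestParameters": params,
    }


# Constructed sample trail: one read, four in-place customer-keyed rewrites by
# alice, one ordinary copy to a new key, one isolated rewrite by bob (below threshold).
SAMPLE_TRAIL = {"Records": [
    _record("GetObject", "target bucket", "report.docx"),
    _record("CopyObject", "target bucket", "report.docx",
            source="target%20bucket/report.docx", ssec=True),
    _record("CopyObject", "target bucket", "target file.txt",
            source="target bucket/target file.txt", ssec=True),
    _record("CopyObject", "target bucket", "invoice.pdf",
            source="target bucket/invoice.pdf?versionId=abc123", ssec=True),
    _record("CopyObject", "target bucket", "notes.md",
            source="target bucket/notes.md", ssec=True),
    _record("CopyObject", "target bucket", "backup/report.docx",
            source="target bucket/report.docx"),
    _record("CopyObject", "other bucket", "a.txt",
            source="other bucket/a.txt", ssec=True,
            arn="arn:aws:iam::012345678901:user/bob"),
]}


if __name__ == "__main__":
    for finding in detect_ransomware_like_activity(SAMPLE_TRAIL["Records"]):
        print(f"{finding['principal']} rewrote {finding['count']} objects in "
              f"s3://{finding['bucket']} with a customer-provided key: {finding['keys']}")
```

In production the `Records` list would come from CloudTrail log files (or a query over the same fields in Athena or CloudWatch Logs Insights); the check deliberately keys on the copy source equalling the destination, since a legitimate SSE-C copy to a new key is not by itself suspicious, while a burst of in-place rewrites under a key the bucket owner does not hold is the signature this technique leaves.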