S3 Ransomware through individual file deletion

Platform: AWS

MITRE ATT&CK Tactics

  • Impact

Description

Simulates S3 ransomware activity that empties a bucket through individual file deletion, then uploads a ransom note.

Warm-up:

  • Create an S3 bucket, with versioning enabled
  • Create a number of files in the bucket, with random content and extensions

Detonation:

  • List all available objects and their versions in the bucket
  • Delete all objects in the bucket one by one, using DeleteObject
  • Upload a ransom note to the bucket

Note: The attack does not need to disable versioning, since versioning alone does not protect against ransomware: this attack removes all versions of the objects in the bucket, not just the current ones.

References:

Instructions

Detonate with Stratus Red Team
stratus detonate aws.impact.s3-ransomware-individual-deletion

Detection

You can detect ransomware activity by identifying abnormal patterns of objects being downloaded or deleted in the bucket. In general, this can be done through CloudTrail S3 data events (DeleteObject, DeleteObjects, GetObject), CloudWatch metrics (NumberOfObjects), or GuardDuty findings (Exfiltration:S3/AnomalousBehavior, Impact:S3/AnomalousBehavior.Delete).

Sample CloudTrail DeleteObject data event, shortened for readability:

{
  "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteObject",
  "eventCategory": "Data",
  "managementEvent": false,
  "readOnly": false,
  "requestParameters": {
    "bucketName": "target-bucket",
    "Host": "target-bucket.s3.us-east-1.amazonaws.com",
    "key": "target-object-key",
    "x-id": "DeleteObject"
  },
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARN": "arn:aws:s3:::target-bucket/target-object-key"
    },
    {
      "accountId": "012345678901",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::target-bucket"
    }
  ],
  "eventType": "AwsApiCall",
  "recipientAccountId": "012345678901"
}
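As an added example (not part of this page or of Stratus Red Team), a small Python detector that applies the first of the approaches above to CloudTrail S3 data events of the shape shown: it counts DeleteObject/DeleteObjects calls per identity and bucket inside a sliding time window and flags the identity once the count crosses a threshold, which is the behaviour the detonation above produces. The sample events, the identity ARNs and the threshold are constructed for the demo.

```python
"""Flag S3 mass-deletion from CloudTrail S3 data events (constructed demo)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in the shape of the CloudTrail record above;
# only the fields the detector reads are included. Not real log data.
def _ev(ts, name, key, actor, bucket="target-bucket"):
    return {"eventTime": ts, "eventSource": "s3.amazonaws.com", "eventName": name,
            "eventCategory": "Data", "userIdentity": {"arn": actor},
            "requestParameters": {"bucketName": bucket, "key": key}}

SUSPECT = "arn:aws:iam::012345678901:user/app-user"   # placeholder identity
ADMIN = "arn:aws:iam::012345678901:role/BackupRole"   # placeholder identity
SAMPLE_EVENTS = (
    [_ev("2024-01-01T10:00:%02dZ" % i, "DeleteObject", "file-%d.dat" % i, SUSPECT) for i in range(25)]
    + [_ev("2024-01-01T10:00:30Z", "PutObject", "ransom-note.txt", SUSPECT)]
    + [_ev("2024-01-01T10:05:00Z", "DeleteObject", "old-report.csv", ADMIN),
       _ev("2024-01-01T10:06:00Z", "GetObject", "index.html", ADMIN)]
)

def find_mass_deletions(events, threshold=20, window=timedelta(minutes=5)):
    """Return [(actor, bucket, count, window_start)] for each identity that
    issues >= threshold DeleteObject/DeleteObjects calls on one bucket within
    any sliding `window`. Each call counts once (DeleteObjects is a batch call,
    so use a lower threshold if those dominate your traffic)."""
    per_key = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") not in ("DeleteObject", "DeleteObjects"):
            continue
        t = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        actor = ev.get("userIdentity", {}).get("arn", "unknown")
        bucket = ev.get("requestParameters", {}).get("bucketName", "unknown")
        per_key[(actor, bucket)].append(t)
    alerts = []
    for (actor, bucket), times in per_key.items():
        times.sort()
        start = 0
        for i, t in enumerate(times):          # slide window over sorted times
            while t - times[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                alerts.append((actor, bucket, i - start + 1, times[start]))
                break
    return alerts

if __name__ == "__main__":
    for a in find_mass_deletions(SAMPLE_EVENTS):
        print("ALERT: %s deleted %d objects from %s starting %s" % (a[0], a[2], a[1], a[3]))
```

In production the same logic runs over events pulled from CloudTrail Lake or an Athena query on the trail's S3 logs; the BackupRole's single deletion stays below the threshold while the 25 rapid deletions from one identity raise one alert.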