Ransomware crew abuses AWS native encryption, sets data-destruct timer for 7 days

A new ransomware crew dubbed Codefinger targets AWS S3 buckets and uses the cloud giant's own server-side encryption with customer provided keys (SSE-C) to lock up victims' data before demanding a ransom payment for the symmetric AES-256 keys required to decrypt it. Halcyon threat hunters say they first spotted this criminal …

  1. Anonymous Coward
    Anonymous Coward

    Ignorant Old F**t Here....

    Quote: "...customer provided keys (SSE-C)..."

    Quote: "...AWS's native secure encryption infrastructure.."

    Hah...."keys", "secure".......Really?

    Once upon a time (1976) two guys (Diffie and Hellman) invented a scheme where THERE WAS NO NEED to share or publish ACTUAL KEYS.

    The basic idea was that two people would share D/H tokens....and then the secret key(s) would be CALCULATED when needed....and then the secret key(s) would always be DESTROYED.

    So.....transient keys (i.e. VERY transient!)...nothing published or "managed".

    Yup....1976!

    What is this old f**t missing in 2025?

    1. Anonymous Coward
      Anonymous Coward

      Re: Ignorant Old F**t Here....

      Yup....looking at the book "Cryptography Engineering" (Ferguson, Schneier, Kohno, 2010) they say this about Diffie/Hellman: "Implementing the D/H protocol can be a bit tricky".

      There follows eight pages of advice about implementation.

      Does Amazon (Jeff Bezos) have a few dollars (and fifteen years) to get the "key problem" fixed???? Obviously not!

      (Sorry....1976 to 2025 is nearly fifty years....but the time from the quoted book is only (!) fifteen years.)

    2. Sandtitz Silver badge
      Pint

      Re: Ignorant Old F**t Here....

      What is this old f**t missing in 2025?

      Well, read the article again.

      Once the attackers get access to the victim's Amazon infrastructure, they encrypt the data at rest using Amazon encryption APIs.

      Something, something, old man yells at cloud, something.

      1. Claptrap314 Silver badge
        Pint

        Re: Ignorant Old F**t Here....

        Have another for "old man yells at cloud"... ---------------------------------------------------------------------------->

  2. Crypto Monad Silver badge

    Immutable buckets

    i.e. versioning + object lock, configured with a fixed minimum retention, say 3 months. Then if anyone deletes or overwrites your object, you have 3 months to retrieve the previous version.

    Mind you: if an attacker has somehow gained the ability to re-encrypt files in your bucket, then they could instead do it a million times and bankrupt you in AWS storage fees.
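
An added example, not part of the thread or any poster's code: an offline audit of the "versioning + object lock, fixed minimum retention" setup described in the comment above. The input dictionaries mirror the response shapes of boto3's `get_bucket_versioning` and `get_object_lock_configuration`; the 90-day threshold (taken from "3 months"), the function names and the sample configurations are assumptions constructed for illustration.

```python
# Added example: audit "immutable bucket" settings from already-fetched config.
# Pass {} for object_lock when the bucket has no Object Lock configuration
# (boto3 raises a ClientError in that case instead of returning a dict).

MIN_RETENTION_DAYS = 90  # assumption: "3 months" taken as 90 days


def retention_days(default_retention):
    """Convert an Object Lock DefaultRetention block to days (a year = 365)."""
    if "Days" in default_retention:
        return default_retention["Days"]
    return default_retention.get("Years", 0) * 365


def audit_bucket(versioning, object_lock, min_days=MIN_RETENTION_DAYS):
    """Return a list of findings; an empty list means the bucket meets the bar."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled (an overwrite destroys the old object)")
    cfg = object_lock.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock is not enabled (old versions can be deleted)")
        return findings
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if not default:
        findings.append("no default retention rule (new versions are not locked)")
        return findings
    days = retention_days(default)
    if days < min_days:
        findings.append(f"default retention is {days} days, below {min_days}")
    if default.get("Mode") == "GOVERNANCE":
        findings.append("GOVERNANCE mode: principals holding "
                        "s3:BypassGovernanceRetention can still delete versions")
    return findings


# Constructed sample configurations (not taken from any real bucket)
GOOD = ({"Status": "Enabled"},
        {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
         "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 90}}}})
WEAK = ({"Status": "Enabled"},
        {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
         "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}})

if __name__ == "__main__":
    for name, (ver, lock) in {"good": GOOD, "weak": WEAK}.items():
        print(name, audit_bucket(ver, lock) or "OK")
```

The check only covers recoverability; it does not address the storage-cost concern raised in the same comment, since every locked version is billed for its full retention period.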
