
Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C

ID: 63fb6b0b-9871-5ac6-9d7e-bb107eb1a1d0

STIX ID: report--63fb6b0b-9871-5ac6-9d7e-bb107eb1a1d0

Feed Name: Halcyon Blog

Threat Score: 75/100

Date Published: 2026-03-02

Date Updated: 2026-04-28


Halcyon RISE reports an active ransomware campaign by an actor dubbed 'Codefinger'. The actor uses compromised AWS credentials to apply SSE-C (server-side encryption with customer-provided AES-256 keys) to Amazon S3 objects. AWS cannot decrypt the resulting objects, since only an HMAC of the key is logged. The attackers then set object lifecycle policies to delete files within seven days and drop ransom notes demanding payment for the keys. Two victims have been identified. To mitigate this high-impact, emerging threat, Halcyon recommends restricting SSE-C usage, auditing and rotating keys, enabling advanced logging, and engaging AWS support.
