Massive ransomware campaign targets AWS S3 storage: attackers have thousands of keys
April 2025 by CyberNews
Cybernews researchers report that a massive database of over 1,200 unique Amazon Web Services (AWS) access keys has been amassed and exploited in a ransomware campaign. Administrators of exposed AWS S3 buckets are finding their files encrypted, except for a ransom note demanding payment in bitcoin.
“This is a rare and potentially unprecedented case of a coordinated extortion campaign leveraging leaked AWS credentials to apply server-side encryption (SSE-C) on data stored in S3 buckets, without owner interaction or realization,” Bob Diachenko, a cybersecurity researcher and owner of SecurityDiscovery.com, said.
Key Takeaways
• 158M+ leaked AWS key records were found, pointing to 1,229 unique credentials. Working AWS keys allowed S3 bucket listing and retrieval of ransom demands.
• Ransom notes indicate files were encrypted using Server Side Encryption with Customer Provided Keys (SSE-C).
• The extortion amount was 0.3 BTC ($25,000) per victim.
• An unknown threat actor is abusing AWS’s native server-side encryption to remain hidden.
Cybersecurity researcher Bob Diachenko, who works with the Cybernews research team, made this discovery.
“This incident marks a significant escalation in cloud ransomware tactics. Its simplicity makes it particularly dangerous: attackers only need stolen keys – no fancy exploits,” Diachenko added.
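For defenders, writes that use SSE-C can be picked out of S3 data-event logs. The following is an added example, not code from Cybernews or AWS: it flags access keys that write several objects with SSE-C to one bucket. The sample events are constructed, and the field names (`requestParameters`, `additionalEventData.SSEApplied`, the SSE-C header name) are assumptions about the CloudTrail record layout to verify against your own logs.

```python
from collections import defaultdict

# Header S3 clients send when using SSE-C; assumed to appear in requestParameters.
SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}


def _ev(name, key_id, obj, ssec=False, applied=None):
    """Build one constructed CloudTrail-style S3 data event (hypothetical helper)."""
    params = {"bucketName": "example-bucket", "key": obj}
    if ssec:
        params[SSEC_HEADER] = "AES256"
        applied = "SSE_C"
    return {"eventName": name, "userIdentity": {"accessKeyId": key_id},
            "requestParameters": params,
            "additionalEventData": {"SSEApplied": applied} if applied else {}}


# Constructed sample data, not real logs or real access keys.
SAMPLE_EVENTS = [
    _ev("PutObject", "AKIAEXAMPLE0000000001", "a.csv", ssec=True),
    _ev("PutObject", "AKIAEXAMPLE0000000001", "b.csv", ssec=True),
    _ev("PutObject", "AKIAEXAMPLE0000000001", "note.txt"),            # unencrypted write
    _ev("GetObject", "AKIAEXAMPLE0000000001", "a.csv", ssec=True),    # read, ignored
    _ev("PutObject", "AKIAEXAMPLE0000000002", "c.csv", applied="SSE_S3"),
]


def uses_sse_c(event):
    """True if the request carried the SSE-C header or was recorded as SSE_C."""
    params = event.get("requestParameters") or {}
    extra = event.get("additionalEventData") or {}
    return SSEC_HEADER in params or extra.get("SSEApplied") == "SSE_C"


def find_sse_c_writes(events, threshold=2):
    """Return {(access_key_id, bucket): [object keys]} with >= threshold SSE-C writes."""
    hits = defaultdict(list)
    for e in events:
        if e.get("eventName") in WRITE_EVENTS and uses_sse_c(e):
            params = e.get("requestParameters") or {}
            ident = e.get("userIdentity") or {}
            hits[(ident.get("accessKeyId"), params.get("bucketName"))].append(params.get("key"))
    return {k: v for k, v in hits.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (key_id, bucket), objs in find_sse_c_writes(SAMPLE_EVENTS).items():
        print(f"{key_id} wrote {len(objs)} SSE-C objects to {bucket}: {objs}")
```

S3 object-level (data) events are not recorded by CloudTrail unless they are explicitly enabled, so this check only works where that logging is already in place.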