How to Recognize and Fight It

Oct 25, 2023The Hacker NewsRansomware/ Malware Army


In today’s digital landscape, all around 60% of corporate data now lives in the cloud, with Amazon S3 standing as the backbone of data storage for many large corporations.

Although S3 is a secure service from a reputable provider, its important role in managing a lot of sensitive data (customer personal information, financial data, intellectual property, etc.) , provides a juicy target for threat actors. It remains vulnerable to ransomware attacks that are often launched using leaked access keys that are accidentally exposed to human error and have access to organizational buckets.

To effectively combat these emerging threats, it is important to ensure that your organization has visibility into your S3 environment, that you know how threat actors can compromise data for ransom and most importantly, best practices to mitigate the risk of cyber criminals successfully implemented. such an attack.

Ensuring Visibility: CloudTrail and Server Access Logs

Visibility serves as the foundation for any effective recognition strategy. In Amazon S3, almost every action is translated into an API call, which is meticulously recorded in CloudTrail and documented in AWS documentation.

The two main options for activity logging in S3 buckets – CloudTrail Data Events and Server Access Logs – contain a wealth of information that security practitioners should use to anticipate and detect suspicious activity. Each offers distinct advantages and trade-offs:

  • Cloud Trail Data Events: offers visibility into resource operations performed on or within a resource in real time, but has potential cost implications due to high API call volume
  • Server Access Logs: free access to records for every request made to your S3 bucket, but with potential delays in log availability and potential logging with less integrity .
The advantages and trade-offs between Server Access Logs and AWS CloudTrial logs.

Mitigate Risk by Understanding Attack Scenarios

Using the above logs to ensure sufficient visibility, it is possible to watch out for potential attack scenarios to effectively reduce risks. There are three main attack scenarios we have observed in S3 ransomware attacks, all of which can prevent an organization from accessing its data. Below are attack scenarios, along with links to hunting questions that the expert threat hunting team from Hunters’ Team Axon shared publicly that allows anyone to find these attack scenarios within their own environments:

  1. Object Encryption: Ransomware typically involves file encryption to deny an organization access to their files, disrupt business operations and demand a ransom to return the files.
    1. Hunting question:
  2. Object Removal – Operations Removal: removing all objects from a bucket is an easy way for threat actors to have a big impact on business operations, improving the chances of victims to pay ransoms.
    1. Hunting question:
  3. Object Deletion – Lifecycle Policy: a less straightforward but quieter way to delete Cloudtrail files that still offers multiple chances of a paid ransom
    1. Hunting question:

*Note: Object Encryption and Object Deletion – Deletion Operations require enabling Cloudtrail Data Events for the appropriate buckets.

Each scenario causes major disruptions, potentially preventing organizations from accessing critical data. By analyzing required permissions, attacker views, and detection methods for each scenario, organizations can proactively prepare for potential threats.

Protection and Best Practices

Understanding attack scenarios helps provide context for how to implement proactive measures to reduce the attack surface. There are many things that can be done to improve the security of S3 buckets from the threat of ransomware.

  • Use IAM roles for short credentials: avoid using static IAM access keys. If you are using IAM users, make sure to enable Multi-Factor Authentication (MFA) for them.
  • Follow the principle of least privilege: this ensures that users and roles have the permissions required for their tasks. Additionally, use bucket policies to restrict access to these important resources.
  • Enable S3 Versioning: this means keeping a record of every version of every object stored in your bucket instead of changing it directly. It is very effective against unauthorized override or deletion.
  • Enable S3 Object Lock: works in a write-once, read-many (WORM) model, meaning that your data cannot be deleted by anyone (the data is “locked”) which protects against changes -o for specified periods of time.
  • Set up AWS Backup/Bucket Replication: this can be any form of backup that is separate in location and access control from your actual bucket.
  • Implement server-side encryption using AWS KMS keys: this gives your organization specific control over who can access bucket items. This provides another level of protection against who can encrypt and decrypt the contents of your bucket.


As data volumes continue to grow, securing Amazon S3 is paramount to protecting millions of organizations against ransomware attacks and evolving cyber threats.

Prioritizing threats, ensuring visibility through CloudTrail and Server Access Logs, and implementing proactive measures are important risk mitigation steps. By adopting these strategies, organizations can strengthen their S3 buckets’ protection and ensure the integrity and security of their critical data.

For a more in-depth breakdown of common attack scenarios and best practices, see a video deep dive from Team Axon. Team Axon is the expert threat hunting arm of the popular SIEM replacement Huntersand offers rapid response to emerging cyber threats, on-demand cyber expertise and proactive threat hunting across customers’ environments. Follow Team Axon on X for timely updates on emerging cyber threats and premiere cyber content.

Additional S3 Resources:

Did you find this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Leave a comment