AWS S3 Ransomware Attack In 3 Lines Of Code

How tough is it to do a client encryption ransomware attack against AWS S3?

Not tough at all.

Yesterday, on the dry run of a Cloud War Games event, I set up the advanced scenario to trigger that S3 Ransomware Attack I talked about a few weeks ago.

Do you want to know how difficult it was to do?

It took me about 15 minutes to research and I was able to do the attack with only 3 lines of code. I’m not going to publish the exact code because I would basically be giving attackers the exact tools they could use to cause great harm but trust me when I say it was super simple.

To give you a rough idea of the 3 lines of bash commands I used, here is a zoomed-out version.

  1. I created the key that bad people hold ransom and force people to pay for.
  2. I copied all the files from S3 to my local.
  3. Then I copied the files back to S3 but added an option that would encrypt the files using the key.

In the end, you are stuck with an S3 bucket full of encrypted files with no way to decrypt them without paying the baddie millions of dollars in some random meme coin.

As I write this I am pretty sure I can get this down to 2 lines of code and remove the need to pull anything locally. That means the attack would be 100x faster than what I ran last night.

This is no joke.

If I can do it in 15 minutes for a training exercise, imagine what a highly motivated malicious party could do with days or even weeks.

When you see this message it's already too late: "The object was stored using a form of Server Side Encryption. The correct parameters must be provided to retrieve the object."

The damage has been done. The only people that can decrypt those files are the ones with the key. Not you, not me, not the people at AWS, just the baddies.

What you can do before it hits the fan:

  • Cycle your creds now.
  • MFA for EVERYBODY! I don’t care who you are if you are logging into AWS you need MFA turned on.
  • Delete any key that hasn't been used in a while.
  • Tighten up IAM permissions for both your roles and your users. I can trigger this from a bastion with elevated permissions.
  • Nothing should have s3:*. NOTHING!
  • Get on IAM Identity Center now.
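Two of the items above can be checked in code: finding IAM policies that hand out s3:* (or write access to every bucket), and refusing uploads that carry a customer-supplied encryption key, which is the "option" the attack relies on. The script below is an added example, not the author's code or the commands used in the exercise. It runs offline against a constructed IAM policy document. The condition key `s3:x-amz-server-side-encryption-customer-algorithm` is the one AWS documents for SSE-C requests, but verify its exact name against current AWS documentation before deploying the generated bucket policy; the `put_denied_by_policy` evaluator is a deliberately simplified simulation of IAM's Null condition, not AWS's policy engine.

```python
"""Defensive checks for the S3 ransomware scenario described above.
Added example (not the post author's code); runs offline on constructed input."""
import fnmatch

# Condition key AWS documents for requests that carry SSE-C headers.
# Treat the exact spelling as an assumption and confirm it against the AWS docs.
SSEC_ALGO_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive and '*' is the only wildcard."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def find_broad_s3_grants(policy):
    """Return (Sid, reason) for Allow statements that are too generous toward S3.

    Flags: NotAction (everything not listed), any action pattern that covers
    "s3:*" outright ("*", "s3:*", ...), and any pattern that covers
    s3:PutObject on Resource "*" (write access to every bucket)."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        if "NotAction" in stmt:
            findings.append((sid, "NotAction allows everything not listed, including S3 writes"))
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(_matches(a, "s3:*") for a in actions):
            findings.append((sid, "grants s3:* (full control of every bucket it can reach)"))
            continue
        if any(_matches(a, "s3:PutObject") for a in actions) and "*" in resources:
            findings.append((sid, "allows s3:PutObject on Resource '*' (can overwrite any bucket)"))
    return findings


def deny_ssec_bucket_policy(bucket):
    """Bucket policy that rejects PutObject requests carrying an SSE-C key.

    Null:"false" means 'this condition key IS present in the request', so the
    Deny fires only when a customer-provided key header is sent."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeys",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSEC_ALGO_KEY: "false"}},
        }],
    }


def put_denied_by_policy(policy, request_headers):
    """Simplified simulation (assumption, not AWS's engine) of how the Null
    condition in a Deny on s3:PutObject evaluates against request headers."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Deny" or "s3:PutObject" not in _as_list(stmt.get("Action")):
            continue
        for key, expected in stmt.get("Condition", {}).get("Null", {}).items():
            header = key.split(":", 1)[1]          # "s3:x-amz-..." -> "x-amz-..."
            present = header in request_headers
            wants_present = str(expected).lower() == "false"
            if present == wants_present:
                return True
    return False


# Constructed sample IAM policy with one clean and two over-broad statements.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadLogs", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-logs/*"},
        {"Sid": "AdminEverything", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "Uploader", "Effect": "Allow", "Action": "s3:Put*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for sid, reason in find_broad_s3_grants(SAMPLE_POLICY):
        print(f"FINDING {sid}: {reason}")
    policy = deny_ssec_bucket_policy("example-bucket")
    print("SSE-C upload denied:",
          put_denied_by_policy(policy, {"x-amz-server-side-encryption-customer-algorithm": "AES256"}))
    print("KMS upload denied:",
          put_denied_by_policy(policy, {"x-amz-server-side-encryption": "aws:kms"}))
```

The audit is meant to be pointed at policy documents pulled from your account; the pattern check catches "s3:Put*"-style grants as well as the literal s3:* the post calls out. One caveat on the bucket policy: it stops new SSE-C writes, but an overwrite-in-place attack already in progress is only recoverable if bucket versioning kept the previous unencrypted version, and an attacker with delete rights can remove those versions too, so versioning needs to be paired with the IAM tightening above.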

About IAM Identity Center:

I just migrated my rinky-dink internal accounts to it for my one-man dev consultancy that no baddies care about. It’s not that tough. In reality, it is well worth the investment.

If you need help:

  1. Check out my new On Demand Video Course coming out on O’Reilly’s Publishing Platform soon. The last module covers it in detail.
  2. Call me if you really get stuck.


I don’t want to be reading about you in the news for having to pay a ransom fee.

Best of luck ~Matt

PS: There is still space in Friday’s CloudWatchGames.com event for those interested in sharpening and showcasing your skills.