Living Off the Sky: A New Cloud Ransomware Attack

By Collin Miller, Structured Director of Cloud Security

A new type of ransomware attack launched by a group known as Codefinger has been causing quite a storm among cloud security professionals. Instead of using traditional malware to lock up data, they exploit compromised Amazon Web Services (AWS) credentials to encrypt data directly within the cloud. They use AWS's own Server-Side Encryption with Customer-Provided Keys (SSE-C) to do this.

The catch? AWS doesn't store these keys. So, without the attacker's key, the data remains locked.

Why Living Off the Sky Matters

This method is particularly sneaky because it uses our own cloud security tools against us. When these types of attacks -- ones that use legitimate credentials and tools instead of malware -- happen in on-premises environments, they are known as "living off the land." These attacks can be hard to detect and defend against using traditional methods.

Considering Codefinger is leveraging a novel twist on this old technique, we may refer to this new class of attacks as "living off the sky." These tactics also highlight the importance of securing our cloud environments and being hyper-vigilant about establishing and enforcing zero trust principles, i.e., carefully protecting who has access to what, as a method of cloud ransomware prevention.
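Because these writes are made with valid credentials through a legitimate S3 feature, the signal a defender has is in the audit trail rather than in malware telemetry. The script below is an added example, not part of the original article: it triages a set of constructed CloudTrail-style S3 data events and flags object writes that were encrypted with a customer-provided key, then groups them by caller so a burst from one principal stands out. The field layout (`additionalEventData.SSEApplied` with the value `SSE_C`) and the sample records are assumptions made for the example; confirm the field names against your own trail before wiring this into a detection pipeline.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style S3 data events for illustration; these are not
# real log records. The layout assumes CloudTrail reports the encryption mode
# of an S3 write in additionalEventData.SSEApplied and that "SSE_C" denotes a
# customer-provided key (verify against your own trail before relying on it).
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "eventTime": "2025-01-10T02:14:03Z",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/ci-deploy"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"bucketName": "acme-prod-data", "key": "reports/q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    # A read: no SSEApplied field at all, must not crash the parser.
    {"eventName": "GetObject", "eventTime": "2025-01-10T02:15:00Z",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/legacy-batch"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "acme-prod-data", "key": "reports/q4.csv"}},
    # In-place re-encryption of existing objects with a customer-provided key.
    {"eventName": "CopyObject", "eventTime": "2025-01-10T02:15:09Z",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/legacy-batch"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "acme-prod-data", "key": "reports/q4.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "CopyObject", "eventTime": "2025-01-10T02:15:11Z",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/legacy-batch"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "acme-prod-data", "key": "reports/q3.csv"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject", "eventTime": "2025-01-10T02:16:40Z",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::111122223333:user/legacy-batch"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"bucketName": "acme-prod-backups", "key": "db/dump.sql"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
]

# S3 API calls that create or replace object data.
WRITE_EVENTS = {"PutObject", "CopyObject"}


def load_events(path):
    """Read one CloudTrail log file; CloudTrail wraps events in a 'Records' list."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["Records"]


def find_ssec_writes(events):
    """Return the write events whose server-side encryption used a customer-provided key."""
    hits = []
    for ev in events:
        if ev.get("eventName") not in WRITE_EVENTS:
            continue
        if ev.get("additionalEventData", {}).get("SSEApplied") == "SSE_C":
            hits.append(ev)
    return hits


def summarize_by_principal(hits):
    """Group SSE-C writes by calling identity, collecting touched buckets and source IPs."""
    summary = defaultdict(lambda: {"count": 0, "buckets": set(), "source_ips": set()})
    for ev in hits:
        entry = summary[ev.get("userIdentity", {}).get("arn", "unknown")]
        entry["count"] += 1
        entry["buckets"].add(ev.get("requestParameters", {}).get("bucketName", "unknown"))
        entry["source_ips"].add(ev.get("sourceIPAddress", "unknown"))
    return summary


def alerts(events, threshold=2):
    """Principals with at least `threshold` SSE-C writes, most active first."""
    summary = summarize_by_principal(find_ssec_writes(events))
    out = []
    for arn, entry in summary.items():
        if entry["count"] >= threshold:
            out.append({"principal": arn, "count": entry["count"],
                        "buckets": sorted(entry["buckets"]),
                        "source_ips": sorted(entry["source_ips"])})
    return sorted(out, key=lambda a: a["count"], reverse=True)


if __name__ == "__main__":
    for alert in alerts(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

A single SSE-C upload can be legitimate (some applications manage their own keys), which is why the example alerts on volume per principal rather than on any one event; tune `threshold` to what your workloads normally produce, and treat SSE-C writes against buckets that never used it as the higher-fidelity signal.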

Preventing Cloud Ransomware

Fortunately, there are several long-established security, identity, and compliance best practices that cloud security and other IT professionals can use to thwart cybercriminals like the Codefinger gang. And, while AWS is very transparent in its stance about cloud security being a "shared responsibility" with clients, recent company statements provided to media organizations like Forbes indicate a strong willingness to assist when they are aware of a vulnerability caused by exposed keys.

"Anytime AWS is aware of exposed keys, we notify the affected customers. We also thoroughly investigate all reports of exposed keys and quickly take any necessary actions, such as applying quarantine policies to minimize risks for customers without disrupting their IT environment," according to a recent statement from AWS in the wake of the Codefinger activity.

That said, being proactive and following best practices is definitely the best course of action to prevent ransomware in the cloud or on premises. Here, we detail three tactics in play today.

The Role of Multi-Factor Authentication (MFA)

One of the best defenses against compromised-credential attacks is enabling MFA on all cloud accounts. MFA adds an extra layer of security by requiring users to verify their identity through multiple means, significantly reducing the risk of unauthorized access, even if one factor is compromised. Since Codefinger used legitimate, stolen credentials to encrypt the data, MFA may have prevented these attacks.
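MFA on console sign-in does nothing for an API call made with a leaked long-term access key, because such calls carry no MFA context at all. The resource policy is where that gap can be closed. The following is an added example, not code from the article or from AWS: it builds an S3 bucket policy with two explicit Deny statements, one refusing any object write that supplies an SSE-C algorithm header (the standard `s3:x-amz-server-side-encryption-customer-algorithm` condition key, tested with the `Null` operator), and one refusing deletes and policy changes unless the request proves MFA (`aws:MultiFactorAuthPresent` with `BoolIfExists`, so a missing key, as with long-term access keys, counts as a failure). A small evaluator then shows which sample requests each statement catches. The bucket name and request contexts are constructed; the evaluator implements only the two condition operators used here, not full IAM evaluation logic.

```python
import fnmatch
import json


def build_bucket_policy(bucket):
    """Bucket policy with explicit denies for SSE-C writes and non-MFA destructive calls."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyCustomerProvidedKeyWrites",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:PutObject",
                "Resource": f"{arn}/*",
                # Null = "false" matches when the key IS present, i.e. whenever a
                # caller supplies an SSE-C algorithm header on the write.
                "Condition": {"Null": {
                    "s3:x-amz-server-side-encryption-customer-algorithm": "false"}},
            },
            {
                "Sid": "DenyDestructiveActionsWithoutMFA",
                "Effect": "Deny",
                "Principal": "*",
                "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion",
                           "s3:PutBucketPolicy", "s3:PutLifecycleConfiguration"],
                "Resource": [arn, f"{arn}/*"],
                # BoolIfExists treats an absent key as a match, so requests signed
                # with long-term access keys (no MFA context) are denied too.
                "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, key, expected, context):
    """Evaluate one (operator, key, value) triple against a request context dict."""
    present = key in context
    if operator == "Null":
        # "true" matches when the key is absent, "false" when it is present.
        return (not present) if expected == "true" else present
    if operator == "BoolIfExists":
        return True if not present else str(context[key]).lower() == expected.lower()
    raise ValueError(f"unsupported operator in this example: {operator}")


def explicit_denies(policy, action, resource, context):
    """Return the Sids of Deny statements that match the given request."""
    matched = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        conditions = st.get("Condition", {})
        if all(_condition_matches(op, key, val, context)
               for op, pairs in conditions.items() for key, val in pairs.items()):
            matched.append(st["Sid"])
    return matched


if __name__ == "__main__":
    policy = build_bucket_policy("acme-prod-data")
    print(json.dumps(policy, indent=2))
    obj = "arn:aws:s3:::acme-prod-data/reports/q4.csv"
    # Constructed request contexts: an SSE-C upload, a KMS upload, and a delete
    # made with a long-term key (no MFA context).
    print(explicit_denies(policy, "s3:PutObject", obj,
                          {"s3:x-amz-server-side-encryption-customer-algorithm": "AES256"}))
    print(explicit_denies(policy, "s3:PutObject", obj,
                          {"s3:x-amz-server-side-encryption": "aws:kms"}))
    print(explicit_denies(policy, "s3:DeleteObject", obj, {}))
```

An explicit Deny in a bucket policy overrides any Allow in the caller's IAM policy, so these statements hold even when the stolen identity has broad S3 permissions. Before applying the SSE-C deny, confirm no legitimate workload uses customer-provided keys on the bucket, and keep the MFA statement scoped to destructive actions so routine service-to-service reads and writes are unaffected.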

The Importance of Offsite Backups

Another crucial step is maintaining offsite backups of your data. While cloud storage is convenient, this most recent attack highlights that it is not immune to threats. Having backups stored in a separate location ensures that, in the event of an attack, you can restore your data without having to pay a ransom. Keeping backups isolated from the primary environment protects them from the same threats that hit production and ensures business continuity.
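"Separate location" is only a real protection if the credential that can encrypt production cannot also reach, overwrite, or expire the backup copy. As an added example (not from the article), the function below encodes that as a checklist over a constructed description of a backup bucket: a different account from production, a different region, versioning (so an SSE-C write creates a new version instead of replacing the only copy), Object Lock in COMPLIANCE mode with retention at least as long as the recovery window, and a policy that refuses SSE-C writes. The `BucketProfile` dataclass and the sample profiles are assumptions made for illustration; in practice you would populate them from the bucket's versioning, Object Lock, and policy configuration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BucketProfile:
    """Constructed summary of a bucket's protection settings (illustrative, not read from AWS)."""
    name: str
    account_id: str
    region: str
    versioning: bool
    object_lock_mode: Optional[str]   # "COMPLIANCE", "GOVERNANCE" or None
    object_lock_days: int = 0
    denies_ssec_writes: bool = False  # bucket policy refuses customer-provided keys


def backup_isolation_findings(prod: BucketProfile, backup: BucketProfile,
                              recovery_window_days: int = 30) -> List[str]:
    """Return the ways a backup bucket is still exposed to a credential compromised in production."""
    findings = []
    if backup.account_id == prod.account_id:
        findings.append("backup lives in the production account: a credential that "
                        "encrypts production objects can reach the backup too")
    if backup.region == prod.region:
        findings.append("backup shares the production region: a regional outage takes both")
    if not backup.versioning:
        findings.append("versioning disabled: an SSE-C overwrite replaces the only copy")
    if backup.object_lock_mode != "COMPLIANCE":
        findings.append("Object Lock not in COMPLIANCE mode: retained versions can be "
                        "deleted or their retention shortened by a sufficiently privileged caller")
    elif backup.object_lock_days < recovery_window_days:
        findings.append(f"Object Lock retention of {backup.object_lock_days} days is shorter "
                        f"than the {recovery_window_days}-day recovery window")
    if not backup.denies_ssec_writes:
        findings.append("bucket policy does not deny SSE-C writes")
    return findings


# Constructed profiles: one production bucket, one backup that merely sits in a
# second bucket of the same account, and one genuinely isolated copy.
PROD = BucketProfile("acme-prod-data", "111122223333", "us-east-1", True, None)
WEAK_BACKUP = BucketProfile("acme-prod-backups", "111122223333", "us-east-1",
                            False, "GOVERNANCE", 7)
ISOLATED_BACKUP = BucketProfile("acme-vault-backups", "444455556666", "us-west-2",
                                True, "COMPLIANCE", 90, True)

if __name__ == "__main__":
    for profile in (WEAK_BACKUP, ISOLATED_BACKUP):
        print(profile.name)
        for finding in backup_isolation_findings(PROD, profile) or ["no findings"]:
            print("  -", finding)
```

Run against real configuration, the account and region checks catch the common case of a "backup" that is just another bucket the same stolen key can write to, while the Object Lock check is what guarantees the pre-attack versions survive long enough to restore from.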

Banning Ransomware Payments

In light of laws in North Carolina and Florida banning public entities from making ransomware payments, and the fact that several other U.S. states and foreign governments (such as the United Kingdom) are considering similar measures, it is time to take another look at the idea of making ransomware payments illegal.

The main thought here is straightforward: If public agencies and private companies stop paying ransoms, hackers motivated by profit might think twice before launching attacks. After all, there is no payday waiting for them. In addition, when ransoms are paid, that money often funds other shady -- or even dangerous -- activities. Cutting off this cash flow might help curb broader criminal operations. Finally, every dollar diverted to a ransomware payment means one fewer dollar to fund preventative measures like secure offsite backups and cybersecurity tools like MFA platforms.

It's also worth noting that paying a ransom doesn't always mean you'll get your data back or be safe from future attacks. Some victims who pay up find themselves targeted again. Banning payments could push organizations to beef up their cybersecurity and have solid backup plans -- making them tougher targets.

Of course, making ransom payments illegal isn't a magic fix. There are challenges, like enforcing such a ban and dealing with worst-case situations where not paying could lead to serious consequences. But the idea is that, over time, removing the financial rewards could lead to fewer attacks and a safer digital world for everyone.

Final Thoughts… And How Structured Can Help

Navigating these challenges can be daunting, but you don't have to do it alone. Partnering with experts like the team at Structured Communication Systems can make a world of difference. With more than 30 years of experience, we specialize in delivering secure, cloud-connected digital infrastructure and managed IT services. We can help implement advanced security measures, streamline data center operations, design secure multicloud architectures, and simplify infrastructure management to ensure your data remains safe and your business runs smoothly.

Staying ahead of cyberthreats like Codefinger’s “living off the sky” ransomware techniques requires a proactive approach. By enabling MFA, establishing recoverable offsite backups, developing and testing disaster mitigation and recovery plans, and partnering with experienced professionals, you can strengthen your defenses and keep your data secure.


Do you need assistance applying best practices to your cloud environment in order to reduce ransomware risk? If so, contact your Structured account manager or email [email protected] today! We offer professional and managed IT services to help secure cloud and on-prem environments of all sizes. We can even help with disaster recovery planning and tabletop exercises.

About the Author

Collin Miller has more than 20 years' experience designing secure and sustainable IT infrastructures that protect data, users, and organizational resources. As cloud computing gained traction, Collin dedicated himself to the practice of cloud security. His expertise extends to securing data and workloads in all the large public cloud providers, as well as the best practices, platforms and tools required to secure SaaS applications and the data traversing them.

With a strong background in cybersecurity, Collin brings a disciplined approach and deep knowledge of zero trust practices and secure access service edge (SASE) architectures to cloud environments. He is adept with cloud security posture management (CSPM), cloud native application protection platforms (CNAPP), cloud access security broker (CASB) platforms, and more.
