Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data


From infostealer development to data exfiltration, cloud service providers are increasingly being abused by threat actors for malicious schemes. While in this case the ransomware samples we examined contained hard coded AWS credentials, this is specific to this single threat actor and in general, ransomware developers leverage other online services as part of their tactics.

In line with this, Trend Micro examined ransomware samples written in Go language (aka Golang), targeting Windows and MacOS environments. Most of the samples contained hard-coded AWS credentials, and the stolen data were uploaded to an Amazon S3 bucket controlled by the threat actor.

Read more…
Source: Trend Micro


Sign up for our Newsletter


Related:

  • Cyber attack on Italy’s Foreign Ministry, airports claimed by pro-Russian hacker group

    December 28, 2024

    Hackers targeted around ten official websites in Italy on Saturday, including the websites of the Foreign Ministry and Milan’s two airports, putting them out of action temporarily, the country’s cyber security agency said. The pro-Russian hacker group Noname057(16) claimed the cyber attack on Telegram, saying Italy’s “Russophobes get a well deserved cyber response”. Read more… Source: MSN News Sign ...

  • Record-breaking ransoms and breaches: A timeline of ransomware in 2024

    December 27, 2024

    It was another record-breaking year for ransomware. When file-locking malware wasn’t causing widespread disruption, like downing online services and lasting outages, ransomware was the cause of unprecedented data theft attacks affecting hundreds of millions of people, in some cases for life. While governments have struck some rare wins against ransomware hackers over the past 12 months, ...

  • Data breach at IDHS compromises 1M customers

    December 26, 2024

    On April 25, the Illinois Department of Human Services (IDHS) experienced a privacy breach. An outside entity, through a phishing campaign, gained access to multiple employee accounts, and files associated with the accounts. The files included the Social Security numbers (SSNs) of 4,701 customers and three employees. Separately, public assistance account information (name, public assistance account ...

  • Cyberattack on JAL delays some flights, disrupts operations

    December 26, 2024

    Japan Airlines announced on Dec. 26 that its computer network was hit by a cyberattack, which delayed some flights while the company worked to restore the system and resume normal operations. According to JAL, the cyberattack caused a heavy access load to the network equipment connecting internal and external offices from 7:24 a.m. that morning. The ...

  • Analyzing Malicious Intent in Python Code – A Case Study

    December 23, 2024

    Fortinet’s AI-driven OSS malware detection system recently identified two malicious packages: Zebo-0.1.0 on November 16, 2024, and Cometlogger-0.1 on November 24, 2024. Malicious software often masquerades as legitimate code, hiding its harmful features behind complex logic and obfuscation. In this analysis, Fortinet researchers examine the Python scripts behind these two packages, outline their malicious behaviors, and provide ...

  • Cloud Atlas seen using a new tool in its attacks

    December 23, 2024

    Known since 2014, Cloud Atlas targets Eastern Europe and Central Asia. We’re shedding light on a previously undocumented toolset, which the group used heavily in 2024. Victims get infected via phishing emails containing a malicious document that exploits a vulnerability in the formula editor (CVE-2018-0802) to download and execute malware code. When opened, the document downloads a ...