Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data


From infostealer development to data exfiltration, cloud service providers are increasingly being abused by threat actors for malicious schemes. While in this case the ransomware samples we examined contained hard coded AWS credentials, this is specific to this single threat actor and in general, ransomware developers leverage other online services as part of their tactics.

In line with this, Trend Micro examined ransomware samples written in Go language (aka Golang), targeting Windows and MacOS environments. Most of the samples contained hard-coded AWS credentials, and the stolen data were uploaded to an Amazon S3 bucket controlled by the threat actor.

Read more…
Source: Trend Micro


Sign up for our Newsletter


Related:

  • Shin Bet finds 200 Iranian cyberattacks on Israeli personalities

    December 2, 2024

    In recent months, the Shin Bet (Israel Security Agency) has uncovered some 200 efforts made by Iranian hackers to target Israeli civilians, the Shin Bet stated on Monday. The hacking was conducted via phishing attempts against various individuals, including Israeli politicians, academics, and media personalities, the security agency added. The hackers reportedly looked to gain access ...

  • No company too small for Phobos ransomware gang, indictment reveals

    December 2, 2024

    The US Department of Justice has charged a Russian national named Evgenii Ptitsyn with selling, operating, and distributing a ransomware variant known as “Phobos” during a four-year cybercriminal campaign that extorted at least $16 million from victims across the world. The government’s indictment against Ptitsyn should dispel any notion that ransomware gangs only target the largest, ...

  • RansomHub claims to net data hat-trick against Bologna FC

    November 30, 2024

    Italian professional football club Bologna FC is allegedly a recent victim of the RansomHub cybercrime gang, according to the group’s dark web postings. The ransomware crims responsible for attacks on organizations including Planned Parenthood and Christie’s – the same crew thought to have picked up LockBit’s top talent post-disruption – posted an extensive collection of data ...

  • Some London commuters may never be refunded after TfL cyber attack

    November 30, 2024

    Sadiq Khan has admitted victims of a Transport for London (TfL) cyber attack may never get their money back. Tens of thousands of Londoners are feared to have been left out of pocket after hackers gained access to the travel authority’s systems in September. The aftermath of the hack meant over-60s, children and students were unable to ...

  • Pakistan: Severe Cyber Attack at Dewan Farooque Motors Corrupts Data and Crashes Servers

    November 30, 2024

    A  cyber-attack crippled Dewan Farooque Motors Limited (DFML), corrupting key corporate data and crashing servers. The Pakistan Stock Exchange (PSX) received notice of the incident on Friday. DFML told stakeholders that restoring its information systems and financial data, including information from the first quarter ending September 30, 2024, will be a lengthy process. Read more… Source: ProPakistan News Sign ...

  • Another background check company suffered data breach with over 600,000 people details exposed

    November 29, 2024

    Another background check company suffered a data breach; this time, more than 600,000 people were affected. It’s a minor breach compared with the 2.9 billion people hit by the National Public Data hack, but it’s still scary. The company in question, SL Data Services, was discovered online. It was publicly exposed and not password-protected or encrypted. ...