Fake LockBit, Real Damage: Ransomware Samples Abuse AWS S3 to Steal Data


From infostealer development to data exfiltration, cloud service providers are increasingly being abused by threat actors for malicious schemes. While in this case the ransomware samples we examined contained hard coded AWS credentials, this is specific to this single threat actor and in general, ransomware developers leverage other online services as part of their tactics.

In line with this, Trend Micro examined ransomware samples written in Go language (aka Golang), targeting Windows and MacOS environments. Most of the samples contained hard-coded AWS credentials, and the stolen data were uploaded to an Amazon S3 bucket controlled by the threat actor.

Read more…
Source: Trend Micro


Sign up for our Newsletter


Related:

  • The Rise of Physical Crime in the Cybercrime Underground

    January 14, 2019

    While underground forums have long been the purview of digital or internet-enabled crimes, recent developments have shown signs of increasing synergy and interaction between traditional criminals and cybercrime actors. Given the nature of the underground, it shouldn’t be a surprise that even traditional criminals communicate and even sell their wares via these underground forums. Is it ...

  • Ryuk Ransomware Partners with TrickBot to Gain Access to Infected Networks

    January 12, 2019

    Historically, Ryuk has been considered a targeted ransomware that scopes out a target, gained access via Remote Desktop Services or other direct methods, stole credentials, and then targeted high profile data and servers to extort the highest ransom amount possible. Ryuk has been a high profile ransomware due to its wide impact on the networks it infects, high ransom ...

  • A Zebrocy Go Downloader

    January 11, 2019

    Last year at SAS2018 in Cancun, Mexico, “Masha and these Bears” included discussion of a subset of Sofacy activity and malware that we call “Zebrocy”, and predictions for the decline of SPLM/XAgent Sofacy activity coinciding with the acceleration of Zebrocy activity and innovation. Zebrocy was initially introduced as a Sofacy backdoor package in 2015, but the Zebrocy ...

  • TA505 Crime Gang Debuts Brand-New ServHelper Backdoor

    January 11, 2019

    The latest malware from TA505 has been seen targeting banks, retailers and restaurants with two different versions. A new backdoor named ServHelper has been spotted in the wild, acting as both a remote desktop agent as well as a downloader for a RAT called FlawedGrace. According to Proofpoint, the prolific cybercriminal gang known as TA505 developed ServHelper, which has ...

  • ‘Unprecedented’ DNS Hijacking Attacks Linked to Iran

    January 10, 2019

    The attacks, targeting several countries to redirect traffic and harvest credentials, have been linked to Iran. A wave of DNS hijacking attacks targeting victims in North America, Europe, Middle East and North Africa have been linked to Iran. The attacks, which have been ongoing over the past two years, have had “a high degree of success” ...

  • New tool automates phishing attacks that bypass 2FA

    January 9, 2019

    A new penetration testing tool published at the start of the year by a security researcher can automate phishing attacks with an ease never seen before and can even blow through login operations for accounts protected by two-factor authentication (2FA). Named Modlishka –the English pronunciation of the Polish word for mantis– this new tool was created ...