Ransomware attacks have become increasingly sophisticated in targeting various cloud services, including AWS S3 buckets. One emerging threat involves the use of AWS S3's Server-Side Encryption with Customer Provided Keys (SSE-C).
Understanding how ransomware exploits AWS S3 with SSE-C encryption is crucial not only to protect sensitive data but also to address the alarming rise of sophisticated attacks like Codefinger, which expose gaps in cloud security practices. The stakes are high—without action, organizations risk losing access to critical data and paying steep ransoms.
This blog will delve into how ransomware attacks exploit SSE-C encryption, the technical details behind these attacks, insights from the recent Codefinger ransomware attack, and how Varonis can help secure your sensitive data from these threats.
How ransomware exploits AWS S3 with SSE-C
Ransomware attacks on AWS S3 buckets typically begin with attackers obtaining compromised AWS credentials. Once inside, they use SSE-C to re-encrypt the data stored in S3 buckets under keys that only they hold.
SSE-C allows users to manage their own encryption keys, providing an additional layer of security. However, this feature can be exploited by attackers who use their own encryption keys to lock the data, making it inaccessible to the legitimate owners.
Here's a step-by-step breakdown of how these attacks unfold:
- Credential compromise: Attackers obtain AWS credentials through phishing, brute-force attacks, or exploiting vulnerabilities in applications.
- Access to S3 buckets: With the compromised credentials, attackers gain access to the target's S3 buckets.
- Encryption with SSE-C: Attackers use SSE-C to encrypt the data with their own AES-256 keys. Since AWS never stores SSE-C keys, only the attackers can decrypt the data.
- Ransom demand: The attackers then demand a ransom from the victim in exchange for the decryption keys.
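The sequence above leaves a trace in S3 data-event logging: a burst of object writes from one identity, each flagged as encrypted with a customer-provided key. The following is an added detection example, not code from this post or from Varonis. It runs over a constructed sample log shaped like CloudTrail S3 data events; the field names it reads (eventName, userIdentity.arn, additionalEventData.SSEApplied) are assumed here rather than quoted from the post.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log shaped like CloudTrail S3 data events. The field names
# (eventName, userIdentity.arn, additionalEventData.SSEApplied) follow the CloudTrail
# schema as understood here; they are an assumption, not logs quoted from the post.
def _ev(ts, name, actor, bucket, key, sse):
    return json.dumps({"eventTime": ts, "eventName": name,
                       "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{actor}"},
                       "requestParameters": {"bucketName": bucket, "key": key},
                       "additionalEventData": {"SSEApplied": sse}})
SAMPLE_LOG = "\n".join([
    _ev("2025-01-10T09:00:00Z", "PutObject", "app-uploader", "acme-reports", "daily/1.csv", "SSE_S3"),
    _ev("2025-01-10T09:01:00Z", "PutObject", "analyst", "acme-reports", "adhoc/x.csv", "SSE_C"),
    _ev("2025-01-10T09:10:00Z", "CopyObject", "backup-svc", "acme-reports", "daily/1.csv", "SSE_C"),
    _ev("2025-01-10T09:10:05Z", "CopyObject", "backup-svc", "acme-reports", "daily/2.csv", "SSE_C"),
    _ev("2025-01-10T09:10:09Z", "CopyObject", "backup-svc", "acme-finance", "ledger.db", "SSE_C"),
    _ev("2025-01-10T09:10:14Z", "CopyObject", "backup-svc", "acme-finance", "payroll.db", "SSE_C"),
])
WRITE_EVENTS = {"PutObject", "CopyObject"}

def parse_events(log_text):
    """Parse one JSON event per line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def is_sse_c_write(ev):
    """True for an object write whose server-side encryption used a customer-provided key."""
    return (ev.get("eventName") in WRITE_EVENTS
            and ev.get("additionalEventData", {}).get("SSEApplied") == "SSE_C")

def detect_sse_c_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Alert on identities performing >= threshold SSE-C writes inside one window.
    One SSE-C upload can be legitimate; a burst re-writing existing objects with a
    key AWS never stores is the pattern behind SSE-C ransomware."""
    by_actor = defaultdict(list)
    for ev in events:
        if is_sse_c_write(ev):
            ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            rp = ev["requestParameters"]
            by_actor[ev["userIdentity"]["arn"]].append((ts, rp["bucketName"], rp["key"]))
    alerts = []
    for actor, writes in by_actor.items():
        writes.sort()
        for i, (t0, _, _) in enumerate(writes):
            hits = [w for w in writes[i:] if w[0] - t0 <= window]
            if len(hits) >= threshold:  # report the first qualifying window only
                alerts.append({"actor": actor, "count": len(hits),
                               "buckets": sorted({w[1] for w in hits})})
                break
    return alerts
```

Tune the window and threshold to the bucket's normal write rate; a single SSE-C write from a human user may be worth a low-priority alert of its own, which the threshold parameter lets you express.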
Codefinger: A new era of ransomware
The Codefinger ransomware attack targeted the access credentials for Amazon S3 storage buckets, exploiting poor key management practices. It represents a new stage in the evolution of ransomware. Attackers used compromised AWS keys to encrypt data stored in S3 buckets and demanded a ransom for the decryption keys.
Several aspects of the Codefinger attack make it stand out:
- Attack vector: Unlike traditional ransomware attacks that involve planting malicious code, Codefinger leveraged access credentials to encrypt data.
- Changing role of backups: Off-site backups might not protect organizations if the backups themselves live in S3 buckets that the attacker has already encrypted.
Read our full breakdown of the Codefinger attack on our blog.
The technical lowdown: Unpacking SSE-C encryption
To understand the functionality and risks associated with SSE-C encryption, it’s important to examine its key processes and how they contribute to both security and potential vulnerabilities:
- Client-side key management: Users generate and manage their own encryption keys. This means that the keys are not stored in AWS, but rather managed by the user. This provides an additional layer of security, as the keys are not accessible through AWS's infrastructure.
- Data encryption process: When data is uploaded to an S3 bucket, AWS uses the provided key to encrypt the data using AES-256 encryption. AES-256 is a symmetric encryption algorithm that is widely regarded for its security and efficiency. The encryption process involves converting plaintext data into ciphertext using the encryption key, ensuring that the data cannot be read without the corresponding decryption key.
- Data decryption process: To retrieve the data, the same key must be provided to decrypt it. The decryption process involves converting the ciphertext back into plaintext using the decryption key. Since the keys are managed by the user, AWS does not store or manage these keys, making it crucial for users to securely manage and store their encryption keys.
While SSE-C provides robust security by allowing users to control their encryption keys, it also introduces risks if those keys fall into the wrong hands.
If an attacker obtains credentials that can write to the bucket, they can re-encrypt the data with their own keys, effectively locking out the legitimate owners and making the data inaccessible without the attacker's decryption keys.
Shielding your S3: Best practices for security
In addition to leveraging Varonis, here are some best practices to secure your AWS S3 buckets:
- Use multifactor authentication (MFA): Enable MFA for all AWS accounts to add an extra layer of security
- Implement least privilege access: Grant the minimum permissions necessary for users to perform the tasks needed for their role
- Rotate keys regularly: Rotate encryption keys and AWS credentials on a schedule to minimize the risk of compromise
- Audit and monitor: Continuously audit and monitor S3 bucket activities to detect and respond to suspicious behavior
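Least privilege can also be expressed at the bucket itself: a bucket policy can refuse any object write that carries a customer-provided key, so a stolen credential cannot be used to re-encrypt data with SSE-C. This is an added example, not code from this post or from Varonis; the S3 condition key s3:x-amz-server-side-encryption-customer-algorithm is real, while the small evaluator that mirrors IAM's Null operator is included here only to show how the condition behaves.

```python
import json

# Real S3 condition key, populated only when a request sends an SSE-C key header.
SSE_C_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"

def deny_sse_c_policy(bucket):
    """Bucket policy with one explicit Deny: any PutObject that carries an SSE-C
    header is refused. Null:"false" means 'the key is present in the request'."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyCustomerProvidedKeyEncryption",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"Null": {SSE_C_KEY: "false"}},
        }],
    }

def matches_null_condition(statement, context):
    """Local illustration of IAM's Null operator: context maps condition keys to the
    values a request supplied; a key missing from context counts as null."""
    for key, expect_absent in statement.get("Condition", {}).get("Null", {}).items():
        if (context.get(key) is None) != (expect_absent == "true"):
            return False
    return True

def put_object_denied(policy, bucket, key, context):
    """True if the policy's explicit Deny statements block a PutObject to bucket/key."""
    resource = f"arn:aws:s3:::{bucket}/{key}"
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or st["Action"] != "s3:PutObject":
            continue
        prefix = st["Resource"][:-1] if st["Resource"].endswith("*") else st["Resource"]
        if resource.startswith(prefix) and matches_null_condition(st, context):
            return True
    return False

def apply_policy(bucket):
    """Push the policy to S3 with boto3 (needs AWS credentials; not run offline)."""
    import boto3
    boto3.client("s3").put_bucket_policy(
        Bucket=bucket, Policy=json.dumps(deny_sse_c_policy(bucket)))
```

The Deny also blocks legitimate SSE-C uploads, so teams that rely on SSE-C by design should narrow the statement to the principals or prefixes that must never use it rather than applying it blindly.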
For more tips on securing your AWS environment, read our blog on preventing S3 bucket namesquatting.

Defending against ransomware
Varonis offers a comprehensive solution to detect and prevent ransomware attacks on AWS S3 buckets. With complex identity management, permissions, and access controls, it’s extremely difficult to secure AWS resources at scale.
Varonis gives you a comprehensive solution to protect AWS identity, storage, databases, warehouses, compute resources, and data from insider threats, cyberattacks, and exposure. Here’s how we can help:
- Monitoring and alerting: Varonis continuously monitors AWS S3 bucket activities to identify unusual access patterns and potential threats. If an unfamiliar IP address attempts to access your S3 buckets, Varonis alerts you immediately
- Behavioral analytics: By analyzing user behavior, Varonis can detect anomalies that may indicate a ransomware attack. This includes unusual file access patterns, such as a sudden spike in read/write operations
- Automated response: Varonis can automatically respond to detected threats by blocking suspicious activities and isolating affected resources to prevent further damage
- Detailed forensics: In the event of an attack, Varonis provides detailed forensic analysis to help you understand the scope of the breach and take corrective actions. If your organization has suffered a breach, please contact the Varonis IR Team for immediate assistance.
Stay ahead of the threat
Ransomware attacks on AWS S3 buckets using SSE-C encryption are a growing threat.
By understanding the mechanics of these attacks and implementing robust security measures, you can protect your data from being held hostage. Varonis provides the tools and expertise needed to detect, prevent, and respond to these threats, ensuring your cloud environment remains secure.
Find the Varonis Data Security Platform on the AWS Marketplace today.
What should I do now?
Below are three ways you can continue your journey to reduce data risk at your company:
Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.
See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.
Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.
