
Ransomware Groups Use LockBit’s Name in Recent Attacks

Threat actors have been seen exploiting Amazon S3’s Transfer Acceleration feature in ransomware attacks, using it to exfiltrate victim data and store it in S3 buckets they control.

According to Trend Micro researchers Jaromir Horejsi and Nitesh Surana, attempts were made to pass off the Golang ransomware as the infamous LockBit ransomware. However, the attackers appear to be leveraging LockBit’s notoriety to apply additional pressure on their victims, rather than actually using it.

The ransomware was found to contain embedded, hard-coded AWS credentials, enabling data exfiltration to the cloud. This signals that adversaries are increasingly turning to popular cloud services like AWS to carry out malicious operations.

The AWS account used in the campaign may belong to the attackers themselves or could have been compromised. After responsible disclosure to AWS, the access keys and accounts identified were promptly suspended.

Trend Micro uncovered over 30 ransomware samples containing AWS Access Key IDs and Secret Access Keys, indicating ongoing development. The ransomware targets both Windows and macOS systems.
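Samples like the ones described above can be triaged for embedded AWS credentials before any detonation: an IAM access key ID has a fixed 20-character shape, so a byte-level scan of a binary's strings is enough to flag it and to hunt for a 40-character secret nearby. The scanner below is an added example for this article, not Trend Micro's tooling; the sample "binary" is a constructed byte blob, and the credential values in it are the placeholder keys from AWS's own documentation, not live secrets.

```python
import re

# Constructed sample: a few bytes mimicking the data section of a compiled
# binary with credentials baked in. The key ID and secret are the example
# values AWS uses in its documentation, not real credentials.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"some strings\x00"
    + b"AKIAIOSFODNN7EXAMPLE\x00"
    + b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"us-east-1\x00"
    + b"bucket-name-placeholder\x00"
    + b"\x00" * 32
)

# Access key IDs are 20 characters: a 4-character prefix (AKIA for long-term
# user keys, ASIA for temporary STS keys) plus 16 upper-case alphanumerics.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# Secret access keys are 40 characters from the base64 alphabet. Alone this
# pattern is far too noisy, so it is only applied in a window around a key ID.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
WINDOW = 256  # bytes searched on either side of a key ID for a secret


def find_aws_credentials(data: bytes) -> list[dict]:
    """Return every access key ID in `data` with nearby secret candidates."""
    findings = []
    for m in ACCESS_KEY_RE.finditer(data):
        start = max(0, m.start() - WINDOW)
        end = min(len(data), m.end() + WINDOW)
        neighbourhood = data[start:end]
        secrets = [s.group(0).decode("ascii") for s in SECRET_RE.finditer(neighbourhood)]
        findings.append({
            "access_key_id": m.group(0).decode("ascii"),
            "offset": m.start(),
            "key_type": "long-term" if m.group(1) == b"AKIA" else "temporary",
            "secret_candidates": secrets,
        })
    return findings


def scan_file(path: str) -> list[dict]:
    """Scan a file on disk; the sample's code never executes, only its bytes are read."""
    with open(path, "rb") as fh:
        return find_aws_credentials(fh.read())


if __name__ == "__main__":
    for hit in find_aws_credentials(SAMPLE_BINARY):
        print(hit)
```

A hit with a secret candidate beside it is the cue to report the key to AWS (as the researchers did here) and to check CloudTrail for the account it belongs to; a key ID alone is still worth reporting, since temporary `ASIA` keys in a sample usually point at a compromised role session rather than an attacker-owned account.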

Although it’s unclear how the cross-platform ransomware is initially delivered, once executed, it retrieves the machine’s unique identifier (UUID) and performs a series of actions to create the master key required to encrypt files.

Before encrypting files, the attackers exfiltrate them to AWS using S3 Transfer Acceleration (S3TA) for faster data transfer. The encryption process involves renaming the files with an appended initialization vector and a unique “.abcd” extension—for example, the file “text.txt” becomes “text.txt.e5c331611dd7462f42a5e9776d2281d3.abcd.”
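The renaming scheme gives defenders a cheap file-system indicator: every encrypted file ends in 32 hex digits (a 16-byte IV, one AES block) followed by `.abcd`. The parser below is an added example, not code from the article or from the ransomware; it pulls the original name and the IV back out of a renamed file and raises an alert when a directory listing crosses a chosen proportion of such names. The listing is constructed, and the one real name in it is the "text.txt" example from the article.

```python
import re
from dataclasses import dataclass

# "<original name>.<32 hex digits>.abcd": the encryptor appends the per-file
# IV in hex and then the ".abcd" extension. 32 hex digits is 16 bytes, the
# AES block size, which is the IV length one would expect for a CBC-style mode.
ENCRYPTED_NAME_RE = re.compile(r"^(?P<orig>.+)\.(?P<iv>[0-9a-fA-F]{32})\.abcd$")


@dataclass
class EncryptedFile:
    name: str           # the name as found on disk
    original_name: str  # name before the IV and extension were appended
    iv: bytes           # the 16-byte IV recovered from the filename


def parse_encrypted_name(name: str):
    """Return an EncryptedFile for a renamed file, or None if the name doesn't fit."""
    m = ENCRYPTED_NAME_RE.match(name)
    if not m:
        return None
    return EncryptedFile(name, m.group("orig"), bytes.fromhex(m.group("iv")))


def scan_listing(names, alert_ratio=0.25):
    """Parse every name; alert when at least `alert_ratio` of them are encrypted."""
    hits = [e for e in (parse_encrypted_name(n) for n in names) if e is not None]
    ratio = len(hits) / len(names) if names else 0.0
    return hits, ratio >= alert_ratio


# Constructed directory listing: two renamed files, one untouched file, and
# two look-alikes that must not match (".abcd" without an IV, non-hex "IV").
SAMPLE_LISTING = [
    "text.txt.e5c331611dd7462f42a5e9776d2281d3.abcd",
    "report.docx.0123456789abcdef0123456789abcdef.abcd",
    "notes.txt",
    "archive.abcd",
    "image.png.ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ.abcd",
]

if __name__ == "__main__":
    hits, alert = scan_listing(SAMPLE_LISTING)
    for h in hits:
        print(f"{h.name} -> original={h.original_name} iv={h.iv.hex()}")
    print("alert:", alert)
```

Recovering the IV from the name is only useful once a decryptor exists for the key; until then the value of the check is the alert itself, which fires on the first batch of renames rather than on the wallpaper change at the end of the run.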

In its final stage, the ransomware changes the device’s wallpaper, displaying a message mentioning LockBit 2.0 in an effort to coerce victims into paying the ransom.

Trend Micro researchers highlighted that attackers may disguise ransomware as a more notorious variant to intimidate victims, making them more likely to comply with ransom demands. The notoriety of prominent ransomware campaigns amplifies the pressure on victims to act.

Meanwhile, Gen Digital recently released a decryptor for a Mallox ransomware variant, exploiting a flaw in its cryptographic structure. This variant was observed in attacks from January 2023 to February 2024.


Victims attacked by this particular variant of Mallox ransomware may have the chance to recover their files for free, according to researcher Ladislav Zezula. He noted that the flaw in the encryption scheme was patched in March 2024, meaning that files encrypted by later Mallox versions can no longer be decrypted using the flaw.

Additionally, an affiliate of the Mallox operation, also referred to as TargetCompany, has been found using a modified version of the Kryptina ransomware—dubbed Mallox v1.0—to compromise Linux systems.

SentinelOne researcher Jim Walter remarked that these Kryptina-based variants of Mallox are affiliate-specific, distinct from other Linux Mallox versions, which reflects the complexity of today’s ransomware landscape. He emphasized that the ecosystem has become a “menagerie of cross-pollinated toolsets and non-linear codebases.”

Ransomware continues to pose a significant threat, with 1,255 attacks recorded in the third quarter of 2024, down from 1,325 in the previous quarter, according to Symantec’s analysis of ransomware leak site data.

Microsoft’s Digital Defense Report, covering June 2023 to June 2024, noted a 2.75x increase in human-operated ransomware encounters year-over-year. Interestingly, the percentage of attacks reaching the encryption phase has dropped threefold over the past two years.

LockBit’s decline following a law enforcement takedown in February 2024 has allowed other groups, such as RansomHub, Qilin (also known as Agenda), and Akira, to rise in prominence. Notably, Akira reverted to its double extortion tactics after briefly experimenting with only data exfiltration and extortion in early 2024.

During this time, Talos observed Akira ransomware-as-a-service (RaaS) operators developing a Rust variant of their ESXi encryptor, steadily improving its functionality while moving away from C++ and experimenting with different coding approaches.

Akira attacks have increasingly relied on compromised VPN credentials and newly disclosed security flaws to infiltrate networks, escalate privileges, and move laterally to strengthen their foothold in compromised environments.

Among the vulnerabilities exploited by Akira affiliates are the following:

According to Talos researchers James Nutland and Michael Szeliga, Akira has targeted numerous organizations in 2024, particularly those in the manufacturing, professional, scientific, and technical services sectors.

They also suggested that Akira might be shifting away from its Rust-based Akira v2 variant and reverting to previous tactics, including the use of C++ for its Windows and Linux encryptors.

Source: TheHackerNews
