LockBit Imposter: New Ransomware Leverages AWS for Attacks

AWS S3
The sample’s attack flow | Image: Trend Micro

In a detailed report by Trend Micro, cybersecurity researchers uncovered a sophisticated ransomware operation abusing Amazon Web Services (AWS) infrastructure to steal sensitive data. The ransomware, while mimicking the notorious LockBit ransomware family, is an entirely different entity that leverages AWS services to carry out its nefarious activities.

According to the Trend Micro report, this new ransomware appears to imitate LockBit, a well-known name in the ransomware ecosystem, to mislead victims into believing they are being attacked by a more prominent group. “By the tail end of the attack, the device’s wallpaper is changed into an image mentioning LockBit,” states the report. This tactic increases pressure on victims to comply with ransom demands, given LockBit’s notorious reputation.

LockBit Ransomware - Golang ransomware

Image: Trend Micro

However, Trend Micro’s analysis shows that this ransomware is not LockBit but rather a new strain that uses Amazon S3 to exfiltrate data. The attackers take advantage of AWS features such as S3 Transfer Acceleration (S3TA) to upload victim data to S3 buckets under their control, allowing for faster data transfers over long distances. The report explains, “S3TA enables users to achieve faster data transfer over long distancesThe ransomware creates an Amazon S3 bucket on the attacker-controlled AWS account using the hard-coded pair of credentials.”

One of the most alarming findings of this ransomware campaign is the use of hard-coded AWS credentials within the ransomware code itself. Trend Micro found that these credentials are being used to create S3 buckets and exfiltrate stolen data. “Most of the samples contained hard-coded AWS credentials, and the stolen data were uploaded to an Amazon S3 bucket controlled by the threat actor,” the report notes.

This technique enables attackers to bypass traditional network defenses and use legitimate cloud services to facilitate data theft. As cloud infrastructure becomes more integral to businesses, it also provides attackers with new avenues to exploit. The ransomware not only encrypts files but also uploads them to the cloud, making recovery more difficult for victims.

What sets this ransomware apart is its multiplatform nature. Written in the Go programming language (Golang), it is capable of targeting both Windows and macOS environments. Golang’s cross-platform capabilities allow threat actors to develop ransomware that can infect a wide range of systems. The Trend Micro analysis highlights this, stating, “Golang provides developers with a single code base that can compile with dependencies for multiple different platforms.”

This makes the ransomware extremely versatile and difficult to contain, as it can easily spread across different operating systems and network environments.

While AWS has suspended the access keys used by this ransomware, Trend Micro advises organizations to remain vigilant. Beyond updating software, organizations should also review remote access policies, ensuring that only trusted users have access to critical systems.

Additionally, tracking AWS Account IDs linked to malicious activities can be a valuable indicator of compromise (IOC). By monitoring these account identifiers, organizations can better detect and respond to potential cloud-based threats.

Related Posts: