
Huge ransomware campaign targets AWS S3 storage: attackers have thousands of keys

A massive database of over 1,200 unique Amazon Web Services (AWS) access keys has been amassed and exploited in a ransomware campaign. Administrators of exposed AWS S3 buckets are finding their files encrypted except for a ransom note demanding payment in bitcoin.

[Image: AWS S3 buckets, storage under attack. Image by Cybernews.]

Ernestas Naprys, Senior Journalist
Apr 16, 2025. Updated: 28 July 2025. 4 min read

Key Takeaways

  • 158M+ leaked AWS key records were found, pointing to 1,229 unique credentials. Working AWS keys allowed S3 bucket listing and retrieval of ransom demands.
  • Ransom notes indicate files were encrypted using Server Side Encryption with Customer Provided Keys (SSE-C).
  • The extortion amount was 0.3 BTC (~$25,000) per victim.

Some victims are still unaware


How did the hackers collect the AWS keys?

  1. AWS keys leaking from public code repositories: secret credentials are often mistakenly committed to GitHub, Bitbucket, and similar platforms. Attackers then use tools like TruffleHog, Gitleaks, and others to scrape these repositories for secrets.
  2. Insecure CI/CD (Continuous Integration and Continuous Deployment) tools: Jenkins or GitLab runners often store AWS keys. These keys might have been exposed due to misconfigured deployments or weak credentials.
  3. Misconfigured .env and config.php or JSON config files in Web Apps: these files are supposed to be secret, but due to misconfigurations, they might leak credentials.
  4. Leaks and breaches: compromised developer tools, cloud dashboards, or password managers could be a source. Hackers can harvest credentials from illicit marketplaces.
  5. Old or forgotten Identity and Access Management (IAM) users: rarely rotated and long-lived credentials for inactive IAM users are too common in many cloud environments. They are prime targets for silent attacks.

Protect your cloud storage buckets

  • Audit all IAM credentials immediately. Disable unused keys and rotate active ones.
  • Implement AWS Config and GuardDuty to detect suspicious access patterns.
  • Use automated tools to scan public repos for leaked secrets.
  • Enforce short-lived tokens and remove hardcoded credentials from apps.
  • Apply least privilege principles for all IAM roles.
  • Monitor for new or unknown files like warning.txt in buckets.
  • Configure policies to restrict SSE-C usage and enable detailed logging to detect unusual activity.
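The last two recommendations, detection of ransom-note file names and restriction of SSE-C, as an added example that is not from the article or from AWS: it scans constructed CloudTrail S3 data-event records (the `x-amz-server-side-encryption-customer-algorithm` request parameter and the `SSEApplied` field are assumed to be how CloudTrail records an SSE-C write) and builds a bucket policy that denies any upload carrying a customer-provided key. Access key IDs and bucket names below are constructed placeholders.

```python
import json

# Constructed CloudTrail S3 data-event records (sample input, not real logs).
# Field names used to spot SSE-C are an assumption about CloudTrail's format.
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00001"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q1.csv",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "CopyObject", "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00001"},
     "requestParameters": {"bucketName": "example-bucket", "key": "reports/q2.csv",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"}},
    {"eventName": "PutObject", "userIdentity": {"accessKeyId": "AKIACONSTRUCTED00001"},
     "requestParameters": {"bucketName": "example-bucket", "key": "warning.txt"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
]

RANSOM_NOTE_NAMES = {"warning.txt"}  # the note name the article mentions; extend as needed

def uses_sse_c(event):
    """True when an object write supplied a customer-provided key (SSE-C)."""
    params = event.get("requestParameters", {})
    extra = event.get("additionalEventData", {})
    return (params.get("x-amz-server-side-encryption-customer-algorithm") is not None
            or extra.get("SSEApplied") == "SSE_C")

def flag_events(events):
    """Return (access key id, event name, object key, reason) for each suspicious write."""
    findings = []
    for ev in events:
        if ev.get("eventName") not in ("PutObject", "CopyObject"):
            continue  # only object writes can re-encrypt or drop a note
        key_id = ev.get("userIdentity", {}).get("accessKeyId", "?")
        obj = ev.get("requestParameters", {}).get("key", "")
        if uses_sse_c(ev):
            findings.append((key_id, ev["eventName"], obj, "sse-c write"))
        if obj.rsplit("/", 1)[-1].lower() in RANSOM_NOTE_NAMES:
            findings.append((key_id, ev["eventName"], obj, "ransom-note name"))
    return findings

def deny_sse_c_policy(bucket):
    """Bucket policy denying any PutObject whose request carries an SSE-C algorithm header."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenySSECUploads", "Effect": "Deny", "Principal": "*",
        "Action": "s3:PutObject", "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}]}

if __name__ == "__main__":
    for finding in flag_events(SAMPLE_EVENTS):
        print(*finding)
    print(json.dumps(deny_sse_c_policy("example-bucket"), indent=2))
```

Attach the policy before rotating keys so a still-valid leaked credential cannot re-encrypt objects with a key you do not hold; the deny also covers CopyObject, which is authorised as s3:PutObject on the destination.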