Major Ransomware Breach at Amazon—What You Need to Know


A ransomware campaign that Halcyon has dubbed "Codefinger" is actively targeting Amazon Web Services (AWS) customers. Rather than exploiting a flaw in AWS, it uses stolen account credentials to turn one of the platform's own encryption features against the account owner, holding data stored in Amazon S3 hostage. The attack, first identified in early January 2025, represents a concerning evolution in ransomware tactics.


According to research from Halcyon's threat intelligence team, the attackers abuse S3's Server-Side Encryption with Customer-Provided Keys (SSE-C) feature using a key that only they hold. S3 never stores an SSE-C key; it keeps only a salted HMAC of the key to validate later requests, so neither AWS nor the victim can recover the data without the attacker's key or an independent backup. "This ransomware campaign is particularly dangerous because of SSE-C's design," explains the Halcyon research team, noting that the integration with AWS's secure encryption infrastructure makes traditional recovery methods ineffective.

The campaign has already claimed at least two victims, both software developers using AWS services. What makes this attack notable is its methodology. Rather than encrypting files on a compromised host, as traditional ransomware does, Codefinger calls the S3 API with the victim's own credentials. Having obtained AWS access keys through various means, including phishing and credential reuse, the attackers re-encrypt existing objects under SSE-C with an AES-256 key of their choosing, apply an S3 lifecycle rule that schedules the objects for deletion within seven days, and leave a ransom note demanding payment before that deadline to prevent permanent loss.
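As an added example (not code from the article, Halcyon or AWS), the following Python scans CloudTrail records for exactly that sequence: object writes that carry the SSE-C algorithm header, followed by a lifecycle rule that expires the same bucket's objects within days. The record layout follows the CloudTrail S3 event format as assumed here, and every record, bucket name and ARN is constructed for the example.

```python
"""Flag the Codefinger pattern in CloudTrail: SSE-C re-encryption of existing
objects followed by a short-expiry lifecycle rule on the same bucket.

Added example; the record layout follows the CloudTrail S3 event format as
assumed here, and every record below is constructed, not taken from a real
incident. S3 data events must be enabled for PutObject/CopyObject to appear.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SSEC_ALGO = "x-amz-server-side-encryption-customer-algorithm"
MAX_EXPIRY_DAYS = 14                  # lifecycle expirations at or under this are suspicious
CORRELATION_WINDOW = timedelta(hours=24)


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def ssec_writes(records):
    """[(bucket, principal_arn, time, key)] for PutObject/CopyObject calls that supplied an SSE-C key."""
    out = []
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") not in ("PutObject", "CopyObject"):
            continue
        params = rec.get("requestParameters") or {}
        # SSE-S3 and SSE-KMS use x-amz-server-side-encryption instead; only the
        # customer-key variant gives the attacker a key nobody else holds.
        if params.get(SSEC_ALGO) != "AES256":
            continue
        out.append((params.get("bucketName"), rec["userIdentity"]["arn"], _ts(rec), params.get("key")))
    return out


def short_expiry_lifecycles(records, max_days=MAX_EXPIRY_DAYS):
    """[(bucket, principal_arn, time, days)] for enabled lifecycle rules expiring objects within max_days."""
    out = []
    for rec in records:
        if rec.get("eventName") not in ("PutBucketLifecycle", "PutBucketLifecycleConfiguration"):
            continue
        params = rec.get("requestParameters") or {}
        rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
        if isinstance(rules, dict):              # one rule logs as a dict, several as a list (assumed)
            rules = [rules]
        for rule in rules:
            days = (rule.get("Expiration") or {}).get("Days")
            if rule.get("Status") == "Enabled" and days is not None and days <= max_days:
                out.append((params.get("bucketName"), rec["userIdentity"]["arn"], _ts(rec), days))
    return out


def analyze(records):
    """One finding per bucket with SSE-C writes; 'high' when the same principal
    also set a short expiry on that bucket within CORRELATION_WINDOW."""
    writes = defaultdict(list)
    for bucket, arn, when, key in ssec_writes(records):
        writes[bucket].append((arn, when, key))
    findings = []
    for bucket, ws in sorted(writes.items()):
        expiry = None
        for lc_bucket, lc_arn, lc_when, days in short_expiry_lifecycles(records):
            if lc_bucket == bucket and any(arn == lc_arn and abs(when - lc_when) <= CORRELATION_WINDOW
                                           for arn, when, _ in ws):
                expiry = days
        findings.append({"bucket": bucket,
                         "severity": "high" if expiry is not None else "medium",
                         "principals": sorted({arn for arn, _, _ in ws}),
                         "objects": len(ws),
                         "expires_in_days": expiry})
    return findings


def _rec(name, when, arn, **params):
    return {"eventSource": "s3.amazonaws.com", "eventName": name, "eventTime": when,
            "userIdentity": {"arn": arn}, "requestParameters": params}


# Constructed sample: a stolen CI key re-encrypts two backups in place, then
# schedules them for deletion in 7 days; unrelated routine activity is mixed in.
STOLEN = "arn:aws:iam::111122223333:user/ci-deploy"
ALICE = "arn:aws:iam::111122223333:user/alice"
SAMPLE_RECORDS = [
    _rec("CopyObject", "2025-01-10T02:11:05Z", STOLEN, bucketName="prod-backups", key="db/2025-01-09.dump",
         **{"x-amz-copy-source": "prod-backups/db/2025-01-09.dump", SSEC_ALGO: "AES256"}),
    _rec("CopyObject", "2025-01-10T02:11:06Z", STOLEN, bucketName="prod-backups", key="db/2025-01-08.dump",
         **{"x-amz-copy-source": "prod-backups/db/2025-01-08.dump", SSEC_ALGO: "AES256"}),
    _rec("PutBucketLifecycle", "2025-01-10T02:15:40Z", STOLEN, bucketName="prod-backups",
         LifecycleConfiguration={"Rule": {"ID": "cleanup", "Status": "Enabled", "Expiration": {"Days": 7}}}),
    _rec("PutObject", "2025-01-10T03:00:00Z", ALICE, bucketName="prod-backups", key="db/2025-01-10.dump",
         **{"x-amz-server-side-encryption": "AES256"}),          # SSE-S3: routine, not flagged
    _rec("PutBucketLifecycle", "2025-01-09T09:00:00Z", ALICE, bucketName="app-logs",
         LifecycleConfiguration={"Rule": {"ID": "retain", "Status": "Enabled", "Expiration": {"Days": 365}}}),
    _rec("PutObject", "2025-01-10T04:20:00Z", ALICE, bucketName="dev-scratch", key="test.bin",
         **{SSEC_ALGO: "AES256"}),                                 # SSE-C with no expiry: worth a look
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_RECORDS):
        print(finding)
```

Run as written it prints a medium finding for dev-scratch and a high one for prod-backups. In an environment that legitimately uses SSE-C, tighten the medium rule to known principals; the high rule, SSE-C plus a short expiry from the same identity, has no routine explanation.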


Security researcher Darren James from Specops Software warns: “Organizations without robust credential management practices remain extremely vulnerable to these types of attacks. The sophistication of this campaign demonstrates how attackers are increasingly targeting cloud infrastructure.”

The campaign has also been linked in reporting to a large-scale scanning operation that identified vulnerable endpoints across 26.8 million AWS IP addresses. Those attackers exploited misconfigured public websites and applications and stole over 2 TB of sensitive data, the kind of exposure that puts valid AWS credentials into criminal hands.

To protect against similar attacks, AWS has recommended several immediate actions for customers:

  • Implement strong authentication, including unique passwords and multi-factor authentication (MFA)
  • Regularly audit access permissions to cloud resources
  • Maintain offline backups of critical data
  • Enable AWS CloudTrail (with S3 data events, so that object-level calls such as PutObject and CopyObject are recorded) and S3 server access logs for monitoring
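The caveat a practitioner would add is that SSE-C itself can be refused: S3 exposes the request's SSE-C algorithm header as a bucket-policy condition key, and a Deny on it stops the re-encryption step for every caller, stolen credentials included, while versioning, Object Lock and MFA Delete keep an in-place overwrite and a lifecycle expiration from destroying the only copy. As an added example (not AWS's or the article's code), this Python emits that policy, checks an existing policy for it, and reports which of those recovery controls a bucket lacks. The settings dict layout and the bucket names are constructed for the example.

```python
"""Harden a bucket against Codefinger-style SSE-C re-encryption: a bucket policy
that refuses SSE-C writes, a checker for existing policies, and a posture
check for the recovery controls that make such an attack reversible.

Added example, not code from AWS or Halcyon. The condition key and the Null
operator are the ones documented for S3 bucket policies; the bucket names and
the 'settings' dict layout are placeholders constructed for this example.
"""
import json

SSEC_KEY = "s3:x-amz-server-side-encryption-customer-algorithm"


def deny_ssec_statement(bucket):
    """Deny any object write that carries an SSE-C algorithm header.

    CopyObject is authorized as s3:PutObject on the destination, so this also
    blocks the in-place re-encryption the attack relies on. Principal '*' makes
    the Deny apply to every caller, including the account's own administrators.
    """
    return {
        "Sid": "DenySSECWrites",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
        # Null=false means "the key IS present in the request", i.e. SSE-C was used.
        "Condition": {"Null": {SSEC_KEY: "false"}},
    }


def build_policy(bucket):
    """Full bucket policy document as a JSON string ready for put-bucket-policy."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [deny_ssec_statement(bucket)]}, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_denies_ssec(policy):
    """True if a Deny statement blocks s3:PutObject whenever an SSE-C header is present."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Deny":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"s3:putobject", "s3:*", "*"}:
            continue
        cond = stmt.get("Condition", {})
        present = str(cond.get("Null", {}).get(SSEC_KEY, "")).lower() == "false"
        named = (cond.get("StringEquals", {}).get(SSEC_KEY) == "AES256"
                 or cond.get("StringLike", {}).get(SSEC_KEY) == "*")
        if present or named:
            return True
    return False


def posture_gaps(settings):
    """List the controls a bucket is missing; an empty list means hardened.

    'settings' mirrors what the describe-style API calls return, reduced to
    the fields that matter here (constructed layout, see module docstring).
    """
    gaps = []
    if settings.get("versioning") != "Enabled":
        gaps.append("versioning off: an in-place SSE-C copy overwrites the only copy")
    if not settings.get("object_lock"):
        gaps.append("Object Lock off: nothing stops a lifecycle rule from expiring the objects")
    if not policy_denies_ssec(settings.get("policy") or {}):
        gaps.append("bucket policy permits SSE-C writes")
    if not settings.get("mfa_delete"):
        gaps.append("MFA Delete off: stolen keys alone can purge prior versions")
    return gaps


# Constructed bucket descriptions: one typical, one with every control in place.
WEAK_BUCKET = {
    "versioning": "Suspended", "object_lock": False, "mfa_delete": False,
    "policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/reporting"},
        "Action": "s3:GetObject", "Resource": "arn:aws:s3:::prod-backups/*"}]},
}
HARDENED_BUCKET = {
    "versioning": "Enabled", "object_lock": True, "mfa_delete": True,
    "policy": json.loads(build_policy("prod-backups")),
}

if __name__ == "__main__":
    print(build_policy("prod-backups"))
    print("weak:", posture_gaps(WEAK_BUCKET))
    print("hardened:", posture_gaps(HARDENED_BUCKET))
```

Apply the Deny only after confirming from CloudTrail that no workload uses SSE-C on that bucket; where one does, scope the statement with a condition on the principal instead of dropping it.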

“This incident represents a significant evolution in ransomware capabilities,” notes AWS’s security team. “We strongly advise customers to review their security configurations and implement recommended protection measures immediately.”

The Codefinger campaign has sparked renewed discussions about ransomware payment policies, with cybersecurity experts and government officials debating the need for stricter regulations around ransom payments. As this situation develops, organizations are advised to remain vigilant and prioritize their cloud security measures.

By Adediran Ayomide Taiwo

I am an experienced SEO content writer with a strong focus on technology, lifestyle, health, and wellness. With a passion for crafting engaging, well-researched articles, I excel at creating content that ranks high on search engines while providing readers with valuable insights. Whether writing about the latest tech trends, lifestyle tips, or health and wellness advice, I combine creativity with SEO strategies to produce compelling and optimized content. Adept at balancing readability and keyword optimization, I help brands and businesses connect with their target audiences effectively.
