Threat actors have been observed abusing the Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload it to S3 buckets under their control.
"Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. "However, such is not the case, and the attacker only seems to be capitalizing on LockBit's notoriety to further tighten the noose on their victims."
The ransomware artifacts have been found to embed hard-coded Amazon Web Services (AWS) credentials to facilitate data exfiltration to the cloud, a sign that adversaries are increasingly weaponizing popular cloud service providers for malicious schemes.
The AWS account used in the campaign is presumed to be either their own or compromised. Following responsible disclosure to the AWS security team, the identified AWS access keys and accounts have been suspended.
Trend Micro said it detected more than 30 samples with the AWS Access Key IDs and the Secret Access Keys embedded, signaling active development. The ransomware is capable of targeting both Windows and macOS systems.
It's not exactly known how the cross-platform ransomware is delivered to a target host, but once it's executed, it obtains the machine's universal unique identifier (UUID) and carries out a series of steps to generate the master key required for encrypting the files.
The initialization step is followed by the attacker enumerating the root directories and encrypting files matching a specified list of extensions, but not before exfiltrating them to AWS via S3 Transfer Acceleration (S3TA) for faster data transfer.
"After the encryption, the file is renamed according to the following format: <original file name>.<initialization vector>.abcd," the researchers said. "For instance, the file text.txt was renamed to text.txt.e5c331611dd7462f42a5e9776d2281d3.abcd."
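Two of the details above give defenders something concrete to look for: the rename format `<original file name>.<initialization vector>.abcd`, and the hard-coded AWS access keys embedded in the samples. The following Python is an added example (not Trend Micro's code or tooling) that checks a directory listing for the rename pattern and scans a binary blob for embedded AWS credential pairs. It assumes the IV is always 32 hex characters, as in the single quoted sample, and uses AWS's documented example key pair plus a constructed strings table as test input; none of that data comes from the actual malware.

```python
import re

# Filename pattern the researchers describe:
#   <original file name>.<initialization vector>.abcd
# The quoted sample's IV is 32 hex characters (16 bytes); treating that length
# as fixed is an assumption based on that one example.
RENAMED_FILE_RE = re.compile(r"^(?P<original>.+)\.(?P<iv>[0-9a-f]{32})\.abcd$")

# AWS long-term access key IDs are 20 characters beginning with "AKIA";
# temporary (STS) key IDs begin with "ASIA".
AWS_ACCESS_KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters from the base64 alphabet. This is a
# loose candidate match, so it is only applied near a key ID hit.
AWS_SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")


def parse_renamed_file(name):
    """Return {'original', 'iv'} if name matches the rename format, else None."""
    m = RENAMED_FILE_RE.match(name)
    if m is None:
        return None
    return {"original": m.group("original"), "iv": m.group("iv")}


def summarize_renamed_files(names):
    """Count matching files and collect the original extensions seen.

    The extension set is useful for an alert: it shows which file types the
    encryptor's extension list actually touched on this host.
    """
    hits = [p for p in map(parse_renamed_file, names) if p]
    exts = sorted({p["original"].rsplit(".", 1)[-1].lower()
                   for p in hits if "." in p["original"]})
    return {"count": len(hits), "extensions": exts, "files": hits}


def find_embedded_aws_credentials(blob, window=512):
    """Scan raw bytes for AWS access key IDs and pair each with a nearby secret.

    Returns one finding per key ID: the ID, a secret-key candidate found within
    `window` bytes after it (or None), and the byte offset of the ID.
    """
    findings = []
    for m in AWS_ACCESS_KEY_ID_RE.finditer(blob):
        region = blob[m.end(): m.end() + window]
        s = AWS_SECRET_KEY_RE.search(region)
        findings.append({
            "access_key_id": m.group(0).decode(),
            "secret_key_candidate": s.group(0).decode() if s else None,
            "offset": m.start(),
        })
    return findings


# Constructed directory listing (not from a real infection).
SAMPLE_LISTING = [
    "text.txt.e5c331611dd7462f42a5e9776d2281d3.abcd",  # the rename example the article quotes
    "report.docx.0123456789abcdef0123456789abcdef.abcd",
    "notes.txt",
    "photo.jpg.abcd",  # wrong shape: no IV segment, should not match
]

# Constructed strings table imitating a compiled binary. The key pair is the
# example credential from AWS's own documentation, not a live key; the
# hostname is the public S3 Transfer Acceleration endpoint suffix.
SAMPLE_BINARY = (
    b"\x00\x00us-east-1\x00"
    b"AKIAIOSFODNN7EXAMPLE\x00"
    b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    b"s3-accelerate.amazonaws.com\x00"
)

if __name__ == "__main__":
    print(summarize_renamed_files(SAMPLE_LISTING))
    print(find_embedded_aws_credentials(SAMPLE_BINARY))
```

In practice `find_embedded_aws_credentials` would be run over the bytes of a suspected sample (or over the output of `strings`), and any hit is worth reporting to AWS so the key can be suspended, as happened here; `summarize_renamed_files` is the kind of check an EDR or file-integrity rule can apply to a directory listing to confirm which host and file types were affected.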
In the final stage, the ransomware changes the device's wallpaper to display an image that mentions LockBit 2.0 in a likely attempt to compel victims into paying up.
"Threat actors might also disguise their ransomware sample as another more publicly known variant, and it is not difficult to see why: the infamy of high-profile ransomware attacks further pressures victims into doing the attacker's bidding," the researchers said.
The development comes as Gen Digital released a decryptor for a Mallox ransomware variant that was spotted in the wild from January 2023 through February 2024 by taking advantage of a flaw in the cryptographic schema.
"Victims of the ransomware may be able to restore their files for free if they were attacked by this particular Mallox variant," researcher Ladislav Zezula said. "The crypto-flaw was fixed around March 2024, so it is no longer possible to decrypt data encrypted by the later versions of Mallox ransomware."
It should be mentioned that an affiliate of the Mallox operation, also known as TargetCompany, has been discovered using a slightly modified version of the Kryptina ransomware – codenamed Mallox v1.0 – to breach Linux systems.
"The Kryptina-derived variants of Mallox are affiliate-specific and separate from other Linux variants of Mallox that have since emerged, an indication of how the ransomware landscape has evolved into a complex menagerie of cross-pollinated toolsets and non-linear codebases," SentinelOne researcher Jim Walter noted late last month.
Ransomware continues to be a major threat, with 1,255 attacks claimed in the third quarter of 2024, down from 1,325 in the previous quarter, according to Symantec's analysis of data pulled from ransomware leak sites.
Microsoft, in its Digital Defense Report for the one-year period from June 2023 to June 2024, said it observed a 2.75x year-over-year increase in human-operated ransomware-linked encounters, while the percentage of attacks reaching the actual encryption phase has decreased threefold over the past two years.
Some of the major beneficiaries of LockBit's decline following an international law enforcement operation targeting its infrastructure in February 2024 have been RansomHub, Qilin (aka Agenda), and Akira, the last of which has shifted back to double extortion tactics after briefly flirting with data exfiltration and extortion attacks alone in early 2024.
"During this period, we began to see Akira ransomware-as-a-service (RaaS) operators developing a Rust variant of their ESXi encryptor, iteratively building on the payload's functions while moving away from C++ and experimenting with different programming techniques," Talos said.
Attacks involving Akira have also leveraged compromised VPN credentials and newly disclosed security flaws to infiltrate networks, as well as escalate privileges and move laterally within compromised environments as part of efforts designed to establish a deeper foothold.
Some of the vulnerabilities exploited by Akira affiliates are listed below:
- CVE-2020-3259
- CVE-2023-20263
- CVE-2023-20269
- CVE-2023-27532
- CVE-2023-48788
- CVE-2024-37085
- CVE-2024-40711
- CVE-2024-40766
"Throughout 2024, Akira has targeted a significant number of victims, with a clear preference for organizations in the manufacturing and professional, scientific, and technical services sectors," Talos researchers James Nutland and Michael Szeliga said.
"Akira may be transitioning from the use of the Rust-based Akira v2 variant and returning to previous TTPs using Windows and Linux encryptors written in C++."