Intel Name: Fake LockBit, real damage: ransomware samples abuse AWS S3 to steal data
Date of Scan: October 17, 2024
Impact: High
Summary: Threat actors are increasingly exploiting cloud service providers for various malicious activities, including infostealer development and data exfiltration. In this instance, the ransomware samples we analyzed included hard-coded AWS credentials; this is specific to one threat actor, whereas ransomware developers in general use various online services. We also examined Go (Golang) ransomware samples targeting Windows and macOS environments. Most samples featured hard-coded AWS credentials, and the stolen data was uploaded to an Amazon S3 bucket controlled by the attackers.