Codefinger on AWS: Lessons from Amazon’s Latest Ransomware Attack 

The growing sophistication of ransomware threats targeting cloud services like Amazon Web Services (AWS) has reached a new, unsettling milestone with the emergence of the Codefinger ransomware campaign. This attack, which exploits AWS’s advanced encryption mechanisms, has raised alarms in the cybersecurity community, revealing that even the most advanced cloud platforms are not immune to the rising tide of cybercrime. This article examines the mechanics of the Codefinger attack, the broader implications for cloud security, and what businesses must do to protect themselves from similar threats in the future. 

What the Codefinger Ransomware attack reveals about cloud security vulnerabilities? 

In early 2025, a new ransomware threat, Codefinger, was identified targeting users of Amazon Web Services’ S3 storage buckets. At first glance, it seemed like just another in a long line of ransomware attacks. But what sets this campaign apart is its sophisticated use of AWS’s native encryption features, specifically the Server-Side Encryption with Customer-Provided Keys (SSE-C). Rather than encrypting files locally or in transit as most ransomware does, Codefinger uses AWS’s built-in encryption systems to lock data stored in the cloud, making it nearly impossible for the victim to recover their data without the decryption key held by the attacker. 

The real shock of the attack lies not in the use of encryption itself—after all, this is the core of how most ransomware operates—but in how it leverages cloud-native features to lock organizations out of their own data. This attack method circumvents traditional recovery solutions, which often rely on backup systems, making it a powerful and insidious tool for cybercriminals. 

Moreover, Codefinger’s strategy goes beyond merely encrypting data. The attackers manipulate AWS’s object lifecycle management tools, marking files for deletion within a short timeframe, thereby increasing the urgency of the ransom demand. In the world of ransomware, where time is always a pressure point, these tactics amplify the leverage attackers hold over their victims. 

Amazon’s statement regarding the Codefinger Ransomware Attacks 

In response to the Codefinger ransomware campaign, Amazon Web Services issued a statement underscoring the importance of the company’s shared responsibility model. AWS provides robust infrastructure and security tools, but customers must take the necessary steps to secure their own cloud resources. This model, which has long been at the core of AWS’s approach to cloud security, emphasizes that while AWS helps secure the cloud infrastructure itself, the onus is on the customer to safeguard their data and access credentials. 

An AWS spokesperson provided the following remarks and emphasized the company’s commitment to securing cloud resources through a shared responsibility model. They assured that whenever exposed keys are detected, affected customers are promptly notified. AWS also conducts thorough investigations into such incidents, swiftly implementing measures like quarantine policies to mitigate risks while avoiding disruption to IT environments. The spokesperson encouraged customers to adhere to best practices in security, identity, and compliance, and offered guidance for those suspecting credential exposure. For further assistance, AWS Support remains available to address any security concerns. 

The statement highlights AWS’s commitment to promptly addressing security vulnerabilities, yet it also reiterates that the ultimate responsibility for securing an organization’s AWS environment falls to the user. This shared responsibility model underscores the importance of businesses taking an active role in securing their cloud accounts, especially as cybercriminals become more adept at exploiting weaknesses in cloud security configurations. 

Codefinger ransomware attack flow 

The Halcyon report provides a detailed account of the Codefinger ransomware attack flow, revealing the methodical steps taken by the attackers to exploit AWS resources and encrypt critical data. The attack flow follows this sequence of steps: 

• Identifying vulnerable AWS keys: The attackers gain initial access by exploiting publicly disclosed or previously compromised AWS API keys. These keys often provide attackers with full access to critical cloud resources. 

• Encrypting files via SSE-C: Once access is obtained, the attackers leverage AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt files. They generate an AES-256 encryption key locally and use it to encrypt the victim’s data, preventing the organization from recovering without the decryption key. 

• Setting lifecycle policies for file deletion: To add urgency to their demands, the attackers utilize the S3 Object Lifecycle Management API to set a 7-day deletion policy for the encrypted files. This tactic ensures that the data will be permanently deleted if the ransom is not paid within the specified timeframe. 

• Depositing a ransom note: To finalize the attack, the attackers drop a ransom note in each affected directory. The note warns that any changes made to account permissions or files will lead to the termination of negotiations, leaving the victim with little room to negotiate or recover their data. 

This attack flow highlights the increasingly complex and calculated nature of ransomware campaigns, with the attackers exploiting the very cloud tools organizations rely on to secure their data. By combining encryption with lifecycle management and aggressive ransom tactics, the Codefinger campaign represents a significant evolution in ransomware attacks, underscoring the need for stronger defenses and rapid detection capabilities. 

The growing debate over ransomware payments 

As ransomware attacks like Codefinger continue to evolve, they have sparked a wider debate about the ethics and legality of paying ransoms. Governments around the world, including the U.K., have begun to consider legislation that would make ransomware payments illegal for certain organizations, particularly those in national infrastructure sectors. The rationale behind such measures is clear: by prohibiting payments, governments hope to reduce the financial incentives for cybercriminals. 

However, the situation is more complicated than simply banning ransom payments. Security experts have pointed out that paying a ransom may be the only way for some organizations to recover vital data, especially when the encrypted files are essential to business operations. Ransomware gangs, after all, are highly motivated by profit and often target victims who are most likely to pay. While paying a ransom does not guarantee that the attacker will provide the decryption key or honor the agreement, it may be seen as the only option when recovery seems otherwise impossible. 

The pressure faced by organizations in these situations cannot be understated. As ransomware attacks grow in sophistication, so too does the pressure on businesses to make difficult decisions in the face of mounting financial and operational losses. 

Best practices for robust post-compromise threat detection in AWS 

As ransomware attacks like Codefinger become more sophisticated, organizations must go beyond traditional preventative measures and implement comprehensive detection and response strategies to minimize the damage from a breach. While AWS provides strong security tools, a proactive approach to post-compromise monitoring is essential for safeguarding critical data and quickly responding to threats. The following best practices help strengthen AWS environments against advanced cyberattacks like Codefinger: 

1. Monitor early-stage behaviors 

Early detection is key to stopping attacks in their tracks. Attackers often begin their campaigns with reconnaissance activities such as enumerating S3 buckets, discovering IAM (Identity and Access Management) permissions, or identifying misconfigured resources. By monitoring these early-stage behaviors, organizations can detect suspicious activity before it escalates. Early identification can stop attackers from advancing their plans and mitigate the risk of large-scale data breaches. 

2. Behavioral-based detection 

Behavioral analytics tools are increasingly essential for identifying abnormal activities in a cloud environment. Using behavioral-based detection, organizations can flag unusual patterns such as excessive API calls, privilege escalations, or suspicious encryption events. These activities often indicate an attacker attempting to exploit a vulnerable cloud resource. Setting up machine learning algorithms to detect deviations from normal behavior helps pinpoint threats that traditional signature-based security solutions may miss. 

3. Comprehensive logging 

To respond to potential threats effectively, it is crucial to maintain visibility into cloud activities. AWS CloudTrail, when configured properly, can provide detailed logs of API calls across all services and regions. Ensure that CloudTrail is enabled for all AWS regions and services, including S3 data events, to capture detailed records of every access and modification attempt. These logs can provide valuable insights into potentially malicious actions, and ensure that every event, from data retrieval to permission changes, is tracked and available for analysis during an attack. 

4. Automated incident response 

Time is of the essence when responding to a cyberattack, particularly in the case of ransomware. Automated incident response workflows allow organizations to react quickly to suspicious activity and mitigate potential damage. When abnormal behavior is detected, organizations should have automated mechanisms in place to isolate compromised accounts or services immediately. These actions can prevent lateral movement within the network, effectively containing the breach and reducing the risk of further compromise. 

5. Post-compromise mitigation 

Once an attack is detected, organizations need to focus on post-compromise mitigation. This involves preventing lateral movement and minimizing damage. Security teams should monitor for signs of privilege escalation, unauthorized changes to lifecycle policies, or large-scale data operations that could indicate the attacker is attempting to exfiltrate or destroy valuable data. Proactively managing and mitigating these risks is key to preventing an attack from spreading further across the AWS infrastructure. 

Lessons for CTOs: Proactive cloud security is essential 

The Codefinger attack is a stark reminder that cloud security is not just about preventing traditional threats, but about understanding how attackers can exploit cloud-native tools to gain unauthorized access and control over critical data. While AWS provides a strong security infrastructure, it is ultimately up to organizations to ensure that their cloud environments are properly configured, secured, and monitored. 

Preventative measures such as multi-factor authentication, proper encryption key management, and continuous monitoring are essential to mitigating the risks posed by advanced ransomware campaigns like Codefinger. However, as this attack demonstrates, even the best-laid preventative strategies are not enough. Businesses must also focus on rapid detection, incident response, and post-compromise mitigation to minimize the damage from successful attacks. 

Cloud-native ransomware attacks like Codefinger exemplify the growing trend of cybercriminals leveraging the very tools businesses use to protect their data against them. These attacks are a wake-up call for organizations to adopt more comprehensive cloud security strategies—ones that go beyond traditional prevention to incorporate proactive threat detection, quick recovery plans, and robust incident response capabilities. 

In an era where digital infrastructure is the backbone of business operations, organizations must be prepared for the evolving nature of cyber threats. The lessons from Codefinger are clear: cloud security requires vigilance, adaptability, and a proactive approach to staying ahead of increasingly sophisticated attackers. 

In brief 

 The Codefinger ransomware attack exploits AWS vulnerabilities, using compromised keys to encrypt data via SSE-C, while setting deletion policies to add urgency to ransom demands. Organizations are urged to implement robust detection and response strategies, including early-stage behavior monitoring, behavioral analytics, and automated incident response, to safeguard against such sophisticated attacks.