The attacker leverages AWS’s Server-Side Encryption with Customer-Provided Keys (SSE-C) to encrypt data, demanding ransom payments if the victim firm wants the symmetric AES-256 keys required for decryption. While SSE-C has been available since 2014, say the researchers, this appears to be a novel use of the feature by ransomware operators.
To pressure victims, the encrypted files are marked for deletion within seven days.
The report doesn’t detail how the stolen AWS keys are obtained. But in response to emailed questions, Halcyon said keys can be exposed in a variety of ways, including through compromised IT networks and phishing. Keys often get leaked publicly by developers or employees who embed them in code repos such as GitHub or GitLab.
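As an added example (not from the report or this article), the Python below sketches how a defender might triage CloudTrail S3 events for the pattern described: object writes encrypted with SSE-C on a bucket, followed by a lifecycle rule that expires objects within seven days. The sample events are constructed, and the field names used (additionalEventData.SSEApplied, the SSE-C algorithm request parameter, LifecycleConfiguration.Rule) are my assumption about CloudTrail’s layout; check them against real events from your own trail before deploying.

```python
# Constructed sample CloudTrail S3 events, not real logs. The field layout
# (additionalEventData.SSEApplied, LifecycleConfiguration.Rule) is an assumption.
DEV = "arn:aws:iam::111122223333:user/dev-ci"
APP = "arn:aws:iam::111122223333:role/app"
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": {"arn": DEV},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2024.dump",
                           "x-amz-server-side-encryption-customer-algorithm": "AES256"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "CopyObject", "userIdentity": {"arn": DEV},
     "requestParameters": {"bucketName": "corp-backups", "key": "db/2023.dump"},
     "additionalEventData": {"SSEApplied": "SSE_C"}},
    {"eventName": "PutObject", "userIdentity": {"arn": APP},  # benign: KMS-managed key
     "requestParameters": {"bucketName": "corp-backups", "key": "logs/app.log"},
     "additionalEventData": {"SSEApplied": "SSE_KMS"}},
    {"eventName": "PutBucketLifecycle", "userIdentity": {"arn": DEV},
     "requestParameters": {"bucketName": "corp-backups", "LifecycleConfiguration":
                           {"Rule": {"Status": "Enabled", "Expiration": {"Days": 7}}}}},
]
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload", "UploadPart"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}

def is_ssec_write(event: dict) -> bool:
    """Object write using a customer-provided key: AWS keeps no copy of the key,
    so the account owner cannot decrypt the object without it."""
    if event.get("eventName") not in WRITE_EVENTS:
        return False
    algo = event.get("requestParameters", {}).get(
        "x-amz-server-side-encryption-customer-algorithm")
    return event.get("additionalEventData", {}).get("SSEApplied") == "SSE_C" or algo == "AES256"

def short_expiry_rule(event: dict, max_days: int = 7) -> bool:
    """Lifecycle rule that expires objects within max_days (the deletion deadline)."""
    if event.get("eventName") not in LIFECYCLE_EVENTS:
        return False
    rules = event.get("requestParameters", {}).get("LifecycleConfiguration", {}).get("Rule", [])
    rules = [rules] if isinstance(rules, dict) else rules  # single rule or a list
    return any(r.get("Status") == "Enabled" and (r.get("Expiration") or {}).get("Days", 10**9) <= max_days
               for r in rules)

def triage(events):
    # Count per (principal, bucket); SSE-C writes plus a short expiry rule is the pattern to escalate.
    findings = {}
    for ev in events:
        who = ev.get("userIdentity", {}).get("arn", "?")
        bucket = ev.get("requestParameters", {}).get("bucketName", "?")
        f = findings.setdefault((who, bucket), {"ssec_writes": 0, "short_expiry": 0})
        f["ssec_writes"] += int(is_ssec_write(ev))
        f["short_expiry"] += int(short_expiry_rule(ev))
    return {k: v for k, v in findings.items() if v["ssec_writes"] or v["short_expiry"]}
```

Running `triage(SAMPLE_EVENTS)` returns only the dev-ci principal on corp-backups with two SSE-C writes and one short-expiry rule; the KMS-encrypted write by the app role is not flagged.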