TTPwire Vol. 1 · MITRE ATT&CK-tagged


Trend Micro Research

Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses

Yash Verma · 2025-11-18

ATT&CK techniques detected

33 predictions (technique · confidence · supporting excerpt from the article)
T1486 Data Encrypted for Impact
95%
“inaccessible to the target AWS users to encrypt S3 objects. This prevents the victim, including the root user, from decrypting any S3 files. - Make or use encryption keys that are inaccessible to AWS. The attacker uses encryption keys technically inaccessible to AWS as well. …”
T1486 Data Encrypted for Impact
94%
“… 6. After encryption is completed, a file named 'ransom-note.txt' is uploaded, and the KMS key is scheduled for deletion in seven days. Once the CMK is deleted, the encrypted data becomes permanently inaccessible. This variant is most likely to occur as a cross-account at…”
T1486 Data Encrypted for Impact
94%
“Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses · Ransomware · Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses · In this blog entry, Trend™ Research explores how ransomware actors are shifting their focus to cloud …”
T1485 Data Destruction
92%
“them full control over key management. This approach is typically chosen to meet strict compliance or security requirements but comes with added complexity, such as the need to securely store and manage keys. Notably, AWS does not retain SSE-C keys; instead, it logs a key’s …”
T1486 Data Encrypted for Impact
88%
“the key is not accessible to either customers or AWS. Proactive security with Trend Vision One™: Trend Vision One™ is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management and security operations, delivering robust layered protecti…”
T1486 Data Encrypted for Impact
88%
“4, 5): Detected possible ransomware activity on an S3 bucket which can lead to important data encryption, loss or corruption, operational disruption, financial losses and much more. AWS S3 object upload using custom encryption (variant 2): This detection identifies objects upload…”
T1486 Data Encrypted for Impact
85%
“maintain control over the key's origin, durability, and lifecycle while AWS KMS manages its usage within AWS services. In imported external key material, expiration can be set to any duration, making it an attractive feature for attackers in ransomware scenarios, in which they …”
T1486 Data Encrypted for Impact
84%
“without clean backups, businesses can’t guarantee data integrity. In many real-world cases, companies with no backup resorted to ransom payments as their only recovery path. Among all targets in AWS, Amazon S3 stands out as the most widely used and business critical. It serve…”
T1486 Data Encrypted for Impact
79%
“…, malicious attachments, and exploitation of outdated or vulnerable software. However, as organizations shift to the cloud, ransomware tactics are adapting: in cloud environments, attackers are increasingly exploiting customer-misconfigured storage resources and stolen credentia…”
T1530 Data from Cloud Storage
77%
“…-attack phases) While the above detections tie to specific ransomware variants, several generic detections help identify precursor and aftermath activities that often accompany ransomware campaigns: AWS S3 successful resource enumeration attempt: Detected possible successful en…”
T1098.001 Additional Cloud Credentials
77%
“user: The creation or an update of a policy with full administrative privilege attached to a user, giving full administrator access to the AWS environment, was observed. AWS IAM create/update full administrative privileged inline policy for a role: The creation or an update of a …”
T1485 Data Destruction
72%
“…3:::your_bucket_arn_here/*", "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}]} Variant 3 (S3 exfiltration and deletion): Last year, it was reported that the threat actor Bling Libra used stole…”
T1486 Data Encrypted for Impact
69%
“leaves ransom notes in the original bucket (if it still exists) or creates new buckets with ransom-related names, as seen in the Bling Libra case. This variant is also more likely to occur as it’s a simple two-step process of exfiltration and deletion, and it makes data i…”
T1530 Data from Cloud Storage
68%
“…tories for potential data exfiltration attacks. AWS S3 bucket encryption configuration modified: Modification of an S3 bucket's encryption settings was detected, which may impact data security. Improper changes can disable encryption or weaken protection, increasing the risk o…”
T1486 Data Encrypted for Impact
68%
“encrypt the target AWS account’s S3 bucket. Customers can prevent this by creating the policy below to protect against scenarios 4 and 5: {"Sid": "DenyKmsOperationsViaS3OnExternalKeys", "Effect": "Deny", "Action": ["kms:GenerateDataKey", "kms:Decrypt"],…”
T1485 Data Destruction
66%
“time copies of virtual machine disks or volumes – like Amazon Elastic Block Store (EBS) snapshots could be targeted, as organizations rely on them for rapid recovery of EC2 instances after failure or compromise. Without snapshots, rebuilding systems from scratch could take days…”
T1486 Data Encrypted for Impact
64%
“1. The attacker gains write-level access to the victim’s S3 bucket/s (for example, via leaked IAM role credentials from public source code on GitHub or by compromising the AWS account). 2. They create a customer-managed symmetric customer master key (CMK) using KMS in…”
T1078.004 Cloud Accounts
63%
“removal of resources. AWS S3 server access logging disabled for a bucket: Detects instances where server access logging is disabled for an Amazon S3 bucket. Indicates a potential security misconfiguration or an attempt to conceal access activities. Attacker can compromise visibili…”
T1078.004 Cloud Accounts
62%
“…ities of cloud environments, defending cloud-based resources demands proactive and adaptive security strategies. Organizations must move beyond legacy perimeter defenses and adopt layered controls tailored to cloud infrastructure if they are to counter such threats. To effect…”
T1098.001 Additional Cloud Credentials
57%
“actor: AWS IAM policy attached to user or role or group: An attachment of an AWS IAM policy to user or group or role was detected which might indicate an attacker trying to escalate his privileges to compromise the AWS account. AWS IAM administrator access policy attached to a ro…”
T1098 Account Manipulation
54%
“actor: AWS IAM policy attached to user or role or group: An attachment of an AWS IAM policy to user or group or role was detected which might indicate an attacker trying to escalate his privileges to compromise the AWS account. AWS IAM administrator access policy attached to a ro…”
T1486 Data Encrypted for Impact
52%
“them full control over key management. This approach is typically chosen to meet strict compliance or security requirements but comes with added complexity, such as the need to securely store and manage keys. Notably, AWS does not retain SSE-C keys; instead, it logs a key’s …”
T1486 Data Encrypted for Impact
49%
“{"kms:KeyOrigin": ["EXTERNAL", "EXTERNAL_KEY_STORE"], "kms:ViaService": "s3.<region>.amazonaws.com"}}} This variant could also be carried out from the victim’s AWS account. This means that if attackers have sufficient access, they can create a KMS…”
T1530 Data from Cloud Storage
43%
“…3:::your_bucket_arn_here/*", "Condition": {"Null": {"s3:x-amz-server-side-encryption-customer-algorithm": "false"}}}]} Variant 3 (S3 exfiltration and deletion): Last year, it was reported that the threat actor Bling Libra used stole…”
T1490 Inhibit System Recovery
43%
“…tries could also be targeted, as containerized workloads (including microservices and apps) rely on container images stored in ECR. Attackers targeting ECR can delete images, halting application deployment pipelines, or replace images with malicious or broken versions. Compro…”
T1485 Data Destruction
42%
“leaves ransom notes in the original bucket (if it still exists) or creates new buckets with ransom-related names, as seen in the Bling Libra case. This variant is also more likely to occur as it’s a simple two-step process of exfiltration and deletion, and it makes data i…”
T1573.002 Asymmetric Cryptography
39%
“Figures 9 and 10). 5. They select the wrapping key and algorithm, as shown in Figure 11. 6. They download a wrapping public key and import a token on a local machine and wrap their own newly created key with the wrapper public key: openssl rand -out mycustomkeymaterial.bin 32…”
T1090 Proxy
38%
“configuration file of using SoftHSMv2 with pkcs11-logger disabled in a Docker environment. [server] region = "eu-west-1" 3. Builds and runs the XKS proxy on attacker’s environment. The repository includes a Dockerfile to build the proxy: docker build -t xks-proxy…”
T1525 Implant Internal Image
38%
“customers to contact AWS Support [6] for any questions or concerns about the security of their account.” [1] https://aws.amazon.com/compliance/shared-responsibility-model/ [2] https://docs.aws.amazon.com/aws-managed-policy/latest/reference/awscompromis…”
T1080 Taint Shared Content
37%
“Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses · Ransomware · Breaking Down S3 Ransomware: Variants, Attack Paths and Trend Vision One™ Defenses · In this blog entry, Trend™ Research explores how ransomware actors are shifting their focus to cloud …”
T1525 Implant Internal Image
36%
“resources quickly. In a public statement, AWS said, "AWS services and infrastructure are operating as expected. AWS helps customers secure their cloud resources through a shared responsibility model. [1] We thoroughly investigate all reports of exposed keys and quickly take any ne…”
T1485 Data Destruction
35%
“4, 5): Detected possible ransomware activity on an S3 bucket which can lead to important data encryption, loss or corruption, operational disruption, financial losses and much more. AWS S3 object upload using custom encryption (variant 2): This detection identifies objects upload…”
T1552.005 Cloud Instance Metadata API
35%
“leaked IAM role credentials from public source code on GitHub or by compromising the AWS account, for example). 2. Attacker enumerates S3 buckets to find an ideal target. 3. The attacker initiates server-side encryption by providing a locally stored AES-256 key using the x-…”
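The excerpts above describe three attack paths (variant 1: attacker-imported external KMS key material, then ScheduleKeyDeletion with a seven-day window; variant 2: SSE-C uploads with a locally held AES-256 key that AWS never retains; variant 3: exfiltration followed by mass deletion and ransom-named objects or buckets) plus the generic precursor and aftermath detections (bucket enumeration, server access logging disabled, bucket encryption configuration modified). The following is an added example, not code from the Trend Micro article or from Trend Vision One, showing how those signals can be correlated offline over CloudTrail records. The events are constructed samples; the field names it reads (`requestParameters.origin`, `pendingWindowInDays`, `BucketLoggingStatus.LoggingEnabled`, `additionalEventData.SSEApplied`, and the SSE-C algorithm header under `requestParameters`) are my assumptions about CloudTrail's schema and must be checked against your own trail, and the burst threshold and window are arbitrary tuning values.

```python
# Added example: offline CloudTrail triage for the S3 ransomware variants above.
# Not code from the Trend Micro article. Every CloudTrail field name used
# here is an assumption about the log schema; verify against real records.
from collections import defaultdict
from datetime import datetime, timedelta

SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"  # assumed field name
EXTERNAL_ORIGINS = ("EXTERNAL", "EXTERNAL_KEY_STORE")  # key material AWS cannot recover


def parse_time(ev):
    return datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def principal(ev):
    return (ev.get("userIdentity") or {}).get("arn", "unknown")


def max_in_window(times, window):
    """Largest number of timestamps that fit inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def triage(events, burst_threshold=5, window=timedelta(minutes=10)):
    """Return findings for the three variants and the generic precursor/aftermath signals."""
    findings = []
    ssec_puts = defaultdict(list)   # (principal, bucket) -> SSE-C upload times
    deletes = defaultdict(list)     # (principal, bucket) -> object delete times
    external_keys = {}              # keyId -> principal that imported its material

    for ev in events:
        name = ev["eventName"]
        params = ev.get("requestParameters") or {}
        who, bucket = principal(ev), params.get("bucketName")

        if name == "ListBuckets":                        # precursor: enumeration
            findings.append({"signal": "s3_enumeration", "principal": who})
        elif name == "CreateKey":                        # variant 1, step 1
            meta = (ev.get("responseElements") or {}).get("keyMetadata") or {}
            if params.get("origin", "AWS_KMS") in EXTERNAL_ORIGINS:
                external_keys[meta.get("keyId")] = who
        elif name == "ScheduleKeyDeletion":              # variant 1, final step
            key_id = params.get("keyId")
            if key_id in external_keys:
                findings.append({"signal": "variant1_external_key_scheduled_for_deletion",
                                 "principal": who, "keyId": key_id,
                                 "pendingWindowInDays": params.get("pendingWindowInDays")})
        elif name == "PutObject":
            sse = (ev.get("additionalEventData") or {}).get("SSEApplied")
            if SSEC_HEADER in params or sse == "SSE_C":  # variant 2: customer-held key
                ssec_puts[(who, bucket)].append(parse_time(ev))
            if "ransom" in f"{bucket}/{params.get('key', '')}".lower():
                findings.append({"signal": "ransom_note_or_bucket", "principal": who,
                                 "bucket": bucket, "key": params.get("key")})
        elif name in ("DeleteObject", "DeleteObjects"):  # variant 3: exfil then delete
            deletes[(who, bucket)].append(parse_time(ev))
        elif name == "PutBucketLogging":                 # aftermath: hide tracks
            if not (params.get("BucketLoggingStatus") or {}).get("LoggingEnabled"):
                findings.append({"signal": "server_access_logging_disabled",
                                 "principal": who, "bucket": bucket})
        elif name == "PutBucketEncryption":              # aftermath: weaken protection
            findings.append({"signal": "bucket_encryption_config_modified",
                             "principal": who, "bucket": bucket})

    for label, table in (("variant2_ssec_upload_burst", ssec_puts),
                         ("variant3_mass_delete", deletes)):
        for (who, bucket), times in table.items():
            n = max_in_window(times, window)
            if n >= burst_threshold:
                findings.append({"signal": label, "principal": who,
                                 "bucket": bucket, "count": n})
    return findings


# ---- constructed sample telemetry (not real logs) ---------------------------
ATTACKER = "arn:aws:iam::111122223333:user/leaked-ci"   # hypothetical leaked identity


def make_event(minute, name, params=None, **extra):
    ev = {"eventTime": f"2025-11-18T10:{minute:02d}:00Z", "eventName": name,
          "userIdentity": {"arn": ATTACKER}, "requestParameters": params or {}}
    ev.update(extra)
    return ev


SAMPLE_EVENTS = (
    [make_event(0, "ListBuckets"),
     make_event(1, "CreateKey", {"origin": "EXTERNAL"},
                responseElements={"keyMetadata": {"keyId": "extkey-1"}}),
     make_event(2, "PutBucketLogging", {"bucketName": "victim-data", "BucketLoggingStatus": {}})]
    + [make_event(3 + i, "PutObject", {"bucketName": "victim-data", "key": f"db/part-{i}.sql",
                                        SSEC_HEADER: "AES256"},
                  additionalEventData={"SSEApplied": "SSE_C"}) for i in range(6)]
    + [make_event(10 + i, "DeleteObject", {"bucketName": "victim-archive",
                                            "key": f"backup-{i}.tar"}) for i in range(6)]
    + [make_event(17, "PutObject", {"bucketName": "victim-data", "key": "ransom-note.txt"}),
       make_event(18, "ScheduleKeyDeletion", {"keyId": "extkey-1", "pendingWindowInDays": 7})]
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Two caveats when pointing this at real data: PutObject and DeleteObject are S3 data events, so they only appear in CloudTrail if data event logging is enabled for the bucket (the KMS and bucket-configuration calls are management events and are always recorded); and a ScheduleKeyDeletion on an external-origin key deserves a response before the pending window expires, because once the key is gone the SSE-KMS objects it protected cannot be recovered.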

Summary

In this blog entry, Trend™ Research explores how ransomware actors are shifting their focus to cloud-based assets, including the tactics used to compromise business-critical data in AWS environments.