Emerging Ransomware Variants Exploit Amazon S3 Misconfigurations and Weak Access Controls

Ransomware attacks are evolving beyond traditional on-premises targets, increasingly targeting cloud environments such as Amazon Web Services (AWS).

Researchers from Trend Micro warn that Amazon Simple Storage Service (S3) has become a high-value target due to frequent misconfigurations, leaked access keys, and weak encryption policies.

Their latest research highlights five distinct ransomware variants exploiting S3 through encryption abuse, data exfiltration, and deletion tactics designed to render cloud data inaccessible or unrecoverable.

S3 Becomes the New Ransomware Battleground

Unlike traditional ransomware, which has to drop and run its own encryption malware on endpoints, S3-based attacks weaponize AWS-native encryption features such as the Key Management Service (SSE-KMS) or Server-Side Encryption with Customer-Provided Keys (SSE-C). No malware needs to execute inside the victim environment; valid credentials and the S3 API are enough.

Among the identified variants, one leverages default AWS KMS keys (SSE-KMS) to encrypt bucket data and then schedules the key for deletion. KMS enforces a pending-deletion window of 7 to 30 days during which the deletion can still be cancelled, so the victim's recovery window is bounded by whatever period the attacker chose.

Another uses SSE-C (Server-Side Encryption with Customer-Provided Keys): the attacker supplies the encryption key in each PutObject or CopyObject request, S3 encrypts the object with it and discards the key, keeping only a salted HMAC of the key to validate later requests. Once the objects have been re-encrypted, neither the customer nor AWS can decrypt them without the attacker's key, which makes this variant particularly destructive. One caveat: if versioning is enabled, the re-encrypted copy is written as a new version and the original survives until it is explicitly deleted, so the attacker must also hold delete permissions to make the damage permanent.

[Figure: Variant 2 attack flow]

Trend Micro also notes cases where threat actors such as Bling Libra used stolen AWS credentials to access, exfiltrate, and delete S3 data before leaving ransom notes or threatening to leak the data.

Two additional emerging vectors use AWS KMS imported key material (keys created with EXTERNAL origin) and the newer External Key Store (XKS), which let attackers import or remotely manage encryption keys beyond AWS's visibility.

Imported key material can be removed with DeleteImportedKeyMaterial, which takes effect immediately rather than after KMS's pending-deletion window, and an XKS key lives in an external key manager whose operator can revoke or destroy it on demand. Either way, the encrypted S3 objects remain permanently inaccessible.

Trend Vision One Provides a Detection and Defense Layer

Trend Vision One™, Trend Micro’s AI-powered cybersecurity platform, now incorporates dedicated detections for S3 ransomware behaviors through AWS CloudTrail event monitoring.

These detections highlight key ransomware indicators, such as mass encryption, bulk download-and-delete operations, ransom note creation, and suspicious key deletions in KMS.
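The following is an added example, not Trend Micro's or AWS's code, showing how the four indicators above can be expressed as detection logic over CloudTrail records. The event field names follow the CloudTrail record shape (eventTime, eventSource, eventName, userIdentity.arn, requestParameters), the SSE-C header and KMS API names are real, and the sample events, ARNs, bucket name, thresholds and burst window are all constructed for the example.

```python
"""Toy CloudTrail detector for the four S3 ransomware indicators listed above.

Added example, not Trend Micro or AWS code. Events follow the CloudTrail record
shape (eventTime, eventSource, eventName, userIdentity.arn, requestParameters);
the sample events, ARNs, bucket name and thresholds below are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

WINDOW = timedelta(minutes=10)   # assumed burst window
MASS_ENCRYPT_THRESHOLD = 3       # assumed; tune to real bucket activity
BULK_THRESHOLD = 3               # assumed
# Ransom-note names are heuristic; plain "README" will need tuning per bucket.
RANSOM_NOTE_RE = re.compile(r"readme|ransom|how[_-]?to[_-]?(decrypt|recover|restore)", re.I)
# Real KMS API names that take a key out of service or destroy its material.
KMS_DESTRUCTIVE = {"ScheduleKeyDeletion", "DeleteImportedKeyMaterial", "DisableKey"}
S3, KMS = "s3.amazonaws.com", "kms.amazonaws.com"
SSEC_HEADER = "x-amz-server-side-encryption-customer-algorithm"


def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _params(e):
    return e.get("requestParameters") or {}


def is_ssec_write(e):
    """PutObject/CopyObject carrying a customer-provided key header (SSE-C)."""
    return (e["eventSource"] == S3 and e["eventName"] in ("PutObject", "CopyObject")
            and SSEC_HEADER in _params(e))


def is_ransom_note(e):
    return (e["eventSource"] == S3 and e["eventName"] == "PutObject"
            and RANSOM_NOTE_RE.search(_params(e).get("key", "")) is not None)


def burst(events, threshold):
    """True when at least `threshold` events fall inside one WINDOW-long span."""
    times = sorted(_ts(e) for e in events)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > WINDOW:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def detect(events):
    """Return a sorted list of (rule, actor_arn) alerts for a batch of events."""
    alerts = set()
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e.get("userIdentity", {}).get("arn", "unknown")].append(e)
    for actor, evs in by_actor.items():
        s3 = [e for e in evs if e["eventSource"] == S3]
        if burst([e for e in s3 if is_ssec_write(e)], MASS_ENCRYPT_THRESHOLD):
            alerts.add(("s3_mass_ssec_encrypt", actor))
        gets = [e for e in s3 if e["eventName"] == "GetObject"]
        dels = [e for e in s3 if e["eventName"] in ("DeleteObject", "DeleteObjects")]
        # download-then-delete: a burst of each, with deletes starting after the first read
        if (burst(gets, BULK_THRESHOLD) and burst(dels, BULK_THRESHOLD)
                and min(map(_ts, dels)) >= min(map(_ts, gets))):
            alerts.add(("s3_bulk_download_then_delete", actor))
        if any(is_ransom_note(e) for e in s3):
            alerts.add(("s3_ransom_note_written", actor))
        for e in evs:
            if e["eventSource"] == KMS and e["eventName"] in KMS_DESTRUCTIVE:
                alerts.add(("kms_" + e["eventName"], actor))
    return sorted(alerts)


def _ev(minute, source, name, actor, **params):
    """Constructed CloudTrail-shaped event at 2025-01-15T10:<minute>:00Z."""
    if source == S3:
        params.setdefault("bucketName", "victim-data")
    return {"eventTime": f"2025-01-15T10:{minute:02d}:00Z", "eventSource": source,
            "eventName": name, "userIdentity": {"arn": actor},
            "requestParameters": params}


ATTACKER = "arn:aws:iam::123456789012:user/leaked-ci-key"      # constructed
EXFIL = "arn:aws:sts::123456789012:assumed-role/ops/session"   # constructed
BACKUP = "arn:aws:iam::123456789012:role/backup-writer"        # constructed
SSEC = {SSEC_HEADER: "AES256"}

SAMPLE_EVENTS = [
    # attacker re-encrypts objects in place with SSE-C, drops a note, schedules key deletion
    _ev(1, S3, "CopyObject", ATTACKER, key="db/2024.sql", **SSEC),
    _ev(2, S3, "CopyObject", ATTACKER, key="db/2025.sql", **SSEC),
    _ev(3, S3, "CopyObject", ATTACKER, key="hr/payroll.csv", **SSEC),
    _ev(4, S3, "PutObject", ATTACKER, key="HOW_TO_RECOVER_FILES.txt"),
    _ev(5, KMS, "ScheduleKeyDeletion", ATTACKER, pendingWindowInDays=7),
    # a second identity downloads three objects, then deletes them
    _ev(20, S3, "GetObject", EXFIL, key="a"), _ev(21, S3, "GetObject", EXFIL, key="b"),
    _ev(22, S3, "GetObject", EXFIL, key="c"), _ev(25, S3, "DeleteObject", EXFIL, key="a"),
    _ev(26, S3, "DeleteObject", EXFIL, key="b"), _ev(27, S3, "DeleteObject", EXFIL, key="c"),
    # benign backup job writing with SSE-KMS
    _ev(30, S3, "PutObject", BACKUP, key="backup/1.tar",
        **{"x-amz-server-side-encryption": "aws:kms"}),
]

if __name__ == "__main__":
    for rule, actor in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {actor}")
```

Two things a practitioner should remember when wiring this up for real: the S3 object-level calls it keys on (PutObject, CopyObject, GetObject, DeleteObject) are CloudTrail data events, which are only recorded when data-event logging is enabled for the bucket or trail, while the KMS calls are management events logged by default; and the thresholds here are deliberately tiny so the constructed sample trips them, whereas real buckets need baselines per identity.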

Additional rules within its Cloud Risk Management module check more than 28 S3 configuration settings, including MFA Delete, Object Lock, and public access settings.

Trend Micro recommends several defensive measures: enforce least-privilege access for S3 and KMS operations, enable versioning and Object Lock, restrict the use of SSE-C, and segregate backup accounts with independent CMKs.
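As an added example of the "restrict the use of SSE-C" and "segregate backup accounts with independent CMKs" recommendations (not Trend Micro's or AWS's code), the block below builds a bucket policy that refuses any object write carrying an SSE-C header and refuses SSE-KMS writes that name any key other than one approved CMK, then runs a small evaluator over constructed requests to show which are denied. The bucket name, account ID and key ARN are placeholders; the two S3 condition keys are real. The evaluator models only Deny statements with the Null and StringNotEquals operators, which is all this policy uses, and is not IAM's full evaluation logic.

```python
"""Bucket policy that blocks SSE-C writes and pins SSE-KMS writes to one approved
key, with a minimal evaluator that shows which requests it denies.

Added example, not Trend Micro or AWS code. The bucket name, account ID and key
ARN are placeholders. The evaluator models only Deny statements using the Null
and StringNotEquals condition operators, which is all this policy needs; it is
not IAM's full evaluation logic.
"""
import json

BUCKET = "example-data-bucket"                                     # placeholder
APPROVED_KEY = ("arn:aws:kms:us-east-1:123456789012:key/"
                "11111111-2222-3333-4444-555555555555")            # placeholder
SSEC_ALG = "s3:x-amz-server-side-encryption-customer-algorithm"    # real S3 condition key
KMS_KEY_ID = "s3:x-amz-server-side-encryption-aws-kms-key-id"      # real S3 condition key

BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Refuse any object write that carries an SSE-C header. CopyObject is
            # authorised as s3:PutObject on the destination, so in-place
            # re-encryption is covered too.
            "Sid": "DenySSEC",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {"Null": {SSEC_ALG: "false"}},
        },
        {   # Refuse SSE-KMS writes that name any key other than the approved CMK.
            # Null:false pins presence of the key id, so the outcome does not
            # depend on how StringNotEquals treats a missing context key.
            "Sid": "DenyForeignKmsKey",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*",
            "Condition": {
                "Null": {KMS_KEY_ID: "false"},
                "StringNotEquals": {KMS_KEY_ID: APPROVED_KEY},
            },
        },
    ],
}


def policy_json():
    """Policy document as you would pass it to put-bucket-policy."""
    return json.dumps(BUCKET_POLICY, indent=2)


def _condition_matches(operator, expected, ctx):
    """Evaluate one operator block against the request context (subset of IAM)."""
    for key, want in expected.items():
        present = key in ctx
        if operator == "Null":
            # "false" means the key must be present, "true" means it must be absent
            if present != (str(want).lower() == "false"):
                return False
        elif operator == "StringNotEquals":
            wants = want if isinstance(want, list) else [want]
            if present and ctx[key] in wants:
                return False
        else:
            raise NotImplementedError(f"operator {operator} not modelled")
    return True


def denying_sids(policy, action, ctx):
    """Sids of Deny statements whose action and every condition match the request."""
    hits = []
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        if st["Effect"] != "Deny" or action not in actions:
            continue
        if all(_condition_matches(op, exp, ctx)
               for op, exp in st.get("Condition", {}).items()):
            hits.append(st["Sid"])
    return hits


# Constructed request contexts: the condition-key values S3 derives from headers.
REQUESTS = {
    "ssec_reencrypt": {SSEC_ALG: "AES256"},                                  # variant 2
    "foreign_kms": {KMS_KEY_ID: "arn:aws:kms:us-east-1:123456789012:key/attacker-owned"},
    "approved_kms": {KMS_KEY_ID: APPROVED_KEY},
    "no_sse_header": {},   # bucket default encryption applies; nothing to deny here
}


def evaluate_all():
    return {name: denying_sids(BUCKET_POLICY, "s3:PutObject", ctx)
            for name, ctx in REQUESTS.items()}


if __name__ == "__main__":
    for name, sids in evaluate_all().items():
        print(f"{name:16} {'DENIED by ' + ', '.join(sids) if sids else 'not denied'}")
```

Apply the document with `aws s3api put-bucket-policy --bucket example-data-bucket --policy file://policy.json`. Two caveats: an identity that holds s3:PutBucketPolicy or s3:DeleteBucketPolicy can simply strip the policy, so the least-privilege recommendation above (ideally backed by a service control policy) is what keeps it in place; and the policy stops re-encryption, not deletion, which is what versioning and Object Lock are for.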

Continuous monitoring of CloudTrail and KMS logs is also critical for early detection. Note that S3 object-level calls such as PutObject, GetObject and DeleteObject are CloudTrail data events, which are not recorded unless data-event logging is enabled for the bucket or trail, whereas KMS key operations are management events logged by default. AWS, in its statement, reaffirmed its shared responsibility model, emphasizing that security configuration remains the customer's responsibility while AWS maintains the integrity of the underlying infrastructure.

As ransomware adapts to exploit misconfigured cloud environments, organizations must shift toward proactive cloud-native defenses and automated threat response workflows to mitigate data loss and operational disruption.


The post Emerging Ransomware Variants Exploit Amazon S3 Misconfigurations and Weak Access Controls appeared first on Cyber Security News.