How Misconfigured Amazon S3 Buckets Can Lead to a Ransomware Attack


When we think of ransomware attacks, we often assume the attacker gained access to the enterprise network via a phishing email. However, there are a variety of other attack vectors bad actors are currently leveraging to carry out ransomware attacks that can be incredibly damaging to an organization. 

Recent research from Rhino Security Labs shows that ransomware can be distributed through the cloud via Amazon Simple Storage Service (Amazon S3) buckets. While there are several ways an attacker can distribute ransomware through an S3 bucket, malicious files are among the most dangerous because they easily evade detection.

What are Amazon S3 Buckets and Who Uses Them? 

Amazon S3 is a file hosting and object storage service; a bucket is the container in which it holds files. The service is popular among financial institutions, health care organizations, and insurance companies, and allows organizations to store and retrieve any file or dataset, at any time, from anywhere on the web. As organizations continue prioritizing rapid digital transformations, these types of services are gaining popularity—from large Fortune 500 companies to small, emerging startups.

Is Your Information in an S3 Bucket?

More than likely it is. Have you ever uploaded a contract, insurance claim, signed lease, or tax form to a portal? If so, you have interacted with an S3 bucket, and your information is likely being stored there. As a result, S3 buckets are a prime target for hackers. Not only does entry into S3 buckets provide them with access to troves of data that they can harvest and sell on dark web marketplaces, but it also allows hackers to steal and encrypt sensitive data that they can hold for ransom. 

How Hackers Leverage Misconfigured Amazon S3 Buckets and Malicious Files

Amazon S3 buckets are reachable over the public internet, and the responsibility is placed on the organization to configure access and grant permissions to the bucket along with the data and files it hosts. Unfortunately, many organizations fail to configure these permissions effectively, which results in devastating consequences. In March of 2020, an Amazon S3 bucket belonging to two financial organizations made headlines after highly sensitive financial and business documents were exposed due to a misconfiguration. In fact, misconfigured S3 buckets are becoming extremely common. Hackers know that they are able to search the web for open S3 buckets and will find thousands that are publicly exposing extremely sensitive information, such as login credentials, security keys, and API keys.

In some circumstances, once a hacker has gained access to an organization’s S3 bucket, they are able to upload a malicious file into the bucket. When an individual engages with the malicious file, they trigger a payload that will deploy malware and/or ransomware across the network. This can be extremely dangerous because these file-borne threats can easily evade detection since traditional signature-based solutions, such as next-generation antivirus (NGAV) and sandboxing, are unable to scan and identify threats within S3 buckets. 
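As an added illustration (this is example code written for this page, not code from Votiro, Rhino Security Labs or AWS), the following offline audit covers both misconfigurations the two paragraphs above describe: a bucket policy that grants anonymous read access (data exposure) or anonymous write access (the case where a stranger can plant a file in the bucket), beside a hardened policy and the S3 Block Public Access settings that would close the gap. The bucket name, account ID, role name and policy documents are constructed for the example; in practice the same checks would run over the documents returned by boto3's get_bucket_policy and get_public_access_block calls.

```python
"""Offline audit of S3 bucket policies and Block Public Access settings.

Constructed example, not Votiro's or AWS's code. Every bucket name,
account ID and role name below is made up for illustration.
"""
import json

# Actions that give anonymous callers read access to objects (data
# exposure) or write access (planting files in the bucket).
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}
WRITE_ACTIONS = {"s3:putobject", "s3:*", "*"}

# The four S3 Block Public Access settings; all must be True for the
# block to override a permissive bucket policy or ACL.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

# Constructed weak policy: anyone may read objects and anyone may upload.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-claims-portal/*"},
        {"Sid": "AnyoneCanUpload", "Effect": "Allow",
         "Principal": {"AWS": "*"}, "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-claims-portal/uploads/*"},
    ],
})

# Constructed hardened policy: one named role gets read/write, a wildcard
# grant is narrowed by a Condition, and a Deny (never a public grant)
# enforces TLS. The account ID is the AWS documentation placeholder.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PortalRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ClaimsPortal"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-claims-portal/*"},
        {"Sid": "VpcEndpointRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-claims-portal/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0example"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-claims-portal",
                      "arn:aws:s3:::example-claims-portal/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

STRICT_PUBLIC_ACCESS_BLOCK = {key: True for key in PAB_KEYS}


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True when the statement applies to every identity, anonymous included."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def audit_bucket_policy(policy_json):
    """Return human-readable findings for unconditional public grants.
    Statements carrying a Condition are skipped; a thorough audit would
    check whether that condition actually narrows the grant."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_public_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        actions = _as_list(stmt.get("Action"))
        sid = stmt.get("Sid", "<no Sid>")
        read_hits = sorted(a for a in actions if a.lower() in READ_ACTIONS)
        write_hits = sorted(a for a in actions if a.lower() in WRITE_ACTIONS)
        if read_hits:
            findings.append(f"{sid}: public READ via {', '.join(read_hits)}")
        if write_hits:
            findings.append(f"{sid}: public WRITE via {', '.join(write_hits)}")
    return findings


def public_access_block_is_strict(config):
    """True only when all four Block Public Access settings are enabled."""
    return all(config.get(key) is True for key in PAB_KEYS)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {audit_bucket_policy(policy) or ['no public grants']}")
    print("block public access strict:",
          public_access_block_is_strict(STRICT_PUBLIC_ACCESS_BLOCK))
```

The weak policy yields one READ finding and one WRITE finding; the hardened policy yields none, because its only wildcard Allow is narrowed by a Condition and its wildcard Deny is not a grant. Enabling all four Block Public Access settings is the belt-and-braces control: with them on, even a policy like the weak one above cannot take effect.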

How Votiro Prevents Attacks Originating from Compromising S3 Buckets

Organizations need to be able to leverage their expanding cloud ecosystem without increasing their attack surface. Votiro’s Positive Selection® technology prevents cyber threats from multiple sources and vectors. Votiro goes beyond NGAV and sandboxing solutions due to its ability to understand and protect all file types, from .ppt, .doc, .pdf, and image files all the way to more complex formats. Enterprises will have peace of mind knowing that their files within containers, such as Amazon S3 buckets, have been regenerated by Votiro into a safe format that can be saved, edited, used, shared, and recompressed without risk. Votiro’s technology preserves the integrity and functionality of the original file while eliminating all of the malicious elements.

Moving Forward

As ransomware attacks become more prevalent and increase in sophistication, detection-based solutions are no longer able to prevent an organization from becoming a victim. Instead of scanning for suspicious elements and blocking some malicious files, Votiro rebuilds the document, copying only the known-good, positively selected content and ensuring that only the safe template elements remain.

If you’d like to learn more about how to implement our proprietary technology within your organization, please feel free to schedule a demo today. 
