2024-03-07

Attackers' Bluff Exposed in S3 Bucket Deletion Scam

Level: Tactical | Source: Stephan Berger (@malmoeb)


In an analysis shared by Stephan Berger (@malmoeb), a cybersecurity incident was examined in which attackers deleted AWS S3 buckets and then demanded a ransom. The event began with reconnaissance traced back to January 18, 2024, when the attackers used standard AWS API calls to survey the cloud environment, specifically querying Amazon Simple Email Service (SES) and Amazon Simple Storage Service (S3). These preliminary steps included listing buckets (ListBuckets) and querying sending quotas (GetSendQuota). On February 5, 2024, the attackers returned and ran additional discovery commands, in particular to establish whether logging was enabled on the buckets. Having gathered that context, the attackers escalated their campaign by deleting the S3 bucket.

The ransom note left behind, together with a supposed recovery binary, was analyzed by Berger and found to be a façade. He identified the artifact as a "red herring": a psychological tactic aimed at pressuring the victim into compliance and paying the ransom. The ransom note claims that the victim's files were downloaded and backed up on the attackers' servers, threatens to sell or permanently delete them unless a ransom is paid within five days, and promises data restoration upon payment. The binary, rather than facilitating any form of data recovery, proved to be a decoy: Berger's examination showed that its operations were limited to creating directories and files locally, without establishing any network connections or interacting with AWS services.

Furthermore, the incident response investigation found that the attackers achieved minimal success in data exfiltration: only a small segment, 2GB of a dataset exceeding 1TB, was actually taken. This finding, set against the attackers' exaggerated claims and the misleading recovery binary, highlights the deceptive nature of the operation.
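The two investigative steps described above, correlating the reconnaissance calls with the later DeleteBucket and measuring how much data was actually read before the deletion, can both be answered from CloudTrail. The following is an added example written for this summary; it is not code from Berger's analysis or from the original article. The record layout follows CloudTrail's JSON format, but every value in it (account ID, ARNs, IP addresses, bucket name, byte counts) is constructed, and the `bytesTransferredOut` field is assumed to be populated as it is for S3 data events.

```python
"""Correlate AWS reconnaissance calls with a later S3 DeleteBucket, and size the real
data loss from GetObject data events. Constructed sample records; nothing here is
taken from the incident described in the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery calls named in the write-up, keyed by the CloudTrail eventSource they appear under.
RECON_EVENTS = {
    "s3.amazonaws.com": {"ListBuckets", "GetBucketLogging"},
    "ses.amazonaws.com": {"GetSendQuota"},
}
# A bucket must be emptied before DeleteBucket succeeds, so object deletions count too.
DESTRUCTIVE_EVENTS = {"DeleteBucket", "DeleteObject", "DeleteObjects"}

ATTACKER = "arn:aws:iam::111122223333:user/compromised-user"   # constructed ARN
ADMIN = "arn:aws:iam::111122223333:user/backup-admin"          # constructed ARN
BUCKET = "example-data-bucket"                                 # constructed bucket name


def _record(time, source, name, arn, ip, **extra):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": arn}, "sourceIPAddress": ip}
    rec.update(extra)
    return rec


SAMPLE_EVENTS = [
    _record("2024-01-18T10:02:11Z", "s3.amazonaws.com", "ListBuckets", ATTACKER, "198.51.100.7"),
    _record("2024-01-18T10:02:45Z", "ses.amazonaws.com", "GetSendQuota", ATTACKER, "198.51.100.7"),
    _record("2024-02-05T08:15:02Z", "s3.amazonaws.com", "GetBucketLogging", ATTACKER, "198.51.100.9",
            requestParameters={"bucketName": BUCKET}),
    _record("2024-02-05T08:20:00Z", "s3.amazonaws.com", "GetObject", ATTACKER, "198.51.100.9",
            requestParameters={"bucketName": BUCKET, "key": "exports/part-0001.csv"},
            additionalEventData={"bytesTransferredOut": 1_073_741_824}),
    _record("2024-02-05T08:31:17Z", "s3.amazonaws.com", "GetObject", ATTACKER, "198.51.100.9",
            requestParameters={"bucketName": BUCKET, "key": "exports/part-0002.csv"},
            additionalEventData={"bytesTransferredOut": 1_073_741_824}),
    _record("2024-02-05T09:02:40Z", "s3.amazonaws.com", "DeleteBucket", ATTACKER, "198.51.100.9",
            requestParameters={"bucketName": BUCKET}),
    # A legitimate admin listing buckets looks like recon on its own but is never followed
    # by a destructive call, so it must not fire.
    _record("2024-02-05T07:00:00Z", "s3.amazonaws.com", "ListBuckets", ADMIN, "203.0.113.5"),
]


def _ts(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _principal(rec):
    return rec["userIdentity"].get("arn", "unknown")


def find_recon_then_delete(events, window_days=30):
    """Return {principal: [(destructive_event, [recon events seen in the prior window])]}.

    A principal is reported only when a destructive S3 call is preceded, within
    `window_days`, by at least one of the discovery calls in RECON_EVENTS."""
    by_principal = defaultdict(list)
    for rec in sorted(events, key=_ts):
        by_principal[_principal(rec)].append(rec)

    hits = {}
    for principal, recs in by_principal.items():
        recon = [r for r in recs if r["eventName"] in RECON_EVENTS.get(r["eventSource"], set())]
        for r in recs:
            if r["eventSource"] != "s3.amazonaws.com" or r["eventName"] not in DESTRUCTIVE_EVENTS:
                continue
            prior = {p["eventName"] for p in recon
                     if timedelta(0) <= _ts(r) - _ts(p) <= timedelta(days=window_days)}
            if prior:
                hits.setdefault(principal, []).append((r["eventName"], sorted(prior)))
    return hits


def bytes_read(events, principal, bucket):
    """Sum the bytes actually served to `principal` from `bucket` via GetObject data events.

    This is the figure to compare against a ransom note's claim of a full copy."""
    return sum(r.get("additionalEventData", {}).get("bytesTransferredOut", 0)
               for r in events
               if _principal(r) == principal and r["eventName"] == "GetObject"
               and r.get("requestParameters", {}).get("bucketName") == bucket)


if __name__ == "__main__":
    for principal, sequence in find_recon_then_delete(SAMPLE_EVENTS).items():
        print(principal, sequence)
    read = bytes_read(SAMPLE_EVENTS, ATTACKER, BUCKET)
    print(f"{read / 2**30:.1f} GiB read from {BUCKET} before deletion")
```

On the sample data only the constructed attacker principal is reported, with all three discovery calls inside the 30-day window before DeleteBucket, while the admin's lone ListBuckets stays silent; `bytes_read` gives 2 GiB, which is the number to set against the size of the bucket when assessing a "we have all your data" claim. In production the same logic runs over CloudTrail management events for the recon calls and S3 data events (which must be enabled separately) for the GetObject byte counts.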
