Fake LockBit Real Damage Ransomware Samples Abuse AWS S3 to Steal Data

216.73.216.6

Fake LockBit Real Damage Ransomware Samples Abuse AWS S3 to Steal Data

· Published 17/10/2024 09:43 · Modified 17/10/2024 10:20

Essential information

Published: 17/10/2024 09:43
Modified: 17/10/2024 10:20
Tags: 2024-10-17 aws data exfiltration golang lockbit-imitation ransomware
Related entities: 39 observables, 16 techniques (mitre)

Description

This report discusses malicious Golang ransomware samples that exploit Amazon S3's Transfer Acceleration feature to exfiltrate victims' data and upload it to attacker-controlled S3 buckets. The samples contained hard-coded AWS credentials linked to compromised accounts, allowing the researchers to track and report malicious activity. The ransomware attempted to disguise itself as LockBit ransomware, likely to leverage its notoriety and pressurize victims, though no connection to LockBit's operators was found.

External references

https://www.trendmicro.com/en_us/research/24/j/fake-lockbit-real-damage-ransomware-samples-abuse-aws-s3-to-stea.html
https://otx.alienvault.com/pulse/6710dc2aaaa688eb015e4a1c