The article describes a Golang ransomware that abuses AWS S3 Transfer Acceleration to exfiltrate victim files to attacker-controlled S3 buckets. The samples contained hard-coded AWS credentials, which led to AWS account suspensions, and the ransomware was disguised as LockBit to increase pressure on victims. The attackers did not exploit vulnerabilities in AWS services; they used the services as tools for malicious activity.

Ransomware samples abusing AWS S3 to steal data are disguised as LockBit

The investigation covered the ransomware's capabilities, including its encryption algorithms, file processing steps, and the exfiltration process to AWS. These tactics show how threat actors are adopting cloud services for their operations. The article also emphasized the importance of monitoring cloud resources and identifying threats that leverage cloud service providers. It concluded with feedback from AWS Security confirming that the reported AWS access keys and account were suspended for violating the AWS acceptable use policy.
https://www.trendmicro.com/en_us/research/24/j/fake-lockbit-real-damage-ransomware-samples-abuse-aws-s3-to-stea.html
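
One way to act on the monitoring advice above, as an added example that is not from the Trend Micro article: flag internal hosts that resolve S3 Transfer Acceleration endpoints for buckets the organisation does not own. The resolver log format, bucket names and client addresses are constructed assumptions; the `s3-accelerate` hostname forms are the standard Transfer Acceleration endpoints.

```python
import re
from collections import defaultdict

# Transfer Acceleration endpoints carry the bucket name as the first DNS label.
# Accelerated bucket names cannot contain dots, so one label is enough.
ACCEL_RE = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9-]{1,61}[a-z0-9])"
    r"\.s3-accelerate(?:\.dualstack)?\.amazonaws\.com\.?$"
)

# Assumption: buckets this organisation owns with acceleration enabled.
KNOWN_BUCKETS = {"corp-backups-prod"}

# Constructed sample resolver log: "<timestamp> <client_ip> <queried_name>".
SAMPLE_LOG = """\
2024-10-01T09:00:01Z 10.0.4.17 corp-backups-prod.s3-accelerate.amazonaws.com
2024-10-01T09:02:11Z 10.0.4.23 example-unknown-bucket.s3-accelerate.amazonaws.com.
2024-10-01T09:02:12Z 10.0.4.23 EXAMPLE-UNKNOWN-BUCKET.s3-accelerate.dualstack.amazonaws.com
2024-10-01T09:03:40Z 10.0.4.23 www.example.com
malformed line
2024-10-01T09:05:00Z 10.0.4.31 s3-accelerate.amazonaws.com
"""


def find_unknown_accelerate_buckets(log_text, known_buckets):
    """Return {client_ip: {bucket: query_count}} for accelerate endpoints
    whose bucket is not in known_buckets."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than guessing fields
        _, client, qname = parts
        match = ACCEL_RE.match(qname.lower())  # DNS names are case-insensitive
        if match and match.group("bucket") not in known_buckets:
            hits[client][match.group("bucket")] += 1
    return {client: dict(buckets) for client, buckets in hits.items()}


if __name__ == "__main__":
    findings = find_unknown_accelerate_buckets(SAMPLE_LOG, KNOWN_BUCKETS)
    for client, buckets in findings.items():
        for bucket, count in buckets.items():
            print(f"{client} resolved unrecognised accelerate bucket {bucket!r} x{count}")
```

A hit is a lead for triage rather than proof of exfiltration, since third-party software may legitimately use accelerated buckets; correlate it with outbound byte counts from the same host.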