Fake LockBit ransomware exploits AWS targeting Windows and macOS


A new ransomware strain, written in Go (Golang) and imitating the infamous LockBit ransomware, abuses Amazon Web Services (AWS) infrastructure to attack both Windows and macOS systems. While the strain embeds hardcoded AWS credentials for data exfiltration, its most striking feature is its abuse of Amazon S3 Transfer Acceleration (S3TA), a feature designed to speed up data transfers.

As researchers found, the ransomware is distinct in its use of Golang and a single code base, which lets it be deployed across different operating systems; it specifically targets both Windows and macOS environments.

Notably, most of the ransomware samples discovered contained hardcoded AWS credentials, signalling a direct attempt to infiltrate cloud systems. This suggests that the threat actors use either compromised AWS accounts or accounts of their own to carry out the attack.

One particularly deceptive tactic employed by the ransomware is its use of LockBit’s branding. After the attack, the victim’s wallpaper is changed to an image associated with LockBit, a notorious ransomware family. This may mislead victims into believing they are dealing with a high-profile attacker, further pressuring them to meet ransom demands.

Golang ransomware strain imitates LockBit ransomware to create a psychological advantage for threat actors. | Source: Trend Micro

However, the true perpetrators appear to be an entirely separate group, merely exploiting LockBit’s infamous reputation to increase the psychological impact on victims.

The process begins with the ransomware collecting the host machine’s UUID and importing a public RSA key hardcoded into the malware. Using this public key, the ransomware encrypts a randomly generated master key and stores the encrypted key in a readme file on the victim’s system. This ensures that only the attacker, who holds the matching private key, can decrypt the stolen data.

Once the ransomware is fully initialised, it scans the infected system for files to encrypt, deliberately skipping certain folders on macOS. Document, image, and data files are among the prime targets for encryption. Files larger than 100 MiB are excluded to reduce the attackers’ AWS storage and transfer costs.

The attack chain explained. | Source: Trend Micro

A critical aspect of this ransomware is its use of AWS services: it creates an S3 bucket in an AWS account controlled by the attacker, and each victim’s stolen files are uploaded to this bucket using S3 Transfer Acceleration (S3TA). This feature speeds up data transfer over long distances by routing uploads through Amazon CloudFront’s edge locations.

By enabling S3TA, the attackers optimise the upload process, making exfiltration faster and more efficient.

Files smaller than 100 MiB are uploaded to the bucket using the AWS SDK for Go v2, with static credentials (an AWS Access Key ID and Secret Access Key) hardcoded into the ransomware’s code. Only the smaller files are transferred to minimise costs; larger ones are excluded.
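Because the samples carry static AWS credentials in their string table, a first triage step for a captured binary is to locate those keys so they can be revoked and reported. The script below is an added example, not code from Trend Micro or the article; the sample bytes are constructed and use AWS’s documentation placeholder values, not keys from any real sample.

```python
import math
import re
from collections import Counter

# Access key IDs: 4-char prefix (AKIA = long-term user key, ASIA = temporary STS key)
# followed by 16 upper-case alphanumerics, 20 characters in total.
KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])((?:AKIA|ASIA)[A-Z0-9]{16})(?![A-Z0-9])")
# Secret access keys are 40 characters of base64-like text. The pattern alone is
# noisy in a large Go binary, so candidates are filtered by Shannon entropy below.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+=])")

# Constructed stand-in for the string region of a stripped Go binary; the key pair
# is the well-known AWS documentation example, not a live credential.
SAMPLE = (
    b"\x00go:buildid\x00github.com/aws/aws-sdk-go-v2/config\x00"
    b"AKIAIOSFODNN7EXAMPLE\x00"
    b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    b"bucket.s3-accelerate.amazonaws.com\x00"
)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a random 40-char secret scores well above 4.0."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_aws_credentials(blob: bytes, window: int = 256, min_entropy: float = 4.0):
    """Return (key_id, secret_or_None, offset) for each access key ID in blob."""
    hits = []
    for m in KEY_ID_RE.finditer(blob):
        start, end = m.span(1)
        # Go keeps string literals in one contiguous read-only region, so a hardcoded
        # secret usually sits within a few hundred bytes of its key ID.
        region = blob[max(0, start - window):end + window]
        secret = None
        for s in SECRET_RE.finditer(region):
            cand = s.group(1)
            if shannon_entropy(cand) >= min_entropy:
                secret = cand.decode()
                break
        hits.append((m.group(1).decode(), secret, start))
    return hits


if __name__ == "__main__":
    for key_id, secret, off in find_aws_credentials(SAMPLE):
        print(f"offset {off}: {key_id} secret={'found' if secret else 'none'}")
```

Any key ID found this way should be treated as compromised and rotated; CloudTrail activity for that key shows which buckets the exfiltration used.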

The exfiltration process culminates in the full encryption of the victim’s files using AES-CTR, further complicating any attempt at data recovery without the decryption key.

Researchers recommend continuously monitoring cloud resources and enforcing strict access controls to limit potential abuse. One key measure is regularly rotating access keys and credentials. Additionally, organisations can implement multi-factor authentication (MFA) and deploy endpoint security solutions.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me