New Amazon Ransomware Attack—‘Recovery Impossible’ Without Payment

As reported on: https://www.forbes.com/sites/daveywinder/2025/01/15/new-amazon-ransomware-attack-recovery-impossible-without-payment/

A new ransomware threat called Codefinger is targeting Amazon Web Services (AWS) S3 users, leveraging AWS’s server-side encryption with customer-provided keys (SSE-C). Once attackers gain account credentials—often through reused or weak passwords—they encrypt user data with AES-256 keys that are not stored on AWS, making recovery impossible without the attacker’s key. This method does not exploit AWS vulnerabilities directly but abuses legitimate encryption features.

Security experts highlight the severity of this attack, as the use of SSE-C means even AWS cannot help recover the data. Codefinger sets 7-day deletion lifecycles for urgency and leaves ransom notes warning victims against changing settings. The attack revives debate over potential U.K. legislation to ban ransom payments, particularly for national infrastructure, raising concerns about legal and ethical dilemmas for affected companies.

Experts argue that while paying ransoms funds cybercrime and offers no guarantee of recovery, organizations may have no viable alternative without robust security measures in place. They stress the need for better prevention, detection, and recovery practices, and call for more government support to assist victims.

AWS responded by reiterating its shared responsibility model and urging users to follow best security practices, including strong passwords and multi-factor authentication.
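A defender-side triage example for the two behaviours described above (object writes that use SSE-C, and a lifecycle rule that deletes objects within 7 days), added here and not taken from the article or from AWS. The CloudTrail record layout, the event names and the sample records are constructed assumptions; object-level calls only appear if S3 data-event logging is enabled on the trail.

```python
from collections import defaultdict

SSE_C_PARAM = "x-amz-server-side-encryption-customer-algorithm"  # request header marking SSE-C
WRITE_EVENTS = {"PutObject", "CopyObject", "CreateMultipartUpload"}
LIFECYCLE_EVENTS = {"PutBucketLifecycle", "PutBucketLifecycleConfiguration"}
SHORT_EXPIRY_DAYS = 7  # the deletion window the article describes

def expiry_days(params):
    """Yield Expiration.Days from each lifecycle rule (Rule may be a dict or a list)."""
    rules = (params.get("LifecycleConfiguration") or {}).get("Rule") or []
    for rule in rules if isinstance(rules, list) else [rules]:
        days = (rule.get("Expiration") or {}).get("Days")
        if days is not None:
            yield int(days)

def triage(events):
    """Group SSE-C writes and short-expiry lifecycle changes by bucket."""
    buckets = defaultdict(lambda: {"sse_c_writes": 0, "min_expiry": None, "principals": set()})
    for ev in events:
        params = ev.get("requestParameters") or {}
        name = ev.get("eventName")
        sse_c = name in WRITE_EVENTS and SSE_C_PARAM in params
        short = [d for d in expiry_days(params) if d <= SHORT_EXPIRY_DAYS] if name in LIFECYCLE_EVENTS else []
        if not (sse_c or short):
            continue  # ordinary traffic, including SSE-S3 and SSE-KMS writes
        b = buckets[params.get("bucketName", "unknown")]
        b["principals"].add((ev.get("userIdentity") or {}).get("arn", "unknown"))
        b["sse_c_writes"] += int(sse_c)
        if short:
            b["min_expiry"] = min(short if b["min_expiry"] is None else short + [b["min_expiry"]])
    for b in buckets.values():
        # Both signals on one bucket match the pattern in the article; one alone needs review.
        b["severity"] = "high" if b["sse_c_writes"] and b["min_expiry"] is not None else "review"
    return dict(buckets)

# Constructed sample records (assumed layout, placeholder account and names).
USER = {"arn": "arn:aws:iam::111122223333:user/example-user"}
SAMPLE_EVENTS = [
    {"eventName": "PutObject", "userIdentity": USER,
     "requestParameters": {"bucketName": "example-finance", "key": "q1.csv", SSE_C_PARAM: "AES256"}},
    {"eventName": "PutBucketLifecycle", "userIdentity": USER,
     "requestParameters": {"bucketName": "example-finance", "LifecycleConfiguration":
                           {"Rule": {"Status": "Enabled", "Expiration": {"Days": 7}}}}},
    {"eventName": "PutObject", "userIdentity": USER,
     "requestParameters": {"bucketName": "example-logs", "x-amz-server-side-encryption": "aws:kms"}},
    {"eventName": "CopyObject", "userIdentity": USER,
     "requestParameters": {"bucketName": "example-media", SSE_C_PARAM: "AES256"}},
]
```

Buckets that legitimately use SSE-C will show up as `review`; an allow-list of expected principals keeps that noise down.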
