Perfecting Ransomware on AWS — Using keys to the kingdom to change the locks

submitted by
Style Pass
2024-10-12 15:30:04

If someone asked me what was the best way to make money from a compromised AWS account (assume even root access), I would have answered: "dump the data and hope that no one notices you before you finish."

That answer would have been valid until about 8 months ago, when I stumbled upon a lesser-known feature of AWS KMS that allows an attacker to carry out devastating ransomware attacks on a compromised AWS account.

Now, I know that ransomware attacks using cross-account KMS keys are already known (check out the article below). But even then, the CMK is managed by AWS: because the key is OWNED by AWS and the attacker is merely given API access to it under the AWS TOS, AWS can block the attacker's access to the CMK and decrypt the data for the victim. Also, there is no way to delete a CMK immediately; you can only schedule the key deletion (minimum 7 days), which leaves ample time for AWS to intervene.

AWS KMS External Key Store (XKS) allows KMS API calls to communicate securely with your on-premises Hardware Security Module (HSM), so the key material never leaves your HSM. This feature enables encrypting data with external keys across more than 100 AWS services, such as Amazon EBS and S3, without modifying existing configurations. It is beneficial for a small portion of regulated workloads, but it introduces additional operational burden and risk, making it suitable only for a limited number of customers.
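The security-relevant difference between the two cases above is where the key material lives: a CMK backed by an external key store cannot be recovered by AWS, so the creation of such a store, or of a key whose origin is the external store, is the event a defender most wants to see. The following detector is an added example, not code from the original article; it scans CloudTrail-style records for the KMS `CreateCustomKeyStore` and `CreateKey` calls and flags those whose `customKeyStoreType` or `origin` is `EXTERNAL_KEY_STORE`, and also flags XKS proxy endpoints that are not on an allowlist. The sample events and the `KNOWN_XKS_ENDPOINTS` allowlist are constructed for this example; the field names follow the KMS API as CloudTrail logs it.

```python
"""Flag CloudTrail records that introduce KMS keys whose material lives outside AWS.

Added example for this page. The events below are constructed; the event and
parameter names (CreateCustomKeyStore, CreateKey, customKeyStoreType, origin)
are the KMS API names that appear in CloudTrail records.
"""
from typing import Iterable

EXTERNAL = "EXTERNAL_KEY_STORE"

# Assumption: the organisation knows which XKS proxies it operates. Any other
# endpoint is treated as unexpected. Values here are constructed placeholders.
KNOWN_XKS_ENDPOINTS = {"https://xks.example-corp.internal"}


def flag_external_key_events(records: Iterable[dict]) -> list[dict]:
    """Return one finding per KMS event that creates an external key store or
    a key backed by one. Records from other services are ignored."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "kms.amazonaws.com":
            continue
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        actor = (rec.get("userIdentity") or {}).get("arn", "<unknown>")

        if name == "CreateCustomKeyStore" and params.get("customKeyStoreType") == EXTERNAL:
            endpoint = params.get("xksProxyUriEndpoint", "")
            findings.append({
                "event": name,
                "actor": actor,
                "severity": "high" if endpoint not in KNOWN_XKS_ENDPOINTS else "medium",
                "detail": f"external key store '{params.get('customKeyStoreName')}' "
                          f"pointing at {endpoint or '<no endpoint>'}",
            })
        elif name == "CreateKey" and params.get("origin") == EXTERNAL:
            findings.append({
                "event": name,
                "actor": actor,
                "severity": "high",
                "detail": f"key created in external store {params.get('customKeyStoreId')}",
            })
    return findings


def count_by_severity(findings: list[dict]) -> dict:
    """Small summary helper so dashboards can show how many high findings exist."""
    counts: dict = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed sample: two benign KMS events, two that should be flagged, one non-KMS event.
SAMPLE_EVENTS = [
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/app-deployer"},
     "requestParameters": {"origin": "AWS_KMS"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateCustomKeyStore",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/hsm-admin"},
     "requestParameters": {"customKeyStoreName": "hsm-store", "customKeyStoreType": "AWS_CLOUDHSM"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateCustomKeyStore",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"customKeyStoreName": "ext-store", "customKeyStoreType": EXTERNAL,
                           "xksProxyUriEndpoint": "https://xks.unknown-host.example"}},
    {"eventSource": "kms.amazonaws.com", "eventName": "CreateKey",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:root"},
     "requestParameters": {"origin": EXTERNAL, "customKeyStoreId": "cks-EXAMPLE-ID"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "requestParameters": {}},
]

if __name__ == "__main__":
    for finding in flag_external_key_events(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["event"], finding["actor"], finding["detail"])
```

Run against the constructed sample, the detector reports exactly the two external-store events (both made by root) and ignores the CloudHSM-backed store and the ordinary `CreateKey`. In a real deployment the same function would be fed from a CloudTrail log subscription, and a preventive control such as denying `kms:CreateCustomKeyStore` outside a dedicated account would sit alongside it.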
