- A large number of S3 objects were copied in a way that may indicate the encryption phase of ransomware activity in the environment.
Possible Root Causes
- An attacker leveraging AWS APIs to encrypt S3 objects with the goal of demanding a ransom for the key to decrypt.
- Security or IT operations are manipulating and encrypting S3 objects in bulk as part of normal operations.
- Ransomware attacks directly impact access to the organization’s data and are popular among attackers due to the possibility of a quick transition from attack to monetization. • After files have been encrypted, the attacker will ask the organization to pay a ransom in return for a promise to provide the encryption key which would allow the files to be decrypted.
- Even if an organization is willing to pay the ransom, there is no guarantee that the encryption key will be provided by the attacker or that the decryption process will work.
Steps to Verify
- Investigate the account context that performed the action for other signs of malicious activity.
- Validate that any modifications are authorized, given the purpose and policies governing this resource.
- If review indicates possible malicious actions or high-risk configuration, disable credential associated with this alert then perform a comprehensive investigation.