In order to profit effectively from a ransomware attack, a threat actor needs to have something to offer in return for payment. This blog post outlines a process to encrypt AWS resources and then revoke access to the secret material until the ransom is paid.
Apparently, this post caused some consternation at AWS, and perhaps I should have given them a heads up. So I’m unpublishing it for the time being and giving AWS some time to digest and see if they want to add any mitigations.
tl;dr
There are two AWS KMS Actions, ImportKeyMaterial and DeleteImportedKeyMaterial, and threat actors can abuse that. Also, GenAI has no guard rails and happily creates a bunch of scripts that cause folks to freak out.
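For defenders, the two actions named above are visible in CloudTrail. The following is an added example, not code from the original post: a small detector that flags external-origin key creation and key-material import or removal. The sample records are constructed, and the field layout (requestParameters.keyId, requestParameters.origin, userIdentity.arn) and the helper names are assumptions.

```python
# Added example. Records below are constructed, not real CloudTrail logs; the
# field layout (requestParameters.keyId / origin, userIdentity.arn) is assumed.
def _ev(time, name, params, resp=None, error=None):
    ev = {"eventTime": time, "eventSource": "kms.amazonaws.com", "eventName": name,
          "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"},
          "requestParameters": params, "responseElements": resp}
    if error:
        ev["errorCode"] = error
    return ev

SAMPLE_EVENTS = [  # deliberately out of order; detect() sorts by eventTime
    _ev("2024-01-01T11:00:00Z", "DeleteImportedKeyMaterial", {"keyId": "key-A"}),
    _ev("2024-01-01T10:00:00Z", "CreateKey", {"origin": "EXTERNAL"},
        resp={"keyMetadata": {"keyId": "key-A"}}),
    _ev("2024-01-01T10:05:00Z", "ImportKeyMaterial", {"keyId": "key-A"}),
    _ev("2024-01-01T10:06:00Z", "Encrypt", {"keyId": "key-A"}),
    _ev("2024-01-01T11:30:00Z", "DeleteImportedKeyMaterial", {"keyId": "key-B"},
        error="AccessDenied"),
]

def _key_id(ev):
    # CreateKey returns the key id in the response; the other calls take it as input.
    params = ev.get("requestParameters") or {}
    meta = (ev.get("responseElements") or {}).get("keyMetadata") or {}
    return params.get("keyId") or meta.get("keyId")

def detect(events):
    """Return findings for external-origin key creation and key-material import/removal."""
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev.get("eventSource") != "kms.amazonaws.com":
            continue
        name = ev.get("eventName")
        params = ev.get("requestParameters") or {}
        if name == "CreateKey":
            if params.get("origin") != "EXTERNAL":
                continue
        elif name not in ("ImportKeyMaterial", "DeleteImportedKeyMaterial"):
            continue
        if ev.get("errorCode"):
            severity = "low"      # attempt was rejected, still worth a look
        elif name == "DeleteImportedKeyMaterial":
            severity = "high"     # data under this key is unreadable until re-import
        else:
            severity = "medium"
        findings.append({"time": ev["eventTime"], "event": name, "key": _key_id(ev),
                         "principal": (ev.get("userIdentity") or {}).get("arn"),
                         "severity": severity})
    return findings
```

Accounts that never use imported key material can treat any hit as anomalous; accounts that do should baseline the expected principals first.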