Potential ransomware note uploaded to an AWS S3 bucket
Description
AlphaSOC detected an object with a suspicious name uploaded to an AWS S3 bucket, potentially containing a ransomware note. Adversaries may leave ransom notes in affected systems to communicate their demands.
Impact
The presence of a potential ransomware note in an AWS S3 bucket may indicate a compromise of the AWS environment. Ransomware may result in data encryption, exfiltration, or destruction across AWS services.
Severity
| Severity | Condition |
|---|---|
| Medium | Potential ransomware note uploaded to an AWS S3 bucket |
Investigation and Remediation
Review the suspicious object in the S3 bucket. Examine its contents, creation timestamp, and the user or role responsible for its upload. Analyze AWS CloudTrail logs for unusual activity. If ransomware is confirmed, isolate the affected resources and revoke any compromised credentials.
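
One way to run the CloudTrail review described above, as an added example that is not AlphaSOC's detection logic: it scans S3 data-event records for successful uploads with note-like object names and reports the uploader, timestamp, source IP, and that principal's other S3 calls. The name patterns, extension list, and sample records are illustrative assumptions, and it presumes S3 data events are enabled on the trail, since object-level calls are not logged by default.

```python
import re
from collections import Counter

# Assumed name heuristic for illustration; not the detection's actual logic.
NOTE_NAME = re.compile(r"ransom|decrypt|recover|restore|how[_\- ]?to", re.I)
NOTE_EXT = (".txt", ".html", ".hta")
WRITE_EVENTS = {"PutObject", "CopyObject", "CompleteMultipartUpload"}

def principal(rec):
    """Caller ARN, falling back to the identity type when no ARN is logged."""
    ident = rec.get("userIdentity") or {}
    return ident.get("arn") or ident.get("type", "unknown")

def triage(records):
    """One finding per suspicious upload, plus the uploader's other S3 calls."""
    s3 = [r for r in records if r.get("eventSource") == "s3.amazonaws.com"]
    findings = []
    for r in s3:
        params = r.get("requestParameters") or {}
        name = (params.get("key") or "").rsplit("/", 1)[-1]
        ok_write = r.get("eventName") in WRITE_EVENTS and not r.get("errorCode")
        if not (ok_write and NOTE_NAME.search(name) and name.lower().endswith(NOTE_EXT)):
            continue  # keep only successful writes whose file name looks like a note
        who = principal(r)
        calls = Counter(e.get("eventName") for e in s3 if principal(e) == who)
        findings.append({
            "bucket": params.get("bucketName"), "key": params.get("key"),
            "time": r.get("eventTime"), "source_ip": r.get("sourceIPAddress"),
            "principal": who, "calls_by_principal": dict(calls),
        })
    return findings

def _ev(name, key, arn, t, **extra):  # constructed record in CloudTrail S3 data-event shape
    return {"eventSource": "s3.amazonaws.com", "eventName": name, "eventTime": t,
            "sourceIPAddress": "203.0.113.10", "userIdentity": {"arn": arn},
            "requestParameters": {"bucketName": "example-bucket", "key": key}, **extra}

ROLE = "arn:aws:sts::111122223333:assumed-role/ExampleRole/session1"
USER = "arn:aws:iam::111122223333:user/example-user"
SAMPLE = [  # constructed records, not real log data
    _ev("DeleteObject", "data/a.csv", ROLE, "2024-01-01T10:00:00Z"),
    _ev("DeleteObject", "data/b.csv", ROLE, "2024-01-01T10:00:05Z"),
    _ev("PutObject", "data/HOW_TO_RECOVER_FILES.txt", ROLE, "2024-01-01T10:01:00Z"),
    _ev("PutObject", "docs/restore-notes.pdf", USER, "2024-01-01T11:00:00Z"),
    _ev("PutObject", "README_DECRYPT.txt", USER, "2024-01-01T11:05:00Z", errorCode="AccessDenied"),
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

The per-principal call counts give a starting point for scoping: a burst of DeleteObject calls from the same role around the upload time points to which credentials to revoke first.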