Potential ransomware note uploaded to an AWS S3 bucket

ID: aws_s3_ransom_note_uploaded
Data type: AWS CloudTrail
Severity: Medium
MITRE ATT&CK: TA0040:T1486

Description

AlphaSOC detected an object with a suspicious name uploaded to an AWS S3 bucket, potentially containing a ransomware note. Adversaries may leave ransom notes on affected systems to communicate their demands.

Impact

The presence of a potential ransomware note in an AWS S3 bucket may indicate a compromise of the AWS environment. Ransomware may result in data encryption, exfiltration, or destruction across AWS services.

Severity

Severity   Condition
Medium     Potential ransomware note uploaded to an AWS S3 bucket

Investigation and Remediation

Review the suspicious object in the S3 bucket. Examine its contents, creation timestamp, and the user or role responsible for its upload. Analyze AWS CloudTrail logs for unusual activity. If ransomware is confirmed, isolate the affected resources and revoke any compromised credentials.
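The triage step above, as an added example that is not part of AlphaSOC's documentation or product code: it scans CloudTrail S3 data events for PutObject calls whose object key looks like a ransom note and pulls out the uploader, timestamp and source IP for review. The key pattern and the sample records are constructed here and do not reflect AlphaSOC's actual matching logic; it assumes S3 data events are enabled in the trail, since management-only trails do not record PutObject.

```python
import json
import re

# Object-name pattern typical of ransom notes. Constructed for this example;
# AlphaSOC's own matching logic is not published on this page.
RANSOM_NOTE_KEY = re.compile(
    r"(?:^|/)[^/]*(?:readme|how[_ -]?to|restore|recover|decrypt|ransom|unlock)"
    r"[^/]*\.(?:txt|html|hta)$",
    re.IGNORECASE,
)

def find_ransom_note_uploads(cloudtrail_json):
    """Return S3 PutObject events whose key looks like a ransom note.
    Needs S3 data events enabled in CloudTrail; management-only trails never log PutObject."""
    hits = []
    for rec in json.loads(cloudtrail_json).get("Records", []):
        if rec.get("eventSource") != "s3.amazonaws.com" or rec.get("eventName") != "PutObject":
            continue
        params = rec.get("requestParameters") or {}
        key = params.get("key", "")
        if not RANSOM_NOTE_KEY.search(key):
            continue
        ident = rec.get("userIdentity", {})
        hits.append({"time": rec.get("eventTime"), "bucket": params.get("bucketName"), "key": key,
                     "principal": ident.get("arn") or ident.get("principalId"),
                     "source_ip": rec.get("sourceIPAddress"), "user_agent": rec.get("userAgent")})
    return hits

def _event(name, key, time):
    """Minimal CloudTrail S3 data-event record (constructed sample, not a real log)."""
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "sourceIPAddress": "198.51.100.23", "userAgent": "[aws-cli/2.15.0]",
            "userIdentity": {"type": "AssumedRole", "principalId": "AROAEXAMPLE:ci-runner",
                             "arn": "arn:aws:sts::123456789012:assumed-role/BackupWriter/ci-runner"},
            "requestParameters": {"bucketName": "corp-backups-example", "key": key}}

# Constructed log: one benign upload, one ransom-note-like upload, one read (ignored).
SAMPLE_LOG = json.dumps({"Records": [
    _event("PutObject", "docs/README.md", "2024-05-01T02:11:09Z"),
    _event("PutObject", "backups/README_TO_RESTORE_FILES.txt", "2024-05-01T02:14:37Z"),
    _event("GetObject", "backups/README_TO_RESTORE_FILES.txt", "2024-05-01T02:15:02Z"),
]})

if __name__ == "__main__":
    for hit in find_ransom_note_uploads(SAMPLE_LOG):
        print(f"{hit['time']} {hit['principal']} wrote s3://{hit['bucket']}/{hit['key']} from {hit['source_ip']}")
```

The principal and source IP of each hit are the pivot points for the wider CloudTrail review: any other activity by that role session or address around the same time is the next thing to check before deciding on isolation and credential revocation.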