LoFP / Administrators may legitimately access, delete, and replace objects in S3 buckets. Ensure that the uploaded files are not part of a legitimate operation before taking action.

Techniques

Sample rules

Potential AWS S3 Bucket Ransomware Note Uploaded

Description

Identifies a potential ransomware note being uploaded to an AWS S3 bucket. The rule matches a successful PutObject S3 API call whose object key (the part of the resource ARN after the bucket name) contains a common ransomware note name or extension, such as ransom or lock. Adversaries with write access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims. The tokens in the pattern (for example enc, lock, readme, recovery) are short enough to occur in ordinary object keys, and the EQL regex operator is case-sensitive, so expect benign hits from administrative uploads and tune the exclusion list for your own buckets.

Detection logic

file where
  event.dataset == "aws.cloudtrail" and
  event.provider == "s3.amazonaws.com" and
  event.action == "PutObject" and
  event.outcome == "success" and
  /* Apply regex to match patterns only after the bucket name */
  aws.cloudtrail.resources.arn regex "arn:aws:s3:::[^/]+/.*?(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue).*" and
  not aws.cloudtrail.resources.arn regex ".*(AWSLogs|CloudTrail|access-logs).*"
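To see what the rule above fires on, here is an added Python port of its conditions (example code, not part of the original page or of any vendor rule set) run over a handful of constructed CloudTrail-style records. The record shape, a flat dict keyed by the ECS field names the rule reads, is an assumption made for the example, as are the bucket, account and user names. EQL regex is anchored to the whole string and case-sensitive, so the port uses re.fullmatch; the case_insensitive flag shows what the regex~ form of the operator would catch instead.

```python
import re
from typing import Dict, List, Tuple

# Object-key pattern copied from the rule: the bucket name ([^/]+) is skipped
# so that only the key after the first "/" is inspected for note tokens.
NOTE_REGEX = (
    r"arn:aws:s3:::[^/]+/.*?(ransom|lock|crypt|enc|readme|how_to_decrypt|"
    r"decrypt_instructions|recovery|datarescue).*"
)
NOTE_PATTERN = re.compile(NOTE_REGEX)
NOTE_PATTERN_CI = re.compile(NOTE_REGEX, re.IGNORECASE)  # what EQL regex~ would do
# Exclusion for prefixes written by AWS log delivery rather than by a principal.
LOG_EXCLUSION = re.compile(r".*(AWSLogs|CloudTrail|access-logs).*")

Event = Dict[str, str]


def is_ransom_note_upload(event: Event, case_insensitive: bool = False) -> bool:
    """Return True when the event satisfies every condition of the EQL rule."""
    if event.get("event.dataset") != "aws.cloudtrail":
        return False
    if event.get("event.provider") != "s3.amazonaws.com":
        return False
    if event.get("event.action") != "PutObject":
        return False
    if event.get("event.outcome") != "success":
        return False
    arn = event.get("aws.cloudtrail.resources.arn", "")
    pattern = NOTE_PATTERN_CI if case_insensitive else NOTE_PATTERN
    # EQL regex must match the whole string, hence fullmatch rather than search.
    if not pattern.fullmatch(arn):
        return False
    if LOG_EXCLUSION.fullmatch(arn):
        return False
    return True


def make_event(user: str, arn: str, action: str = "PutObject",
               outcome: str = "success") -> Event:
    """Build a minimal CloudTrail-style record (constructed) with the fields the rule reads."""
    return {
        "event.dataset": "aws.cloudtrail",
        "event.provider": "s3.amazonaws.com",
        "event.action": action,
        "event.outcome": outcome,
        "user.name": user,
        "aws.cloudtrail.resources.arn": arn,
    }


# Constructed sample events; bucket names, account id and users are placeholders.
SAMPLE_EVENTS: List[Event] = [
    make_event("attacker", "arn:aws:s3:::corp-backups/how_to_decrypt_files.txt"),
    make_event("attacker", "arn:aws:s3:::corp-backups/RANSOM_NOTE.txt"),          # uppercase
    make_event("admin", "arn:aws:s3:::corp-backups/disaster-recovery-plan.pdf"),  # "recovery"
    make_event("admin", "arn:aws:s3:::corp-data/config/encodings.json"),          # "enc"
    make_event("cloudtrail-delivery",
               "arn:aws:s3:::corp-logs/AWSLogs/123456789012/CloudTrail/recovery.json.gz"),
    make_event("attacker", "arn:aws:s3:::corp-backups/ransom_note.txt", outcome="failure"),
    make_event("admin", "arn:aws:s3:::lockbox-prod/invoice.pdf"),                 # token in bucket only
    make_event("attacker", "arn:aws:s3:::corp-backups/how_to_decrypt_files.txt",
               action="GetObject"),
]


def triage(events: List[Event], case_insensitive: bool = False) -> List[Tuple[str, str]]:
    """Return (user, arn) for every event the rule would alert on."""
    return [
        (e["user.name"], e["aws.cloudtrail.resources.arn"])
        for e in events
        if is_ransom_note_upload(e, case_insensitive)
    ]


if __name__ == "__main__":
    for user, arn in triage(SAMPLE_EVENTS):
        print(f"ALERT user={user} object={arn}")
```

Run as written, the port alerts on the attacker's how_to_decrypt_files.txt and on both admin uploads, which is the false positive the LoFP entry describes: the recovery and enc tokens are ordinary words in object keys. The uppercase RANSOM_NOTE.txt is missed by the case-sensitive regex and only caught with case_insensitive=True, the log-delivery object under AWSLogs/ is suppressed by the exclusion, the failed PutObject and the GetObject do not alert, and a token that appears only in the bucket name (lockbox-prod) is ignored because the pattern skips everything before the first slash.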