administrators may legitimately access, delete, and replace objects in s3 buckets. ensure that the uploaded files are not part of a legitimate operation before taking action.

t1485
t1486
aws
elastic

Techniques

T1485
T1486

Sample rules

Potential AWS S3 Bucket Ransomware Note Uploaded

source: elastic
technicques:
- T1485
- T1486

Description

Identifies potential ransomware note being uploaded to an AWS S3 bucket. This rule detects the PutObject S3 API call with a common ransomware note file name or extension such as ransom or .lock. Adversaries with access to a misconfigured S3 bucket may retrieve, delete, and replace objects with ransom notes to extort victims.

Detection logic

file where
  event.dataset == "aws.cloudtrail" and
  event.provider == "s3.amazonaws.com" and
  event.action == "PutObject" and
  event.outcome == "success" and
  /* Apply regex to match patterns only after the bucket name */
  aws.cloudtrail.resources.arn regex "arn:aws:s3:::[^/]+/.*?(ransom|lock|crypt|enc|readme|how_to_decrypt|decrypt_instructions|recovery|datarescue).*" and
  not aws.cloudtrail.resources.arn regex ".*(AWSLogs|CloudTrail|access-logs).*"