This Ransomware Campaign is Being Orchestrated from the Cloud

Malware hosted on Pastebin, delivered by CloudFront

By Claudia Glover

Amazon’s CloudFront is being used to host Command & Control (C&C) infrastructure for a ransomware campaign that has successfully hit at least two multinational companies in the food and services sectors, according to a report by security firm Symantec.

“Both [victims were] large, multi-site organizations that were likely capable of paying a large ransom,” Symantec said, adding that the attackers were using the Cobalt Strike commodity malware to deliver Sodinokibi ransomware payloads.

The CloudFront content delivery network (CDN) is described by Amazon as a way to give businesses and web application developers an “easy and cost effective way to distribute content with low latency and high data transfer speeds.”

Users can register S3 buckets for static content and EC2 instances for dynamic content, then use an API call to return a domain name that can be used to distribute content from origin servers via the Amazon CloudFront service. (In this case, the malicious domain was

Like any large-scale, easily accessible online service, it is no stranger to being abused by bad actors: similar campaigns have been spotted in the past.

Malware was being delivered using legitimate remote admin client tools, Symantec said, including one from NetSupport Ltd, and another using a copy of the AnyDesk remote access tool to deliver the payload. The attackers were also using the Cobalt Strike commodity malware to deliver the Sodinokibi ransomware to victims.

The attackers also, unusually, scanned for exposed Point of Sale (PoS) systems as part of the campaign, Symantec noted. The ransom they demanded was significant.

“The attackers requested that the ransom be paid in the Monero cryptocurrency, which is favored for its privacy as, unlike Bitcoin, you cannot necessarily track transactions. For this reason we do not know if any of the victims paid the ransom, which was $50,000 if paid in the first three hours, rising to $100,000 after that time.”

Indicators of Compromise (IoCs)/bad domains etc. can be found here.

With ransomware predicted by Cybersecurity Ventures to hit a business every 11 seconds this year, businesses should ensure that they have robust backups.

As Jasmit Sagoo from security firm Veritas puts it: “Companies… have to take their data back-up and protection more seriously as a source of recovery.

“The ‘3-2-1 rule’ is the best approach to take.

“This entails each organisation having three copies of its data, two of which are on different storage media and one is air-gapped in an offsite location. With an offsite data backup solution, businesses have the option of simply restoring their data if they are ever locked out of it by criminals exploiting weaknesses in systems. Realistically, in today’s world, there’s no excuse for not being prepared.”

See also: Amid a Ransomware Pandemic, Has Law Enforcement Been Left for Dust?
