VYPR research · Published Nov 18, 2025 · Updated May 20, 2026 · 1 source

S3 Ransomware: Trend Micro Details Five Variants Targeting AWS Cloud Storage

Trend Micro researchers have documented five S3 ransomware variants that exploit misconfigured AWS buckets and stolen IAM credentials to encrypt, delete, or exfiltrate cloud-stored data.

Ransomware has officially moved to the cloud, and Amazon S3 buckets are in the crosshairs. In a detailed report published November 18, 2025, Trend Micro researchers outline five distinct S3 ransomware variants that leverage compromised IAM credentials, misconfigured bucket policies, and direct API calls to encrypt or destroy data stored in Amazon Simple Storage Service (S3). Unlike traditional ransomware that relies on file-encrypting malware, these cloud-native attacks abuse legitimate AWS APIs to overwrite objects, delete backups, and hold data hostage without deploying a single binary on the victim's endpoint.

The report identifies five variants: S3 Ransomware Type 1 (direct encryption of S3 objects using server-side encryption with customer-provided keys), Type 2 (object overwriting with ransom notes), Type 3 (bucket policy manipulation to deny access), Type 4 (lifecycle rule abuse to expire objects), and Type 5 (exfiltration followed by deletion). Each variant exploits a different combination of S3 API permissions, such as `s3:PutObject`, `s3:PutBucketPolicy`, or `s3:PutBucketLifecycleConfiguration`. The common thread is that attackers first gain access through leaked or stolen IAM access keys, often obtained via phishing, credential stuffing, or exposed secrets in code repositories.

Trend Micro emphasizes that S3 is an especially attractive target because it serves as the backbone for application data, backups, logs, and infrastructure configuration files like Terraform state. A successful attack can cripple business operations, destroy forensic evidence, and eliminate recovery options if backups are also stored in S3. The researchers note that many organizations fail to enable versioning, MFA delete, or object lock — features that can prevent or mitigate these attacks. Without these safeguards, an attacker with write access can permanently delete or overwrite data within minutes.

The report also outlines broader cloud ransomware targets beyond S3, including EBS snapshots, RDS databases, ECR container images, and AWS Backup vaults. In each case, the attacker aims to delete or encrypt the recovery mechanism, forcing victims to pay ransoms to restore access. Trend Micro warns that attackers are increasingly targeting cloud-native assets because they are often less monitored than on-premises systems and can be compromised without triggering traditional endpoint detection tools.

To defend against these threats, Trend Micro recommends a combination of IAM least-privilege policies, S3 bucket versioning, MFA delete, CloudTrail logging, and continuous monitoring via Trend Vision One. The platform provides detections for suspicious CloudTrail events such as `PutBucketPolicy` followed by `ListObjects` and `GetObject` — a pattern indicative of ransomware activity. The researchers also advise organizations to regularly audit S3 bucket configurations, rotate access keys frequently, and implement data lifecycle policies that prevent automatic deletion.
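The detection pattern named above (`PutBucketPolicy` followed by `ListObjects` and `GetObject`), the lifecycle-rule abuse of Type 4, and the delete-after-exfiltration behaviour of Type 5 all leave a trail in CloudTrail. The script below is an added illustration of how a defender might triage such a trail; it is not Trend Micro's or Trend Vision One's detection logic. The event field names follow the CloudTrail record schema, but every event, principal ARN, bucket name and threshold in it is constructed for the demo.

```python
"""Triage CloudTrail-style S3 events for the ransomware patterns described above.

Added example, not the vendor's detection logic. Field names follow the CloudTrail
record schema (eventTime, eventName, userIdentity.arn, requestParameters.bucketName
and .key); the events themselves are constructed, and the thresholds are assumptions.
"""
from datetime import datetime, timezone

PATTERN_WINDOW_SECONDS = 300   # assumption: reads this soon after a policy change are linked to it
SHORT_EXPIRATION_DAYS = 7      # assumption: lifecycle expirations at or below this are suspicious
MASS_DELETE_THRESHOLD = 3      # assumption: this many DeleteObject calls inside the window

# Constructed principals: a leaked CI key driven by the attacker, and a legitimate admin role.
ATTACKER = "arn:aws:iam::111122223333:user/ci-deploy"
ADMIN = "arn:aws:iam::111122223333:role/platform-admin"


def _event(time, name, who, bucket, **params):
    """Build a minimal CloudTrail-like S3 event (constructed, not a real log record)."""
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": who},
            "requestParameters": {"bucketName": bucket, **params}}


# Constructed sample trail: routine admin activity in the morning, then the stolen-key
# sequence against the backup bucket (policy change, read, 1-day expiration, mass delete).
SAMPLE_EVENTS = [
    _event("2025-11-18T09:00:00Z", "PutBucketPolicy", ADMIN, "app-assets"),
    _event("2025-11-18T09:30:00Z", "GetObject", ADMIN, "app-assets", key="index.html"),
    _event("2025-11-18T09:31:00Z", "PutBucketLifecycleConfiguration", ADMIN, "app-assets",
           LifecycleConfiguration={"Rule": {"Status": "Enabled", "Filter": {},
                                            "NoncurrentVersionExpiration": {"NoncurrentDays": 90}}}),
    _event("2025-11-18T09:32:00Z", "DeleteObject", ADMIN, "app-assets", key="old.css"),
    _event("2025-11-18T10:00:00Z", "PutBucketPolicy", ATTACKER, "corp-backups"),
    _event("2025-11-18T10:00:20Z", "ListObjects", ATTACKER, "corp-backups"),
    _event("2025-11-18T10:00:25Z", "GetObject", ATTACKER, "corp-backups", key="db/nightly.sql.gz"),
    _event("2025-11-18T10:01:00Z", "PutBucketLifecycleConfiguration", ATTACKER, "corp-backups",
           LifecycleConfiguration={"Rule": [{"Status": "Enabled", "Filter": {},
                                             "Expiration": {"Days": 1}}]}),
    _event("2025-11-18T10:02:00Z", "DeleteObject", ATTACKER, "corp-backups", key="db/a"),
    _event("2025-11-18T10:02:01Z", "DeleteObject", ATTACKER, "corp-backups", key="db/b"),
    _event("2025-11-18T10:02:02Z", "DeleteObject", ATTACKER, "corp-backups", key="db/c"),
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _principal(event):
    return event.get("userIdentity", {}).get("arn", "unknown")


def _bucket(event):
    return event.get("requestParameters", {}).get("bucketName", "")


def _rules(lifecycle):
    # Assumption: the logged body mirrors the XML, so Rule may be one object or a list.
    rules = lifecycle.get("Rule", [])
    return rules if isinstance(rules, list) else [rules]


def find_s3_ransomware_patterns(events):
    """Return (rule_id, principal_arn, bucket) findings, in event-time order."""
    events = sorted(events, key=_ts)
    findings = []
    delete_times = {}        # (principal, bucket) -> timestamps of DeleteObject calls
    reported_deletes = set()
    for i, ev in enumerate(events):
        name, who, bucket = ev["eventName"], _principal(ev), _bucket(ev)
        if name == "PutBucketPolicy":
            # Type 3 signature from the report: a policy change, then the same identity reading the bucket.
            for later in events[i + 1:]:
                if (_ts(later) - _ts(ev)).total_seconds() > PATTERN_WINDOW_SECONDS:
                    break
                if (later["eventName"] in ("ListObjects", "GetObject")
                        and _principal(later) == who and _bucket(later) == bucket):
                    findings.append(("policy_change_then_read", who, bucket))
                    break
        elif name == "PutBucketLifecycleConfiguration":
            # Type 4: a rule that expires current or noncurrent versions almost immediately.
            cfg = ev.get("requestParameters", {}).get("LifecycleConfiguration", {})
            for rule in _rules(cfg):
                if rule.get("Status") != "Enabled":
                    continue
                days = [rule.get("Expiration", {}).get("Days"),
                        rule.get("NoncurrentVersionExpiration", {}).get("NoncurrentDays")]
                days = [d for d in days if d is not None]
                if days and min(days) <= SHORT_EXPIRATION_DAYS:
                    findings.append(("short_lifecycle_expiration", who, bucket))
                    break
        elif name == "DeleteObject":
            # Type 5: a burst of deletes by one identity against one bucket.
            key = (who, bucket)
            stamps = delete_times.setdefault(key, [])
            stamps.append(_ts(ev))
            recent = [t for t in stamps if (stamps[-1] - t).total_seconds() <= PATTERN_WINDOW_SECONDS]
            if len(recent) >= MASS_DELETE_THRESHOLD and key not in reported_deletes:
                reported_deletes.add(key)
                findings.append(("mass_delete", who, bucket))
    return findings


if __name__ == "__main__":
    for rule_id, who, bucket in find_s3_ransomware_patterns(SAMPLE_EVENTS):
        print(f"{rule_id}: {who} on s3://{bucket}")
```

Run against the constructed trail, the admin's policy update, 90-day lifecycle rule and single delete produce nothing, while the stolen key trips all three rules on `corp-backups`. In practice the events would come from CloudTrail (with S3 data events enabled, since `GetObject`, `ListObjects` and `DeleteObject` are not logged by default) and the window and thresholds would be tuned to the account's own baseline of policy changes and deletes.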

The emergence of S3-specific ransomware variants marks a significant evolution in the ransomware landscape. As more organizations migrate critical data to the cloud, attackers are adapting their tactics to exploit cloud-native features rather than traditional malware. Trend Micro's analysis serves as both a warning and a practical guide for defenders, highlighting the need for cloud-specific security controls that go beyond conventional endpoint protection.

Synthesized by Vypr AI