
Tainan Branch, Administrative Enforcement Agency, Ministry of Justice


Ransomware Gangs Use LockBit's Fame to Intimidate Victims in Latest Attacks

  • Last updated:2025-02-05

Threat actors have been observed abusing the Amazon S3 (Simple Storage Service) Transfer Acceleration feature as part of ransomware attacks designed to exfiltrate victim data and upload it to S3 buckets under their control.

"Attempts were made to disguise the Golang ransomware as the notorious LockBit ransomware," Trend Micro researchers Jaromir Horejsi and Nitesh Surana said. "However, such is not the case, and the attacker only seems to be capitalizing on LockBit's notoriety to further tighten the noose on their victims."

The ransomware artifacts have been found to embed hard-coded Amazon Web Services (AWS) credentials to facilitate data exfiltration to the cloud, a sign that adversaries are increasingly weaponizing popular cloud service providers for malicious schemes.

The AWS account used in the campaign is presumed to be either the attackers' own or a compromised one. Following responsible disclosure to the AWS security team, the identified AWS access keys and accounts have been suspended.

Trend Micro said it detected more than 30 samples with the AWS Access Key IDs and the Secret Access Keys embedded, signaling active development. The ransomware is capable of targeting both Windows and macOS systems. Cybersecurity firm SentinelOne has given it the name NotLockBit.
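The embedded-credential trait described above can be checked statically when triaging a suspect binary. The following is an added example, not code from the article or from Trend Micro: the patterns follow the publicly documented AWS key formats and Transfer Acceleration hostname, the function names are hypothetical, and the sample bytes are constructed from AWS's documentation placeholder keys.

```python
import re

# Long-term IAM key IDs start with "AKIA", temporary STS ones with "ASIA",
# followed by 16 upper-case alphanumerics (20 characters in total).
KEY_ID_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 characters drawn from the base64 alphabet.
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
# Transfer Acceleration endpoints: <bucket>.s3-accelerate[.dualstack].amazonaws.com
S3TA_RE = re.compile(
    rb"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]\.s3-accelerate(?:\.dualstack)?\.amazonaws\.com"
)


def redact(value: bytes, keep: int = 4) -> str:
    """Keep only the prefix so triage reports never re-leak a credential."""
    text = value.decode("ascii")
    return text[:keep] + "*" * (len(text) - keep)


def triage(blob: bytes, window: int = 256) -> dict:
    """Flag embedded AWS key IDs, nearby secret-key candidates and S3TA hosts."""
    key_ids, secret_offsets = [], set()
    for m in KEY_ID_RE.finditer(blob):
        key_ids.append(redact(m.group(0)))
        # A 40-char base64-like string close to a key ID is a likely secret key;
        # searching only near key IDs keeps false positives down.
        lo = max(0, m.start() - window)
        for s in SECRET_RE.finditer(blob, lo, m.end() + window):
            secret_offsets.add(s.start())
    hosts = sorted({m.group(0).decode("ascii") for m in S3TA_RE.finditer(blob)})
    return {
        "key_ids": key_ids,
        "secret_candidates": len(secret_offsets),
        "s3ta_hosts": hosts,
        # Key material plus an acceleration endpoint in one binary is the
        # combination the article describes; either alone is weaker evidence.
        "suspicious": bool(key_ids and hosts),
    }


# Constructed sample: AWS documentation placeholder keys and a made-up bucket.
SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"AKIAIOSFODNN7EXAMPLE\x00wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"constructed-bucket.s3-accelerate.amazonaws.com\x00"
)

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Key IDs found this way should be reported to the cloud provider rather than tested, which is how the keys in this campaign came to be suspended.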

It's not known exactly how the cross-platform ransomware is delivered to a target host, but once it's executed, it obtains the machine's universally unique identifier (UUID) and carries out a series of steps to generate the master key required for encrypting the files.
