Beginner Lab
aws
Investigate a Ransomware Attack in AWS using Splunk
Get hands-on with analyzing a ransomware incident - detecting and following the trail of malicious activity in AWS CloudTrail logs using Splunk.
Overview
Ransomware attacks in cloud environments can be made more severe by misconfigured AWS IAM and KMS services. In this hands-on lab, you will analyze a ransomware incident - detecting and following the trail of malicious activity in AWS CloudTrail logs using Splunk.
Scenario
In an ongoing investigation, Huge Logistics' AWS account was recently compromised in a ransomware attack. The security manager has tasked you with analyzing AWS CloudTrail logs ingested into Splunk, in order to determine the source of the compromise and understand the chain of events as the attack was carried out.
Lab prerequisites
- Familiarity with AWS services
- Basic understanding of AWS CLI and AWS Management Console
Learning outcomes
- Understand how AWS KMS can be abused in ransomware scenarios
- Understand Splunk, including its ingestion and search capabilities
- Investigate unauthorized KMS usage and assess its impact on resources
- Learn mitigations to prevent similar incidents
Real-world context
According to Unit 42's 2023 Ransomware and Extortion report, threat actors engaged in data theft in approximately 70% of ransomware cases by late 2022, up from 40% in mid-2021. The report also highlights the growing sophistication of ransomware attacks in cloud environments. Misconfigured AWS IAM and KMS policies amplify these risks, enabling attackers to escalate privileges through overly permissive policies and encrypt resources - holding data for ransom while threatening to leak it. These attacks also cause significant operational disruptions. This lab simulates real-world scenarios to enhance your ability to detect and mitigate such threats.
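As an added illustration of the investigative logic this lab practises (not code from Pwned Labs or the lab itself), the script below triages constructed CloudTrail records the way a Splunk search over `eventSource=kms.amazonaws.com` would: it flags high-risk KMS control-plane actions taken by principals outside an assumed allow-list, then maps the keys involved to the S3 buckets whose objects were encrypted with them. The account id, principal ARNs, key ids, bucket name and IP addresses are all constructed sample values.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records (illustrative; not the lab's dataset). Field names follow CloudTrail's JSON schema.
SAMPLE_EVENTS = [
    {"eventTime": "2024-03-01T02:11:05Z", "eventSource": "kms.amazonaws.com", "eventName": "CreateKey",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}, "sourceIPAddress": "203.0.113.7",
     "responseElements": {"keyMetadata": {"keyId": "aaaa-1111"}}},
    {"eventTime": "2024-03-01T02:12:40Z", "eventSource": "kms.amazonaws.com", "eventName": "PutKeyPolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"keyId": "aaaa-1111"}},
    {"eventTime": "2024-03-01T02:15:02Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "hl-finance-reports",
                           "x-amz-server-side-encryption-aws-kms-key-id": "aaaa-1111"}},
    {"eventTime": "2024-03-01T02:20:19Z", "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"keyId": "aaaa-1111", "pendingWindowInDays": 7}},
    {"eventTime": "2024-03-01T09:00:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/DataPlatformRole"}, "sourceIPAddress": "10.0.1.4",
     "requestParameters": {"keyId": "bbbb-2222"}},
]

# KMS control-plane actions that matter in a ransomware chain: creating a key, changing who may use it, destroying it.
HIGH_RISK_KMS_ACTIONS = {"CreateKey", "PutKeyPolicy", "ScheduleKeyDeletion", "DisableKey"}
# Assumed allow-list of principals expected to manage keys; everything else is reviewed.
TRUSTED_PRINCIPALS = {"arn:aws:iam::123456789012:role/DataPlatformRole"}

def key_id_of(event):
    """Return the KMS key id from whichever field CloudTrail populated for this event type."""
    req = event.get("requestParameters") or {}
    resp = event.get("responseElements") or {}
    return (req.get("keyId") or resp.get("keyMetadata", {}).get("keyId")
            or req.get("x-amz-server-side-encryption-aws-kms-key-id"))

def triage_kms_activity(events, trusted=TRUSTED_PRINCIPALS):
    """Flag high-risk KMS actions by untrusted principals, then list S3 buckets written with those keys."""
    flagged, suspect_keys = [], set()
    for ev in sorted(events, key=lambda e: e["eventTime"]):  # chronological order reconstructs the attack chain
        actor = ev["userIdentity"]["arn"]
        if ev["eventSource"] == "kms.amazonaws.com" and ev["eventName"] in HIGH_RISK_KMS_ACTIONS and actor not in trusted:
            flagged.append((ev["eventTime"], ev["eventName"], actor, ev["sourceIPAddress"], key_id_of(ev)))
            suspect_keys.add(key_id_of(ev))
    impacted = defaultdict(set)  # suspect key id -> buckets where objects were encrypted with it
    for ev in events:
        if ev["eventSource"] == "s3.amazonaws.com" and key_id_of(ev) in suspect_keys:
            impacted[key_id_of(ev)].add(ev["requestParameters"]["bucketName"])
    return {"flagged": flagged, "impacted": {k: sorted(v) for k, v in impacted.items()}}

if __name__ == "__main__":
    print(json.dumps(triage_kms_activity(SAMPLE_EVENTS), indent=2))
```

The flagged tuples give the timeline, actor, source IP and key id an analyst would pivot on next in Splunk, and the impacted map answers "which resources are now encrypted under a key the attacker controls".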
Cloud Security Training To Protect Your Business
Pwned Labs for Business gives your team access to dedicated business content, including labs and cyber ranges.
We also offer in-person or remote workshops, and our cloud penetration services are helping businesses become more secure!