AWS recommends using accounts for segmentation, and has APIs to manage accounts (https://docs.aws.amazon.com/wellarchitected/latest/security-..., https://docs.aws.amazon.com/cli/latest/reference/organizatio...).
There is a 90 day recovery period, but I can think of edge cases where this isn't enough. There is some data that companies need exactly once a year for financial reporting/audits etc. but losing it is seriously expensive. Imagine the person managing that data being disgruntled and closing the account holding the data (and just that data, so the deletion isn't noticed) 6 months before the next audit.
Can you close an account with locked data in it? If yes, is the data actually deleted, or could the org recover it?
Another interesting scenario that could test how reliable the lock is would be a griefer (i.e. an actor that wants to cause damage without profiting from it) who gets access to an organization's account, uploads a large amount of data, and locks it. Will Amazon simply keep the data and waive the cost, or will support unlock the data, or will the organization be forced to pay up? The latter two both have interesting implications (compromised support agents and social engineering in the first case, extortion in the second case - think "we have taken over your AWS account and created several paths of access, send XX bitcoin or we'll lock this exabyte of data and you'll pay $XXXXXXXX in AWS fees, if you start taking away our access or deleting the data we'll see before you finish and use one of the remaining accounts to lock the data").
The difficulty with ransomware is that—without object lock—you would need to check that all data is still valid. That is usually going to be very difficult to do and any heuristic checks are liable to miss some cases.
On the other hand, checking that an account is still extant is easy and, since that's an operation that should not be undertaken without a whole oversight process, you can significantly limit who has the permission to do so.
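The "check that the account is still extant" control described above, as an added example that is not from this thread: it compares a constructed Organizations ListAccounts response against an expected inventory, and scans constructed CloudTrail records for CloseAccount calls by principals outside an allow-list. The inventory, the allowed closer ARN, the account IDs and the sample records are all assumptions.

```python
# Constructed sample of what `aws organizations list-accounts` returns (trimmed fields).
LIST_ACCOUNTS = {"Accounts": [
    {"Id": "111111111111", "Name": "prod-data", "Status": "ACTIVE"},
    {"Id": "222222222222", "Name": "audit-archive", "Status": "PENDING_CLOSURE"},
]}
# Assumed inventory of accounts that must always exist, kept outside AWS (e.g. in git).
EXPECTED_ACCOUNTS = {
    "111111111111": "prod-data",
    "222222222222": "audit-archive",
    "333333333333": "finance-reports",
}
# Assumed: only this break-glass role may close accounts, after an oversight process.
ALLOWED_CLOSERS = {"arn:aws:sts::999999999999:assumed-role/OrgBreakGlass/session"}

# Constructed CloudTrail records from the management account trail, trimmed to relevant fields.
CLOUDTRAIL_RECORDS = [
    {"eventSource": "organizations.amazonaws.com", "eventName": "CloseAccount",
     "userIdentity": {"arn": "arn:aws:iam::999999999999:user/alice"},
     "requestParameters": {"accountId": "222222222222"}},
    {"eventSource": "organizations.amazonaws.com", "eventName": "ListAccounts",
     "userIdentity": {"arn": "arn:aws:iam::999999999999:user/alice"},
     "requestParameters": None},
]

def check_inventory(list_accounts, expected):
    """Return alerts for expected accounts that are missing or whose Status is not ACTIVE."""
    seen = {a["Id"]: a for a in list_accounts["Accounts"]}
    alerts = []
    for acct_id, name in expected.items():
        acct = seen.get(acct_id)
        if acct is None:
            alerts.append(f"MISSING {acct_id} ({name})")
        elif acct["Status"] != "ACTIVE":
            alerts.append(f"{acct['Status']} {acct_id} ({name})")
    return alerts

def check_close_events(records, allowed_closers):
    """Return alerts for CloseAccount calls made by principals outside the allow-list."""
    alerts = []
    for r in records:
        if r.get("eventSource") != "organizations.amazonaws.com" or r.get("eventName") != "CloseAccount":
            continue
        actor = r.get("userIdentity", {}).get("arn", "<unknown>")
        target = (r.get("requestParameters") or {}).get("accountId", "<unknown>")
        if actor not in allowed_closers:
            alerts.append(f"UNAUTHORIZED CloseAccount on {target} by {actor}")
    return alerts
```

Running both checks on a schedule (and the second one on every CloudTrail delivery) turns a closure into an alert well inside the recovery period.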
If they do, then it probably would require a human to run a tool. It would have to be a big bill to warrant that.
https://www.theregister.com/2022/06/25/ransomware_gangs_exto...
"Increasingly, however, cybercrime rings still tracked as ransomware operators are turning toward primarily data theft and extortion – and skipping the encryption step altogether. Rather than scramble files and demand payment for the decryption keys, and all the faff in between in facilitating that, simply exfiltrating the data and demanding a fee to not leak it all is just as effective. This shift has been ongoing for many months, and is now virtually unavoidable."
https://www.theregister.com/2022/06/03/fbi_cisa_warn_karakur...
Obviously it’s still really bad if sensitive information is exposed. But also consider that some of the information essential for business continuity would be less sensitive in a public exposure scenario.
So in some cases it is just as effective, but in many cases it is not. As I understand it, most ransomware providers still attempt both encryption and exfiltration. Exfiltration is now standard not because it is easier but because more companies are able to restore operations from backup.
I don't think this is true. Isn't it more like you can't, and AWS can but promises that they won't?
So long as the data wasn't corrupted before it hit one of the designated S3 buckets, the risks of the retention periods seemed minor for that startup at the time: basically, having data there that we wanted to delete, but couldn't.
(For an example risk of not being able to delete, the most likely scenario might be accidentally copying gazillabytes of objects to the magic bucket that can't be emptied for X months, so having to pay for that storage. For a different scenario, the nature of our business, together with our security assurances and practices, meant that we never handled data that would be improper to store there, such that we urgently needed to delete it. In a highly unlikely scenario of an attack putting very evil data there, we'd have to report the incident to government authorities in any case, and we could effectively cut off our own access to it, while AWS preserves gov't access to it.)
Of course this would be more complicated if the files were user-encrypted in the first place, but good tools to detect these things asap would have a good market above & beyond antivirus that is more focused on detection of the virus and not a complete package of file recovery as well.