It's a good news day for organizations that don't leave their AWS environment files publicly exposed because infosec experts say those that do could be caught up in an extensive and sophisticated extortion campaign.
Security shop Cyble released some research this week after finding 110,000 domains targeted by attackers exploiting misconfigured .env files, which typically contain secrets such as hard-coded cloud access keys, SaaS API keys and database login information, the researchers said.
In this specific cluster of activities, attackers are believed to have a deep understanding of cloud architectures – a dangerous thing when organizations fail to implement cloud security in various areas.
Those in the study who eventually found their S3-stored data replaced with a ransom note had exposed their environment variables, failed to update credentials regularly, and did not adopt a least-privilege architecture.
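An added example, not taken from the Cyble research or the original article: a local audit a defender can run over their own web root to find .env files sitting in a served directory and report which variables fall into the secret classes named above. The key-name patterns, function names and sample file are assumptions, and every value in the sample is a constructed placeholder.

```python
import re
import tempfile
from pathlib import Path

# Key-name heuristics for the secret classes the article lists (assumed patterns).
KEY_RULES = [
    ("cloud access key", re.compile(r"^AWS_(ACCESS_KEY_ID|SECRET_ACCESS_KEY|SESSION_TOKEN)$", re.I)),
    ("database login", re.compile(r"^(DB|DATABASE|MYSQL|POSTGRES|PG)_\w*(PASS|URL|USER)", re.I)),
    ("SaaS API key", re.compile(r"(API_?KEY|SECRET|TOKEN)$", re.I)),
]
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")  # AWS access key ID shape

# Constructed sample; every value is a placeholder, not a real credential.
SAMPLE_ENV = """# app settings
APP_DEBUG=true
AWS_SECRET_ACCESS_KEY=constructed-placeholder
BACKUP_ID=AKIAIOSFODNN7EXAMPLE
DB_PASSWORD="constructed-placeholder"
export STRIPE_API_KEY=constructed-placeholder
"""

def parse_env(text):
    """Yield (key, value) from dotenv-style text, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.strip().removeprefix("export ")
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield key.strip(), value.strip().strip("'\"")

def classify(key, value):
    if AWS_KEY_ID.search(value):  # catches keys stored under unrelated names
        return "cloud access key"
    return next((label for label, rx in KEY_RULES if rx.search(key)), None)

def audit_webroot(webroot):
    """List (file, variable, class) for .env* files under a served directory; values are never returned."""
    findings = []
    for path in sorted(p for p in Path(webroot).rglob(".env*") if p.is_file()):
        rel = path.relative_to(webroot).as_posix()
        for key, value in parse_env(path.read_text(errors="replace")):
            if value and (label := classify(key, value)):
                findings.append((rel, key, label))
    return findings

def demo():
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "public").mkdir()
        (Path(root) / "public" / ".env").write_text(SAMPLE_ENV)
        return audit_webroot(root)
```

Any finding means the file should move out of the served tree and the listed credentials should be rotated, since a .env file reachable over HTTP has to be treated as already read.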