Hundreds of Elasticsearch Databases Hit by Ransomware Attacks

According to Secureworks, hackers are attacking poorly protected Elasticsearch databases and have already replaced at least 450 indexes with ransom notes.

Let me remind you that recently we also wrote that Experts Found More Than 3.6 million Unprotected MySQL Servers.

"CTU researchers identified over 1,200 Elasticsearch databases that contained the ransom note. It is not possible to determine the actual number of victims because the vast majority of the databases were hosted on networks operated by cloud computing providers. It is likely that some databases belong to the same organization, but identifying specific victims was not possible in most cases," the researchers write.

The attackers demand $620 from each victim for data recovery, which means the group is asking for $279,000 in total.

The researchers write that the hackers are setting a seven-day deadline for paying the ransom, and then threatening to double the amount. If the victim does not pay even after that, the data will supposedly be lost forever. Those who pay the ransom are promised to be provided with a link to download a dump of their database, which supposedly will help to quickly restore the data structure and return everything to its original form.

Elasticsearch databases

Apparently, to compromise their targets, the attackers use an automated script that scans for unprotected databases, wipes their contents, and leaves a ransom note on the server in their place. Researchers believe that nothing in this campaign is done manually.

Experts remind that paying extortionists is not the best idea, if only because the practical and financial burden of storing such a large number of databases makes it almost impossible for the hackers to actually keep a copy of the data. More often, attackers simply delete the contents of an unprotected database, leave a ransom note, and hope that the victim will believe their threats.

The hackers behind the campaign have reportedly received only one payment to one of their bitcoin wallets so far.

"While this campaign appears to be unsuccessful, it poses a risk to organizations hosting data in online databases. Unprotected Elasticsearch instances are trivially easy to identify using the Shodan search engine. Instructions are available for identifying unsecured Elasticsearch databases," Secureworks experts said.
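The two defender-side checks that follow from the campaign described above (an unauthenticated cluster reachable from the network, and a wiped index replaced by a ransom note) can be scripted. The example below is added here and is not code from the article or from Secureworks; it assumes a flat elasticsearch.yml, a `_cat/indices?format=json` listing, and a keyword heuristic for ransom-note index names that is our own choice. The config text and index listing are constructed for illustration.

```python
"""Added example (not from the Secureworks report or the article): a
defender-side audit that (1) checks an elasticsearch.yml for the settings
that leave a cluster reachable without authentication and (2) flags indices
in a _cat/indices listing that look like a ransom note left in place of
wiped data. All names, listings and config text below are constructed."""
import json
import re

# Real Elasticsearch settings; the expected values are our hardening baseline.
REQUIRED = {
    "xpack.security.enabled": "true",
    "xpack.security.http.ssl.enabled": "true",
}
# Heuristic (our assumption, not an IoC from the report): ransom-note indices
# tend to carry names like these and hold only a document or two.
RANSOM_NAME = re.compile(r"(read|recover|restore|ransom|warning|note)", re.I)
NON_LOOPBACK = ("0.0.0.0", "_global_", "_site_")


def parse_simple_yaml(text):
    """Parse flat 'key: value' lines; enough for a typical elasticsearch.yml."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit_config(yaml_text):
    """Return a list of findings; an empty list means no exposure was found."""
    s = parse_simple_yaml(yaml_text)
    findings = []
    for key, want in REQUIRED.items():
        got = s.get(key, "<unset>")
        if got.lower() != want:
            findings.append(f"{key} is {got}, expected {want}")
    host = s.get("network.host", "_local_")
    if host in NON_LOOPBACK and s.get("xpack.security.enabled", "").lower() != "true":
        findings.append(f"network.host={host} exposes the HTTP API without authentication")
    return findings


def suspicious_indices(cat_indices_json):
    """Flag indices from GET _cat/indices?format=json whose name matches the
    ransom-note heuristic and that hold at most a handful of documents."""
    hits = []
    for row in json.loads(cat_indices_json):
        name = row.get("index", "")
        docs = int(row.get("docs.count") or 0)
        if RANSOM_NAME.search(name) and docs <= 5:
            hits.append(name)
    return sorted(hits)


# Constructed samples: the weak configuration beside the corrected one.
WEAK_CONFIG = """
cluster.name: demo
network.host: 0.0.0.0
xpack.security.enabled: false
"""
HARDENED_CONFIG = """
cluster.name: demo
network.host: 0.0.0.0
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""
SAMPLE_CAT_INDICES = json.dumps([
    {"index": "orders-2022.05", "docs.count": "184233"},
    {"index": "read_me_to_recover", "docs.count": "1"},   # constructed ransom-note index
    {"index": ".kibana_1", "docs.count": "42"},
])

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or ["ok"])
    print("suspicious indices:", suspicious_indices(SAMPLE_CAT_INDICES))
```

Run against a real cluster, the index listing would come from `GET _cat/indices?format=json`; the name heuristic will produce false positives on legitimately named indices, so treat a hit as something to review alongside the index's creation time and document count rather than as a verdict.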


About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. After graduating from school, I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting my master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.