
Ransom Attacks on Databases Rise


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

There has been a rise in ransom attacks targeting databases; the latest targets are MySQL servers whose 'root' account has a weak password.

Threat details

The previously reported MongoDB ransom attacks exploited installations left in their default state, with no authentication configured. This gave attackers an easily scripted entry point to the databases held within; after removing the data they left a ransom note. In some cases the data was exfiltrated first, but in others it was simply deleted.

The attacks have since spread to other database products: Elasticsearch (the open source version), CouchDB and Hadoop. Collectively, over 36,000 servers have been targeted. The latest development is that later attackers overwrite earlier ransom notes, leaving the victim with no record of the original attacker who removed the data. This reduces the chance of recovering the data even if the ransom is paid.

The MySQL attacks differ slightly in method: rather than relying on credentials left open, the attackers brute force the 'root' account, looking for weak passwords to gain access.

The following SQL statements, which write the ransom note into a table on the victim's server, have been seen across the attacks (the Bitcoin addresses and onion site are quoted as observed; the contact email address is redacted in this copy):

  • INSERT INTO PLEASE_READ.`WARNING`(id, warning, Bitcoin_Address, Email) VALUES('1', 'Send 0.2 BTC to this address and contact this email with your ip or db_name of your server to recover your database! Your DB is Backed up to our servers!', '1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY', '[email protected]')
  • INSERT INTO `WARNING`(id, warning) VALUES(1, 'SEND 0.2 BTC TO THIS ADDRESS 1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9 AND GO TO THIS SITE ://sognd75g4isasu2v[.]onion/ TO RECOVER YOUR DATABASE! SQL DUMP WILL BE AVAILABLE AFTER PAYMENT!')
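The two observable sides of this activity are a burst of failed 'root' logins from one source (the brute force) and, if it succeeds, the ransom-note INSERT above. The following Python is an added example written for this page, not code from NHS Digital or from any MySQL tooling. It scans error-log text for repeated "Access denied" lines per source host using a sliding time window, and scans general-log, dump or SHOW DATABASES output for the indicators quoted in the advisory (the PLEASE_READ/WARNING table, the 0.2 BTC demand, the two Bitcoin addresses and the onion site). The sample log lines are constructed, in the style of a MySQL 5.7 error log with log_error_verbosity=3; the exact line prefix varies between MySQL versions, and the threshold and window size are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not a real log) in the style of the MySQL 5.7 error log
# with log_error_verbosity=3, where every failed login is recorded as
# "Access denied for user ...". The prefix (timestamp, thread id, level)
# differs between versions; the parser relies only on the timestamp and the
# "Access denied" text. 203.0.113.5 is a scripted guessing run against root.
SAMPLE_ERROR_LOG = """\
2020-02-17T10:00:01.000000Z 12 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-02-17T10:00:01.200000Z 13 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-02-17T10:00:01.400000Z 14 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-02-17T10:00:01.600000Z 15 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-02-17T10:00:01.800000Z 16 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-02-17T10:00:02.000000Z 17 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2020-02-17T10:15:30.000000Z 18 [Note] Access denied for user 'app'@'10.0.0.7' (using password: YES)
2020-02-17T11:40:00.000000Z 19 [Note] Access denied for user 'root'@'198.51.100.9' (using password: YES)
"""

# Constructed sample in the style of the MySQL general query log. The INSERT is
# the ransom-note statement quoted in the advisory; the other lines are benign.
SAMPLE_GENERAL_LOG = """\
2020-02-17T10:00:05.000000Z    20 Connect  root@203.0.113.5 on  using TCP/IP
2020-02-17T10:00:05.100000Z    20 Query    SHOW DATABASES
2020-02-17T10:00:05.200000Z    20 Query    INSERT INTO PLEASE_READ.`WARNING`(id, warning, Bitcoin_Address, Email) VALUES('1','Send 0.2 BTC to this address and contact this email with your ip or db_name of your server to recover your database! Your DB is Backed up to our servers!', '1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY', '[email protected]')
"""

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)Z?.*?"
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_failed_logins(log_text):
    """Yield (timestamp, user, host) for each failed login in error-log text."""
    for line in log_text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%f")
            yield ts, m.group("user"), m.group("host")


def detect_bruteforce(log_text, user="root", threshold=5, window_s=60):
    """Return {source_host: peak failure count} for every host whose failed
    logins as `user` reach `threshold` within some `window_s`-second window.
    The defaults are assumptions: one mistyped password should not trip
    them, a scripted guessing run should."""
    by_host = defaultdict(list)
    for ts, u, host in parse_failed_logins(log_text):
        if u == user:
            by_host[host].append(ts)
    flagged = {}
    for host, times in by_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


# Indicators taken from the two ransom-note statements quoted in the advisory.
RANSOM_NOTE_IOCS = {
    "ransom_note_table": re.compile(r"PLEASE_READ\s*\.\s*`?WARNING`?|INSERT INTO\s+`?WARNING`?", re.I),
    "btc_demand": re.compile(r"\b0\.2 BTC\b", re.I),
    "btc_address": re.compile(r"\b(?:1ET9NHZEXXQ34qSP46vKg8mrWgT89cfZoY|1Kg9nGFdAoZWmrn1qPMZstam3CXLgcxPA9)\b"),
    "onion_site": re.compile(r"sognd75g4isasu2v\[?\.\]?onion", re.I),
}


def find_ransom_note_iocs(text):
    """Return the sorted indicator names found anywhere in `text`, which may be
    a general-log extract, a mysqldump, or SHOW DATABASES output."""
    return sorted(name for name, rx in RANSOM_NOTE_IOCS.items() if rx.search(text))


if __name__ == "__main__":
    print("brute force sources:", detect_bruteforce(SAMPLE_ERROR_LOG))
    print("ransom note indicators:", find_ransom_note_iocs(SAMPLE_GENERAL_LOG))
```

Feed real logs in with `detect_bruteforce(open(path).read())`; a hit from the first function with no hit from the second means the guessing run has not (yet) succeeded, while a hit from the second means the data has already been removed and the backups are what matter.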

Remediation steps

  • Ensure MySQL servers are hardened with strong, unique root passwords, especially where they are reachable from the internet; the brute force only succeeds against weak or common passwords.
  • Where possible, do not allow access to the server from untrusted networks: bind MySQL to a local or private interface, firewall the listening port (3306 by default), and do not grant 'root' access from any host ('%').
  • Ensure regular backups are taken and securely stored offsite, and that the backup frequency allows the service to be recovered with an acceptable amount of data loss. Test restores regularly, and do not rely on the attacker's claim to hold a copy of the data: in earlier attacks the data was often simply deleted.
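The first two steps can be checked offline against a server's my.cnf and a dump of mysql.user. The following Python is an added example written for this page, not code from NHS Digital or from MySQL. It flags a [mysqld] section that listens on every interface, and accounts that are anonymous, reachable from any host, have no password, or (for 'root') use a mysql_native_password hash matching a short guess list, which is what the attackers' brute force is doing in reverse. The config fragments, user rows and password list are all constructed; the hash function is the documented mysql_native_password scheme (SHA1 applied twice), and caching_sha2_password hashes are deliberately left unchecked.

```python
import hashlib

# Constructed my.cnf fragments (assumptions about a deployment, not config
# from the advisory). WEAK_CNF is the internet-exposed shape the brute-force
# attacks rely on; HARDENED_CNF limits the listener to the loopback interface.
WEAK_CNF = """\
[mysqld]
port = 3306
bind-address = 0.0.0.0
"""

HARDENED_CNF = """\
[mysqld]
port = 3306
bind-address = 127.0.0.1
"""

# Constructed, deliberately short guess list; a real check would use a proper wordlist.
COMMON_PASSWORDS = ["password", "123456", "root", "mysql", "admin", "qwerty"]


def native_hash(password):
    """mysql_native_password hash: '*' + SHA1(SHA1(pw)) in upper-case hex."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed rows in the shape of
#   SELECT User, Host, plugin, authentication_string FROM mysql.user;
WEAK_USERS = [
    ("root", "%", "mysql_native_password", native_hash("password")),
    ("root", "localhost", "mysql_native_password", native_hash("password")),
    ("", "localhost", "mysql_native_password", ""),
    ("app", "10.0.0.%", "mysql_native_password", native_hash("x9T!qL4#vB2@pZ7m")),
]
HARDENED_USERS = [
    ("root", "localhost", "mysql_native_password", native_hash("Lk8$wE3#nQ6!rT9z")),
    ("app", "10.0.0.%", "mysql_native_password", native_hash("x9T!qL4#vB2@pZ7m")),
]


def audit_config(cnf_text):
    """Return findings for the [mysqld] network settings in my.cnf text."""
    settings, section = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")        # "skip-networking" has no value
        settings[key.strip().lower().replace("_", "-")] = value.strip()
    if "skip-networking" in settings:
        return []                                  # no TCP listener at all
    bind = settings.get("bind-address")
    if bind is None:
        return ["bind-address not set: MySQL's built-in default (*) listens on all interfaces"]
    if bind in ("0.0.0.0", "*", "::"):
        return [f"bind-address = {bind}: server reachable from every network it is attached to"]
    return []


def audit_users(rows, wordlist=COMMON_PASSWORDS):
    """Flag anonymous accounts, accounts reachable from any host, accounts with
    no password, and root accounts whose mysql_native_password hash matches a
    wordlist entry. caching_sha2_password hashes (the MySQL 8 default) are
    salted and are deliberately not checked here."""
    findings = []
    for user, host, plugin, auth in rows:
        who = f"'{user}'@'{host}'"
        if user == "":
            findings.append(f"anonymous account {who}")
        if host == "%":
            findings.append(f"{who} can connect from any host")
        if auth == "":
            findings.append(f"{who} has no password")
        elif user == "root" and plugin == "mysql_native_password":
            for word in wordlist:
                if native_hash(word) == auth:
                    findings.append(f"{who} uses the weak password {word!r}")
                    break
    return findings


if __name__ == "__main__":
    for label, cnf, users in (("weak", WEAK_CNF, WEAK_USERS), ("hardened", HARDENED_CNF, HARDENED_USERS)):
        print(label, audit_config(cnf) + audit_users(users))
```

The weak pair produces five findings (root open to any host and guessable, the anonymous account, the missing password) and the hardened pair none. Note that `audit_config` says nothing about the third remediation step: backups and restore testing have to be verified by actually restoring.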

Last edited: 17 February 2020 11:37 am