Hackers have attacked poorly secured Elasticsearch databases and replaced 450 indexes with ransom notes demanding $620 each to recover the contents, $279,000 in total. The threat actors set a seven-day payment deadline and threaten to triple the demand once it passes. They claim that if a second week goes by without payment, the indexes will be lost.
Those who pay are promised a download link to a dump of their database, which the note says will let them restore the data structure to its original state quickly. Researchers at Secureworks discovered this campaign, which included more than 450 distinct ransom demands.
According to Secureworks, the threat actors use an automated script that scans unprotected databases, deletes their contents, and writes the ransom note in their place, so there appears to be no manual involvement in the operation. The tactic is not new; similar opportunistic attacks have hit various database management systems in the past. It is implausible that paying would actually restore the contents: keeping copies of the data from so many databases would be a logistical and financial burden for the attacker.
More likely, the threat actors simply wipe the contents of the unprotected database and leave a ransom note, hoping the victim will believe the data can be recovered. One of the Bitcoin wallet addresses listed in the ransom notes has already received a payment. And if data owners do not keep regular backups, losing everything to a wipe will certainly cause heavy financial losses.
Since some of these databases back online services, there is also the risk of a business disruption that could cost far more than the fraudsters' modest fee. Companies should also never rule out the possibility that intruders exfiltrate the data to monetize it in other ways. These opportunistic attacks will keep targeting databases for as long as they are reachable from the public internet without effective security.
According to a recent analysis by Group-IB, more than 100,000 Elasticsearch instances were found exposed on the web in 2021, almost 30% of the 308,000 open databases counted in total. The same survey reveals that database administrators take an average of 170 days to notice a configuration error, which gives hostile actors plenty of opportunity to strike.
As Secureworks points out, no database should be reachable from the public internet unless that is strictly necessary for its function. Where remote access is essential, administrators should require multi-factor authentication for approved users and limit access to those who need it. Businesses that outsource such services to cloud providers should ensure that the vendor's security policies align with their own and that all data is properly safeguarded.
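One way a defender can check for the exposure pattern described above, as an added example written for this page and not code from Secureworks, Group-IB or the Elasticsearch project: a small Python audit of the settings in `elasticsearch.yml` that flags a node bound to a public address with authentication turned off, plaintext HTTP, and wildcard index deletion still permitted. The two sample configuration files are constructed for the example, the YAML reader is a simplified flat key/value parser, and treating a missing `xpack.security.enabled` or `action.destructive_requires_name` as disabled is an assumption that matches Elasticsearch 7.x and earlier defaults (8.x enables both by default).

```python
import ipaddress

# Constructed sample configurations; neither is taken from a real deployment.
WEAK_CONFIG = """
cluster.name: demo
network.host: 0.0.0.0          # listens on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication on the REST API
"""

HARDENED_CONFIG = """
cluster.name: demo
network.host: 10.0.5.12        # private address, reached through a VPN or bastion
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
action.destructive_requires_name: true   # refuses DELETE on wildcards such as "*"
"""

# Special values that bind to every address (or every global-scope address).
WILDCARD_BINDS = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text):
    """Simplified reader for the flat 'key: value' lines elasticsearch.yml
    normally consists of; nested YAML blocks are not handled here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def bind_addresses(settings):
    """network.bind_host overrides network.host; either may be a YAML list."""
    value = settings.get("network.bind_host", settings.get("network.host", "_local_"))
    return [v.strip().strip("\"'") for v in value.strip("[]").split(",") if v.strip()]


def is_publicly_bound(address):
    """True when the address accepts connections from every interface or is a
    globally routable IP. Non-IP values (_local_, _site_, an interface name)
    are left to a human reviewer and return False."""
    if address in WILDCARD_BINDS:
        return True
    try:
        return ipaddress.ip_address(address).is_global
    except ValueError:
        return False


def audit_es_config(text):
    """Return the finding names for one elasticsearch.yml, in a fixed order."""
    s = parse_flat_yaml(text)
    findings = []
    if any(is_publicly_bound(a) for a in bind_addresses(s)):
        findings.append("network-exposed")
    # Missing keys are treated as disabled (7.x and earlier defaults); adjust
    # this assumption when auditing 8.x, which enables them by default.
    if s.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("auth-disabled")
    if s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("http-tls-disabled")
    if s.get("action.destructive_requires_name", "false").lower() != "true":
        findings.append("wildcard-delete-allowed")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_es_config(cfg) or 'no findings'}")
```

The combination of `network-exposed` and `auth-disabled` is exactly the state the automated campaign looks for; the other two findings matter once the node is reachable at all, since plaintext HTTP leaks credentials and `action.destructive_requires_name: true` stops a single wildcard request from deleting every index at once. Running this over every node's configuration as part of a deployment pipeline catches the setup error long before the 170-day average noted above.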