In January 2017, we discussed how cybercriminals were hacking and ransoming MongoDB databases, a lucrative practice that soon spread to Elastic databases. Three months on, are we any closer to a solution?
The idea is simple: hackers download the contents of a database and replace them with a single entry, generally called “please_read”. The entry usually contains a text message, an email address and a bitcoin address, as seen below.
“Your DB is backed up at our servers, to restore send 0.5 BTC [approximately €490] to the bitcoin address then send an email with your server IP.”
Hackers do not exploit technical vulnerabilities, but human error: most of the databases attacked are completely open, meaning they require no logins or passwords to be accessed online. To identify databases without authentication procedures, hackers use free tools that are available on the Internet.
More than one in three databases ransomed
To date, our tools have identified 97,584 unprotected databases, 33,842 (35%) of which have been ransomed.
Approximately 35% (33,842) of 97,584 open databases have been ransomed.
Our research has shown that MongoDB databases are the most affected. They are also more likely to be online and unprotected.
A lucrative practice?
Despite the growing number of databases affected by ransomware, hackers do not seem to be making huge profits. If the email and bitcoin addresses in ransom messages are anything to go by, very few cybercriminals are working the market. Three of the bitcoin addresses we analysed have never received a ransom payment.
A fourth bitcoin address has received one payment, but this could be a pretence to encourage victims to trust the hacker.
Meanwhile, Elastic and MongoDB have both warned users about these kinds of attacks and recommended good practices to protect databases. For example, enforcing strong access controls and backing up databases regularly are two ways of minimising the risks associated with data theft and ransomware attacks.
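As an added illustration, not taken from the article or from the MongoDB and Elastic projects' own documentation, here is the open posture the campaign relies on beside a hardened one, written as mongod.conf (YAML format) and elasticsearch.yml fragments; the port number and addresses are assumptions.

```yaml
# --- Weak: mongod.conf as commonly deployed by the ransomed victims ---
# No "security" section (authorization disabled) and bindIp on every
# interface: anyone who can reach the port can read, drop and replace
# every collection, which is exactly what the "please_read" campaign does.
net:
  port: 27017          # assumed default port
  bindIp: 0.0.0.0      # listens on all interfaces, including the Internet
---
# --- Hardened: mongod.conf requiring authentication, not Internet-facing ---
# Create an administrative user from a local shell before restarting with
# this file: once authorization is enabled, the localhost exception only
# lets the first connection create that initial user.
net:
  port: 27017
  bindIp: 127.0.0.1    # or the private address of the application host
security:
  authorization: enabled   # every client must authenticate
---
# --- Elasticsearch equivalent (elasticsearch.yml) ---
# Open-source Elasticsearch of this period shipped without authentication,
# so the first line of defence is binding to a non-public interface and
# fronting it with a firewall or an authenticating reverse proxy.
network.host: 127.0.0.1
```

Regular off-host backups (the article's second recommendation) remain necessary either way: the hardened configuration stops the unauthenticated wipe, but only a backup restores data after one has already happened.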
Attacks can have very serious consequences. In April 2016, researcher Chris Vickery discovered an unprotected database containing personal data on more than 94 million Mexican citizens. If hackers had accessed this information, the consequences would have been disastrous.
To prevent issues such as these, companies and organisations must monitor the parts of their perimeter that lie outside their direct control. Hackers may be one step ahead – but that is no reason to lag behind.