Ransomware: one in three databases have been hacked

In January 2017, we discussed how cybercriminals were hacking and ransoming MongoDB databases, a lucrative practice that soon spread to Elastic databases. Three months on, are we any closer to a solution?

The idea is simple: hackers download the contents of a database and replace them with a single entry, generally called “please_read”. The entry usually contains a text message, an email address and a bitcoin address, as seen below.


Your DB is backed up at our servers, to restore send 0.5 BTC [approximately €490] to the bitcoin address then send an email with your server IP.

Hackers do not exploit technical vulnerabilities, but human error: most of the databases attacked are completely open, meaning they are reachable from the Internet and require no username or password to be accessed. To identify databases with no authentication in place, hackers use free tools that are available on the Internet.
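The ransom note quoted above has a recognisable shape: a single collection with a name such as "please_read" whose only document carries a bitcoin address, a contact e-mail and a demand to "restore". The following is an added example, not code from the original article, that turns that shape into a detection check over a snapshot of collection listings; the snapshot, the extra collection names beyond "please_read", the bitcoin address and the e-mail addresses are all constructed for illustration.

```python
"""Flag databases whose contents match the ransom-note pattern described above."""
import re

# Names the note is typically dropped into. "please_read" is the name given
# in the article; the other variants are assumptions added for illustration.
NOTE_NAMES = {"please_read", "please_read_me", "readme", "warning"}

# The two artefacts a note needs so the victim can pay and make contact:
# a legacy (base58) bitcoin address and an e-mail address.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
KEYWORDS = ("backed up", "restore", "btc", "bitcoin", "send")

# Constructed snapshot: {database: {collection: [documents rendered as text]}}.
# The bitcoin address and e-mail addresses are fake placeholders.
SNAPSHOT = {
    "mongo-prod-01": {
        "users": ["{'name': 'alice'}"],
        "orders": ["{'id': 1, 'total': 12.5}"],
    },
    "mongo-dev-03": {
        "please_read": [
            "Your DB is backed up at our servers, to restore send 0.5 BTC to "
            "1ABCDEFGHJKLMNPQRSTUVWXYZ2345678 then send an email with your "
            "server IP to pay@example.invalid"
        ],
    },
    "elastic-logs-02": {
        "warning": ["Scheduled maintenance: send reports to ops@example.invalid"],
        "logs-2017.03": ["{'level': 'info', 'msg': 'started'}"],
    },
}


def note_indicators(text):
    """Return the ransom-note indicators found in one stored document."""
    lowered = text.lower()
    return {
        "btc_addresses": BTC_RE.findall(text),
        "emails": EMAIL_RE.findall(text),
        "keywords": [k for k in KEYWORDS if k in lowered],
    }


def is_ransom_note(text):
    """A note needs a way to pay plus at least two ransom keywords; a lone
    e-mail address (a maintenance notice, say) is not enough."""
    ind = note_indicators(text)
    return bool(ind["btc_addresses"]) and len(ind["keywords"]) >= 2


def find_ransomed(snapshot):
    """Return one hit per note-like collection whose documents read like a
    demand. only_collection records whether the note is all that is left,
    which is the pattern the article describes (data replaced by one entry)."""
    hits = []
    for db, collections in snapshot.items():
        for coll, docs in collections.items():
            if coll.lower() in NOTE_NAMES and any(is_ransom_note(d) for d in docs):
                hits.append({
                    "db": db,
                    "collection": coll,
                    "only_collection": len(collections) == 1,
                })
    return hits


if __name__ == "__main__":
    for hit in find_ransomed(SNAPSHOT):
        print(f"{hit['db']}: ransom note in '{hit['collection']}'"
              f" (only collection: {hit['only_collection']})")
```

Run against a real deployment, the snapshot would come from a periodic listing of databases and collections; the point of the check is to raise an alert on the first note rather than on a user report days later.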

More than one in three databases ransomed

To date, our tools have identified 97,584 unprotected databases, 33,842 (35%) of which have been ransomed.


Approximately 35% (33,842) of 97,584 open databases have been ransomed.

Our research has shown that MongoDB databases are the most affected. They are also more likely to be online and unprotected.


Summary:

                     Elastic    MongoDB      Total
Ransomed               4,538     29,304     33,842
Clean                 19,603     44,139     63,742
Unprotected (total)   24,141     73,443     97,584

A lucrative practice?

Despite the growing number of databases affected by ransomware, hackers do not seem to be making huge profits. If the email and bitcoin addresses in ransom messages are anything to judge by, very few cybercriminals are working the market. Three of the bitcoin addresses we analysed have never received ransom payments.


A fourth bitcoin address has received one payment, but this could be a pretence to encourage victims to trust the hacker.

Improved communications

Meanwhile, Elastic and MongoDB have both warned users about these kinds of attacks and recommended good practices to protect databases. For example, enforcing strong access controls and keeping regular backups are two ways of minimising the risks associated with data theft and ransomware attacks.
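The advice above comes down to two settings per product: what interface the database listens on and whether it requires authentication. The following is an added example, not code from the article or from MongoDB or Elastic, that audits both from the configuration files. The four configuration fragments are constructed for illustration; the setting names (net.bindIp and security.authorization for mongod, network.host and xpack.security.enabled for Elasticsearch) are the products' own, while the tiny YAML reader and the treatment of a missing xpack.security.enabled line as "disabled" are assumptions made here to keep the check dependency-free.

```python
"""Audit mongod.conf and elasticsearch.yml for the two settings that leave a
database open to the Internet: listening on all interfaces and no auth."""

# Constructed: the weak configuration behind most of the ransomed instances.
WEAK_MONGOD = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: the same server bound to loopback with access control on.
HARDENED_MONGOD = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

WEAK_ES = """\
cluster.name: logs
network.host: 0.0.0.0
http.port: 9200
"""

HARDENED_ES = """\
cluster.name: logs
network.host: _local_
http.port: 9200
xpack.security.enabled: true
"""


def parse_simple_yaml(text):
    """Minimal reader for the nested 'key: value' maps these files use.
    Assumption: no lists, no quoting, no IPv6 literals; enough for this check
    without pulling in PyYAML."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key] = value
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit_mongod(conf):
    """Return findings for a parsed mongod.conf (empty list means clean)."""
    findings = []
    bind_ip = conf.get("net", {}).get("bindIp")
    if bind_ip is None:
        findings.append("net.bindIp not set: releases before 3.6 then listen on all interfaces")
    elif any(ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(",")):
        findings.append(f"net.bindIp={bind_ip}: listens on every interface")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization not 'enabled': any client that connects has full access")
    return findings


def audit_elasticsearch(conf):
    """Return findings for a parsed elasticsearch.yml (empty list means clean)."""
    findings = []
    host = conf.get("network.host", "_local_")  # Elasticsearch binds loopback unless told otherwise
    if host in ("0.0.0.0", "::", "_global_"):
        findings.append(f"network.host={host}: HTTP and transport ports reachable from outside")
    # Assumption: treat an absent line as disabled; the real default varies by version and licence.
    if conf.get("xpack.security.enabled", "false").lower() != "true":
        findings.append("xpack.security.enabled not true: no authentication on the REST API")
    return findings


if __name__ == "__main__":
    for name, text, audit in (("weak mongod", WEAK_MONGOD, audit_mongod),
                              ("hardened mongod", HARDENED_MONGOD, audit_mongod),
                              ("weak elasticsearch", WEAK_ES, audit_elasticsearch),
                              ("hardened elasticsearch", HARDENED_ES, audit_elasticsearch)):
        print(name, "->", audit(parse_simple_yaml(text)) or "clean")
```

Binding to loopback is the quickest fix but not the whole answer: an application on another host still needs access, so the usual end state is a private address plus authentication plus a firewall rule, and a backup schedule that has been tested by actually restoring from it.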

Attacks can have very serious consequences. In April 2016, researcher Chris Vickery discovered an unprotected database containing personal data on more than 94 million Mexican citizens. If hackers had accessed this information, the consequences would have been disastrous.

To prevent issues such as these, companies and organisations must monitor perimeters that are outside of their control. Hackers may be one step ahead – but that is no reason to lag behind.