I’ve reported on this concern before, but Tom Spring has a nice write-up on ThreatPost that begins:
Recent attacks against insecure MongoDB, Hadoop and CouchDB installations represent a new phase in online extortion, born from ransomware’s roots with the promise of becoming a nemesis for years to come.
“These types of attacks have grown from ones of opportunity to full-scale automated and systematic assaults targeting misconfigured servers containing sensitive data that can be easily hijacked,” said Zohar Alon, co-founder and CEO, security firm Dome9.
First spotted on Dec. 27 by Victor Gevers, an ethical hacker and founder of GDI Foundation, attacks in the past two months shot up from 200 to near 50,000.
But as I’ve noted before, we shouldn’t call all attacks “ransomware” even if there’s a so-called “ransom demand.” Spring writes, for example:
Security researchers at Rapid7 estimate that 50 percent of the 56,000 vulnerable MongoDB servers have been ransomed. When it comes to similar misconfigured databases; 58 percent of the 18,000 vulnerable Elasticsearch servers have been ransomed and of the 4,500 CouchDB servers vulnerable 10 percent have been ransomed.
“It’s about the path of least resistance for hackers interested in the biggest potential reward,” said Bob Rudis, chief data security officer at Rapid7. “Hackers have decided it’s easier to end-run an enterprise’s multi-million dollar security system and instead simply target an open server.”
But these servers are NOT being ransomed even though there are “ransom demands.” What researchers from GDI Foundation have found is that the servers are just being wiped and a ransom note left in their place. But if entities pay the “ransom,” they still don’t get the database back because it appears that the databases are not being copied and exfiltrated.
Read more on ThreatPost. And read GDI Foundation’s warning on Hadoop, as Hadoop installations have also been attacked.