Hackers attacked poorly protected Elasticsearch databases and replaced 450 indexes with ransom letters demanding $620 to restore contents, for a total demand of $279,000.

The threat actors have set a seven-day deadline for payment and threaten to triple the demand once it passes. They claim that if payment has still not arrived after a further week, the indexes will be lost for good.

The notes promise those who pay a download link to a dump of their database, which would supposedly let them restore the data and its structure quickly.

Secureworks threat experts uncovered this campaign after identifying over 450 separate ransom payment demands.

According to Secureworks, the threat actors use an automated script that scans for unprotected databases, deletes their contents, and writes the ransom note in their place, so the whole operation runs without any human interaction on the attacker's side.

Campaign ramifications

This campaign is not new in kind; similar opportunistic attacks against other database management systems have been observed in the past.

Paying the attackers is unlikely to bring the data back: keeping copies of the contents of so many databases would be a practical and financial burden for the attacker.

Instead, the threat actors simply wipe the contents of the unprotected database and leave a ransom note, hoping the victim will take it at face value. So far, a single payment has been made to one of the Bitcoin wallet addresses listed in the ransom notes.

If data owners do not keep frequent backups, losing everything in such a wipe will almost certainly translate into substantial financial losses.

Because some of these databases underpin online services, there is also the risk of business interruption, which can cost far more than the small sum the extortionists ask for.

Furthermore, companies should never rule out the possibility that the intruders took a copy of the data in order to monetize it in other ways.

Elasticsearch security

Unfortunately, as long as databases are reachable from the public internet without being properly secured, opportunistic attacks will keep targeting them.

According to a recent Group-IB analysis, over 100,000 Elasticsearch instances were discovered exposed on the web in 2021, accounting for almost 30% of the total of 308,000 exposed databases in 2021.

According to the same report, it takes database administrators an average of 170 days to notice that they have made a configuration error, which leaves hostile actors ample time to attack.

According to Secureworks, no database should be exposed to the public unless that is strictly necessary for its purpose. Where remote access is essential, administrators should enforce multi-factor authentication for approved users and restrict access to only those who need it.
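As an added example (not from the article, from Secureworks, or from Elastic's own tooling), the following Python script checks an elasticsearch.yml for the two settings that place a node in this campaign's target profile: a network.host that listens beyond loopback, and authentication (xpack.security.enabled) switched off. The setting names are real Elasticsearch settings; the two sample configs are constructed for the example, and the script assumes the flat key: value layout that file normally has rather than pulling in a YAML library.

```python
"""Audit an elasticsearch.yml for the exposure mistakes this campaign abuses.

Added example for this article; it is not Secureworks' or Elastic's tooling.
It parses only flat `key: value` lines, the usual form of elasticsearch.yml
(nested YAML blocks are ignored), so it needs no third-party library.
"""
from __future__ import annotations

# Values of network.host that keep the node reachable only from the host itself.
LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text: str) -> dict[str, str]:
    """Return {key: value} for flat `key: value` lines, dropping comments."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def host_values(value: str) -> list[str]:
    """Split a scalar or inline-list network.host value into bare addresses."""
    return [
        item.strip().strip("\"'")
        for item in value.strip().strip("[]").split(",")
        if item.strip()
    ]


def audit_config(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    s = parse_flat_yaml(text)
    findings: list[str] = []

    # Elasticsearch binds to loopback unless network.host says otherwise.
    exposed = [h for h in host_values(s.get("network.host", "_local_"))
               if h not in LOOPBACK_VALUES]
    if exposed:
        findings.append(
            f"network.host binds to {exposed}: the node is reachable over the network")

    security = s.get("xpack.security.enabled")
    if security is None:
        findings.append(
            "xpack.security.enabled is not set: whether authentication is on depends "
            "on the version default; set it to true explicitly")
    elif security.lower() != "true":
        findings.append(
            "xpack.security.enabled is false: anyone who reaches the HTTP port can "
            "read and delete every index")

    tls = s.get("xpack.security.http.ssl.enabled", "false").lower()
    if exposed and tls != "true":
        findings.append(
            "HTTP TLS is off on a network-reachable node: credentials and data "
            "travel in cleartext")
    return findings


def is_wipe_exposed(text: str) -> bool:
    """True when the config matches the campaign's target profile: reachable
    from the network with authentication off. An absent xpack.security.enabled
    is treated as off (the pre-8.0 default); tighten this if every node is 8.x."""
    s = parse_flat_yaml(text)
    exposed = any(h not in LOOPBACK_VALUES
                  for h in host_values(s.get("network.host", "_local_")))
    return exposed and s.get("xpack.security.enabled", "false").lower() != "true"


# Constructed sample configs for the example (not taken from any real deployment).
WEAK_CONFIG = """\
cluster.name: logs
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""

HARDENED_CONFIG = """\
cluster.name: logs
network.host: 127.0.0.1        # local host only; reach it through a VPN or proxy
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: matches wipe-and-ransom target profile = {is_wipe_exposed(cfg)}")
        for finding in audit_config(cfg):
            print("  -", finding)
```

Run it against each node's elasticsearch.yml (for example from a configuration-management check) and treat any `is_wipe_exposed` result of True as a blocker before the node goes live; the 170-day detection gap the report describes is exactly the window such a check is meant to close.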

Organizations that outsource these services to cloud providers must make sure the vendor's security rules align with their own and that all data is properly protected. Beyond cloud providers, virtual machine backup solutions are also a sound choice: a virtual machine backup can protect large volumes of data with fewer physical requirements, is easy to manage, and is cost-effective. Many businesses now pay closer attention to data security and keep updating their approach to data protection, and virtual machine backup is one of the newer methods, covering VMware Backup, Hyper-V Backup, XenServer Backup, and others.