BinaryEdge - Science and Technology


Wednesday, 18 January 2017

The compendium of database ransomware

by BinaryEdge

Over the last week we've been regularly monitoring multiple storage/database technologies for ransomware. It all started with MongoDB, but other technologies are now being affected as well. This is nothing new to BinaryEdge, as we had previously shown how these technologies, when misconfigured (typically exposed to the internet without authentication), can become big problems.

We've seen MongoDB, Redis, ElasticSearch, Hadoop, Cassandra and CouchDB falling to ransomware attacks.

We will keep updating this compendium with new database names that we find associated with ransomware, and with new technologies as they get hit.

MongoDB

We're seeing multiple players attacking MongoDB. Regular scans show changes in the database names left behind: in one scan "WARNING" was the most common name, and in a second scan 24 hours later "PLEASE_READ_ME" was in the lead. This shows that attackers are competing for the same machines/databases, overwriting each other's ransom notes, and that many different campaigns are running simultaneously.

Figure: scan made on 16th of January

Figure: scan made on 17th of January


The list of ransomware database names we've found for MongoDB is:

CONTACTME
WARNING
ENCRYPTED
PWNED_SECURE_YOUR_STUFF_SILLY
PLEASE_READ
PLEASE_READ_ME
README_MISSING_DATABASES
READ1
README
README_YOU_DB_IS_INSECURE

To learn how to secure your MongoDB (enable access control, bind to localhost or a private interface), see: http://docs.mongodb.org/manual/security/

Redis

Ransomware on Redis was previously reported by Duo Security, and it is still happening. To check whether your Redis instance has been attacked, look at your keys: if you have a key named crackit you might be affected. The "KEYS *" command on the redis-cli command line will show it, but note that KEYS is O(N) and blocks the server while it walks every key, so on a large or busy instance use "EXISTS crackit" or iterate with SCAN instead. Also inspect ~/.ssh/authorized_keys for the user Redis runs as: the crackit payload is typically written to disk as an SSH key via CONFIG SET dir/dbfilename followed by SAVE, which is how the attacker gets a shell on the box.

ElasticSearch

We're seeing multiple instances of ElasticSearch also being targeted by ransomware. To see if you've been affected, check your index names (for example with the cat indices API, https://www.elastic.co/guide/en/elasticsearch/reference/current/cat-indices.html) and see if any of the following are present.

The index names we've seen being used as ransom notes on ElasticSearch are:

pleasereadthis
please_read
warning

Hadoop

Hadoop is another technology that has also been affected by ransomware attacks.

To see if your instance of Hadoop is affected, open the HDFS browser in the NameNode web UI on your host (http://<namenode-host>:50070/explorer.html#/) and look at the top-level directories.

For Hadoop, the HDFS directory name we've seen used as a ransom note is:

NODATA4U_SECUREYOURSHIT

By the 17th of January we had already seen over 1000 instances of Hadoop affected by ransomware.

Cassandra

Cassandra is a highly scalable, highly available database.

To see if your Cassandra instance was compromised, look at your keyspaces (in cqlsh, run DESCRIBE KEYSPACES;) and see if any of the following are present:

your_db_is_not_secure

CouchDB

CouchDB instances are also being compromised. To verify whether your instance has been compromised, request

http://<couchdb-host>:5984/_all_dbs and check the database names for any of the following:

pleaseread

pleasereadme

To secure your CouchDB instance, add authentication by following the steps at: http://docs.couchdb.org/en/2.0.0/api/server/authn.html
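The checks in the MongoDB, Redis, ElasticSearch, Hadoop, Cassandra and CouchDB sections above all come down to the same thing: list the databases, keys, indices, directories or keyspaces and look for a ransom-note name. The script below does that in one pass over the listing each service returns. It is an example added to this page, not BinaryEdge's scanner or code from the post. The sample listings are constructed in each service's real response shape (listDatabases output, redis-cli KEYS output, the cat indices or _aliases JSON, a WebHDFS LISTSTATUS response, cqlsh DESCRIBE KEYSPACES output, _all_dbs), and the "suspicious" keyword heuristic that flags variants of the catalogued names for manual review is an assumption of the example, not something the post describes.

```python
"""Check database/index/keyspace listings for the ransom-note names in this post.

Example code added to this page; it is not BinaryEdge's scanner or code from the
post. The sample listings at the bottom are constructed, not captured from hosts.
"""
import json
import re

# Names the post reports per technology. Matched exactly (case-insensitively).
KNOWN_RANSOM_NAMES = {
    "mongodb": {
        "CONTACTME", "WARNING", "ENCRYPTED", "PWNED_SECURE_YOUR_STUFF_SILLY",
        "PLEASE_READ", "PLEASE_READ_ME", "README_MISSING_DATABASES", "READ1",
        "README", "README_YOU_DB_IS_INSECURE",
    },
    "redis": {"crackit"},
    "elasticsearch": {"pleasereadthis", "please_read", "warning"},
    "hadoop": {"NODATA4U_SECUREYOURSHIT"},
    "cassandra": {"your_db_is_not_secure"},
    "couchdb": {"pleaseread", "pleasereadme"},
}

# Heuristic added by this example (an assumption, not from the post): the names
# above are variations on a few words, so names built from those words are
# reported as "suspicious" for a human to review rather than as confirmed hits.
SUSPICIOUS_WORDS = re.compile(r"read|warning|secure|pwned|encrypt|nodata", re.I)


def parse_listing(tech, raw):
    """Return the names contained in the listing each service gives you.

    Where to get `raw` (no network code here; paste the response in):
      elasticsearch: GET http://<host>:9200/_cat/indices?format=json (a list),
                     or GET http://<host>:9200/_aliases (an object keyed by index)
      couchdb:       GET http://<host>:5984/_all_dbs
      hadoop:        GET http://<namenode>:50070/webhdfs/v1/?op=LISTSTATUS
                     (the same data the explorer.html page in the post renders)
      mongodb:       db.adminCommand({listDatabases: 1}) in the mongo shell
      redis:         redis-cli KEYS '*'   (or SCAN on a large instance)
      cassandra:     DESCRIBE KEYSPACES;  in cqlsh
    """
    if tech == "elasticsearch":
        data = json.loads(raw)
        return list(data) if isinstance(data, dict) else [r["index"] for r in data]
    if tech == "couchdb":
        return list(json.loads(raw))
    if tech == "hadoop":
        statuses = json.loads(raw)["FileStatuses"]["FileStatus"]
        return [entry["pathSuffix"] for entry in statuses]
    if tech == "mongodb":
        return [db["name"] for db in json.loads(raw)["databases"]]
    if tech in ("redis", "cassandra"):
        # Plain text: one key per line (redis-cli) or space-separated (cqlsh).
        return raw.split()
    raise ValueError("unknown technology: %s" % tech)


def classify(tech, names):
    """Split names into confirmed ransom-note names and heuristic suspects."""
    known = {n.lower() for n in KNOWN_RANSOM_NAMES[tech]}
    result = {"known": [], "suspicious": []}
    for name in names:
        if name.lower() in known:
            result["known"].append(name)
        elif SUSPICIOUS_WORDS.search(name):
            result["suspicious"].append(name)
    return result


def check(tech, raw):
    """Parse a raw listing for `tech` and classify its names."""
    return classify(tech, parse_listing(tech, raw))


def scan_all(listings):
    """Run check() over a {tech: raw} mapping; returns {tech: classification}."""
    return {tech: check(tech, raw) for tech, raw in listings.items()}


# Constructed sample listings in each service's real response shape; each one
# contains exactly one name from the post plus ordinary names.
SAMPLE_LISTINGS = {
    "mongodb": json.dumps({"databases": [{"name": "admin"}, {"name": "local"},
                                          {"name": "PLEASE_READ_ME"}], "ok": 1}),
    "redis": "session:42\ncrackit\nuser:7\n",
    "elasticsearch": json.dumps([
        {"health": "yellow", "status": "open", "index": "logstash-2017.01.16"},
        {"health": "yellow", "status": "open", "index": "warning"},
    ]),
    "hadoop": json.dumps({"FileStatuses": {"FileStatus": [
        {"pathSuffix": "tmp", "type": "DIRECTORY"},
        {"pathSuffix": "NODATA4U_SECUREYOURSHIT", "type": "DIRECTORY"},
    ]}}),
    "cassandra": "system_schema  system  your_db_is_not_secure  system_auth\n",
    "couchdb": json.dumps(["_users", "_replicator", "pleaseread", "read_me_now"]),
}

if __name__ == "__main__":
    for tech, found in scan_all(SAMPLE_LISTINGS).items():
        status = "COMPROMISED" if found["known"] else "clean"
        print("%-13s %-11s known=%s suspicious=%s"
              % (tech, status, found["known"], found["suspicious"]))
```

A "known" hit means the listing contains a name from this post exactly; a "suspicious" entry only shares a word with them and needs a human look, since legitimate names can contain "read" or "secure" too. Finding a ransom-note name tells you the data is already gone from that host (the attackers drop the databases rather than encrypting them in place), so the follow-up is restoring from backup and closing the exposure, not paying.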

BinaryEdge - https://www.binaryedge.io

BinaryEdge is a Swiss startup with a focus on DataScience and CyberSecurity.