MongoDB ransom attacks continue to plague administrators

Jonathan Mathews


Earlier this month, Salted Hash reported on a surge in attacks against publicly accessible MongoDB installations.

Since January 3, the day of that first report, the number of victims has climbed from about 200 databases to more than 40,000. In addition to MongoDB, those responsible for the attacks have started targeting Elasticsearch and CouchDB.

No matter the platform being targeted, the message to the victim is the same: send a small Bitcoin payment to the listed address, or forever lose access to your files.

The problem is, some of the more recent attacks show evidence the database was erased. So even if the ransom is paid, the data is lost for good.

The researchers tracking these attacks are aware of at least four individuals who delete the databases entirely after running a list command. Once the data is deleted, they leave the ransom note and log off the system. So far, these individuals have used more than a dozen Bitcoin wallet addresses and nine different email accounts.

The tracking document is available on Google Docs.

Based on the most recent figures, ten organizations paid the ransom in order to restore their databases, but not a single one has had their data returned. Only one of those victims had backups to use when the ransom payment failed.

But MongoDB was just the start.

Soon, criminals started going after other development platforms, such as Elasticsearch, a Java-based search engine that is popular in enterprise environments. Then they moved on to public-facing Hadoop and CouchDB deployments.

Researchers at Rapid7 Labs have been following these attacks and used Project Sonar to look at the current situation.

“The core reason why attackers are targeting devops-ish technologies is that most of these servers have default configurations which have tended to be wide open (i.e. they listen on all IP addresses and have no authentication) to facilitate easy experimentation [and] exploration,” a report from Rapid7 explains.

“Said configuration means you can give a new technology a test on your local workstation to see if you like the features or API but it also means that — if you’re not careful — you’ll be exposing real data to the world if you deploy them the same way on the internet.”
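As an added illustration of the default the Rapid7 report describes (this is not code from the article or from Rapid7): a small Python audit of a mongod.conf that flags the two settings behind these attacks, listening on every interface and running without authorization, with a constructed wide-open sample beside a hardened one. The parser only handles the two-level `section:` / `  key: value` layout used in the samples, which is an assumption for this example rather than a full YAML implementation.

```python
"""Audit a mongod.conf for the 'wide open' defaults behind the 2017 ransom attacks."""

# Constructed sample: listens on all interfaces, no security section at all.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: local-only listener plus role-based access control.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Minimal reader for the two-level layout above (assumption: not full YAML)."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and blank lines
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not raw.startswith(" "):           # unindented line opens a section
            section = key
            conf.setdefault(section, {})
        else:                                 # indented line is key: value
            conf.setdefault(section, {})[key] = value.strip()
    return conf


def audit_text(text):
    """Return human-readable findings; an empty list means both controls are set."""
    conf, findings = parse_conf(text), []
    net, security = conf.get("net", {}), conf.get("security", {})
    bind = net.get("bindIp")
    if net.get("bindIpAll") == "true":
        findings.append("net.bindIpAll true exposes the listener on all interfaces")
    elif bind is None:
        findings.append("net.bindIp not set (older mongod releases listened on all interfaces when unset)")
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append("net.bindIp %s exposes the listener on all interfaces" % bind)
    if security.get("authorization") != "enabled":
        findings.append("security.authorization not enabled: any client that connects can list and drop databases")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_text(conf) or ["no findings"])
```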
